access-list

This command creates an IP ACL (Access Control List) rule in the ACL identified by the access list number: 1-99 for a standard ACL, 100-199 for an extended ACL. The ACL Command Parameters table below describes the parameters of the access-list command.

IP Standard ACL:

Format access-list 1-99 {remark comment | [sequence-number] {deny | permit} {every | srcip srcmask | host srcip} [time-range time-range-name] [log] [assign-queue queue-id] [{mirror | redirect} unit/slot/port] [rate-limit rate burst-size]}
Mode Global Config

IP Extended ACL:

Format access-list 100-199 {remark comment | [sequence-number] [rule 1-1023] {deny | permit} {every | {eigrp | gre | icmp | igmp | ip | ipinip | ospf | pim | tcp | udp | 0-255} {srcip srcmask | any | host srcip} [{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535}}] {dstip dstmask | any | host dstip} [{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535}}] [flag [+fin | -fin] [+syn | -syn] [+rst | -rst] [+psh | -psh] [+ack | -ack] [+urg | -urg] [established]] [icmp-type icmp-type [icmp-code icmp-code] | icmp-message icmp-message] [igmp-type igmp-type] [fragments] [precedence precedence | tos tos [tosmask] | dscp dscp]} [time-range time-range-name] [log] [assign-queue queue-id] [{mirror | redirect} unit/slot/port] [rate-limit rate burst-size]}
Mode Global Config
Note

IPv4 extended ACLs have the following limitations for egress ACLs:
  • Match on port ranges is not supported.
  • The rate-limit command is not supported.

ACL Command Parameters

Parameter Description
remark comment Use the remark keyword to add a comment (remark) to an IP standard or IP extended ACL. Remarks make the ACL easier to understand and scan. Each remark is limited to 100 characters and may contain the characters A-Z, a-z, 0-9, space, hyphen and underscore. Remarks are displayed only in the show running-config output. One remark can be added per rule for an IP standard or IP extended ACL. Only a remark that is not associated with a rule can be removed on its own; a remark associated with a rule is removed when the rule is removed.
sequence-number Specifies a sequence number for the ACL rule. Every rule has a sequence number, either specified by the user or generated by the device.

If no sequence number is specified, the rule receives a number 10 greater than the last sequence number in the ACL and is placed at the end of the list; the first rule in an ACL receives sequence number 10. If the calculated sequence number would exceed the maximum sequence number value, creation of the rule fails.

A rule that duplicates an existing rule cannot be created, and a rule cannot be given a sequence number that is already used by another rule in the same ACL.

For example, a rule added without a sequence number goes to the bottom of the list; giving it a different sequence number moves it to the corresponding position in the ACL. Because rules are evaluated in sequence-number order, the position of a rule determines whether it, or an earlier and broader rule, handles a given packet.

1-99 or 100-199 Range 1 to 99 is the access list number for an IP standard ACL. Range 100 to 199 is the access list number for an IP extended ACL.
[rule 1-1023] Specifies the rule number within the IP access list.
{deny | permit} Specifies whether the IP ACL rule permits or denies an action.
Note: Assign-queue, redirect, and mirror attributes are configurable for a deny rule, but they have no operational effect.
every Match every packet.
{eigrp | gre | icmp | igmp | ip | ipinip | ospf | pim | tcp | udp | 0-255} Specifies the protocol to filter for an extended IP ACL rule, either by keyword or by IP protocol number (0-255).
srcip srcmask|any|host srcip Specifies the source IP address and source mask for the match condition of the IP ACL rule. The mask is a wildcard mask, not a subnet mask: bits set to 0 in srcmask must match the corresponding bits of srcip, bits set to 1 are ignored (so 192.0.2.0 0.0.0.255 covers the /24, whereas 192.0.2.0 255.255.255.0 matches almost everything).

Specifying any is equivalent to srcip 0.0.0.0 with srcmask 255.255.255.255.

Specifying host A.B.C.D is equivalent to srcip A.B.C.D with srcmask 0.0.0.0.

[{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535}}] This option is available only if the protocol is TCP or UDP.

Specifies the source layer 4 port match condition for the IP ACL rule. You can use the port number, which ranges from 0-65535, or you specify the portkey, which can be one of the following keywords:

  • For TCP: bgp, domain, echo, ftp, ftp-data, http, smtp, telnet, www, pop2, pop3.
  • For UDP: domain, echo, ntp, rip, snmp, tftp, time, and who.

For both TCP and UDP, each of these keywords translates into its equivalent port number, which is used as both the start and end of a port range.

If range is specified, the IP ACL rule matches only if the layer 4 port number falls within the specified port range. The startport and endport parameters identify the first and last ports of the range and take values from 0 to 65535. The ending port must be equal to or greater than the starting port. The starting port, the ending port and all ports in between are part of the layer 4 port range.

When eq is specified, the IP ACL rule matches only if the layer 4 port number is equal to the specified port number or portkey.

When lt is specified, the IP ACL rule matches if the layer 4 port number is less than the specified port number or portkey. It is equivalent to specifying the range 0 to the specified port number - 1.

When gt is specified, the IP ACL rule matches if the layer 4 port number is greater than the specified port number or portkey. It is equivalent to specifying the range specified port number + 1 to 65535.

When neq is specified, the IP ACL rule matches only if the layer 4 port number is not equal to the specified port number or portkey. Two rules are installed in the hardware for a neq match: one with the range 0 to the specified port number - 1 and one with the range specified port number + 1 to 65535.

Port number matches only apply to unfragmented packets and to the first fragment of a fragmented packet. Non-initial fragments carry no layer 4 header, so a rule with a port condition never matches them; a deny keyed on a port therefore does not stop the remaining fragments of a packet, and a separate rule using the fragments keyword is needed if those must be filtered too.

dstip dstmask|any|host dstip Specifies the destination IP address and wildcard mask for the match condition of the IP ACL rule, with the same mask semantics as the source address.

Specifying any is equivalent to dstip 0.0.0.0 with dstmask 255.255.255.255.

Specifying host A.B.C.D is equivalent to dstip A.B.C.D with dstmask 0.0.0.0.

[precedence precedence | tos tos [tosmask] | dscp dscp] Specifies a match on the IP type-of-service byte, in one of three forms: the precedence value, the TOS value (optionally qualified by tosmask, which selects the TOS bits that are compared), or the DSCP value. Only one of the three forms can be used in a rule.

tosmask is an optional parameter.

flag [+fin | -fin] [+syn | -syn] [+rst | -rst] [+psh | -psh] [+ack | -ack] [+urg | -urg] [established] This option is available only if the protocol is tcp.

Specifies that the IP ACL rule matches on the TCP flags.

When +tcpflagname is specified, a match occurs if the specified tcpflagname flag is set in the TCP header.

When -tcpflagname is specified, a match occurs if the specified tcpflagname flag is not set in the TCP header.

When established is specified, a match occurs if the RST bit or the ACK bit is set in the TCP header. Two rules are installed in the hardware when the established option is specified, one for each bit. Note that established is a stateless check on flag bits, not on a tracked connection: any segment with ACK set matches, including a crafted ACK-only segment that belongs to no connection, so a permit tcp ... established rule should still constrain addresses and destination ports.
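The following is an added example, not the switch's own code, covering both the port-operator text above and the TCP flag options: a Python model that expands eq, neq, lt, gt, range and the portkey names into the inclusive ranges described in this table (neq becoming two entries, as the hardware programming is described), expands flag specs including established into the two RST-or-ACK entries, and applies the rule that port conditions only see unfragmented packets or first fragments. Packet, RETURN_DST and RETURN_FLAGS are constructed for the example; treating flag matches like port matches for non-initial fragments is an assumption (the page states it for ports only).

```python
"""Layer-4 match semantics of extended IP ACL rules.

Added example, not the switch's own code. Packet and the return-traffic
rule at the bottom are constructed; the fragment handling of flag matches
is an assumption.
"""
from dataclasses import dataclass

# Port keywords listed in the parameter table, mapped to their IANA port numbers.
TCP_PORTKEYS = {"bgp": 179, "domain": 53, "echo": 7, "ftp": 21, "ftp-data": 20,
                "http": 80, "smtp": 25, "telnet": 23, "www": 80, "pop2": 109, "pop3": 110}
UDP_PORTKEYS = {"domain": 53, "echo": 7, "ntp": 123, "rip": 520, "snmp": 161,
                "tftp": 69, "time": 37, "who": 513}
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}


def port_ranges(proto: str, op: str, *args) -> list[tuple[int, int]]:
    """Translate a port operator into the inclusive ranges the table describes."""
    keys = TCP_PORTKEYS if proto == "tcp" else UDP_PORTKEYS
    vals = [keys[a] if isinstance(a, str) and not a.isdigit() else int(a) for a in args]
    if any(not 0 <= v <= 65535 for v in vals):
        raise ValueError("ports are 0-65535")
    if op == "range":
        lo, hi = vals
        if hi < lo:
            raise ValueError("ending port must be equal to or greater than the starting port")
        return [(lo, hi)]
    (p,) = vals
    if op == "eq":
        return [(p, p)]
    if op == "lt":                       # 0 .. p-1; empty for lt 0
        return [(0, p - 1)] if p > 0 else []
    if op == "gt":                       # p+1 .. 65535; empty for gt 65535
        return [(p + 1, 65535)] if p < 65535 else []
    if op == "neq":                      # two hardware entries: below p and above p
        return port_ranges(proto, "lt", p) + port_ranges(proto, "gt", p)
    raise ValueError(f"unknown operator {op!r}")


def flag_entries(spec: list[str]) -> list[tuple[int, int]]:
    """Expand a 'flag ...' spec into (must_be_set, must_be_clear) bitmask pairs.

    'established' means RST or ACK set, so it yields two entries, matching the
    two hardware rules the text mentions.
    """
    must_set = must_clear = 0
    established = False
    for t in spec:
        if t == "established":
            established = True
        elif t[0] == "+":
            must_set |= TCP_FLAGS[t[1:]]
        elif t[0] == "-":
            must_clear |= TCP_FLAGS[t[1:]]
        else:
            raise ValueError(f"bad flag token {t!r}")
    if not established:
        return [(must_set, must_clear)]
    return [(must_set | TCP_FLAGS["rst"], must_clear),
            (must_set | TCP_FLAGS["ack"], must_clear)]


@dataclass
class Packet:
    proto: str
    sport: int = 0
    dport: int = 0
    flags: int = 0
    frag_offset: int = 0   # non-zero = non-initial fragment: no L4 header on the wire


def l4_match(pkt: Packet, proto: str, src=None, dst=None, flags=None) -> bool:
    """Apply the protocol, port-range and flag conditions of one rule to a packet."""
    if pkt.proto != proto:
        return False
    has_l4 = pkt.frag_offset == 0
    for ranges, port in ((src, pkt.sport), (dst, pkt.dport)):
        if ranges is not None:
            # Port conditions only see unfragmented packets and first fragments.
            if not has_l4 or not any(lo <= port <= hi for lo, hi in ranges):
                return False
    if flags is not None:
        # Assumption: flag conditions behave like port conditions for fragments.
        if not has_l4 or not any((pkt.flags & s) == s and (pkt.flags & c) == 0
                                 for s, c in flags):
            return False
    return True


# Constructed return-traffic rule: permit tcp any any gt 1023 flag established
RETURN_DST = port_ranges("tcp", "gt", 1023)
RETURN_FLAGS = flag_entries(["established"])


def return_rule_matches(pkt: Packet) -> bool:
    return l4_match(pkt, "tcp", dst=RETURN_DST, flags=RETURN_FLAGS)
```

Running return_rule_matches over a few constructed packets shows the two caveats from the text: a genuine reply (source port 80, ACK set, high destination port) matches, a SYN does not, but so does an ACK-only segment from any source port, because established checks bits rather than connection state; and a non-initial fragment of that same reply is never evaluated against the port or flag conditions at all.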

[icmp-type icmp-type [icmp-code icmp-code] | icmp-message icmp-message] This option is available only if the protocol is icmp.

Specifies a match condition for ICMP (Internet Control Message Protocol) packets.

When icmp-type is specified, the IP ACL rule matches on the specified ICMP message type, a number from 0 to 255.

When icmp-code is specified, the IP ACL rule matches on the specified ICMP message code, a number from 0 to 255.

Specifying icmp-message implies that both icmp-type and icmp-code are specified. The following icmp-messages are supported: echo, echo-reply, host-redirect, mobile-redirect, net-redirect, net-unreachable, redirect, packet-too-big, port-unreachable, source-quench, router-solicitation, router-advertisement, time-exceeded, ttl-exceeded and unreachable.

igmp-type igmp-type This option is available only if the protocol is igmp.

When igmp-type is specified, the IP ACL rule matches on the specified IGMP (Internet Group Management Protocol) message type, a number from 0 to 255.

fragments Specifies that the IP ACL rule matches on fragmented IP packets.
[log] Specifies that this rule is to be logged.
[time-range time-range-name] Allows imposing time limitation on the ACL rule as defined by the parameter time-range-name. If a time range with the specified name does not exist and the ACL containing this ACL rule is applied to an interface or bound to a VLAN, then the ACL rule is applied immediately. If a time range with specified name exists and the ACL containing this ACL rule is applied to an interface or bound to a VLAN, the ACL rule is applied when the time-range with specified name becomes active. The ACL rule is removed when the time-range with specified name becomes inactive. For information about configuring time ranges, see Time Range Commands for Time-Based ACLs.
[assign-queue queue-id] Specifies the assign-queue, which is the queue identifier to which packets matching this rule are assigned.
[rate-limit rate burst-size] Specifies the allowed rate of traffic as per the configured rate in kbps, and burst-size in kbytes.