access-list
Access control list (ACL) rules are used in several system components to classify IP traffic by parameters such as addresses, protocols and ports. The primary use of access lists is to filter unwanted traffic on the system's interfaces.
You can assign up to 200 ACL rules to a single access group.
You can also configure multiple access lists (up to 16) per IPSec tunnel, so that multiple subnets can "reside" behind one IPSec tunnel. This multiple-traffic-selectors feature lets you connect multiple subnets on both sides of the tunnel (local and remote), with a separate access list rule defined for each subnet-to-subnet connection.
Access list processing is sequential: for each traffic flow, the list is scanned from the top until a matching rule is found, and that rule's action is applied. When configuring an access list, enter the rules in the order in which they are to be matched.
To attach an access list to an IP interface, see the "access-group" command documentation.
To remove an access list, use the "no" format of the command.
Syntax
access-list <acl-id> {permit|deny} <protocol> <source-selector> <dest-selector> [<options> ...]
For compatibility purposes, access lists numbered 1-99 and 1300-1999 are defined as limited ("basic") access lists. These access lists cannot contain protocol and port definitions.
Command | Description
---|---
acl-id | Defines the identifier of this access list. It can be a number or a name.
permit\|deny | Defines the action taken on a matching packet: permit allows packets that match the defined criteria; deny blocks packets that match the defined source and destination IP addresses and service ports.
protocol | Defines the traffic protocol to match (the note and examples on this page use tcp, udp and ip).
source-selector dest-selector | Defines the source and destination addresses of packets sent or received by the device. Specify an address or a name to apply the rule to the corresponding host, or any to apply the rule to all hosts. Each selector takes one of the following address formats: any - matches all traffic; host a.b.c.d - matches traffic to/from a single host, specified by IP address (when the access list is created for management using SNMP, Telnet, SSH or CWMP, a DNS name (FQDN) can be configured for the host instead of an IP address); local - matches the device's local IP address; a.b.c.d <mask> - matches traffic to/from a subnet, specified by an IP address and a wildcard mask (e.g., 0.0.255.255). The address may be followed by a port selector, which is only used when <protocol> is tcp or udp: eq <port> - matches a single port; range <start> <end> - matches the given port range. If no port selector is defined, the rule matches all ports.
options | Defines one or more of the following options: dscp <c> mask <m> - matches by Differentiated Services Code Point: the packet's DSCP field in the IP header is compared to <c> under the bit mask <m> (both in hexadecimal), for example dscp 10 mask 3F; established - accepts connections; stateless - accepts packets; log - logs matches; precedence - matches by IP Precedence value (0 high to 7 low). Note: precedence is applicable to MSBR devices only (Mediant 500, Mediant 500L and Mediant 800).
Default
The default access list behavior is "deny": a flow that does not match any of the rules is assumed to be unwanted traffic and is dropped.
Related Commands
SNMP community strings can be associated with an ACL rule using the snmp-acl command.
Command Mode
Privileged User
Example
■ Defines an access list that allows all TCP connections originating in a full subnet, with the exception of a single host. The deny rule for the host must come before the permit rule for the subnet, because processing stops at the first match:
(config-data)# access-list 2001 deny tcp host 10.31.4.50 any
(config-data)# access-list 2001 permit tcp 10.31.0.0 0.0.255.255 any stateless
■ Multiple access lists per IPSec tunnel - example of connecting two subnets on each side of an IPSec tunnel, where the local subnets are 150.150.150.0/24 and 101.101.101.0/24, and the remote subnets are 200.200.200.0/24 and 201.201.201.0/24:
(config-data)# access-list 101 permit ip 150.150.150.0 0.0.0.255 200.200.200.0 0.0.0.255
(config-data)# access-list 101 permit ip 101.101.101.0 0.0.0.255 201.201.201.0 0.0.0.255
(config-data)# access-list 101 permit ip 150.150.150.0 0.0.0.255 201.201.201.0 0.0.0.255
(config-data)# access-list 101 permit ip 101.101.101.0 0.0.0.255 200.200.200.0 0.0.0.255
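To make the sequential, first-match semantics and the wildcard-mask selectors concrete, the following added Python model (not part of the product or this page) parses rules written in the syntax above and evaluates flows against them. It uses the page's ACL 2001 example plus one constructed udp rule, models any/host/subnet selectors with eq/range, and treats the trailing options as well as the local selector as out of scope.

```python
import ipaddress
# Page's ACL 2001 example (prompt stripped) plus a third, constructed rule that exercises "eq".
ACL_2001 = [
    "access-list 2001 deny tcp host 10.31.4.50 any",
    "access-list 2001 permit tcp 10.31.0.0 0.0.255.255 any stateless",
    "access-list 2001 permit udp 10.31.0.0 0.0.255.255 host 10.31.0.53 eq 53 log",
]

def wildcard_match(ip, network, wildcard):
    """0 bits of the wildcard mask must match the network; 1 bits are don't-care (0.0.255.255 = /16)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(ip)) & care == int(ipaddress.IPv4Address(network)) & care

def parse_selector(tok):
    """Consume one selector: any | host a.b.c.d | a.b.c.d <wildcard>, then optional eq/range."""
    if tok[0] == "any":
        addr, tok = ("any",), tok[1:]
    elif tok[0] == "host":
        addr, tok = ("host", tok[1]), tok[2:]
    else:
        addr, tok = ("net", tok[0], tok[1]), tok[2:]
    port = ("all",)                         # no port selector: the rule matches every port
    if tok[:1] == ["eq"]:
        port, tok = ("eq", int(tok[1])), tok[2:]
    elif tok[:1] == ["range"]:
        port, tok = ("range", int(tok[1]), int(tok[2])), tok[3:]
    return (addr, port), tok

def selector_match(sel, ip, port):
    """Apply the address part and the port part of one selector to one end of a flow."""
    (kind, *args), prt = sel
    if kind == "host" and ip != args[0] or kind == "net" and not wildcard_match(ip, *args):
        return False
    if prt[0] == "eq":
        return port == prt[1]
    if prt[0] == "range":
        return prt[1] <= port <= prt[2]
    return True

def evaluate(rules, flow):
    """Scan from the top, first match wins; no match falls through to the implicit default deny."""
    for line in rules:
        tok = line.split()                  # access-list <id> <permit|deny> <proto> <src> <dst> [opts]
        src, rest = parse_selector(tok[4:])
        dst, _opts = parse_selector(rest)   # established/stateless/log/dscp/precedence: not modelled
        if tok[3] in ("ip", flow["proto"]) and selector_match(src, flow["src"], flow["sport"]) \
                and selector_match(dst, flow["dst"], flow["dport"]):
            return tok[2], line
    return "deny", None
```

Evaluating the same host flow against the two rules in reversed order returns permit instead of deny, which is why the page says rules must be entered in the right order.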