access-list ip

Syntax to create an IPv4 ACL and enter its context. Plus syntax to remove an ACL:

access-list ip <ACL-NAME>

no access-list ip <ACL-NAME>

Syntax (within the ACL context) for creating or removing ACEs for protocols ah, gre, esp, igmp, ospf, pim (ip is available as an alias for any):

[<SEQUENCE-NUMBER>] {permit|deny} {any|ip|ah|gre|esp|igmp|ospf|pim|<IP-PROTOCOL-NUM>} {any|<SRC-IP-ADDRESS>[/{<PREFIX-LENGTH>|<SUBNET-MASK>}]|<ADDRESS-GROUP>} {any|<DST-IP-ADDRESS>[/{<PREFIX-LENGTH>|<SUBNET-MASK>}]|<ADDRESS-GROUP>} [dscp <DSCP-SPECIFIER>] [ecn <ECN-VALUE>] [ip-precedence <IP-PRECEDENCE-VALUE>] [tos <TOS-VALUE>] [fragment] [vlan <VLAN-ID>] [ttl <TTL-VALUE>] [count] [log] no <SEQUENCE-NUMBER>

[<SEQUENCE-NUMBER>] {permit|deny} {any|ip|ah|gre|esp|igmp|ospf|pim|

6100, 4100i omits: address-group, port-group, ecn, ttl.

<IP-PROTOCOL-NUM>} {any|<SRC-IP-ADDRESS>[/{<PREFIX-LENGTH>|<SUBNET-MASK>}]} {any|<DST-IP-ADDRESS>[/{<PREFIX-LENGTH>|<SUBNET-MASK>}]} [dscp <DSCP-SPECIFIER>] [ip-precedence <IP-PRECEDENCE-VALUE>] [tos <TOS-VALUE>] [fragment] [vlan <VLAN-ID>] [count] [log] no <SEQUENCE-NUMBER>

Syntax (within the ACL context) for creating or removing ACEs for protocols sctp, tcp, udp:

[<SEQUENCE-NUMBER>] {permit|deny} {sctp|tcp|udp} {any|<SRC-IP-ADDRESS>[/{<PREFIX-LENGTH>|<SUBNET-MASK>}]|<ADDRESS-GROUP>} [{eq|gt|lt} <PORT>|range <MIN-PORT> <MAX-PORT>|group <PORT-GROUP>] {any|<DST-IP-ADDRESS>[/{<PREFIX-LENGTH>|<SUBNET-MASK>}]|<ADDRESS-GROUP>} [{eq|gt|lt} <PORT>|range <MIN-PORT> <MAX-PORT>|group <PORT-GROUP>] [urg] [ack] [psh] [rst] [syn] [fin] [established] [dscp <DSCP-SPECIFIER>] [ecn <ECN-VALUE>] [ip-precedence <IP-PRECEDENCE-VALUE>] [tos <TOS-VALUE>] [fragment] [vlan <VLAN-ID>] [ttl <TTL-VALUE>] [count] [log] no <SEQUENCE-NUMBER>

[<SEQUENCE-NUMBER>]

6100, 4100i omits: address-group, port-group, ecn, ttl.

{permit|deny} {sctp|tcp|udp} {any|<SRC-IP-ADDRESS>[/{<PREFIX-LENGTH>|<SUBNET-MASK>}]} [{eq|gt|lt} <PORT>|range <MIN-PORT> <MAX-PORT>] {any|<DST-IP-ADDRESS>[/{<PREFIX-LENGTH>|<SUBNET-MASK>}]} [{eq|gt|lt} <PORT>|range <MIN-PORT> <MAX-PORT>] [urg] [ack] [psh] [rst] [syn] [fin] [established] [dscp <DSCP-SPECIFIER>] [ip-precedence <IP-PRECEDENCE-VALUE>] [tos <TOS-VALUE>] [fragment] [vlan <VLAN-ID>] [count] [log] no <SEQUENCE-NUMBER>

Syntax (within the ACL context) for creating or removing ACEs for protocol icmp:

[<SEQUENCE-NUMBER>] {permit|deny} {icmp} {any|<SRC-IP-ADDRESS>[/{<PREFIX-LENGTH>|<SUBNET-MASK>}]|<ADDRESS-GROUP>} {any|<DST-IP-ADDRESS>[/{<PREFIX-LENGTH>|<SUBNET-MASK>}]|<ADDRESS-GROUP>} [icmp-type {echo|echo-reply|<ICMP-TYPE-VALUE>}] [icmp-code <ICMP-CODE-VALUE>] [dscp <DSCP-SPECIFIER>] [ecn <ECN-VALUE>] [ip-precedence <IP-PRECEDENCE-VALUE>] [tos <TOS-VALUE>] [fragment] [vlan <VLAN-ID>] [ttl <TTL-VALUE>] [count] [log] no <SEQUENCE-NUMBER>

[<SEQUENCE-NUMBER>]

6100, 4100i omits: address-group, port-group, ecn, ttl.

{permit|deny} {icmp} {any|<SRC-IP-ADDRESS>[/{<PREFIX-LENGTH>|<SUBNET-MASK>}]} {any|<DST-IP-ADDRESS>[/{<PREFIX-LENGTH>|<SUBNET-MASK>}]} [icmp-type {echo|echo-reply|<ICMP-TYPE-VALUE>}] [icmp-code <ICMP-CODE-VALUE>] [dscp <DSCP-SPECIFIER>] [ip-precedence <IP-PRECEDENCE-VALUE>] [tos <TOS-VALUE>] [fragment] [vlan <VLAN-ID>] [count] [log] no <SEQUENCE-NUMBER>

Syntax (within the ACL context) for ACE comments:

[<SEQUENCE-NUMBER>] comment <TEXT-STRING>

no <SEQUENCE-NUMBER> comment

Description

Creates an IPv4 Access Control List (ACL) comprised of one or more Access Control Entries (ACEs) ordered and prioritized by sequence number. The lowest sequence number is the highest prioritized ACE.

The no form of this command deletes the entire ACL, or deletes an ACE identified by sequence number, or deletes only the comment from the ACE identified by sequence number.

Parameter

Description

<ACL-NAME>

Specifies the name of this ACL.

<SEQUENCE-NUMBER>

Specifies a sequence number for the ACE. Range: 1 to 4294967295.

{permit|deny}

Specifies whether to permit or deny traffic matching this ACE.

<IP-PROTOCOL-NUM>

Specifies the protocol as its Internet Protocol number. For example, 2 corresponds to the IGMP protocol. Range: 0 to 255.

{any|<SRC-IP-ADDRESS>[/{<PREFIX-LENGTH> |<SUBNET-MASK>}]|<ADDRESS-GROUP>}

Specifies the source IPv4 address.

  • any - specifies any source IPv4 address.
  • <SRC-IP-ADDRESS> - specifies the source IPv4 host address.
    • <PREFIX-LENGTH> - specifies the address bits to mask (CIDR subnet mask notation). Range: 1 to 32.
    • <SUBNET-MASK> - specifies the address bits to mask (dotted decimal notation).
  • <ADDRESS-GROUP> - specifies an IPv4 address group defined with object-group ip address.

{any|<DST-IP-ADDRESS>[/{<PREFIX-LENGTH> |<SUBNET-MASK>}]|<ADDRESS-GROUP>}

Specifies the destination IPv4 address.

  • any - specifies any destination IPv4 address.
  • <DST-IP-ADDRESS> - specifies the destination IPv4 host address.
    • <PREFIX-LENGTH> - specifies the address bits to mask (CIDR subnet mask notation). Range: 1 to 32.
    • <SUBNET-MASK> - specifies the address bits to mask (dotted decimal notation).
  • <ADDRESS-GROUP> - specifies an IPv4 address group that you defined earlier with object-group ip address.

[{eq|gt|lt} <PORT>|range <MIN-PORT> <MAX-PORT>|group <PORT-GROUP>]

Specifies the port, or port range, or port group. Port numbers are in the range of 0 to 65535.

  • eq <PORT> - specifies the Layer 4 port.
  • gt <PORT> - specifies any Layer 4 port greater than the indicated port.
  • lt <PORT> - specifies any Layer 4 port less than the indicated port.
  • range <MIN-PORT> <MAX-PORT> - specifies the Layer 4 port range.
  • group <PORT-GROUP> - specifies the Layer 4 port group that you defined earlier with object-group port.

NOTE: Upon application of the ACL, ACEs with L4 port ranges may consume more than one hardware entry.

urg

Specifies matching on the TCP Flag: Urgent. (Applies only to the "in" (ingress) direction.)

ack

Specifies matching on the TCP Flag: Acknowledgment. (Applies only to the "in" (ingress) direction.)

psh

Specifies matching on the TCP Flag: Push buffered data to receiving application. (Applies only to the "in" (ingress) direction.)

rst

Specifies matching on the TCP Flag: Reset the connection. (Applies only to the "in" (ingress) direction.)

syn

Specifies matching on the TCP Flag: Synchronize sequence numbers. (Applies only to the "in" (ingress) direction.)

fin

Specifies matching on the TCP Flag: Finish connection. (Applies only to the "in" (ingress) direction.)

established

Specifies matching on the TCP Flag: Established connection. (Applies only to the "in" (ingress) direction.)

[icmp-type {echo|echo-reply| <ICMP-TYPE-VALUE>}]

Specifies the ICMP type.

  • echo - specifies an ICMP echo request packet.
  • echo-reply - specifies an ICMP echo reply packet.
  • <ICMP-TYPE-VALUE> - specifies an ICMP type value. Range: 0 to 255.

[icmp-code <ICMP-CODE-VALUE>]

Specifies the ICMP code value. Range: 0 to 255.

dscp DSCP-SPECIFIER>

Specifies the Differentiated Services Code Point (DSCP), either a numeric <DSCP-VALUE> (0 to 63) or one of these keywords:

  • AF11 - DSCP 10 (Assured Forwarding Class 1, low drop probability)
  • AF12 - DSCP 12 (Assured Forwarding Class 1, medium drop probability)
  • AF13 - DSCP 14 (Assured Forwarding Class 1, high drop probability)
  • AF21 - DSCP 18 (Assured Forwarding Class 2, low drop probability)
  • AF22 - DSCP 20 (Assured Forwarding Class 2, medium drop probability)
  • AF23 - DSCP 22 (Assured Forwarding Class 2, high drop probability)
  • AF31 - DSCP 26 (Assured Forwarding Class 3, low drop probability)
  • AF32 - DSCP 28 (Assured Forwarding Class 3, medium drop probability)
  • AF33 - DSCP 30 (Assured Forwarding Class 3, high drop probability)
  • AF41 - DSCP 34 (Assured Forwarding Class 4, low drop probability)
  • AF42 - DSCP 36 (Assured Forwarding Class 4, medium drop probability)
  • AF43 - DSCP 38 (Assured Forwarding Class 4, high drop probability)
  • CS0 - DSCP 0 (Class Selector 0: Default)
  • CS1 - DSCP 8 (Class Selector 1: Scavenger)
  • CS2 - DSCP 16 (Class Selector 2: OAM)
  • CS3 - DSCP 24 (Class Selector 3: Signaling)
  • CS4 - DSCP 32 (Class Selector 4: Real time)
  • CS5 - DSCP 40 (Class Selector 5: Broadcast video)
  • CS6 - DSCP 48 (Class Selector 6: Network control)
  • CS7 - DSCP 56 (Class Selector 7)
  • EF - DSCP 46 (Expedited Forwarding)

ecn <ECN-VALUE>

Specifies an Explicit Congestion Notification value. Range: 0 to 3.

ip-precedence <IP-PRECEDENCE-VALUE>

Specifies an IP precedence value. Range: 0 to 7.

tos <TOS-VALUE>

Specifies the Type of Service value. Range: 0 to 31.

fragment

Specifies a fragment packet.

vlan <VLAN-ID>

Specifies VLAN tag to match on. 802.1Q VLAN ID.

NOTE:

This parameter cannot be used in any ACL that will be applied to a VLAN.

ttl <TTL-VALUE>

Specifies a time-to-live (hop limit) value. Range: 0 to 255. Not supported for ACLs.

ttl <TTL-VALUE>

Specifies a time-to-live (hop limit) value. Range: 0 to 255.

count

Keeps the hit counts of the number of packets matching this ACE.

log

Keeps a log of the number of packets matching this ACE. Works with both permit and deny actions. Works with ACLs applied on ingress, egress, or Control Plane.

Keeps a log of the number of packets matching this ACE. Works with both permit and deny actions. Works with ACLs applied on ingress, or Control Plane, but not with ACLs applied on egress.

Keeps a log of the number of packets matching this ACE. Works with deny actions but not with permit actions. Works with ACLs applied on ingress, egress, or Control Plane.

Keeps a log of the number of packets matching this ACE. Works with deny actions but not with permit actions. Works with ACLs applied on ingress, or Control Plane, but not with ACLs applied on egress.

[<SEQUENCE-NUMBER>] comment <TEXT-STRING>

Adds a comment to an ACE. The no form removes only the comment from the ACE.

Usage

  • If the <IP-PROTOCOL-NUM> parameter is used instead of a protocol name, ensure that any needed ACE-definition parameters specific to the selected protocol are also provided.
  • When using multiple ACL types (IPv4, IPv6, or MAC) with logging on the same interface, the first packet that matches an ACE with log option is logged. Until the log-timer wait-period is over, any packets matching other ACL types do not create a log. At the end of the wait-period, the switch creates a summary log for all the ACLs that were matched, regardless of type.

Examples

Creating an IPv4 ACL with four entries:

switch(config)# access-list ip MY_IP_ACL switch(config-acl-ip)# 10 permit udp any 172.16.1.0/24 switch(config-acl-ip)# 20 permit tcp 172.16.2.0/16 gt 1023 any switch(config-acl-ip)# 30 permit tcp 172.26.1.0/24 any syn ack dscp 10 switch(config-acl-ip)# 40 deny any any any count

switch(config-acl-ip)# exit switch(config)# show access-list Type Name Sequence Comment Action L3 Protocol Source IP Address Source L4 Port(s) Destination IP Address Destination L4 Port(s)

Additional Parameters ------------------------------------------------------------------------------- IPv4 MY_IP_ACL 10 permit udp any 172.16.1.0/255.255.255.0 20 permit tcp 172.16.2.0/255.255.0.0 > 1023 any 30 permit tcp 172.26.1.0/255.255.255.0 any dscp: AF11 ack syn 40 deny any any any Hit-counts: enabled

Adding a comment to an existing IPv4 ACE:

switch(config)# access-list ip MY_IP_ACL switch(config-acl-ip)# 20 comment Permit all TCP ephemeral ports switch(config-acl-ip)# exit switch(config)# show access-list Type Name Sequence Comment Action L3 Protocol Source IP Address Source L4 Port(s) Destination IP Address Destination L4 Port(s) Additional Parameters ------------------------------------------------------------------------------- IPv4 MY_IP_ACL 10 permit udp any 172.16.1.0/255.255.255.0 20 Permit all TCP ephemeral ports permit tcp 172.16.2.0/255.255.0.0 > 1023 any 30 permit tcp 172.26.1.0/255.255.255.0 any dscp: AF11 ack syn 40 deny any any any Hit-counts: enabled

Removing a comment from an existing IPv4 ACE:

switch(config)# access-list ip MY_IP_ACL switch(config-acl-ip)# no 20 comment switch(config-acl-ip)# exit switch(config)# show access-list Type Name Sequence Comment Action L3 Protocol Source IP Address Source L4 Port(s) Destination IP Address Destination L4 Port(s) Additional Parameters ------------------------------------------------------------------------------- IPv4 MY_IP_ACL 10 permit udp any 172.16.1.0/255.255.255.0 20 permit tcp 172.16.2.0/255.255.0.0 > 1023 any 30 permit tcp 172.26.1.0/255.255.255.0 any dscp: AF11 ack syn 40 deny any any any Hit-counts: enabled

Adding an ACE (insert line 25) to an existing IPv4 ACL:

switch(config)# access-list ip MY_IP_ACL switch(config-acl-ip)# 25 permit icmp 172.16.2.0/16 any switch(config-acl-ip)# exit switch(config)# show access-list Type Name Sequence Comment Action L3 Protocol Source IP Address Source L4 Port(s) Destination IP Address Destination L4 Port(s) Additional Parameters ------------------------------------------------------------------------------- IPv4 MY_IP_ACL 10 permit udp any 172.16.1.0/255.255.255.0 20 permit tcp 172.16.2.0/255.255.0.0 > 1023 any 25 permit icmp 172.16.2.0/255.255.0.0 any 30 permit tcp 172.26.1.0/255.255.255.0 any dscp: AF11 ack syn 40 deny any any any Hit-counts: enabled

Replacing an ACE in an existing IPv4 ACL:

switch(config)# access-list ip MY_IP_ACL switch(config-acl-ip)# 25 permit icmp 172.17.1.0/16 any switch(config-acl-ip)# exit switch(config)# show access-list Type Name Sequence Comment Action L3 Protocol Source IP Address Source L4 Port(s) Destination IP Address Destination L4 Port(s) Additional Parameters ------------------------------------------------------------------------------- IPv4 MY_IP_ACL 10 permit udp any 172.16.1.0/255.255.255.0 20 permit tcp 172.16.2.0/255.255.0.0 > 1023 any 25 permit icmp 172.17.1.0/255.255.0.0 30 permit tcp 172.26.1.0/255.255.255.0 any dscp: AF11 ack syn 40 deny any any any Hit-counts: enabled Type Name Sequence Comment Action L3 Protocol Source IP Address Source L4 Port(s) Destination IP Address Destination L4 Port(s) Additional Parameters ------------------------------------------------------------------------------- IPv4 MY_IP_ACL 10 permit udp any 172.16.1.0/255.255.255.0 20 permit tcp 172.16.2.0/255.255.0.0 > 1023 any 25 permit icmp 172.17.1.0/255.255.0.0 30 permit tcp 172.26.1.0/255.255.255.0 any dscp: AF11 ack syn 40 deny any any any Hit-counts: enabled

Removing an ACE from an IPv4 ACL:

switch(config)# access-list ip MY_IP_ACL switch(config-acl-ip)# no 25 switch(config-acl-ip)# exit switch(config)# show access-list Type Name Sequence Comment Action L3 Protocol Source IP Address Source L4 Port(s) Destination IP Address Destination L4 Port(s) Additional Parameters ------------------------------------------------------------------------------- IPv4 MY_IP_ACL 10 permit udp any 172.16.1.0/255.255.255.0 20 permit tcp 172.16.2.0/255.255.0.0 > 1023 any 30 permit tcp 172.26.1.0/255.255.255.0 any dscp: AF11 ack syn 40 deny any any any Hit-counts: enabled Type Name Sequence Comment Action L3 Protocol Source IP Address Source L4 Port(s) Destination IP Address Destination L4 Port(s) Additional Parameters ------------------------------------------------------------------------------- IPv4 MY_IP_ACL 10 permit udp any 172.16.1.0/255.255.255.0 20 permit tcp 172.16.2.0/255.255.0.0 > 1023 any 30 permit tcp 172.26.1.0/255.255.255.0 any dscp: AF11 ack syn 40 deny any any any Hit-counts: enabled

Copy an IPv4 ACL:

switch(config)# access-list ip MY_IP_ACL copy MY_IP_ACL2 switch(config)# show access-list Type Name Sequence Comment Action L3 Protocol Source IP Address Source L4 Port(s) Destination IP Address Destination L4 Port(s) Additional Parameters ------------------------------------------------------------------------------- IPv4 MY_IP_ACL 10 permit udp any 172.16.1.0/255.255.255.0 20 permit tcp 172.16.2.0/255.255.0.0 > 1023 any 30 permit tcp 172.26.1.0/255.255.255.0 any dscp: AF11 ack syn 40 deny any any any Hit-counts: enabled ------------------------------------------------------------------------------- IPv4 MY_IP_ACL2 10 permit udp any 172.16.1.0/255.255.255.0 20 permit tcp 172.16.2.0/255.255.0.0 > 1023 any 30 permit tcp 172.26.1.0/255.255.255.0 any dscp: AF11 ack syn 40 deny any any any Hit-counts: enabled switch(config)# access-list ip MY_IP_ACL copy MY_IP_ACL2 switch(config)# show access-list Type Name Sequence Comment Action L3 Protocol Source IP Address Source L4 Port(s) Destination IP Address Destination L4 Port(s) Additional Parameters ------------------------------------------------------------------------------- IPv4 MY_IP_ACL 10 permit udp any 172.16.1.0/255.255.255.0 20 permit tcp 172.16.2.0/255.255.0.0 > 1023 any 30 permit tcp 172.26.1.0/255.255.255.0 any dscp: AF11 ack syn 40 deny any any any Hit-counts: enabled ------------------------------------------------------------------------------- IPv4 MY_IP_ACL2 10 permit udp any 172.16.1.0/255.255.255.0 20 permit tcp 172.16.2.0/255.255.0.0 > 1023 any 30 permit tcp 172.26.1.0/255.255.255.0 any dscp: AF11 ack syn 40 deny any any any Hit-counts: enabled

Removing an IPv4 ACL:

switch(config)# no access-list ip MY_IP_ACL switch(config)# show access-list Type Name Sequence Comment Action L3 Protocol Source IP Address Source L4 Port(s) Destination IP Address Destination L4 Port(s) Additional Parameters ------------------------------------------------------------------------------- IPv4 MY_IP_ACL2 1 permit udp any 172.16.1.0/255.255.255.0 2 permit tcp 172.16.2.0/255.255.0.0 > 1023 any 3 permit tcp 172.26.1.0/255.255.255.0 any dscp: AF11 ack syn 4 deny any any any Hit-counts: enabled

For more information on features that use this command, refer to the ACLs and Classifiers Policy Guide for your switch model.

Command History

Release

Modification

10.12

Allow ACLs applied to the Control Plane to be logged.

10.07 or earlier

--

Command Information

Platforms

Command context

Authority

All platforms

config

The access-list ip <ACL-NAME> command takes you into the named ACL context where you enter the ACEs.

Administrators or local user group members with execution rights for this command.