access-list ip
Syntax to create an IPv4 ACL and enter its context. Plus syntax to remove an ACL:
access-list ip <ACL-NAME>
no access-list ip <ACL-NAME>
Syntax (within the ACL context) for creating or removing ACEs for protocols ah, gre, esp, igmp, ospf, pim (ip is available as an alias for any):
[<SEQUENCE-NUMBER>]
{permit|deny}
{any|ip|ah|gre|esp|igmp|ospf|pim|<IP-PROTOCOL-NUM>}
{any|<SRC-IP-ADDRESS>[/{<PREFIX-LENGTH>|<SUBNET-MASK>}]|<ADDRESS-GROUP>}
{any|<DST-IP-ADDRESS>[/{<PREFIX-LENGTH>|<SUBNET-MASK>}]|<ADDRESS-GROUP>}
[dscp <DSCP-SPECIFIER>] [ecn <ECN-VALUE>] [ip-precedence <IP-PRECEDENCE-VALUE>]
[tos <TOS-VALUE>] [fragment] [vlan <VLAN-ID>] [ttl <TTL-VALUE>]
[count] [log]
no <SEQUENCE-NUMBER>
6100, 4100i omits: address-group, port-group, ecn, ttl. Syntax on those platforms:
[<SEQUENCE-NUMBER>]
{permit|deny}
{any|ip|ah|gre|esp|igmp|ospf|pim|<IP-PROTOCOL-NUM>}
{any|<SRC-IP-ADDRESS>[/{<PREFIX-LENGTH>|<SUBNET-MASK>}]}
{any|<DST-IP-ADDRESS>[/{<PREFIX-LENGTH>|<SUBNET-MASK>}]}
[dscp <DSCP-SPECIFIER>] [ip-precedence <IP-PRECEDENCE-VALUE>]
[tos <TOS-VALUE>] [fragment] [vlan <VLAN-ID>]
[count] [log]
no <SEQUENCE-NUMBER>
Syntax (within the ACL context) for creating or removing ACEs for protocols sctp, tcp, udp:
[<SEQUENCE-NUMBER>]
{permit|deny}
{sctp|tcp|udp}
{any|<SRC-IP-ADDRESS>[/{<PREFIX-LENGTH>|<SUBNET-MASK>}]|<ADDRESS-GROUP>}
[{eq|gt|lt} <PORT>|range <MIN-PORT> <MAX-PORT>|group <PORT-GROUP>]
{any|<DST-IP-ADDRESS>[/{<PREFIX-LENGTH>|<SUBNET-MASK>}]|<ADDRESS-GROUP>}
[{eq|gt|lt} <PORT>|range <MIN-PORT> <MAX-PORT>|group <PORT-GROUP>]
[urg] [ack] [psh] [rst] [syn] [fin] [established]
[dscp <DSCP-SPECIFIER>] [ecn <ECN-VALUE>] [ip-precedence <IP-PRECEDENCE-VALUE>]
[tos <TOS-VALUE>] [fragment] [vlan <VLAN-ID>] [ttl <TTL-VALUE>]
[count] [log]
no <SEQUENCE-NUMBER>
6100, 4100i omits: address-group, port-group, ecn, ttl. Syntax on those platforms:
[<SEQUENCE-NUMBER>]
{permit|deny}
{sctp|tcp|udp}
{any|<SRC-IP-ADDRESS>[/{<PREFIX-LENGTH>|<SUBNET-MASK>}]}
[{eq|gt|lt} <PORT>|range <MIN-PORT> <MAX-PORT>]
{any|<DST-IP-ADDRESS>[/{<PREFIX-LENGTH>|<SUBNET-MASK>}]}
[{eq|gt|lt} <PORT>|range <MIN-PORT> <MAX-PORT>]
[urg] [ack] [psh] [rst] [syn] [fin] [established]
[dscp <DSCP-SPECIFIER>] [ip-precedence <IP-PRECEDENCE-VALUE>]
[tos <TOS-VALUE>] [fragment] [vlan <VLAN-ID>]
[count] [log]
no <SEQUENCE-NUMBER>
Syntax (within the ACL context) for creating or removing ACEs for protocol icmp:
[<SEQUENCE-NUMBER>]
{permit|deny}
{icmp}
{any|<SRC-IP-ADDRESS>[/{<PREFIX-LENGTH>|<SUBNET-MASK>}]|<ADDRESS-GROUP>}
{any|<DST-IP-ADDRESS>[/{<PREFIX-LENGTH>|<SUBNET-MASK>}]|<ADDRESS-GROUP>}
[icmp-type {echo|echo-reply|<ICMP-TYPE-VALUE>}] [icmp-code <ICMP-CODE-VALUE>]
[dscp <DSCP-SPECIFIER>] [ecn <ECN-VALUE>] [ip-precedence <IP-PRECEDENCE-VALUE>]
[tos <TOS-VALUE>] [fragment] [vlan <VLAN-ID>] [ttl <TTL-VALUE>]
[count] [log]
no <SEQUENCE-NUMBER>
6100, 4100i omits: address-group, port-group, ecn, ttl. Syntax on those platforms:
[<SEQUENCE-NUMBER>]
{permit|deny}
{icmp}
{any|<SRC-IP-ADDRESS>[/{<PREFIX-LENGTH>|<SUBNET-MASK>}]}
{any|<DST-IP-ADDRESS>[/{<PREFIX-LENGTH>|<SUBNET-MASK>}]}
[icmp-type {echo|echo-reply|<ICMP-TYPE-VALUE>}] [icmp-code <ICMP-CODE-VALUE>]
[dscp <DSCP-SPECIFIER>] [ip-precedence <IP-PRECEDENCE-VALUE>]
[tos <TOS-VALUE>] [fragment] [vlan <VLAN-ID>]
[count] [log]
no <SEQUENCE-NUMBER>
Syntax (within the ACL context) for ACE comments:
[<SEQUENCE-NUMBER>] comment <TEXT-STRING>
no <SEQUENCE-NUMBER> comment
Description
Creates an IPv4 Access Control List (ACL) made up of one or more Access Control Entries (ACEs), ordered and prioritized by sequence number. The ACE with the lowest sequence number has the highest priority and is evaluated first.
The no form of this command deletes the entire ACL, deletes the ACE identified by sequence number, or deletes only the comment from the ACE identified by sequence number.
Parameter | Description
---|---
<ACL-NAME> | Specifies the name of this ACL.
<SEQUENCE-NUMBER> | Specifies a sequence number for the ACE. Range: 1 to 4294967295.
{permit\|deny} | Specifies whether to permit or deny traffic matching this ACE.
<IP-PROTOCOL-NUM> | Specifies the protocol as its Internet Protocol number. For example, 2 corresponds to the IGMP protocol. Range: 0 to 255.
{any\|<SRC-IP-ADDRESS>[/{<PREFIX-LENGTH>\|<SUBNET-MASK>}]} | Specifies the source IPv4 address.
{any\|<DST-IP-ADDRESS>[/{<PREFIX-LENGTH>\|<SUBNET-MASK>}]} | Specifies the destination IPv4 address.
[{eq\|gt\|lt} <PORT>\|range <MIN-PORT> <MAX-PORT>\|group <PORT-GROUP>] | Specifies the port, port range, or port group. Port numbers are in the range 0 to 65535. Upon application of the ACL, ACEs with L4 port ranges may consume more than one hardware entry.
urg | Specifies matching on the TCP flag: Urgent. (Applies only to the "in" (ingress) direction.)
ack | Specifies matching on the TCP flag: Acknowledgment. (Applies only to the "in" (ingress) direction.)
psh | Specifies matching on the TCP flag: Push buffered data to the receiving application. (Applies only to the "in" (ingress) direction.)
rst | Specifies matching on the TCP flag: Reset the connection. (Applies only to the "in" (ingress) direction.)
syn | Specifies matching on the TCP flag: Synchronize sequence numbers. (Applies only to the "in" (ingress) direction.)
fin | Specifies matching on the TCP flag: Finish connection. (Applies only to the "in" (ingress) direction.)
established | Specifies matching on the TCP flag: Established connection. (Applies only to the "in" (ingress) direction.)
[icmp-type {echo\|echo-reply\|<ICMP-TYPE-VALUE>}] | Specifies the ICMP type.
[icmp-code <ICMP-CODE-VALUE>] | Specifies the ICMP code value. Range: 0 to 255.
dscp <DSCP-SPECIFIER> | Specifies the Differentiated Services Code Point (DSCP), either a numeric <DSCP-VALUE> (0 to 63) or one of the DSCP keywords (for example, a numeric value of 10 is displayed as AF11 in the show access-list output).
ecn <ECN-VALUE> | Specifies an Explicit Congestion Notification value. Range: 0 to 3.
ip-precedence <IP-PRECEDENCE-VALUE> | Specifies an IP precedence value. Range: 0 to 7.
tos <TOS-VALUE> | Specifies the Type of Service value. Range: 0 to 31.
fragment | Specifies a fragment packet.
vlan <VLAN-ID> | Specifies the 802.1Q VLAN ID to match on. This parameter cannot be used in any ACL that will be applied to a VLAN.
ttl <TTL-VALUE> | Specifies a time-to-live (hop limit) value. Range: 0 to 255. Not supported on every platform (the 6100 and 4100i syntax above omits ttl).
ip-option <ANY> | Specifies the IP option. Introduced in release 10.15 on the 8325 and 10000 switches (see Command History).
count | Keeps the hit counts of the number of packets matching this ACE.
log | Keeps a log of the number of packets matching this ACE. Depending on the platform, log works with both permit and deny actions or only with deny actions, and with ACLs applied on ingress, egress, or Control Plane, or on ingress or Control Plane but not on egress. Logging of ACLs applied to the Control Plane requires release 10.12 or later (see Command History).
[<SEQUENCE-NUMBER>] comment <TEXT-STRING> | Adds a comment to an ACE. The no form removes only the comment from the ACE.
Usage
- If the <IP-PROTOCOL-NUM> parameter is used instead of a protocol name, ensure that any needed ACE-definition parameters specific to the selected protocol are also provided.
- When using multiple ACL types (IPv4, IPv6, or MAC) with logging on the same interface, the first packet that matches an ACE with the log option is logged. Until the log-timer wait-period is over, packets matching other ACL types do not create a log. At the end of the wait-period, the switch creates a summary log for all the ACLs that were matched, regardless of type.
Examples
Creating an IPv4 ACL with four entries:
switch(config)# access-list ip MY_IP_ACL
switch(config-acl-ip)# 10 permit udp any 172.16.1.0/24
switch(config-acl-ip)# 20 permit tcp 172.16.2.0/16 gt 1023 any
switch(config-acl-ip)# 30 permit tcp 172.26.1.0/24 any syn ack dscp 10
switch(config-acl-ip)# 40 deny any any any count
switch(config-acl-ip)# exit
switch(config)# show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv4       MY_IP_ACL
        10 permit                          udp
           any
           172.16.1.0/255.255.255.0
        20 permit                          tcp
           172.16.2.0/255.255.0.0          >  1023
           any
        30 permit                          tcp
           172.26.1.0/255.255.255.0
           any
           dscp: AF11
           ack syn
        40 deny                            any
           any
           any
           Hit-counts: enabled
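Worked example (added here; it is not code from this page or from Aruba): a small Python model of the ACE grammar above that checks how the four ACEs of the example ACL evaluate packets, in sequence-number order, and how re-using a sequence number replaces an ACE while the no form removes one. It covers the address, port-qualifier, TCP-flag and dscp fields only (no address or port groups), and the packet dicts are constructed test input, not captured traffic.

```python
import ipaddress

PORT_OPS, L4 = {"eq", "gt", "lt", "range"}, {"tcp", "udp", "sctp"}
TCP_FLAGS = {"urg", "ack", "psh", "rst", "syn", "fin", "established"}

def _parse_addr(t):                           # any | <IP-ADDRESS>[/<PREFIX-LENGTH>]
    tok = t.pop(0)
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

def _parse_port(t):                           # [{eq|gt|lt} <PORT> | range <MIN-PORT> <MAX-PORT>]
    if not t or t[0] not in PORT_OPS:
        return None                           # no qualifier: any port matches
    op = t.pop(0)
    if op == "range":
        lo, hi = int(t.pop(0)), int(t.pop(0))
        return lambda p: lo <= p <= hi
    n = int(t.pop(0))
    return {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}[op]

def parse_ace(line):                          # subset of the grammar: no address/port groups
    t = line.split()
    ace = {"seq": int(t[0]), "action": t[1], "proto": t[2]}
    t, l4 = t[3:], t[2] in L4                 # port qualifiers exist only for sctp/tcp/udp
    ace["src"], ace["sport"] = _parse_addr(t), (_parse_port(t) if l4 else None)
    ace["dst"], ace["dport"] = _parse_addr(t), (_parse_port(t) if l4 else None)
    ace["flags"] = {x for x in t if x in TCP_FLAGS}   # every listed flag must be set
    ace["dscp"] = int(t[t.index("dscp") + 1]) if "dscp" in t else None
    return ace

def matches(ace, pkt):                        # pkt: proto, src, dst [, sport, dport, flags, dscp]
    if ace["proto"] not in ("any", "ip") and ace["proto"] != pkt["proto"]:
        return False
    for addr, port in (("src", "sport"), ("dst", "dport")):
        if ace[addr] is not None and ipaddress.ip_address(pkt[addr]) not in ace[addr]:
            return False
        if ace[port] is not None and not ace[port](pkt[port]):
            return False
    return ace["flags"] <= pkt.get("flags", set()) and (
        ace["dscp"] is None or ace["dscp"] == pkt.get("dscp"))

def add_ace(acl, line):                       # acl: dict seq -> ACE; same seq replaces the ACE
    ace = parse_ace(line)
    acl[ace["seq"]] = ace

def lookup(acl, pkt):                         # lowest sequence number is tried first
    for seq in sorted(acl):
        if matches(acl[seq], pkt):
            return seq, acl[seq]["action"]
    return None                               # no ACE matched
```

Note that `gt 1023` excludes port 1023 itself, and that ACE 30 requires both syn and ack to be set; a packet with only syn falls through to the deny at 40.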
Adding a comment to an existing IPv4 ACE:
switch(config)# access-list ip MY_IP_ACL
switch(config-acl-ip)# 20 comment Permit all TCP ephemeral ports
switch(config-acl-ip)# exit
switch(config)# show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv4       MY_IP_ACL
        10 permit                          udp
           any
           172.16.1.0/255.255.255.0
        20 Permit all TCP ephemeral ports
           permit                          tcp
           172.16.2.0/255.255.0.0          >  1023
           any
        30 permit                          tcp
           172.26.1.0/255.255.255.0
           any
           dscp: AF11
           ack syn
        40 deny                            any
           any
           any
           Hit-counts: enabled
Removing a comment from an existing IPv4 ACE:
switch(config)# access-list ip MY_IP_ACL
switch(config-acl-ip)# no 20 comment
switch(config-acl-ip)# exit
switch(config)# show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv4       MY_IP_ACL
        10 permit                          udp
           any
           172.16.1.0/255.255.255.0
        20 permit                          tcp
           172.16.2.0/255.255.0.0          >  1023
           any
        30 permit                          tcp
           172.26.1.0/255.255.255.0
           any
           dscp: AF11
           ack syn
        40 deny                            any
           any
           any
           Hit-counts: enabled
Adding an ACE (insert line 25) to an existing IPv4 ACL:
switch(config)# access-list ip MY_IP_ACL
switch(config-acl-ip)# 25 permit icmp 172.16.2.0/16 any
switch(config-acl-ip)# exit
switch(config)# show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv4       MY_IP_ACL
        10 permit                          udp
           any
           172.16.1.0/255.255.255.0
        20 permit                          tcp
           172.16.2.0/255.255.0.0          >  1023
           any
        25 permit                          icmp
           172.16.2.0/255.255.0.0
           any
        30 permit                          tcp
           172.26.1.0/255.255.255.0
           any
           dscp: AF11
           ack syn
        40 deny                            any
           any
           any
           Hit-counts: enabled
Replacing an ACE in an existing IPv4 ACL:
switch(config)# access-list ip MY_IP_ACL
switch(config-acl-ip)# 25 permit icmp 172.17.1.0/16 any
switch(config-acl-ip)# exit
switch(config)# show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv4       MY_IP_ACL
        10 permit                          udp
           any
           172.16.1.0/255.255.255.0
        20 permit                          tcp
           172.16.2.0/255.255.0.0          >  1023
           any
        25 permit                          icmp
           172.17.1.0/255.255.0.0
           any
        30 permit                          tcp
           172.26.1.0/255.255.255.0
           any
           dscp: AF11
           ack syn
        40 deny                            any
           any
           any
           Hit-counts: enabled
Removing an ACE from an IPv4 ACL:
switch(config)# access-list ip MY_IP_ACL
switch(config-acl-ip)# no 25
switch(config-acl-ip)# exit
switch(config)# show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv4       MY_IP_ACL
        10 permit                          udp
           any
           172.16.1.0/255.255.255.0
        20 permit                          tcp
           172.16.2.0/255.255.0.0          >  1023
           any
        30 permit                          tcp
           172.26.1.0/255.255.255.0
           any
           dscp: AF11
           ack syn
        40 deny                            any
           any
           any
           Hit-counts: enabled
Copy an IPv4 ACL:
switch(config)# access-list ip MY_IP_ACL copy MY_IP_ACL2
switch(config)# show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv4       MY_IP_ACL
        10 permit                          udp
           any
           172.16.1.0/255.255.255.0
        20 permit                          tcp
           172.16.2.0/255.255.0.0          >  1023
           any
        30 permit                          tcp
           172.26.1.0/255.255.255.0
           any
           dscp: AF11
           ack syn
        40 deny                            any
           any
           any
           Hit-counts: enabled
-------------------------------------------------------------------------------
IPv4       MY_IP_ACL2
        10 permit                          udp
           any
           172.16.1.0/255.255.255.0
        20 permit                          tcp
           172.16.2.0/255.255.0.0          >  1023
           any
        30 permit                          tcp
           172.26.1.0/255.255.255.0
           any
           dscp: AF11
           ack syn
        40 deny                            any
           any
           any
           Hit-counts: enabled
Removing an IPv4 ACL:
switch(config)# no access-list ip MY_IP_ACL
switch(config)# show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv4       MY_IP_ACL2
         1 permit                          udp
           any
           172.16.1.0/255.255.255.0
         2 permit                          tcp
           172.16.2.0/255.255.0.0          >  1023
           any
         3 permit                          tcp
           172.26.1.0/255.255.255.0
           any
           dscp: AF11
           ack syn
         4 deny                            any
           any
           any
           Hit-counts: enabled
Configuring an ACE with a source L4 port group and a destination L4 port group to match on any ip-option:
switch(config-acl-ip)# permit sctp any group my_port_group any ip-option ?
  any    Any IP option
For more information on features that use this command, refer to the ACLs and Classifiers Policy Guide for your switch model.
Command History
Release | Modification
---|---
10.15 | The ip-option parameter is introduced on the 8325 and 10000 switches.
10.12 | Allow ACLs applied to the Control Plane to be logged.
10.07 or earlier | --
Command Information
Platforms | Command context | Authority
---|---|---
All platforms | config. The access-list ip <ACL-NAME> command takes you into the named ACL context where you enter the ACEs. | Administrators or local user group members with execution rights for this command.