access-list configuration command directory

deny

ip access-group

ip access-list

permit

show ip access-list

 

deny

Use this command in IP access-list configuration mode to configure a deny rule. Use the “no” form of the command to delete a deny rule from the IP access-list.

deny source [source-mask] [log]

no deny source [source-mask] [log]

deny protocol source source-mask destination destination-mask [precedence precedence] [tos tos] [log]

no deny protocol source source-mask destination destination-mask [precedence precedence] [tos tos] [log]

The following syntax can also be used for Internet Control Message Protocol (ICMP):

deny icmp source source-mask destination destination-mask [icmp-type] [precedence precedence] [tos tos] [log]

The following syntax can be used for Internet Group Management Protocol (IGMP):

deny igmp source source-mask destination destination-mask [igmp-type] [precedence precedence] [tos tos] [log]

The following syntax can be used for TCP:

deny tcp source source-mask [operator port] destination destination-mask [operator port] [established] [precedence precedence] [tos tos] [log]

The following syntax can be used for User Datagram Protocol (UDP):

deny udp source source-mask [operator port] destination destination-mask [operator port] [precedence precedence] [tos tos] [log]

 

Parameter:

protocol

Protocol name or protocol number. It can be one of the keywords icmp, igmp, igrp, ip, ospf, tcp or udp, or an integer from 0 to 255 giving the IP protocol number. Use the keyword “ip” to match any Internet protocol (including ICMP, TCP and UDP). Some protocols can be restricted further, as described below.

source

Source network or host address, given as a 32-bit address in dotted-decimal notation. Use the keyword “any” as an abbreviation for a source and source-mask of 0.0.0.0 0.0.0.0.

source-mask

Source address network mask. Use the keyword “any” as an abbreviation for a source and source-mask of 0.0.0.0 0.0.0.0.

destination

Destination network or host address, given as a 32-bit address in dotted-decimal notation. Use the keyword “any” as an abbreviation for a destination and destination-mask of 0.0.0.0 0.0.0.0.

destination-mask

Destination address network mask. Use the keyword “any” as an abbreviation for a destination address and destination-mask of 0.0.0.0 0.0.0.0.

precedence precedence

(Optional) Packets can be filtered by precedence level, given as a number from 0 to 7.

tos tos

(Optional) Packets can be filtered by type of service level, given as a number from 0 to 15.

icmp-type

(Optional) ICMP packets can be filtered by ICMP message type, given as a number from 0 to 255.

igmp-type

(Optional) IGMP packets can be filtered by IGMP message type or name. The type is a number from 0 to 15.

operator

(Optional) Compares the source or destination port. The operators are lt (less than), gt (greater than), eq (equal to) and neq (not equal to). If the operator is placed after source and source-mask, it must match the source port. If the operator is placed after destination and destination-mask, it must match the destination port.

port

(Optional) Decimal number or name of a TCP or UDP port. Port numbers range from 0 to 65535. TCP port names are listed in the Explanation section below and can be used only when filtering TCP. UDP port names are also listed in the Explanation section below and can be used only when filtering UDP.

established

(Optional) For TCP only: indicates an established connection. A match occurs when the ACK or RST bit of the TCP segment is set; the initial segment sent to open a connection does not match.

log

(Optional) Matching packets are logged.

 

Command mode:

IP access-list configuration mode

 

Explanation:

Access-lists can be used to control the transmission of packets on an interface and to control access to virtual terminal lines. Checking of an extended access-list stops after the first match. IP fragments other than the initial fragment are accepted immediately by any extended IP access-list. An extended access-list used to control virtual terminal line access or to restrict the contents of routing updates need not match the TCP source port, the type of service value or the precedence of the packet.

Note: After an access-list is first created, any later additions (entered at the terminal) are placed at the end of the list.

The TCP port names that can be used in place of a port number are listed below. See the current Assigned Numbers RFC for references to these protocols. The port number for a name can also be found by entering a “?” in place of the port number.

bgp

ftp

ftp-data

login

pop2

pop3

smtp

telnet

www

The UDP port names that can be used in place of a port number are listed below. See the current Assigned Numbers RFC for references to these protocols. The port number for a name can also be found by entering a “?” in place of the port number.

domain

snmp

syslog

tftp

 

Example:

The following example denies the network 192.168.5.0:

ip access-list standard filter

deny 192.168.5.0 255.255.255.0

Note: An IP access-list ends with an implicit “deny” rule.

  

Related commands:

ip access-group

ip access-list

permit

show ip access-list

 

ip access-group

Use the interface configuration command “ip access-group” to control access to an interface. Use the “no” form of the command to remove the specified access group.

ip access-group {access-list-name} {in | out}

no ip access-group {access-list-name} {in | out}

 

Parameter: 

access-list-name

Name of the access-list, a character string of at most 20 characters.

in

Apply the access-list to packets entering the interface.

out

Apply the access-list to packets leaving the interface.

 

Command mode:

interface configuration mode

 

Explanation:

An access-list can be applied to either the inbound or the outbound direction of an interface. For a standard inbound access-list, after a packet is received the software checks its source address against the access-list. For an extended access-list, the router also checks the destination address. If the address is permitted by the access-list, the software continues to process the packet. If the address is not permitted by the access-list, the software discards the packet and returns an ICMP host unreachable message.

For a standard outbound access-list, after receiving a packet and routing it to the controlled interface, the software checks the packet's source address against the access-list. For an extended access-list, the router also checks the destination address. If the address is permitted by the access-list, the packet is transmitted. If the address is not permitted by the access-list, the software discards the packet and returns an ICMP host unreachable message.

If the specified access-list does not exist, all packets are permitted to pass.

 

Example:

In the example below, the list “filter” is applied to packets leaving Ethernet interface 1/0:

interface ethernet 1/0

ip access-group filter out

 

Related commands:

ip access-list

show ip access-list

 

ip access-list

This command enters IP access-list configuration mode, in which access rules can be added or deleted. The exit command returns to global configuration mode.

Use the “no” form of the command to delete an IP access-list.

ip access-list {standard | extended} name

no ip access-list {standard | extended} name

 

Parameter:

standard

Specifies a standard access-list.

extended

Specifies an extended access-list.

name

Name of the access-list, a character string of at most 20 characters.

 

Default:

No IP access-list is defined.

Command mode:

global configuration mode

 

Explanation:

Use this command to enter IP access-list configuration mode. The deny and permit commands can then be used to configure access rules.

 

Example:

The following example configures a standard access-list:

ip access-list standard filter

deny 192.168.1.0 255.255.255.0

permit any

 

Related commands:

deny

ip access-group

permit

show ip access-list

 

permit

Use this command in IP access-list configuration mode to configure a permit rule. Use the “no” form of the command to delete a permit rule from the IP access-list.

permit source [source-mask] [log]

no permit source [source-mask] [log]

permit protocol source source-mask destination destination-mask [precedence precedence] [tos tos] [log]

no permit protocol source source-mask destination destination-mask [precedence precedence] [tos tos] [log]

For Internet Control Message Protocol (ICMP), the following syntax can also be used:

permit icmp source source-mask destination destination-mask [icmp-type] [precedence precedence] [tos tos] [log]

For Internet Group Management Protocol (IGMP), the following syntax can also be used:

permit igmp source source-mask destination destination-mask [igmp-type] [precedence precedence] [tos tos] [log]

For TCP, the following syntax can also be used:

permit tcp source source-mask [operator port] destination destination-mask [operator port] [established] [precedence precedence] [tos tos] [log]

For User Datagram Protocol (UDP), the following syntax can also be used:

permit udp source source-mask [operator port [port]] destination destination-mask [operator port] [precedence precedence] [tos tos] [log]

 

Parameter:

protocol

Protocol name or protocol number. It can be one of the keywords icmp, igmp, igrp, ip, ospf, tcp or udp, or an integer from 0 to 255 giving the IP protocol number. Use the keyword “ip” to match any Internet protocol (including ICMP, TCP and UDP). Some protocols can be restricted further, as described below.

source

Source network or host address, given as a 32-bit address in dotted-decimal notation. Use the keyword “any” as an abbreviation for a source and source-mask of 0.0.0.0 0.0.0.0.

source-mask

Source address network mask. Use the keyword “any” as an abbreviation for a source and source-mask of 0.0.0.0 0.0.0.0.

destination

Destination network or host address, given as a 32-bit address in dotted-decimal notation. Use the keyword “any” as an abbreviation for a destination and destination-mask of 0.0.0.0 0.0.0.0.

destination-mask

Destination address network mask. Use the keyword “any” as an abbreviation for a destination address and destination-mask of 0.0.0.0 0.0.0.0.

precedence precedence

(Optional) Packets can be filtered by precedence level, given as a number from 0 to 7.

tos tos

(Optional) Packets can be filtered by type of service level, given as a number from 0 to 15.

icmp-type

(Optional) ICMP packets can be filtered by ICMP message type, given as a number from 0 to 255.

igmp-type

(Optional) IGMP packets can be filtered by IGMP message type or name. The type is a number from 0 to 15.

operator

(Optional) Compares the source or destination port. The operators are lt (less than), gt (greater than), eq (equal to) and neq (not equal to). If the operator is placed after source and source-mask, it must match the source port. If the operator is placed after destination and destination-mask, it must match the destination port.

port

(Optional) Decimal number or name of a TCP or UDP port. Port numbers range from 0 to 65535. TCP port names are listed in the Explanation section below and can be used only when filtering TCP. UDP port names are also listed in the Explanation section below and can be used only when filtering UDP.

established

(Optional) For TCP only: indicates an established connection. A match occurs when the ACK or RST bit of the TCP segment is set; the initial segment sent to open a connection does not match.

log

(Optional) Matching packets are logged.

 

Command mode:

IP access-list configuration mode

 

Explanation:

Access-lists can be used to control the transmission of packets on an interface and to control access to virtual terminal lines. Checking of an extended access-list stops after the first match.

IP fragments other than the initial fragment are accepted immediately by any extended IP access-list. An extended access-list used to control virtual terminal line access or to restrict the contents of routing updates need not match the TCP source port, the type of service value or the precedence of the packet.

Note: After an access-list is first created, any later additions (entered at the terminal) are placed at the end of the list.

The TCP port names that can be used in place of a port number are listed below. See the current Assigned Numbers RFC for references to these protocols. The port number for a name can also be found by entering a “?” in place of the port number.

 

bgp

ftp

ftp-data

login

pop2

pop3

smtp

telnet

www

The UDP port names that can be used in place of a port number are listed below. See the current Assigned Numbers RFC for references to these protocols. The port number for a name can also be found by entering a “?” in place of the port number.

 

domain

snmp

syslog

tftp

 

Example:

The following example permits the network 192.168.5.0:

ip access-list standard filter

permit 192.168.5.0 255.255.255.0

Note: An IP access-list ends with an implicit “deny” rule.
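As an added illustration of the matching rules described for deny and permit above (example code written for this page, not the router's own implementation): a small Python evaluator that parses rules in the page's syntax, resolves the listed port names, applies the lt/gt/eq/neq operators, treats “any” as 0.0.0.0 0.0.0.0, honours established, and falls through to the implicit deny. The port numbers behind the names and the host mask used when source-mask is omitted are assumptions.

```python
import ipaddress

# Port names this page lists, mapped to their standard port numbers (assumed here).
NAMES = {"bgp": 179, "ftp": 21, "ftp-data": 20, "login": 513, "pop2": 109, "pop3": 110,
         "smtp": 25, "telnet": 23, "www": 80, "domain": 53, "snmp": 161, "syslog": 514, "tftp": 69}
OPS = {"lt": int.__lt__, "gt": int.__gt__, "eq": int.__eq__, "neq": int.__ne__}
PROTOS = {"ip", "icmp", "igmp", "igrp", "ospf", "tcp", "udp"}  # numeric protocol ids not modelled

def addr_match(addr, net, mask):
    # Network-mask match as the page defines it; 'any' parses to 0.0.0.0 0.0.0.0 and matches all.
    a, n, m = (int(ipaddress.IPv4Address(x)) for x in (addr, net, mask))
    return (a & m) == (n & m)

def take_addr(toks):
    net = toks.pop(0)  # 'any' or 'address [mask]'; an omitted mask is assumed to mean one host
    if net == "any":
        return "0.0.0.0", "0.0.0.0"
    return net, (toks.pop(0) if toks and toks[0].count(".") == 3 else "255.255.255.255")

def take_port(toks):
    if toks and toks[0] in OPS:  # optional 'operator port'; port is a number or a listed name
        op, port = toks.pop(0), toks.pop(0)
        return op, (int(port) if port.isdigit() else NAMES[port])
    return None

def parse_rule(line):
    """Parse one permit/deny line in this page's standard or extended form."""
    toks = line.split()
    extended = toks[1] in PROTOS  # a standard rule has the source address right after the action
    r = {"action": toks.pop(0), "proto": toks.pop(0) if extended else "ip",
         "dst": None, "sport": None, "dport": None}
    r["src"] = take_addr(toks)
    if extended:
        r["sport"], r["dst"], r["dport"] = take_port(toks), take_addr(toks), take_port(toks)
    r["established"] = "established" in toks  # precedence, tos and log are not modelled
    return r

def evaluate(rules, pkt):
    """First matching rule decides; running off the end is the page's implicit deny."""
    for r in rules:
        ok = r["proto"] in ("ip", pkt["proto"]) and addr_match(pkt["src"], *r["src"])
        ok = ok and (r["dst"] is None or addr_match(pkt["dst"], *r["dst"]))
        for key in ("sport", "dport"):
            ok = ok and (r[key] is None or OPS[r[key][0]](pkt[key], r[key][1]))
        # 'established' matches only segments with ACK or RST set, never the opening SYN
        ok = ok and (not r["established"] or bool(pkt.get("flags", set()) & {"ACK", "RST"}))
        if ok:
            return r["action"]
    return "deny"
```

A packet is a dict with proto, src, dst and, for TCP/UDP, sport, dport and the TCP flag set; note that a deny placed after a broader permit never fires, which is why rule order matters when the list is extended later.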

 

Related commands:

deny

ip access-group

ip access-list

show ip access-list

 

show ip access-list

Use the command “show ip access-list” to display the current IP access-list contents.

show ip access-list [access-list-name]

 

Parameter:

access-list-name

Name of the access-list, a character string of at most 20 characters.

 

Default:

Shows all standard and extended IP access-lists.

 

Command mode:

Supervisor mode

 

Explanation:

The show ip access-list command can be given the name of a specific access-list to display only that list.

 

Example:

The following is example output of the show ip access-list command when no name is given:

Router# show ip access-list

ip access-list standard aaa

permit 192.2.2.1

permit 192.3.3.0 255.255.255.0

ip access-list extended bbb

permit tcp any any eq www

permit ip any any

 

The following is example output of the show ip access-list command when a name is given:

ip access-list extended bbb

permit tcp any any eq www

permit ip any any