access-list configuration command directory
deny
Use this command in IP access-list configuration mode to add a deny rule. Prefix the command with “no” to remove the deny rule from the IP access-list.
deny source [source-mask] [log]
no deny source [source-mask] [log]
deny protocol source source-mask destination destination-mask [precedence precedence] [tos tos] [log]
no deny protocol source source-mask destination destination-mask [precedence precedence] [tos tos] [log]
The following syntax can also be used for the Internet Control Message Protocol (ICMP):
deny icmp source source-mask destination destination-mask [icmp-type] [precedence precedence] [tos tos] [log]
The following syntax can be used for the Internet Group Management Protocol (IGMP):
deny igmp source source-mask destination destination-mask [igmp-type] [precedence precedence] [tos tos] [log]
The following syntax can be used for TCP:
deny tcp source source-mask [operator port] destination destination-mask [operator port] [established] [precedence precedence] [tos tos] [log]
The following syntax can be used for the User Datagram Protocol (UDP):
deny udp source source-mask [operator port] destination destination-mask [operator port] [precedence precedence] [tos tos] [log]
Parameter:
protocol | Name or number of the protocol. It can be a keyword such as icmp, igmp, igrp, ip, ospf, tcp or udp, or a whole number from 0 to 255 giving the IP protocol number. Use the keyword “ip” to match any Internet protocol (including ICMP, TCP and UDP). Some protocols can be restricted further, as described below.
source | Source network or host address, a 32-bit value written in dotted-decimal notation (four numbers separated by dots). The keyword “any” is an abbreviation for a source and source-mask of 0.0.0.0 0.0.0.0.
source-mask | Network mask applied to the source address. Only the bits set to 1 in the mask are compared, so 255.255.255.0 selects a whole /24 and 0.0.0.0 matches every address; this is a network mask, not an inverted wildcard mask. The keyword “any” is an abbreviation for a source and source-mask of 0.0.0.0 0.0.0.0.
destination | Destination network or host address, written in the same dotted-decimal notation as source. The keyword “any” is an abbreviation for a destination and destination-mask of 0.0.0.0 0.0.0.0.
destination-mask | Network mask applied to the destination address, with the same semantics as source-mask. The keyword “any” is an abbreviation for a destination and destination-mask of 0.0.0.0 0.0.0.0.
precedence precedence | (Optional) Filter packets by IP precedence, given as a number from 0 to 7.
tos tos | (Optional) Filter packets by type of service level, given as a number from 0 to 15.
icmp-type | (Optional) Filter ICMP packets by ICMP message type, given as a number from 0 to 255.
igmp-type | (Optional) Filter IGMP packets by IGMP message type or name; the type is a number from 0 to 15.
operator | (Optional) Comparison applied to a source or destination port: lt (less than), gt (greater than), eq (equal to) or neq (not equal to). An operator placed after source and source-mask applies to the source port; one placed after destination and destination-mask applies to the destination port.
port | (Optional) Decimal number or name of a TCP or UDP port, from 0 to 65535. The TCP port names accepted are listed under “Explanation” below and may be used only when filtering TCP; the UDP port names are listed there too and may be used only when filtering UDP.
established | (Optional) TCP only. Matches segments that have the ACK or RST bit set, that is, segments of an already established connection; the initial segment that opens a connection does not match. The check is stateless: any segment carrying ACK or RST matches whether or not the router saw the connection being opened, so “established” does not by itself stop ACK-flagged probes.
log | (Optional) Log packets that match this entry.
Command mode:
IP access-list configuration mode
Explanation:
Access-lists can be used to control the forwarding of packets on an interface and to control access to virtual terminal lines. An extended access-list stops being checked as soon as an entry matches. IP fragments other than the initial fragment are accepted immediately by any extended IP access-list, since they carry no transport header for the port and flag conditions to be tested against. Extended access-lists are used to control access to virtual terminal lines and to restrict the contents of routing updates. Matching on the TCP source port, the type of service value and the precedence of the packet is optional.
Note: After an access-list is first created, any later addition (which may be typed at the terminal) is appended to the end of the list. Because the first matching entry decides, a broad entry such as “permit any” entered early shadows every more specific entry added after it; to move an entry later, remove it with the “no” form and enter it again, since re-entered rules go to the end.
The TCP port names below can be used in place of a port number. See the current Assigned Numbers RFC for the protocols these names refer to. The port number for a name can also be found by typing “?” in place of the port number.
bgp
ftp
ftp-data
login
pop2
pop3
smtp
telnet
www
The UDP port names below can be used in place of a port number. See the current Assigned Numbers RFC for the protocols these names refer to. The port number for a name can also be found by typing “?” in place of the port number.
domain
snmp
syslog
tftp
Example:
The following example denies the network 192.168.5.0/24:
ip access-list standard filter
deny 192.168.5.0 255.255.255.0
Note: every IP access-list ends with an implicit “deny” rule, so this list as written denies all traffic; add “permit” entries after the deny for the traffic that should pass.
Related commands:
ip access-group
ip access-list
permit
show ip access-list
ip access-group
Use the interface configuration command “ip access-group” to control access to an interface. Use the “no” form of the command to remove the designated access group.
ip access-group {access-list-name}{in | out}
no ip access-group {access-list-name}{in | out}
Parameter:
access-list-name | Name of the access-list. This is a character string of at most 20 characters.
in | Apply the access-list to packets entering the interface.
out | Apply the access-list to packets leaving the interface.
Command mode:
interface configuration mode
Explanation:
An access-list can be applied to packets entering an interface or to packets leaving it. With a standard inbound access-list, the source address of each packet received is checked against the list; with an extended access-list the router also checks the destination address and the other match criteria. If the access-list permits the packet, the software continues to process it. If it does not, the software discards the packet and returns an ICMP host unreachable message.
With a standard outbound access-list, the software checks the source address of a packet against the list after the packet has been received and routed to the controlled interface; with an extended access-list the router also checks the destination address. If the access-list permits the packet, it is transmitted. If not, the software discards the packet and returns an ICMP host unreachable message.
If the designated access-list does not exist, all packets are permitted to pass. A misspelled list name, or a group applied before its list has been defined, therefore leaves the interface unfiltered; confirm that the list exists with “show ip access-list” after applying a group.
Example:
In the following example, the access-list named filter is applied to packets leaving Ethernet interface 1/0:
interface ethernet 1/0
ip access-group filter out
Related commands:
ip access-list
show ip access-list
ip access-list
This command enters IP access-list configuration mode, in which access rules can be added or deleted; the “exit” command returns to global configuration mode. Use the “no” form to delete the IP access-list.
ip access-list {standard | extended} name
no ip access-list {standard | extended} name
Parameter:
standard | Defines a standard access-list.
extended | Defines an extended access-list.
name | Name of the access-list. It is a character string of at most 20 characters.
Default:
No IP access-list is defined.
Command mode:
global configuration mode
Explanation:
Use this command to enter IP access-list configuration mode. The “deny” and “permit” commands can then be used to configure access rules.
Example:
The following example is the configuration of a standard access-list.
ip access-list standard filter
deny 192.168.1.0 255.255.255.0
permit any
Related commands:
deny
ip access-group
permit
show ip access-list
permit
Use this command in IP access-list configuration mode to add a permit rule. Prefix the command with “no” to remove the permit rule from the IP access-list.
permit source [source-mask] [log]
no permit source [source-mask] [log]
permit protocol source source-mask destination destination-mask [precedence precedence] [tos tos] [log]
no permit protocol source source-mask destination destination-mask [precedence precedence] [tos tos] [log]
For the Internet Control Message Protocol (ICMP), the following syntax can also be used:
permit icmp source source-mask destination destination-mask [icmp-type] [precedence precedence] [tos tos] [log]
For the Internet Group Management Protocol (IGMP), the following syntax can also be used:
permit igmp source source-mask destination destination-mask [igmp-type] [precedence precedence] [tos tos] [log]
For TCP, the following syntax can also be used:
permit tcp source source-mask [operator port] destination destination-mask [operator port] [established] [precedence precedence] [tos tos] [log]
For the User Datagram Protocol (UDP), the following syntax can also be used:
permit udp source source-mask [operator port] destination destination-mask [operator port] [precedence precedence] [tos tos] [log]
Parameter:
protocol | Name or number of the protocol. It can be a keyword such as icmp, igmp, igrp, ip, ospf, tcp or udp, or a whole number from 0 to 255 giving the IP protocol number. Use the keyword “ip” to match any Internet protocol (including ICMP, TCP and UDP). Some protocols can be restricted further, as described below.
source | Source network or host address, a 32-bit value written in dotted-decimal notation (four numbers separated by dots). The keyword “any” is an abbreviation for a source and source-mask of 0.0.0.0 0.0.0.0.
source-mask | Network mask applied to the source address. Only the bits set to 1 in the mask are compared, so 255.255.255.0 selects a whole /24 and 0.0.0.0 matches every address; this is a network mask, not an inverted wildcard mask. The keyword “any” is an abbreviation for a source and source-mask of 0.0.0.0 0.0.0.0.
destination | Destination network or host address, written in the same dotted-decimal notation as source. The keyword “any” is an abbreviation for a destination and destination-mask of 0.0.0.0 0.0.0.0.
destination-mask | Network mask applied to the destination address, with the same semantics as source-mask. The keyword “any” is an abbreviation for a destination and destination-mask of 0.0.0.0 0.0.0.0.
precedence precedence | (Optional) Filter packets by IP precedence, given as a number from 0 to 7.
tos tos | (Optional) Filter packets by type of service level, given as a number from 0 to 15.
icmp-type | (Optional) Filter ICMP packets by ICMP message type, given as a number from 0 to 255.
igmp-type | (Optional) Filter IGMP packets by IGMP message type or name; the type is a number from 0 to 15.
operator | (Optional) Comparison applied to a source or destination port: lt (less than), gt (greater than), eq (equal to) or neq (not equal to). An operator placed after source and source-mask applies to the source port; one placed after destination and destination-mask applies to the destination port.
port | (Optional) Decimal number or name of a TCP or UDP port, from 0 to 65535. The TCP port names accepted are listed under “Explanation” below and may be used only when filtering TCP; the UDP port names are listed there too and may be used only when filtering UDP.
established | (Optional) TCP only. Matches segments that have the ACK or RST bit set, that is, segments of an already established connection; the initial segment that opens a connection does not match. The check is stateless: any segment carrying ACK or RST matches whether or not the router saw the connection being opened, so “established” does not by itself stop ACK-flagged probes.
log | (Optional) Log packets that match this entry.
Command mode:
IP access-list configuration mode
Explanation:
Access-lists can be used to control the forwarding of packets on an interface and to control access to virtual terminal lines. An extended access-list stops being checked as soon as an entry matches. IP fragments other than the initial fragment are accepted immediately by any extended IP access-list, since they carry no transport header for the port and flag conditions to be tested against. Extended access-lists are used to control access to virtual terminal lines and to restrict the contents of routing updates. Matching on the TCP source port, the type of service value and the precedence of the packet is optional.
Note: After an access-list is first created, any later addition (which may be typed at the terminal) is appended to the end of the list. Because the first matching entry decides, a broad entry such as “permit any” entered early shadows every more specific entry added after it; to move an entry later, remove it with the “no” form and enter it again, since re-entered rules go to the end.
The TCP port names below can be used in place of a port number. See the current Assigned Numbers RFC for the protocols these names refer to. The port number for a name can also be found by typing “?” in place of the port number.
bgp
ftp
ftp-data
login
pop2
pop3
smtp
telnet
www
The UDP port names below can be used in place of a port number. See the current Assigned Numbers RFC for the protocols these names refer to. The port number for a name can also be found by typing “?” in place of the port number.
domain
snmp
syslog
tftp
Example:
The following example permits the network 192.168.5.0/24:
ip access-list standard filter
permit 192.168.5.0 255.255.255.0
Note: every IP access-list ends with an implicit “deny” rule, so traffic from any other source is dropped by this list.
Related commands:
deny
ip access-group
ip access-list
show ip access-list
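The matching rules given in the deny and permit explanations above (first match wins, an implicit deny at the end, network-mask comparison, the “established” flag) together with the ip access-group behaviour of permitting everything when the named list does not exist, as an added Python example that is not part of this reference or of the router software. It parses entries written in the syntax shown on this page and evaluates packets against them. The lists “filter” and “bbb” are the page's own examples; the lists “shadowed” and “inbound”, the port-name table values, and every packet are constructed here, and treating a standard entry without a mask as a single host is this example's own assumption.

```python
"""Simulator for the access-list rules this page describes; an added example, not
the router vendor's software. From the page: a mask is a network mask (only its 1
bits are compared), "any" is 0.0.0.0 0.0.0.0, the first matching entry wins, a list
ends with an implicit deny, a group naming an undefined list permits everything, and
"established" matches only ACK/RST segments. Own assumption: a standard entry with no
mask names one host. LISTS "filter" and "bbb" are the page's; the rest are made up."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PORT_NAMES = {"bgp": 179, "ftp": 21, "ftp-data": 20, "login": 513, "pop2": 109,
              "pop3": 110, "smtp": 25, "telnet": 23, "www": 80,
              "domain": 53, "snmp": 161, "syslog": 514, "tftp": 69}
OPS = {"eq": lambda a, b: a == b, "neq": lambda a, b: a != b,
       "lt": lambda a, b: a < b, "gt": lambda a, b: a > b}
Addr = Tuple[str, str]        # (network, mask)
ANY: Addr = ("0.0.0.0", "0.0.0.0")

@dataclass
class Entry:
    action: str               # "permit" or "deny"
    proto: str = "ip"         # "ip" matches every protocol
    src: Addr = ANY
    dst: Addr = ANY
    sport: Optional[Tuple[str, int]] = None   # (operator, port)
    dport: Optional[Tuple[str, int]] = None
    established: bool = False

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    sport: int = 0
    dport: int = 0
    flags: Set[str] = field(default_factory=set)

def addr_match(addr: str, network: str, mask: str) -> bool:
    """Only the bits set in mask are compared, so 0.0.0.0 matches everything."""
    a, n, m = (int(ipaddress.IPv4Address(x)) for x in (addr, network, mask))
    return (a & m) == (n & m)

def _take_addr(t: List[str]) -> Addr:
    first = t.pop(0)
    return ANY if first == "any" else (first, t.pop(0))

def _take_port(t: List[str]) -> Optional[Tuple[str, int]]:
    if t and t[0] in OPS:
        op, p = t.pop(0), t.pop(0)
        return (op, PORT_NAMES[p] if p in PORT_NAMES else int(p))
    return None

def parse_entry(line: str, kind: str) -> Entry:
    """Parse one permit/deny line written in the syntax shown on this page."""
    t = line.split()
    e = Entry(action=t.pop(0))
    if kind == "standard":        # deny source [source-mask] [log]
        net = t.pop(0)
        mask = t.pop(0) if t and t[0] != "log" else "255.255.255.255"
        e.src = ANY if net == "any" else (net, mask)
        return e
    e.proto = t.pop(0)            # protocol src smask [op port] dst dmask [op port] ...
    e.src, e.sport = _take_addr(t), _take_port(t)
    e.dst, e.dport = _take_addr(t), _take_port(t)
    while t:
        tok = t.pop(0)
        if tok == "established":
            e.established = True
        elif tok in ("precedence", "tos"):   # values are not modelled here
            t.pop(0)
    return e

def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (addr_match(p.src, *e.src) and addr_match(p.dst, *e.dst)):
        return False
    for test, have in ((e.sport, p.sport), (e.dport, p.dport)):
        if test and not OPS[test[0]](have, test[1]):
            return False
    return not e.established or bool(p.flags & {"ACK", "RST"})

def evaluate(entries: List[Entry], p: Packet) -> str:  # first match decides
    return next((e.action for e in entries if matches(e, p)), "deny")  # implicit deny

def apply_group(lists: Dict[str, List[Entry]], name: str, p: Packet) -> str:
    """ip access-group: a group that names an undefined list lets everything through."""
    return evaluate(lists[name], p) if name in lists else "permit"

def build(kind: str, *lines: str) -> List[Entry]:
    return [parse_entry(ln, kind) for ln in lines]

LISTS: Dict[str, List[Entry]] = {
    "filter": build("standard", "deny 192.168.5.0 255.255.255.0", "permit any"),
    "bbb": build("extended", "permit tcp any any eq www", "permit ip any any"),
    # Ordering pitfall: entries are appended, so this deny can never be reached.
    "shadowed": build("extended", "permit ip any any", "deny tcp any any eq telnet"),
    # What "established" does and does not stop when the list is applied inbound.
    "inbound": build("extended", "permit tcp any any established", "deny ip any any"),
}
```

Evaluating a few packets against these lists shows the two things worth checking before trusting a list: “shadowed” never denies telnet because its permit ip any any comes first, and “inbound” passes a bare ACK-flagged segment to port 22 while dropping the SYN, since “established” inspects only the flag bits. A packet sent through a group whose list name is misspelled is permitted outright.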
show ip access-list
Use the “show ip access-list” command to display the contents of the current IP access-lists.
show ip access-list [access-list-name]
Parameter:
access-list-name | Name of the access-list. This is a character string of at most 20 characters.
Default:
Shows all standard and extended IP access-lists.
Command mode:
Supervisor mode
Explanation:
Give an access-list name to display only that list; without a name, “show ip access-list” displays every IP access-list.
Example:
The following is example output of “show ip access-list” when no name is given.
Router# show ip access-list
ip access-list standard aaa
permit 192.2.2.1
permit 192.3.3.0 255.255.255.0
ip access-list extended bbb
permit tcp any any eq www
permit ip any any
The following is example output of “show ip access-list” when a name is given.
Router# show ip access-list bbb
ip access-list extended bbb
permit tcp any any eq www
permit ip any any