Access Lists
Access Lists Overview
Access lists specify a collection of permit and deny conditions that apply to prefixes. They perform a sequential lookup and return the first matched entry as the true match. Access lists are referred to by name from other configuration elements, such as route maps and distribute lists. The assigned name must be unique among all other access lists.
access-list
Name
access-list - configures an access list
Syntax
access-list list_id [seq seq_value]? [deny | permit] [ip4_addr [wildcard]?]
no access-list list_id [seq seq_value]? [[deny | permit] [ip4_addr [wildcard]?]]?
Mode
Global Configuration
Parameters
list_id - specify a string of characters for this access list name
seq seq_value - this is specified as an integer between 0 and 65535, inclusive. Note: Sequence numbers are generated automatically in increments of 5 unless automatic generation is turned off. If automatic generation is disabled, then the sequence number must be specified. (See "access-list sequence-number" for more information on automatic generation.) Otherwise, specifying this command is optional.
deny | permit - denies or permits the specified source address
ip4_addr [wildcard]? - specify a valid IPv4 address with an optional wildcard to be included in this access list
Description
Use the access-list command to configure an access list. List entries are in the order specified by their sequence number. The first match determines whether the address is permitted or denied. If no conditions match, then the policy engine declares it as a failed match.
Every entry in the Access List is associated with a permit/deny indicator. It is used to indicate to the filter/route-map containing the list as a match element whether the match element succeeded or not. A permit indicates a successful match whereas a deny result causes the match element to fail.
When creating an access list, by default, the end of the access list contains an implicit deny statement for everything. Further, if a wildcard is omitted from an associated IPv4 host address access list specification, 0.0.0.0 is assumed to be the wildcard.
Use the negative form of this command to delete all entries or specific entries in an access list. One way to remove a specific entry from an access list is to specify all parameters that were specified when the entry was created. Another way is to specify the sequence number of the entry, which is either automatically generated or explicitly configured.
Default
Access lists are not configured by default.
Command History
NGC 2.2 - This command was introduced.
Examples
Example 1
The following example configures an access list called "abc" that denies all prefixes matching 128.0.0.0/8.
(config)# access-list abc deny 128.0.0.0 0.255.255.255
Example 2
The following example configures three entries in access list number 1. The first list entry permits the single address 10.11.0.12. The second list entry denies all other addresses in 10.11/16. The third entry permits all addresses in 10/8.
(config)# access-list 1 permit 10.11.0.12 0.0.0.0
(config)# access-list 1 deny 10.11.0.0 0.0.255.255
(config)# access-list 1 permit 10.0.0.0 0.255.255.255
Example 3
The following example deletes the first entry configured in access list number 1, shown in Example 2.
(config)# no access-list 1 permit 10.11.0.12 0.0.0.0
Example 4
The following example shows another way to delete the first entry configured in access list number 1, shown in Example 2.
(config)# no access-list 1 seq 5
See Also
"access-list sequence-number"
access-list sequence-number
Name
access-list sequence-number - specifies whether Advanced Routing Suite should use automatic sequence numbering when configuring access lists
Syntax
access-list sequence-number
no access-list sequence-number
Mode
Global Configuration
Parameters
none
Description
Sequence values are generated in increments of 5, with the first sequence value generated being 5, then 10, then 15, and so on. If a sequence value is specified for an entry, and then not specified for subsequent entries, the assigned (generated) sequence values are then incremented in units of 5 based on the highest sequence number present in the list.
Note: Sequence numbers are generated automatically in increments of 5 unless automatic generation is turned off. If automatic generation is disabled, then the sequence number must be specified. Otherwise, specifying this command is optional. Use the negative form of the sequence command, no access-list sequence-number, to turn off automatic sequence number generation.
Default
Sequence numbers are generated automatically by Advanced Routing Suite. Therefore, if access-list sequence-number is not specified, it is the same as if the user had specified the following:
(config)# access-list sequence-number
Command History
NGC 2.2 - This command was introduced.
Examples
The following example configures four entries in access list "abc." The first entry explicitly configures sequence number 3. The two subsequent entries will, therefore, have automatically generated sequence numbers of 8 and 13 respectively. Sequence numbering is then turned off; therefore, sequence numbers must be explicitly configured for the remainder of the access list.
(config)# access-list abc seq 3 permit 10.11.0.12 0.0.0.0
(config)# access-list abc deny 10.11.0.0 0.0.255.255
(config)# access-list abc permit 10.0.0.0 0.255.255.255
(config)# no access-list sequence-number
(config)# access-list abc seq 20 permit 192.168.0.0 0.0.255.255
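The following model, added here as an illustration and not code from Advanced Routing Suite, shows the rules the access-list and access-list sequence-number descriptions state: generated sequence numbers are 5 above the highest number present, lookup is sequential with the first wildcard match deciding, and an unmatched address falls to the implicit deny. The AccessList class and its method names are assumed for the model.

```python
from ipaddress import IPv4Address


def ip_to_int(addr):
    return int(IPv4Address(addr))


class AccessList:
    """Model of one standard access list: ordered entries, first-match lookup."""

    def __init__(self, name, auto_seq=True):
        self.name = name
        self.auto_seq = auto_seq   # False models 'no access-list sequence-number'
        self.entries = []          # (seq, action, addr, wildcard), kept sorted by seq

    def add(self, action, addr, wildcard="0.0.0.0", seq=None):
        """access-list NAME [seq N] permit|deny ADDR [WILDCARD]; returns the seq used."""
        if seq is None:
            if not self.auto_seq:
                raise ValueError("seq required when automatic numbering is off")
            # generated value: 5 above the highest number present (5, 10, 15 ... or 3 -> 8 -> 13)
            seq = max((e[0] for e in self.entries), default=0) + 5
        if not 0 <= seq <= 65535:
            raise ValueError("seq must be between 0 and 65535")
        self.entries.append((seq, action, addr, wildcard))
        self.entries.sort(key=lambda e: e[0])
        return seq

    def remove_seq(self, seq):
        """no access-list NAME seq N"""
        self.entries = [e for e in self.entries if e[0] != seq]

    def match(self, addr):
        """Sequential lookup: the first entry whose address agrees with the
        candidate on every 0 bit of the wildcard decides; with no match the
        implicit deny at the end of the list applies (seq None)."""
        a = ip_to_int(addr)
        for seq, action, entry_addr, wildcard in self.entries:
            care = ~ip_to_int(wildcard) & 0xFFFFFFFF   # 0 wildcard bits must match
            if (a & care) == (ip_to_int(entry_addr) & care):
                return action, seq
        return "deny", None

    def show(self):
        """Summary text in the layout of 'show access-list'."""
        lines = [f"Standard IP access-list {self.name}: {len(self.entries)} entries"]
        for seq, action, entry_addr, wildcard in self.entries:
            lines.append(f"seq {seq} {action} {entry_addr}, wildcard bits {wildcard}")
        return "\n".join(lines)
```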
ip access-list sequence-number
Name
ip access-list sequence-number - specifies whether Advanced Routing Suite should use automatic sequence numbering when configuring access lists in Standard ACL Configuration mode
Syntax
ip access-list sequence-number
no ip access-list sequence-number
Mode
Global Configuration
Parameters
none
Description
Sequence values are generated in increments of 5, with the first sequence value generated being 5, then 10, then 15, and so on. If a sequence value is specified for an entry, and then not specified for subsequent entries, the assigned (generated) sequence values are then incremented in units of 5 based on the highest sequence number present in the list.
Note: Sequence numbers are generated automatically in increments of 5 unless automatic generation is turned off. If automatic generation is disabled, then the sequence number must be specified. Otherwise, specifying this command is optional. Use the negative form of the sequence command, no ip access-list sequence-number, to turn off automatic sequence number generation.
Default
Sequence numbers are generated automatically by Advanced Routing Suite. Therefore, if ip access-list sequence-number is not specified, it is the same as if the user had specified the following:
(config)# ip access-list sequence-number
Command History
NGC 2.2 - This command was introduced.
Examples
The following example configures four entries in access list "abc." The first entry explicitly configures sequence number 3. The two subsequent entries will, therefore, have automatically generated sequence numbers of 8 and 13 respectively. Sequence numbering is then turned off; therefore, sequence numbers must be explicitly configured for the remainder of the access list.
(config)# ip access-list standard abc
(config-std-nacl)# seq 3 permit 10.11.0.12 0.0.0.0
(config-std-nacl)# deny 10.11.0.0 0.0.255.255
(config-std-nacl)# permit 10.0.0.0 0.255.255.255
(config-std-nacl)# exit
(config)# no ip access-list sequence-number
(config)# ip access-list standard abc
(config-std-nacl)# seq 20 permit 192.168.0.0 0.0.255.255
(config-std-nacl)# exit
(config)#
ip access-list standard
Name
ip access-list standard - enters standard configuration mode for a specified access list
Syntax
ip access-list standard list_name
Mode
Global Configuration
Parameters
list_name - specify a string of characters for this access list name
Description
Use the ip access-list standard command to enter Standard Access List Configuration mode. This configuration mode provides an alternative to configuring access lists using the access-list command in Global Configuration mode.
Default
none
Command History
NGC 2.2 - This command was introduced.
Examples
The following example enters standard access list configuration mode for the access list labeled abc.
(config)# ip access-list standard abc
(config-std-nacl)#
permit | deny
Name
permit | deny - specifies whether to allow or deny entries in an access list
Syntax
[seq seq_value]? [deny | permit] [ip4_addr [wildcard]?]
no [seq seq_value]? [[deny | permit] [ip4_addr [wildcard]?]]?
Mode
Standard ACL Configuration
Parameters
seq seq_value - this is specified as an integer between 0 and 65535, inclusive. Note: Sequence numbers are generated automatically in increments of 5 unless automatic generation is turned off. If automatic generation is disabled, then the sequence number must be specified. Otherwise, specifying this command is optional.
deny | permit - denies or permits the specified source address
ip4_addr [wildcard]? - specify a valid IPv4 address with an optional wildcard to be included in this access list
Description
Use the permit and deny commands in Standard ACL Configuration mode to configure the entries of the access list whose mode you entered. Entries are evaluated in order of their sequence numbers. The first match determines whether the address is permitted or denied. If no conditions match, then the policy engine declares it as a failed match.
Every entry in the Access List is associated with a permit/deny indicator. It is used to indicate to the filter/route-map containing the list as a match element whether the match element succeeded or not. A permit indicates a successful match whereas a deny result causes the match element to fail.
When creating an access list, by default, the end of the access list contains an implicit deny statement for everything. Further, if a wildcard is omitted from an associated IPv4 host address access list specification, then 0.0.0.0 is assumed to be the wildcard.
Use the negative form of this command to delete all entries or specific entries in an access list. One way to remove a specific entry from an access list is to specify all parameters that were specified when the entry was created. Another way is to specify the sequence number of the entry, which is either automatically generated or explicitly configured.
Default
Access list entries are not configured by default.
Command History
NGC 2.2 - This command was introduced.
Examples
Example 1
The following example configures access list "abc" with three entries. The first entry permits the single address 10.11.0.12. The second entry denies all other addresses in 10.11/16. The third entry permits all other addresses in 10/8.
(config)# ip access-list standard abc
(config-std-nacl)# permit 10.11.0.12 0.0.0.0
(config-std-nacl)# deny 10.11.0.0 0.0.255.255
(config-std-nacl)# permit 10.0.0.0 0.255.255.255
(config-std-nacl)# exit
(config)#
Example 2
In the following example, the first list entry from Example 1 is deleted from access list abc.
(config)# ip access-list standard abc
(config-std-nacl)# no permit 10.11.0.12 0.0.0.0
(config-std-nacl)# exit
(config)#
Example 3
The following example shows another way to delete the first entry configured in access list abc, shown in Example 1.
(config)# ip access-list standard abc
(config-std-nacl)# no seq 5
(config-std-nacl)# exit
(config)#
See Also
"ip access-list standard"
show access-list
Name
show access-list - displays information about access lists that were configured in Global Configuration mode
Syntax
show access-list [ detail | summary ]? [ list_id ]?
Mode
Privileged Execution
Parameters
detail | summary - optionally specify whether you want the query to respond with a more verbose format. Summary information is returned by default.
list_id - a string of characters or an integer that represents the ID of a configured access list. Specifying this is optional. Advanced Routing Suite will return information for all configured access lists if a list_id is not specified.
Description
The show access-list query displays information about all or specific access lists configured in Global Configuration mode (i.e., using the access-list command). (Use the show ip access-list command to display information about access lists configured with the ip access-list command.)
This query has two forms. If it is issued without arguments, then information about all configured access lists is returned. Alternatively, the query can be issued naming a specific access list. In this case, the reply will contain information pertaining only to the referenced access list.
Command History
NGC 2.2 - This command was introduced.
Examples
Example 1
The following query is a request for summary information for all configured access lists.
# show access-list
Standard IP access-list acl1: 3 entries
seq 3 permit 10.10.0.0, wildcard bits 0.0.255.255
seq 8 deny 10.0.0.0, wildcard bits 0.255.255.255
seq 13 permit 12.12.0.0, wildcard bits 0.0.255.255
Standard IP access-list acl2: 3 entries
seq 3 permit 10.11.0.12, wildcard bits 0.0.0.0
seq 10 deny 10.11.0.0, wildcard bits 0.0.255.255
seq 15 permit 10.0.0.0, wildcard bits 0.255.255.255
Example 2
The following query is a request for detail information about a specific access list named "acl1".
# show access-list detail acl1
Standard IP access-list acl1:
count: 3, sequences 3 - 13
seq 3 permit 10.10.0.0, wildcard bits 0.0.255.255
seq 8 deny 10.0.0.0, wildcard bits 0.255.255.255
seq 13 permit 12.12.0.0, wildcard bits 0.0.255.255
show ip access-list
Name
show ip access-list - displays information about access lists configured in Standard ACL Configuration mode
Syntax
show ip access-list [ detail | summary ]? [ list_id ]?
Mode
Privileged Execution
Parameters
detail | summary - optionally specify whether you want the query to respond with a more verbose format. Summary information is returned by default.
list_id - a string of characters or an integer that represents the ID of a configured access list. Specifying this is optional. Advanced Routing Suite will return information for all configured access lists if a list_id is not specified.
Description
The show ip access-list query displays information about all or specific access lists configured in Standard ACL Configuration mode (i.e., using the ip access-list command).
This query has two forms. If it is issued without arguments, then information about all configured access lists is returned. Alternatively, the query can be issued naming a specific access list. In this case, the reply will contain information pertaining only to the referenced access list.
Command History
NGC 2.2 - This command was introduced.
Examples
Example 1
The following query is a request for summary information for all configured access lists.
# show ip access-list
Standard IP access-list acl1: 3 entries
seq 3 permit 10.10.0.0, wildcard bits 0.0.255.255
seq 8 deny 10.0.0.0, wildcard bits 0.255.255.255
seq 13 permit 12.12.0.0, wildcard bits 0.0.255.255
Standard IP access-list acl2: 3 entries
seq 3 permit 10.11.0.12, wildcard bits 0.0.0.0
seq 10 deny 10.11.0.0, wildcard bits 0.0.255.255
seq 15 permit 10.0.0.0, wildcard bits 0.255.255.255
Example 2
The following query is a request for detail information about a specific access list named "acllist1".
# show ip access-list detail acllist1
Standard IP access-list acllist1:
count: 3, sequences 3 - 13
seq 3 permit 10.10.0.0, wildcard bits 0.0.255.255
seq 8 deny 10.0.0.0, wildcard bits 0.255.255.255
seq 13 permit 12.12.0.0, wildcard bits 0.0.255.255