access-list (extended)

Description                                                    Configure an extended Access Control List (ACL) to permit or deny traffic based on source and destination IP addresses, IP protocol, and TCP/UDP ports.

Syntax                                                                  [no] access-list acl-num [seq-num]
{permit | deny | l3-vlan-fwd-disable | remark string} ip

{any | host host-src-ipaddr | object-group src-group-name |
net-src-ipaddr {filter-mask | /mask-length}}

{any | host host-dst-ipaddr | object-group dst-group-name |
net-dst-ipaddr {filter-mask | /mask-length}}

[fragments] [vlan vlan-id] [dscp num]

[log [transparent-session-only]]

or

[no] access-list acl-num [seq-num]
{permit | deny | l3-vlan-fwd-disable | remark string} icmp

[type icmp-type [code icmp-code]]

{any | host host-src-ipaddr | object-group src-group-name |
net-src-ipaddr {filter-mask | /mask-length}}

{any | host host-dst-ipaddr | object-group dst-group-name |
net-dst-ipaddr {filter-mask | /mask-length}}

[fragments] [vlan vlan-id] [dscp num]

[log [transparent-session-only]]

or

[no] access-list acl-num [seq-num]
{permit | deny | l3-vlan-fwd-disable | remark string}
object-group svc-group-name

{any | host host-src-ipaddr | object-group src-group-name |
net-src-ipaddr {filter-mask | /mask-length}}

{any | host host-dst-ipaddr | object-group dst-group-name |
net-dst-ipaddr {filter-mask | /mask-length}}

[fragments] [vlan vlan-id] [dscp num]

[log [transparent-session-only]]

or

[no] access-list acl-num [seq-num]
{permit | deny | l3-vlan-fwd-disable | remark string} {tcp | udp}

{any | host host-src-ipaddr | net-src-ipaddr
{filter-mask | /mask-length}}
[eq src-port | gt src-port | lt src-port |
range start-src-port end-src-port]

{any | host host-dst-ipaddr | net-dst-ipaddr
{filter-mask | /mask-length}}
[eq dst-port | gt dst-port | lt dst-port |
range start-dst-port end-dst-port]

[fragments] [vlan vlan-id] [dscp num] [established]

[log [transparent-session-only]]

Parameter

Description

acl-num

Extended ACL number (100-199).

seq-num

Sequence number of this rule in the ACL. You can use this option to re-sequence the rules in the ACL.

permit

Allows traffic that matches the ACL.

deny

Drops the traffic that matches the ACL.

l3-vlan-fwd-disable

Disables Layer 3 forwarding between VLANs for IP addresses that match the ACL rule.

remark string

Adds a remark to the ACL. The remark appears at the top of the ACL when you display it in the CLI.

NOTE: An ACL and its individual rules can have multiple remarks.

To use blank spaces in the remark, enclose the entire remark string in double quotes. The ACL must already exist before you can configure a remark for it.

ip

Filters on IP packets only.

icmp

Filters on ICMP packets only.

tcp | udp

Filters on TCP or UDP packets, as specified. These options also allow you to filter based on protocol port numbers.

object-group

Service object group name.

For more information, see object-group service.

type icmp-type

This option is applicable if the protocol type is icmp. Matches based on the specified ICMP type. You can specify one of the following. Enter the type name or the type number (for example, “dest-unreachable” or “3”).

  any-type – Matches on any ICMP type.

  dest-unreachable, or 3 – destination is unreachable.

  echo-reply, or 0 – echo reply.

  echo-request, or 8 – echo request.

  info-reply, or 16 – information reply.

  info-request, or 15 – information request.

  mask-reply, or 18 – address mask reply.

  mask-request, or 17 – address mask request.

  parameter-problem, or 12 – parameter problem.

  redirect, or 5 – redirect message.

  source-quench, or 4 – source quench.

  time-exceeded, or 11 – time exceeded.

  timestamp, or 14 – timestamp.

  timestamp-reply, or 13 – timestamp reply.

code icmp-code

This option is applicable if the protocol type is icmp. Matches based on the specified ICMP code.

Replace icmp-code with an ICMP code number (0-254), or specify any-code to match on any ICMP code.

any |
host host-src-ipaddr |
net-src-ipaddr {filter-mask | /mask-length}

The source IP addresses to filter.

  any - the ACL matches on any source IP address.

  host host-src-ipaddr - the ACL matches only on the specified host IP address.

  net-src-ipaddr {filter-mask | /mask-length} - the ACL matches on any host in the specified subnet. The filter-mask specifies the portion of the address to filter:

  Use 0 to match.

  Use 255 to ignore.

For example, the filter-mask 0.0.0.255 filters on a 24-bit subnet.

Alternatively, you can use /mask-length to specify the portion of the address to filter. For example, you can specify “/24” instead of “0.0.0.255” to filter on a 24-bit subnet.

eq src-port |
gt src-port |
lt src-port |
range start-src-port end-src-port

The source protocol ports to filter for TCP and UDP:

  eq src-port - The ACL matches on traffic from the specified source port.

  gt src-port - The ACL matches on traffic from any source port with a higher number than the specified port.

  lt src-port - The ACL matches on traffic from any source port with a lower number than the specified port.

  range start-src-port end-src-port - The ACL matches on traffic from any source port within the specified range.

any |
host host-dst-ipaddr |
net-dst-ipaddr {filter-mask | /mask-length}

The destination IP addresses to filter.

  any - the ACL matches on any destination IP address.

  host host-dst-ipaddr - the ACL matches only on the specified host IP address.

  net-dst-ipaddr {filter-mask | /mask-length} - the ACL matches on any host in the specified subnet. The filter-mask specifies the portion of the address to filter:

  Use 0 to match.

  Use 255 to ignore.

For example, the filter-mask 0.0.0.255 filters on a 24-bit subnet.

Alternatively, you can use /mask-length to specify the portion of the address to filter. For example, you can specify “/24” instead of “0.0.0.255” to filter on a 24-bit subnet.

eq dst-port |
gt dst-port |
lt dst-port |
range start-dst-port end-dst-port

The destination protocol ports to filter for TCP and UDP:

  eq dst-port - The ACL matches on traffic to the specified destination port.

  gt dst-port - The ACL matches on traffic to any destination port with a higher number than the specified port.

  lt dst-port - The ACL matches on traffic to any destination port with a lower number than the specified port.

  range start-dst-port end-dst-port - The ACL matches on traffic to any destination port within the specified range.

fragments

Matches on packets in which the More bit in the header is set (1) or that have a non-zero fragment offset.

vlan vlan-id

Matches on the specified VLAN. VLAN matching occurs for incoming traffic only.

dscp num

Matches on the 6-bit Diffserv value in the IP header, 1-63.

established

Matches on TCP packets in which the ACK or RST bit is set.

This option is useful for protecting against attacks from outside. Since a TCP connection from the outside does not have the ACK bit set (SYN only), the connection is dropped. Similarly, a connection established from the inside always has the ACK bit set. (The first packet to the network from outside is a SYN/ACK.)

log
[transparent-session-only]

Configures the ACOS device to generate log messages when traffic matches the ACL.

The transparent-session-only option limits logging for an ACL rule to creation and deletion of transparent sessions for traffic that matches the ACL rule.

Default                                                                No ACLs are configured by default. When you configure one, the log option is disabled by default.

Mode                                                                   Configuration mode

Usage                                                                  An ACL can contain multiple rules. Each access-list command configures one rule. Rules are added to the ACL in the order you configure them. The first rule you add appears at the top of the ACL.

Rules are applied to the traffic in the order they appear in the ACL (from the top, which is the first rule, downward). The first rule that matches the traffic is used to permit or deny it. After the first match, no further rules are compared against the traffic.

To move a rule within the sequence, delete the rule, then re-add it with a new sequence number.
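The following Python is an added illustration, not part of the ACOS reference, of the matching semantics described on this page: the filter-mask convention (0 = match, 255 = ignore) and its /mask-length equivalent, the established check for the ACK or RST bit, and first-match evaluation of the rules in ACL order. It models only permit/deny rules for ip, tcp and udp with the eq port operator; the rule text, addresses and packets are constructed sample data, and the outcome for traffic that matches no rule is left as None because this page does not state it.

```python
import ipaddress

def ip_int(s):
    return int(ipaddress.IPv4Address(s))

def parse_addr(t):
    # Consume one src/dst spec -> (addr, wildcard). A wildcard bit of 1 means "ignore",
    # i.e. the filter-mask convention (0 = match, 255 = ignore); /mask-length is converted.
    tok = t.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return ip_int(t.pop(0)), 0
    mask = t.pop(0)
    return ip_int(tok), ((1 << (32 - int(mask[1:]))) - 1 if mask[0] == "/" else ip_int(mask))

def parse_port(t):
    # Only the 'eq port' operator is modelled here; gt, lt and range are left out.
    if t[:1] == ["eq"]:
        t.pop(0)
        return int(t.pop(0))
    return None

def parse_rule(line):
    # access-list acl-num [seq-num] {permit|deny} {ip|tcp|udp} src [eq p] dst [eq p] [established]
    t = line.split()[2:]                                  # drop 'access-list' and acl-num
    action, proto, *t = t[1:] if t[0].isdigit() else t    # drop the optional seq-num
    src, sport = parse_addr(t), parse_port(t)
    dst, dport = parse_addr(t), parse_port(t)
    return dict(action=action, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, established="established" in t)

def addr_matches(spec, ip):
    addr, wildcard = spec
    return ((ip_int(ip) ^ addr) & ~wildcard & 0xFFFFFFFF) == 0

def rule_matches(r, p):
    # 'ip' covers any IP protocol; 'established' needs ACK or RST, so a bare SYN never matches.
    return (r["proto"] in ("ip", p["proto"])
            and addr_matches(r["src"], p["src"]) and addr_matches(r["dst"], p["dst"])
            and r["sport"] in (None, p.get("sport")) and r["dport"] in (None, p.get("dport"))
            and (not r["established"] or bool({"ACK", "RST"} & p.get("flags", set()))))

def evaluate(rules, pkt):
    # First match wins and later rules are never consulted; None means no rule matched.
    return next((r["action"] for r in rules if rule_matches(r, pkt)), None)

# Constructed sample ACL (not from the page): deny one subnet, then permit only HTTPS return traffic into 10.0.0.0/24.
RULES = [parse_rule(l) for l in ("access-list 100 10 deny ip 192.168.1.0 0.0.0.255 any",
                                 "access-list 100 20 permit tcp any eq 443 10.0.0.0 /24 established")]
```

Because the deny at sequence 10 precedes the permit at sequence 20, a host in 192.168.1.0/24 is denied even when its packet would also satisfy the second rule.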

Access lists do not take effect until you apply them:

     To use an ACL to filter traffic on an interface, see the interface command in the “Config Commands: Interface” chapter in the Network Configuration Guide.

     To use an ACL to filter traffic on a virtual server port, see “access-list” in the Command Line Interface Reference for ADC.

     To use an ACL with source NAT, see the ip nat inside source command in the “Config Commands: IP” chapter in the Network Configuration Guide.
