access-list (standard)

Description                                                    Configure a standard Access Control List (ACL) to permit or deny source IP addresses.

Syntax                                                                  [no] access-list acl-num [seq-num]
{permit | deny | l3-vlan-fwd-disable | remark string}
{any | host host-ipaddr | src-ipaddr {filter-mask | /mask-length}}
[log [transparent-session-only]]

Parameter

Description

acl-num

Standard ACL number (1-99).

seq-num

Sequence number of this rule in the ACL. You can use this option to re-sequence the rules in the ACL.

permit

Allows traffic for ACLs applied to interfaces or used for management access.

For ACLS used for IP source NAT, this option is also used to specify the inside host addresses to be translated into external addresses.

NOTE: If you are configuring an ACL for source NAT, use the permit action. For ACLs used with source NAT, the deny action does not drop traffic, it simply does not use the denied addresses for NAT translations.

deny

Drops traffic for ACLs applied to interfaces or used for management access.

l3-vlan-fwd-disable

Disables Layer 3 forwarding between VLANs for IP addresses that match the ACL rule.

remark string

Adds a remark to the ACL. The remark appears at the top of the ACL when you display it in the CLI.

NOTE: An ACL and its individual rules can have multiple remarks.

To use blank spaces in the remark, enclose the entire remark string in double quotes. The ACL must already exist before you can configure a remark for it.

any

Denies or permits traffic received from any source host.

host host-ipaddr

Denies or permits traffic received from a specific, single host.

src-ipaddr 
{
filter-mask |
/mask-length}

Denies or permits traffic received from the specified host or subnet. The filter-mask speci­fies the portion of the address to filter:

  Use 0 to match.

  Use 255 to ignore.

For example, the filter-mask 0.0.0.255 filters on a 24-bit subnet.

Alternatively, you can use /mask-length to specify the portion of the address to filter. For example, you can specify “/24” instead “0.0.0.255” to filter on a 24-bit subnet.

log [transparent-session-only]

Configures the ACOS device to generate log messages when traffic matches the ACL.

The transparent-session-only option limits logging for an ACL rule to creation and deletion of transparent sessions for traffic that matches the ACL rule.

Default                                                                No ACLs are configured by default. When you configure one, the log option is disabled by default.

Mode                                                                   Configuration mode

Usage                                                                  An ACL can contain multiple rules. Each access-list command configures one rule. Rules are added to the ACL in the order you configure them. The first rule you add appears at the top of the ACL.

Rules are applied to the traffic in the order they appear in the ACL (from the top, which is the first rule, downward). The first rule that matches traffic is used to permit or deny that traffic. After the first rule match, no additional rules are compared against the traffic.

To move a rule within the sequence, delete the rule, then re-add it with a new sequence number.

Access lists do not take effect until you apply them.

     To use an ACL to filter traffic on an interface, see the access-list command in the “Config Commands: Interface” chapter in the Network Configuration Guide.

     To use an ACL to filter traffic on a virtual server port, see “access-list” in the Command Line Interface Reference for ADC.

     To use an ACL to control management access, see disable-management and enable-management.

     To use an ACL with source NAT, see the ip nat inside source command in the “Config Commands: IP” chapter in the Network Configuration Guide.

The syntax shown in this section configures a standard ACL, which filters based on source IP address. To filter on additional values such as destination address, IP protocol, or TCP/UDP ports, configure an extended ACL. (See access-list (extended).)

Support for Non-Contiguous Masks in IPv4 ACLs

A contiguous comparison mask is one that, when converted to its binary format, consists entirely of ones. A non-contiguous mask, however, contains at least one zero. Table 3 shows some examples of IPv4 addresses with each of the ACL mask types, a contiguous mask and a non-contiguous mask. The addresses and masks are shown in both their decimal and binary formats.

The “F” column indicates the format, decimal (D) or binary (B).

TABLE 10    IPv4 Address and Mask Examples 

F

Address

Mask

D

10

10

10

0

0

255

255

255

B

00001010

00001010

00001010

00000000

00000000

11111111

11111111

11111111

D

10

10

10

0

0

255

0

255

B

00001010

00001010

00001010

00000000

00000000

11111111

00000000

11111111

D

172

0

3

0

0

255

255

255

B

10101100

00000000

00000010

00000000

00000000

11111111

11111111

11111111

D

172

0

3

0

0

255

0

255

B

10101100

00000000

00000010

00000000

00000000

11111111

00000000

11111111

The non-contiguous masks are shown in italics.

Example                                                            The following commands configure a standard ACL and use it to deny traffic sent from sub­net 10.10.10.x, and apply the ACL to inbound traffic received on Ethernet interface 4:

ACOS(config)#access-list 1 deny 10.10.10.0 0.0.0.255

ACOS(config)#interface ethernet 4

ACOS(config-if:ethernet:4)#access-list 1 in

 

Example                                                            The commands in this example configure an ACL that uses a non-contiguous mask, and applies the ACLto a data interface:

ACOS(config)#access-list 3 deny 172.0.3.0 0.255.0.255

Info: Configured a non-contiguous subnet mask.*

ACOS(config)#access-list 20 permit any

ACOS(config)#show access-list

access-list 3 4 deny 172.0.3.0 0.255.0.255  Data plane hits: 0

access-list 20 4 permit any  Data plane hits: 0

ACOS(config)#interface ethernet 1

ACOS(config-if:ethernet:1)#access-list 3 in

 

Based on this configuration, attempts to ping or open an SSH session with destination IP address 172.17.3.130 from source 172.16.3.131 are denied. However, attempts from 172.16.4.131 are permitted.

*.   This message appears a maximum of 2 times within a given CLI session.

Table of Contents

Index

Glossary

-Search-

Back