Ctrlk
For the complete documentation index, see llms.txt. This page is also available as Markdown.

ACLs 101

An ACL contains one or more ACEs (Entries) that permit or deny traffic and have an implicit deny any at the end.

Numbered ACLs

Standard ACLs

R(config)# access-list ACL-NUMBER {permit|deny} {IP-ADDRESS [WILDCARD] | any} [log]
! ACL-NUMBER: 1-99, 1300-1999
! when the wildcard is missing, a default of 0.0.0.0 is considered
! any <=> IP-ADDRESS 255.255.255.255
! log = adds an entry in the log (one entry every 5 minutes)
R(config)# access-list ACL-NUMBER remark COMMENT

You cannot edit one individual entry in a numbered ACL. The ACL must be deleted and re-created.

Extended ACLs

R(config)# access-list ACL-NUMBER {permit|deny} PROTOCOL {any|SRC-IP SRC-WILDCARD} {any|DST-IP DST-WILDCARD} [OPTIONS] [log|log-input]
! ACL-NUMBER: 100-199, 2000-2699
! PROTOCOL = ip, tcp, upd, protocol number, etc
! any <=> IP 255.255.255.255
! host IP <=> IP 0.0.0.0
! log = adds an entry in the log (one entry every 5 minutes)
! log-input = adds additional info to the log (input interface, source MAC)
! OPTIONS: dscp, precedence, tos, IP Options, fragments, ttl...
R(config)# access-list ACL-NUMBER remark COMMENT

Established

One option for TCP traffic is to allow only packets that are part of an established connection. Packets that are part of an established TCP connection have the ACK or RST bit set. When using the established keyword at the end of TCP extended ACL, you can match only these packets:

This is useful when you don’t want one side to initiate the connection, but you need it to be able to respond to connections initiated from the other side.

Matching Tips

Here are some tips for matching traffic with extended ACLs:

To see a list of the most used well-known ports, use:

Named ACLs

Standard ACLs

Extended ACLs

Since ACEs can have a custom seq-numbere, they can be re-sequenced to allow other insertions:

Using ACLs

Filter traffic on an interface

Limit CLI access

Fragments

By default, an ACL without the fragments keyword works in the following manner:

  • If the ACL contains only Layer 3 information (SRC-IP, DEST-IP) the entry is applied to nonfragmented packets, initial fragments and non-initial fragments

  • If the ACL contains both Layer 3 and Layer 4 information (SRC-IP, DEST-IP, Layer 4 protocol):

    • The entry is applied to nonfragmented packets and initial fragments

    • If the entry is a permit, it will be applied to non-initial fragments, but since the Layer 4 information is missing, it will only match on Layer 3 information, and will ignore Layer 4 information.

    • If the entry is a deny, it will be ignored for non-initial fragments, and the next ACE is processed

When using the fragments keyword, the entry is applied only to non-initial fragments. Non-fragmented packets and initial fragments are not matched. This keyword cannot be used on entries that use Layer 4 information.

Logging ACLs

You must use the log keyword at the end of an ACE to enable generation of syslog messages when the ACE is hit. One message will be generated every 5 minutes. You can set the number of hits that will generate a log entry using:

For extended ACLs, you can use log-input keyword to add more information to the log (input interface, source MAC). You can add custom tags to the logs by using the log keyword followed by the tag, or you can generate automatic hashtags for each ACE by setting:

These hashtags will identify the ACE that generated them in the log output.

PreviousNAT for Overlapping NetworksNextACLs 102

Last updated