Configuration Commands : access-list
access-list
Description
Use the access-list command to configure Access Lists and their rules.
Use the no access-list command to delete a specific ACL rule or an entire ACL.
Syntax
access-list <acl name> <priority value> {permit | deny} protocol {<IP protocol number> | <protocol name>} {<source IP address/netmask> | any} {<destination IP address/netmask> | any} [dscp {<dscp value> | any}]
access-list <acl name> <priority value> {permit | deny} protocol {<IP protocol number> | <protocol name>} {<source IP address/netmask> | any} {<destination IP address/netmask> | any} [vlan {any | <1..4094> | <interface.tag> | <any.tag> | <interface.any> | <interface.native>}]
access-list <acl name> <priority value> {permit | deny} protocol ip {<source IP address/netmask> | any} {<destination IP address/netmask> | any} [app {<application name> | any}] [dscp {<dscp value> | any}][vlan {any | <1..4094> | <interface.tag> | <any.tag> | <interface.any> | <interface.native>}]
access-list <acl name> <priority value> {permit | deny} protocol ip {<source IP address/netmask> | any} {<destination IP address/netmask> | any} [app {<application name> | any}] [dscp {<dscp value> | any}]
access-list <acl name> <priority value> {permit | deny} protocol ip {<source IP address/netmask> | any} {<destination IP address/netmask> | any} [vlan {any | <1..4094> | <interface.tag> | <any.tag> | <interface.any> | <interface.native>}]
access-list <acl name> <priority value> {permit | deny} protocol {tcp | udp} {<source IP address/netmask> | any} {<destination IP address/netmask> | any} [{<source port number> | any} {<destination port number> | any}] [dscp {<dscp value> | any}]
access-list <acl name> <priority value> {permit | deny} protocol {tcp | udp} {<source IP address/netmask> | any} {<destination IP address/netmask> | any} [{<source port number> | any} {<destination port number> | any}] [vlan {any | <1..4094> | <interface.tag> | <any.tag> | <interface.any> | <interface.native>}]
access-list <acl name> <priority value> {permit | deny} app {<application name> | any}
access-list <acl name> <priority value> {permit | deny} dscp {<dscp value> | any} [vlan {any | <1..4094> | <interface.tag> | <any.tag> | <interface.any> | <interface.native>}]
access-list <acl name> <priority value> {permit | deny} vlan {any | <1..4094> | <interface.tag> | <any.tag> | <interface.any> | <interface.native>}
access-list <acl name> <priority value> comment <comment text>
no access-list <acl name> [<priority value>]
Arguments
access-list <acl name>
<priority value>
Specifies the name of the ACL and the priority value for the (ACL) rule that you want to add or modify. You can set any priority value between 1 and 65535.
permit
Permits access to this ACL rule.
deny
For traffic that matches this ACL rule, discontinue further processing by this ACL, and continue to look for a match in the subsequent policy entries.
comment
Add a comment for specified access list entry.
protocol {<IP protocol number> | <IP protocol name> | ip | tcp | udp}
Specifies the protocol to match:
The available IP protocol numbers include 1 through 254.
The available IP protocol names include:
 
ah
egp
eigrp
encap
esp
etherip
fc
gre
icmp
idpr
idpr-cmtp
idrp
igmp
igp
ip-comp
ip-mobility
ipip
ipip4
ipx-in-ip
irtp
iso-ip
iso-tp4
I2tp
mhrp
ospf
pim
rdp
rsvp
sctp
tlsp
vrrp
 
 
 
When you specify protocol ip, the assumption is that you are allowing any IP protocol. In that case, you also need to specify an application. If you don’t, the CLI defaults to specifying any application.
 
{<source IP address/netmask> | any}
Matches against traffic that has a specific source IP address and netmask (in slash notation). For example, enter 10.2.0.0 0.0.255.255 as 10.2.0.0/16.
If you want to include traffic to all destinations, use any.
{<destination IP address/netmask> | any}
Matches against traffic that has a specific destination IP address and netmask (in slash notation). For example, 10.2.0.0/16.
If you want to include traffic to all destinations, use any.
{<source port number> | any} {<destination port number> | any}
When you specify protocol tcp or protocol udp, you can limit the traffic to specific source and/or destination ports. any is a wildcard.
app {<application name> | any}
Specifies a default or user-defined application name, or the name of a user-defined application group. any is a wildcard.
dscp {<dscp value> | any}
 
Specifies a DSCP value. The available values include:
af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, be, cs1, cs2, cs3, cs4, cs5, cs6, cs7, or ef.
any is a wildcard.
vlan {any | <1..4094> | <interface.tag> | <any.tag> | <interface.any> | <interface.native>}
Matches an interface and 802.1q VLAN tag. The available values include:
<1..4094> the number assigned to a VLAN
<interface.tag> as in lan0.10
<any.tag> as in any.10
<interface.any> as in lan0.any
<interface.native> as in lan0.native
any is a wildcard.
any
Is a wildcard.
Defaults
None.
Command Mode
Global Configuration Mode
See Also
See “show access-list”.
Usage Guidelines
You name a rule with a priority, which not only identifies the rule, but also specifies its sequence in that ACL. Within an ACL, every priority value must be unique. In other words, no two rules in a given ACL can have the same priority value. We recommend that you don’t make the priority values contiguous, so that you can later insert a new rule between two existing rules, without needing to change the priority values you’ve already set. For example, you might create an ACL with rules (priorities) 10, 20, 30, and 40. If you need to add several rules at a later time, you can easily place them between any of the existing rules.
If you need to replace an existing rule, just name the new rule with the same priority as the one you want to replace. The CLI overwrites the existing rule with your new one.
If you specify a priority to create a rule for an ACL that doesn’t already exist, the CLI creates the new ACL and populates it with the new rule.
Use the no form of this command to delete a rule within an ACL. If you delete the last rule of an ACL, that ACL is removed. If you don’t specify a priority value in the no command, the entire ACL is deleted.
IP Address and Netmasks
Source and destination IP addresses are immediately followed by a netmask "/n" where n is the number of contiguous non-wildcard bits counting from the left-most bit. For example, 10.10.10.0 /24 refers to the 10.10.10 class C subnet. Use the keyword any to specify that all bits are wildcards.
Using Deny
Since access lists define the matching criteria and not the action, you should remember that deny in this context does not actually “drop” traffic. Rather, the deny keyword is effectively a sort of break statement, preventing further processing by that particular ACL, and sending the traffic to look for matches against subsequent policy entries.
For example, if you wanted to accelerate all IP traffic except for ICMP traffic, you could enter the following commands:
access-list a1 100 deny protocol icmp any any
access-list a1 200 permit protocol ip any any
.
.
.
route-map map1 10 match acl a1
route-map map1 10 set tunnel tun1.
.
.
In this example, any ICMP traffic that attempts to match the ACL, a1, would immediately stop processing at the deny statement and would pass through.
Examples
To create a rule for an ACL named acl2, that matches against all IGP traffic that has a DSCP value of be (best effort):
(config) # access-list acl2 10 permit protocol igp any any dscp be
To accelerate all IP traffic except for ICMP traffic:
(config) # access-list a1 100 deny protocol icmp any any
(config) # access-list a1 200 permit protocol ip any any
To create a rule to match all IP traffic coming from the source 10.2.0.0 0.0.255.255:
(config) # access-list a2 40 permit protocol ip 10.2.0.0/16 any
To create a rule to match all UDP traffic going to port 53:
(config) # access-list a1 500 protocol udp any any any 53
To delete the priority 100 rule from the ACL named ac18:
(config) # no access-list acl8 100
 
Please send comments or suggestions regarding user documentation to techpubs@silver-peak.com.