Download to read offline
![IOS IPV4 ACCESS LISTS packetlife.net
Standard ACL Syntax Actions
! Legacy syntax permit Allow matched packets
access-list <number> {permit | deny} <source> [log] deny Deny matched packets
! Modern syntax remark Record a configuration comment
ip access-list standard {<number> | <name>}
[<sequence>] {permit | deny} <source> [log] evaluate Evaluate a reflexive ACL
Extended ACL Syntax
! Legacy syntax
access-list <number> {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]
! Modern syntax
ip access-list extended {<number> | <name>}
[<sequence>] {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]
ACL Numbers Source/Destination Definitions
1-99 any Any address
IP standard
1300-1999
host <address> A single address
100-199
IP extended <network> <mask> Any address matched by the wildcard mask
2000-2699
200-299 Protocol IP Options
300-399 DECnet dscp <DSCP> Match the specified IP DSCP
400-499 XNS fragments Check non-initial fragments
500-599 Extended XNS option <option> Match the specified IP option
600-699 Appletalk precedence {0-7} Match the specified IP precedence
700-799 Ethernet MAC ttl <count> Match the specified IP time to live (TTL)
800-899 IPX standard
TCP/UDP Port Definitions
900-999 IPX extended
eq <port> Equal to neq <port> Not equal to
1000-1099 IPX SAP
lt <port> Less than gt <port> Greater than
1100-1199 MAC extended
range <port> <port> Matches a range of port numbers
1200-1299 IPX summary
Miscellaneous Options
TCP Options
reflect <name> Create a reflexive ACL entry
ack Match ACK flag
time-range <name> Enable rule only during the given time range
fin Match FIN flag
psh Match PSH flag Applying ACLs to Restrict Traffic
rst Match RST flag interface FastEthernet0/0
ip access-group {<number> | <name>} {in | out}
syn Match SYN flag
urg Match URG flag Troubleshooting
Match packets in an show access-lists [<number> | <name>]
established
established session
show ip access-lists [<number> | <name>]
Logging Options show ip access-lists interface <interface>
log Log ACL entry matches show ip access-lists dynamic
Log matches including
show ip interface [<interface>]
log-input ingress interface and
source MAC address show time-range [<name>]
by Jeremy Stretch v2.0](https://image.slidesharecdn.com/iosipv4accesslists-130211054210-phpapp01/75/Ios-i-pv4_access_lists-1-2048.jpg)
Uploaded bySwapnil Kapate
Ios i pv4_access_lists
This document provides an overview of IPV4 access control lists (ACLs) for IOS, including the syntax for standard and extended ACLs, available actions, source/destination definitions, port definitions, options, applying ACLs to restrict traffic, and troubleshooting ACLs. Standard ACLs filter based on source IP address while extended ACLs can filter on source/destination IP address, protocol, port and some TCP/UDP options. ACLs are configured using access-list commands and applied to interfaces using the ip access-group command.
More Related Content
![20 access lists[1]](https://cdn.slidesharecdn.com/ss_thumbnails/20accesslists1-160420033146-thumbnail.jpg?width=640&height=640&fit=bounds)
Ios i pv4_access_lists
- 1. IOS IPV4 ACCESSLISTS packetlife.net Standard ACL Syntax Actions ! Legacy syntax permit Allow matched packets access-list <number> {permit | deny} <source> [log] deny Deny matched packets ! Modern syntax remark Record a configuration comment ip access-list standard {<number> | <name>} [<sequence>] {permit | deny} <source> [log] evaluate Evaluate a reflexive ACL Extended ACL Syntax ! Legacy syntax access-list <number> {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>] ! Modern syntax ip access-list extended {<number> | <name>} [<sequence>] {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>] ACL Numbers Source/Destination Definitions 1-99 any Any address IP standard 1300-1999 host <address> A single address 100-199 IP extended <network> <mask> Any address matched by the wildcard mask 2000-2699 200-299 Protocol IP Options 300-399 DECnet dscp <DSCP> Match the specified IP DSCP 400-499 XNS fragments Check non-initial fragments 500-599 Extended XNS option <option> Match the specified IP option 600-699 Appletalk precedence {0-7} Match the specified IP precedence 700-799 Ethernet MAC ttl <count> Match the specified IP time to live (TTL) 800-899 IPX standard TCP/UDP Port Definitions 900-999 IPX extended eq <port> Equal to neq <port> Not equal to 1000-1099 IPX SAP lt <port> Less than gt <port> Greater than 1100-1199 MAC extended range <port> <port> Matches a range of port numbers 1200-1299 IPX summary Miscellaneous Options TCP Options reflect <name> Create a reflexive ACL entry ack Match ACK flag time-range <name> Enable rule only during the given time range fin Match FIN flag psh Match PSH flag Applying ACLs to Restrict Traffic rst Match RST flag interface FastEthernet0/0 ip access-group {<number> | <name>} {in | out} syn Match SYN flag urg Match URG flag Troubleshooting Match packets in an show access-lists [<number> | <name>] established established session show ip access-lists [<number> | <name>] Logging Options show ip access-lists interface <interface> log Log ACL entry matches show ip access-lists dynamic Log matches including show ip interface [<interface>] log-input ingress interface and source MAC address show time-range [<name>] by Jeremy Stretch v2.0