Access lists

From Cisco Wiki


Doc CD

12.4T Configuration Guides -> Security, Services, and VPN -> Securing the Data Plane Configuration Guide Library, Cisco IOS Release 12.4T -> Security Configuration Guide: Access Control Lists, Cisco IOS Release 12.4T -> IP Access List Overview

Introduction

Access lists are a mechanism for permitting or denying traffic by matching it against a set of criteria. Access lists are used as the packet filter of the IOS firewall, for route filtering in route maps and distribute lists, and for classifying packets for QoS. Entries are evaluated top to bottom, the first match wins, and every access list ends with an implicit deny of anything not explicitly permitted.

There are a number of forms of access lists, including:

  • IPv4
  • IPv6
  • VLAN
  • Standard
  • Extended
  • Named
  • Object-Group
  • Time based
  • Reflexive
  • Dynamic
  • Authentication Proxy
  • Context Based

Standard IP access lists allow you to match against the source address only. Extended access lists allow you to match against both source and destination addresses as well as additional attributes such as the protocol, port numbers, QoS markings (IP precedence or DSCP) and TCP flags (SYN, ACK, RST and so on; the established keyword matches segments with ACK or RST set).

Named access lists allow you to give an access list a logical name to help with maintaining the list. This allows the configuration to document itself to an extent.

Object groups allow you to reduce the complexity of access lists by grouping hosts, networks and services into named objects, so that a single rule can reference the group instead of being repeated for every host in the set.

Dynamic access lists contain entries that the router creates on the fly, as in lock-and-key configurations, as well as in a number of other scenarios.

Context-based access control (CBAC) provides a stateful firewall that inspects traffic initiated from an inside interface and permits the return traffic of those sessions back in through the outside interface.

Time-based access lists allow you to attach a time range to a rule so that it is active only during certain periods of the day or week.

The Doc-CD has a good breakdown of the types of access lists and their configuration.
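The following configuration is an added example that is not taken from the Doc-CD or from the original page. It puts the access list types described above together: a standard numbered list (matching the ACL 1 shown in the verification output below, with an explicit deny added), object groups, a time range, and a named extended list that uses established, a service group and a DSCP match, applied inbound on an interface and reused as a route-map filter. The object group names, the time range, the 203.0.113.10 server address and the interface are assumptions chosen for the example.

```cisco
! Standard numbered ACL: matches on source address only.
! 0.0.0.255 is a wildcard mask (the inverse of a /24 netmask):
! 0 bits must match exactly, 1 bits are "don't care".
access-list 1 permit 192.168.200.0 0.0.0.255
access-list 1 permit 192.168.202.0 0.0.0.255
access-list 1 permit 192.168.203.0 0.0.0.255
! Added so the implicit deny gets a hit counter and a log entry.
access-list 1 deny   any log
!
! Object groups (assumed names): define hosts and services once and
! reference them from several entries instead of repeating the rule.
object-group network INSIDE_HOSTS
 192.168.200.0 255.255.255.0
 host 192.168.202.10
object-group service WEB_SERVICES
 tcp eq www
 tcp eq 443
!
! Time range (assumed): entries that reference it are active only
! during the stated window.
time-range BUSINESS_HOURS
 periodic weekdays 08:00 to 18:00
!
! Named extended ACL: source, destination, protocol, ports, TCP flags
! and QoS markings are all available as match criteria.
ip access-list extended OUTSIDE_IN
 remark Return traffic for sessions opened from inside (ACK or RST set)
 permit tcp any object-group INSIDE_HOSTS established
 remark Inbound web to the public server (assumed address), business hours only
 permit object-group WEB_SERVICES any host 203.0.113.10 time-range BUSINESS_HOURS
 remark Match on a QoS marking
 permit ip any any dscp ef
 remark Explicit deny so the implicit deny is counted and logged
 deny ip any any log
!
! Apply the extended ACL as a packet filter on the outside interface (assumed).
interface GigabitEthernet0/0
 ip access-group OUTSIDE_IN in
!
! The same standard ACL reused for route filtering rather than packet filtering.
route-map FILTER_OUT permit 10
 match ip address 1
```

Two points worth checking before deploying something like this: established only tests flag bits, so it is not stateful and any packet with ACK set passes the first entry (CBAC or a reflexive ACL is needed for real session tracking), and the trailing deny ip any any log line is what makes dropped traffic visible in show ip access-lists and in the log, since the implicit deny has no counter of its own.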

Verification

Show ip access-lists

The show ip access-lists command gives you a breakdown of all configured IPv4 access lists, numbered and named, standard and extended, together with the sequence number and per-entry match counter of each entry. The implicit deny at the end of each list is not displayed and has no counter; add an explicit deny ip any any line if you want dropped traffic to be counted.

R1#sh ip access-lists 
Standard IP access list 1
    10 permit 192.168.200.0, wildcard bits 0.0.0.255 (56324 matches)
    20 permit 192.168.202.0, wildcard bits 0.0.0.255 (1424 matches)
    30 permit 192.168.203.0, wildcard bits 0.0.0.255

Show ipv6 access-list

The show ipv6 access-list command gives you the equivalent breakdown of all configured IPv6 access lists, with the sequence number of each entry shown at the end of the line.

R1#sh ipv6 access-list  
IPv6 access list MATCH_ICMP
    permit icmp any any (2127 matches) sequence 10
    deny ipv6 any any (8879 matches) sequence 40

See Also

  1. Cisco on access lists