Access lists

From Cisco Wiki


Doc CD

12.4T Configuration Guides -> Security, Services, and VPN -> Securing the Data Plane Configuration Guide Library, Cisco IOS Release 12.4T -> Security Configuration Guide: Access Control Lists, Cisco IOS Release 12.4T -> IP Access List Overview


Access lists are a mechanism to permit or deny traffic by matching hosts or packets against a set of criteria. They are used by the IOS firewall, for route filtering in route-maps, and for classifying packets for QoS.

There are a number of forms of access lists, including:

  • IPv4
  • IPv6
  • VLAN
  • Standard
  • Extended
  • Named
  • Object-Group
  • Time based
  • Reflexive
  • Dynamic
  • Authentication Proxy
  • Context Based

Standard IP access lists allow you to match against a source host, and that is all. Extended access lists allow you to match against a source and destination as well as additional attributes such as QoS markings and the TCP flags of the packet (SYN, ACK, etc.).

Named access lists allow you to give an access list a logical name to help with maintaining the list. This allows the configuration to document itself to an extent.

Object groups allow you to reduce the complexity of access lists by grouping sets of rules into logical groups instead of writing the same rule several times for a set of hosts.

Dynamic access lists include those rules dynamically generated by the router in lock and key configurations as well as a number of other scenarios.

Context based access control provides a stateful, dynamic firewall: for traffic initiated from an inside interface, the matching return traffic is allowed back in on the outside interface.

Time based access lists allow you to configure rules to be active during certain periods of the day.

The Doc-CD has a good breakdown of the types of access lists and their configuration.


Show ip access-lists

The show ip access-lists command gives you a breakdown of all non-dynamic IPv4 access lists.

R1#sh ip access-lists 
Standard IP access list 1
    10 permit, wildcard bits (56324 matches)
    20 permit, wildcard bits (1424 matches)
    30 permit, wildcard bits

Show ipv6 access-list

The show ipv6 access-list command gives you a breakdown of all non-dynamic IPv6 access lists.

R1#sh ipv6 access-list  
IPv6 access list MATCH_ICMP
    permit icmp any any (2127 matches) sequence 10
    deny ipv6 any any (8879 matches) sequence 40
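The match counters in the two listings above are what you audit: entries that never match are stale or shadowed, and a growing counter on a deny entry is blocked traffic worth investigating. The parser below is an added example, not code from the wiki or from Cisco; it reads both the IPv4 and IPv6 listing formats shown on this page. The ACL name OUTSIDE_IN and the 192.0.2.10 addresses are constructed for the sample input.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample modelled on the page's "show ip access-lists" / "show ipv6 access-list"
# output. OUTSIDE_IN and 192.0.2.10 are made up for this example; MATCH_ICMP is from the page.
SAMPLE = """\
Extended IP access list OUTSIDE_IN
    10 permit tcp any host 192.0.2.10 eq 443 (4412 matches)
    20 permit tcp any host 192.0.2.10 eq 80
    30 deny ip any any (97 matches)
IPv6 access list MATCH_ICMP
    permit icmp any any (2127 matches) sequence 10
    deny ipv6 any any (8879 matches) sequence 40
"""

HEADER = re.compile(r"^(Standard IP|Extended IP|IPv6) access list (\S+)$")
MATCHES = re.compile(r"\((\d+) matches\)")
SEQ_TAIL = re.compile(r"\s+sequence (\d+)$")   # IPv6 lists put the sequence number last

@dataclass
class Ace:
    acl: str
    seq: int
    action: str
    rule: str
    matches: int

def parse_access_lists(text: str) -> list[Ace]:
    """Turn show-command output into one Ace per access control entry."""
    aces: list[Ace] = []
    acl = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (h := HEADER.match(line)):
            acl = h.group(2)             # a new list header; following lines belong to it
            continue
        if acl is None:
            continue                     # skip anything before the first header
        m = MATCHES.search(line)
        matches = int(m.group(1)) if m else 0   # IOS prints no counter for zero matches
        line = MATCHES.sub("", line).strip()
        if (s := SEQ_TAIL.search(line)):          # IPv6 style: "... sequence 10"
            seq, line = int(s.group(1)), line[:s.start()]
        else:                                     # IPv4 style: "10 permit ..."
            seq_str, _, line = line.partition(" ")
            seq = int(seq_str)
        action, _, rule = line.partition(" ")
        aces.append(Ace(acl, seq, action, rule.strip(), matches))
    return aces

def unused_entries(aces: list[Ace]) -> list[Ace]:
    """Entries with no hits: candidates for cleanup, or shadowed by an earlier entry."""
    return [a for a in aces if a.matches == 0]

def deny_hits(aces: list[Ace]) -> list[Ace]:
    """Deny entries that have matched traffic, i.e. something is being blocked."""
    return [a for a in aces if a.action == "deny" and a.matches > 0]
```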

See Also

  1. Cisco on access lists