Access List

Access lists are security and traffic control mechanisms that filter network traffic based on various criteria including source and destination IP addresses, ports, protocols, and other packet characteristics. They serve as fundamental building blocks for implementing security policies, Quality of Service (QoS), and network access control by permitting or denying traffic that matches specific conditions. Access lists can be applied to interfaces, routing protocols, and various network services to enforce granular traffic filtering and policy enforcement throughout the network infrastructure.

Diagram

Classes

configuration (iosxe.devices)

Name	Type	Constraint	Mandatory	Default Value
access_lists	Class	`[access_lists]`	No

access_lists (iosxe.devices.configuration)

Name	Type	Constraint	Mandatory
standard	List	`[standard]`	No
extended	List	`[extended]`	No
as_path	List	`[as_path]`	No

standard (iosxe.devices.configuration.access_lists)

Name	Type	Constraint	Mandatory	Default Value
name	String		Yes
entries	List	`[entries]`	No

extended (iosxe.devices.configuration.access_lists)

Name	Type	Constraint	Mandatory	Default Value
name	String		Yes
entries	List	`[entries]`	No

as_path (iosxe.devices.configuration.access_lists)

Name	Type	Constraint	Mandatory	Default Value
number	Integer	min: `1`, max: `500`	Yes
entries	List	`[entries]`	No

entries (iosxe.devices.configuration.access_lists.standard)

Name	Type	Constraint	Mandatory
sequence	Integer		Yes
remark	String		No
action	Choice	`deny`, `permit`	No
prefix	IP		No
prefix_mask	IP		No
any	Boolean	`true`, `false`	No
host	IP		No
log	Boolean	`true`, `false`	No

entries (iosxe.devices.configuration.access_lists.extended)

Name	Type	Constraint	Mandatory
sequence	Integer		Yes
remark	String		No
action	Choice	`deny`, `permit`	No
protocol	Choice	`tcp`, `udp`, `icmp`, `gre`, `esp`, `ah`, `ip`, `igmp`, `pim`, `ospf`, `eigrp`, `vrrp`, `ahp`, `sctp`, `ospfigp`, `l2tp`, `pim6`, `rip`, `igrp`, `ipinip`, `ipv6`, `ipv6-icmp`	No
service_object_group	String		No
source	Class	`[source]`	No
destination	Class	`[destination]`	No
ack	Boolean	`true`, `false`	No
fin	Boolean	`true`, `false`	No
psh	Boolean	`true`, `false`	No
rst	Boolean	`true`, `false`	No
syn	Boolean	`true`, `false`	No
urg	Boolean	`true`, `false`	No
established	Boolean	`true`, `false`	No
dscp	Integer		No
fragments	Boolean	`true`, `false`	No
precedence	Integer		No
tos	Integer		No
log	Boolean	`true`, `false`	No
log_input	Boolean	`true`, `false`	No

entries (iosxe.devices.configuration.access_lists.as_path)

Name	Type	Constraint	Mandatory	Default Value
action	Choice	`permit`, `deny`	Yes
regex	String		Yes

source (iosxe.devices.configuration.access_lists.extended.entries)

Name	Type	Constraint	Mandatory
prefix	IP		No
prefix_mask	IP		No
any	Boolean	`true`, `false`	No
host	IP		No
object_group	String		No
port_type	Choice	`equal`, `greater_than`, `lesser_than`, `range`	No
port	Any	Integer or String[Regex: `^.[\$\%]\{.$`] or String	No
port_range_from	Integer		No
port_range_to	Integer		No

destination (iosxe.devices.configuration.access_lists.extended.entries)

Name	Type	Constraint	Mandatory
prefix	IP		No
prefix_mask	IP		No
any	Boolean	`true`, `false`	No
host	IP		No
object_group	String		No
port_type	Choice	`equal`, `greater_than`, `lesser_than`, `range`	No
port	Any	Integer or String[Regex: `^.[\$\%]\{.$`] or String	No
port_range_from	Integer		No
port_range_to	Integer		No

By defining granular rules for traffic filtering, Access Lists enhance network security, control resource access, and ensure efficient network operation. They are crucial for implementing security policies at the network edge and within internal segments.

Access List Parameters:

ACL Name (Standard/Extended)
Entry Sequence Number
Action (Permit/Deny)
Source IP Address/Network
Source Wildcard Mask
Destination IP Address/Network (Extended ACLs)
Destination Wildcard Mask (Extended ACLs)
Protocol (Extended ACLs)
Port Numbers (Extended ACLs)

You can use these Access List parameters to define precise traffic filtering rules for your network devices. Customize the type, entries, and matching criteria to fit your network’s security and operational needs. Adjusting these parameters lets you tailor access control for your environment.

Sample Configuration:

The following configuration describes how to set up Standard and Extended IP Access Lists on an IOS-XE device. It lists how to define rules for permitting and denying traffic based on various criteria.

ip access-list standard StandardAccessList1
 10 permit 10.0.0.0 0.0.0.255
 20 permit 20.0.0.0 0.0.0.255
!
ip access-list extended ExtendedAccessList1
 10 permit ip any any
 20 deny ip any any

Example Code:

iosxe:
  devices:
    - name: Device1
      configuration:
        access_lists:
          standard:
            - name: StandardAccessList1
              entries:
                - sequence: 10
                  action: permit
                  prefix: 10.0.0.0
                  prefix_mask: 0.0.0.255
                - sequence: 20
                  action: permit
                  prefix: 20.0.0.0
                  prefix_mask: 0.0.0.255
          extended:
            - name: ExtendedAccessList1
              entries:
                - sequence: 10
                  action: permit
                  protocol: ip
                  source:
                    any: true
                  destination:
                    any: true
                - sequence: 20
                  action: deny
                  protocol: ip
                  source:
                    any: true
                  destination:
                    any: true