Access List
Access lists are security and traffic control mechanisms that filter network traffic based on various criteria including source and destination IP addresses, ports, protocols, and other packet characteristics. They serve as fundamental building blocks for implementing security policies, Quality of Service (QoS), and network access control by permitting or denying traffic that matches specific conditions. Access lists can be applied to interfaces, routing protocols, and various network services to enforce granular traffic filtering and policy enforcement throughout the network infrastructure.
Diagram
Section titled “Diagram”
Classes
Section titled “Classes”configuration (iosxe.devices)
Section titled “configuration (iosxe.devices)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| access_lists | Class | [access_lists] | No |
access_lists (iosxe.devices.configuration)
Section titled “access_lists (iosxe.devices.configuration)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| standard | List | [standard] | No | |
| extended | List | [extended] | No | |
| role_based | List | [role_based] | No | |
| as_path | List | [as_path] | No |
standard (iosxe.devices.configuration.access_lists)
Section titled “standard (iosxe.devices.configuration.access_lists)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Yes | ||
| entries | List | [entries] | No |
extended (iosxe.devices.configuration.access_lists)
Section titled “extended (iosxe.devices.configuration.access_lists)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Yes | ||
| entries | List | [entries] | No |
role_based (iosxe.devices.configuration.access_lists)
Section titled “role_based (iosxe.devices.configuration.access_lists)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Yes | ||
| entries | List | [entries] | No |
as_path (iosxe.devices.configuration.access_lists)
Section titled “as_path (iosxe.devices.configuration.access_lists)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| number | Integer | min: 1, max: 500 | Yes | |
| entries | List | [entries] | No |
entries (iosxe.devices.configuration.access_lists.standard)
Section titled “entries (iosxe.devices.configuration.access_lists.standard)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| sequence | Integer | Yes | ||
| remark | String | No | ||
| action | Choice | deny, permit | No | |
| prefix | IP | No | ||
| prefix_mask | IP | No | ||
| any | Boolean | true, false | No | |
| host | IP | No | ||
| log | Boolean | true, false | No |
entries (iosxe.devices.configuration.access_lists.extended)
Section titled “entries (iosxe.devices.configuration.access_lists.extended)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| sequence | Integer | Yes | ||
| remark | String | No | ||
| action | Choice | deny, permit | No | |
| protocol | Any | Choice[ahp, eigrp, esp, gre, icmp, igmp, ip, ipinip, nos, object-group, ospf, pcp, pim, tcp, udp] or Integer[min: 0, max: 255] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| service_object_group | String | No | ||
| source | Class | [source] | No | |
| destination | Class | [destination] | No | |
| tcp_flags | Any | List[Choice[ack, fin, psh, rst, syn, urg]] | No | |
| established | Boolean | true, false | No | |
| fragments | Boolean | true, false | No | |
| dscp | Any | Choice[af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, default, dscp, ef, precedence] or Integer[min: 0, max: 63] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| precedence | Any | Choice[critical, flash, flash-override, immediate, internet, network, priority, routine] or Integer[min: 0, max: 7] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| tos | Any | Choice[max-reliability, max-throughput, min-delay, min-monetary-cost, normal] or Integer[min: 0, max: 15] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| icmp_message_type | Any | String or Integer[min: 0, max: 255] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| icmp_message_code | Integer | min: 0, max: 255 | No | |
| log | Boolean | true, false | No | |
| log_input | Boolean | true, false | No |
entries (iosxe.devices.configuration.access_lists.role_based)
Section titled “entries (iosxe.devices.configuration.access_lists.role_based)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| sequence | Integer | min: 1, max: 2147483647 | Yes | |
| remark | String | No | ||
| action | Choice | deny, permit | No | |
| protocol | Any | Choice[ahp, eigrp, esp, gre, icmp, igmp, ip, ipinip, nos, object-group, ospf, pcp, pim, tcp, udp] or Integer[min: 0, max: 255] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| tcp_flags | Any | List[Choice[ack, fin, psh, rst, syn, urg]] | No | |
| established | Boolean | true, false | No | |
| fragments | Boolean | true, false | No | |
| dscp | Any | Choice[af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, default, dscp, ef, precedence] or Integer[min: 0, max: 63] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| precedence | Any | Choice[critical, flash, flash-override, immediate, internet, network, priority, routine] or Integer[min: 0, max: 7] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| tos | Any | Choice[max-reliability, max-throughput, min-delay, min-monetary-cost, normal] or Integer[min: 0, max: 15] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| option | Any | Choice[add-ext, any-options, com-security, dps, encode, eool, ext-ip, ext-security, finn, imitd, lsr, mtup, mtur, no-op, nsapa, record-route, router-alert, sdb, security, ssr, stream-id, timestamp, traceroute, ump, visa, zsu] or Integer[min: 0, max: 255] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| time_range | String | No | ||
| log | Boolean | true, false | No | |
| log_input | Boolean | true, false | No | |
| match_all | List | Choice[+ack, +fin, +psh, +rst, +syn, +urg, -ack, -fin, -psh, -rst, -syn, -urg] | No | |
| match_any | List | Choice[+ack, +fin, +psh, +rst, +syn, +urg, -ack, -fin, -psh, -rst, -syn, -urg] | No |
entries (iosxe.devices.configuration.access_lists.as_path)
Section titled “entries (iosxe.devices.configuration.access_lists.as_path)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| action | Choice | permit, deny | Yes | |
| regex | String | Yes |
source (iosxe.devices.configuration.access_lists.extended.entries)
Section titled “source (iosxe.devices.configuration.access_lists.extended.entries)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| prefix | IP | No | ||
| prefix_mask | IP | No | ||
| any | Boolean | true, false | No | |
| host | IP | No | ||
| object_group | String | No | ||
| port_type | Choice | equal, greater_than, lesser_than, range | No | |
| port | Any | Integer or String[Regex: ^.*[\$\%]\{.*$] or String | No | |
| port_range_from | Integer | No | ||
| port_range_to | Integer | No |
destination (iosxe.devices.configuration.access_lists.extended.entries)
Section titled “destination (iosxe.devices.configuration.access_lists.extended.entries)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| prefix | IP | No | ||
| prefix_mask | IP | No | ||
| any | Boolean | true, false | No | |
| host | IP | No | ||
| object_group | String | No | ||
| port_type | Choice | equal, greater_than, lesser_than, range | No | |
| port | Any | Integer or String[Regex: ^.*[\$\%]\{.*$] or String | No | |
| additional_equal_ports | List | Integer | No | |
| port_range_from | Integer | No | ||
| port_range_to | Integer | No |
By defining granular rules for traffic filtering, Access Lists enhance network security, control resource access, and ensure efficient network operation. They are crucial for implementing security policies at the network edge and within internal segments.
Access List Parameters:
Section titled “Access List Parameters:”- ACL Name (Standard/Extended)
- Entry Sequence Number
- Action (Permit/Deny)
- Source IP Address/Network
- Source Wildcard Mask
- Destination IP Address/Network (Extended ACLs)
- Destination Wildcard Mask (Extended ACLs)
- Protocol (Extended ACLs)
- Port Numbers (Extended ACLs)
You can use these Access List parameters to define precise traffic filtering rules for your network devices. Customize the type, entries, and matching criteria to fit your network’s security and operational needs. Adjusting these parameters lets you tailor access control for your environment.
Sample Configuration:
Section titled “Sample Configuration:”The following configuration describes how to set up Standard and Extended IP Access Lists on an IOS-XE device. It lists how to define rules for permitting and denying traffic based on various criteria.
ip access-list standard StandardAccessList1 10 permit 10.0.0.0 0.0.0.255 20 permit 20.0.0.0 0.0.0.255!ip access-list extended ExtendedAccessList1 10 permit ip any any 20 deny ip any anyExample Code:
Section titled “Example Code:”iosxe: devices: - name: Device1 configuration: access_lists: standard: - name: StandardAccessList1 entries: - sequence: 10 action: permit prefix: 10.0.0.0 prefix_mask: 0.0.0.255 - sequence: 20 action: permit prefix: 20.0.0.0 prefix_mask: 0.0.0.255 extended: - name: ExtendedAccessList1 entries: - sequence: 10 action: permit protocol: ip source: any: true destination: any: true - sequence: 20 action: deny protocol: tcp tcp_flags: [syn, ack] source: any: true destination: any: true