Access List
Access lists are security and traffic control mechanisms that filter network traffic based on various criteria including source and destination IP addresses, ports, protocols, and other packet characteristics. They serve as fundamental building blocks for implementing security policies, Quality of Service (QoS), and network access control by permitting or denying traffic that matches specific conditions. Access lists can be applied to interfaces, routing protocols, and various network services to enforce granular traffic filtering and policy enforcement throughout the network infrastructure.
Diagram
Classes

configuration (iosxe.devices)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| access_lists | Class | [access_lists] | No | |

access_lists (iosxe.devices.configuration)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| standard | List | [standard] | No | |
| extended | List | [extended] | No | |
| role_based | List | [role_based] | No | |
| as_path | List | [as_path] | No | |

standard (iosxe.devices.configuration.access_lists)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | | Yes | |
| entries | List | [entries] | No | |

extended (iosxe.devices.configuration.access_lists)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | | Yes | |
| entries | List | [entries] | No | |

role_based (iosxe.devices.configuration.access_lists)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | | Yes | |
| entries | List | [entries] | No | |

as_path (iosxe.devices.configuration.access_lists)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| number | Integer | min: 1, max: 500 | Yes | |
| entries | List | [entries] | No | |
entries (iosxe.devices.configuration.access_lists.standard)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| sequence | Integer | | Yes | |
| remark | String | | No | |
| action | Choice | deny, permit | No | |
| prefix | IP | | No | |
| prefix_mask | IP | | No | |
| any | Boolean | true, false | No | |
| host | IP | | No | |
| log | Boolean | true, false | No | |

entries (iosxe.devices.configuration.access_lists.extended)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| sequence | Integer | | Yes | |
| remark | String | | No | |
| action | Choice | deny, permit | No | |
| protocol | Any | Choice[ahp, eigrp, esp, gre, icmp, igmp, ip, ipinip, nos, object-group, ospf, pcp, pim, tcp, udp] or Integer[min: 0, max: 255] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| service_object_group | String | | No | |
| source | Class | [source] | No | |
| destination | Class | [destination] | No | |
| tcp_flags | Any | List[Choice[ack, fin, psh, rst, syn, urg]] | No | |
| established | Boolean | true, false | No | |
| fragments | Boolean | true, false | No | |
| dscp | Any | Choice[af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, default, dscp, ef, precedence] or Integer[min: 0, max: 63] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| precedence | Any | Choice[critical, flash, flash-override, immediate, internet, network, priority, routine] or Integer[min: 0, max: 7] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| tos | Any | Choice[max-reliability, max-throughput, min-delay, min-monetary-cost, normal] or Integer[min: 0, max: 15] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| icmp_message_type | Any | String or Integer[min: 0, max: 255] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| icmp_message_code | Integer | min: 0, max: 255 | No | |
| log | Boolean | true, false | No | |
| log_input | Boolean | true, false | No | |

entries (iosxe.devices.configuration.access_lists.role_based)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| sequence | Integer | min: 1, max: 2147483647 | Yes | |
| remark | String | | No | |
| action | Choice | deny, permit | No | |
| protocol | Any | Choice[ahp, eigrp, esp, gre, icmp, igmp, ip, ipinip, nos, object-group, ospf, pcp, pim, tcp, udp] or Integer[min: 0, max: 255] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| tcp_flags | Any | List[Choice[ack, fin, psh, rst, syn, urg]] | No | |
| established | Boolean | true, false | No | |
| fragments | Boolean | true, false | No | |
| dscp | Any | Choice[af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, default, dscp, ef, precedence] or Integer[min: 0, max: 63] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| precedence | Any | Choice[critical, flash, flash-override, immediate, internet, network, priority, routine] or Integer[min: 0, max: 7] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| tos | Any | Choice[max-reliability, max-throughput, min-delay, min-monetary-cost, normal] or Integer[min: 0, max: 15] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| option | Any | Choice[add-ext, any-options, com-security, dps, encode, eool, ext-ip, ext-security, finn, imitd, lsr, mtup, mtur, no-op, nsapa, record-route, router-alert, sdb, security, ssr, stream-id, timestamp, traceroute, ump, visa, zsu] or Integer[min: 0, max: 255] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| time_range | String | | No | |
| log | Boolean | true, false | No | |
| log_input | Boolean | true, false | No | |
| match_all | List | Choice[+ack, +fin, +psh, +rst, +syn, +urg, -ack, -fin, -psh, -rst, -syn, -urg] | No | |
| match_any | List | Choice[+ack, +fin, +psh, +rst, +syn, +urg, -ack, -fin, -psh, -rst, -syn, -urg] | No | |

entries (iosxe.devices.configuration.access_lists.as_path)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| action | Choice | permit, deny | Yes | |
| regex | String | | Yes | |
source (iosxe.devices.configuration.access_lists.extended.entries)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| prefix | IP | | No | |
| prefix_mask | IP | | No | |
| any | Boolean | true, false | No | |
| host | IP | | No | |
| object_group | String | | No | |
| port_type | Choice | equal, greater_than, lesser_than, range | No | |
| port | Any | Integer or String[Regex: ^.*[\$\%]\{.*$] or String | No | |
| port_range_from | Integer | | No | |
| port_range_to | Integer | | No | |

destination (iosxe.devices.configuration.access_lists.extended.entries)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| prefix | IP | | No | |
| prefix_mask | IP | | No | |
| any | Boolean | true, false | No | |
| host | IP | | No | |
| object_group | String | | No | |
| port_type | Choice | equal, greater_than, lesser_than, range | No | |
| port | Any | Integer or String[Regex: ^.*[\$\%]\{.*$] or String | No | |
| additional_equal_ports | List | Integer | No | |
| port_range_from | Integer | | No | |
| port_range_to | Integer | | No | |
By defining granular rules for traffic filtering, Access Lists enhance network security, control resource access, and ensure efficient network operation. They are crucial for implementing security policies at the network edge and within internal segments.
Access List Parameters:

- ACL Name (Standard/Extended): `name`
- Entry Sequence Number: `sequence`
- Action (Permit/Deny): `action`
- Source IP Address/Network: `prefix` (or `host` for a single address, `any` for all sources); on extended entries these sit under `source`
- Source Wildcard Mask: `prefix_mask`. This is an IOS wildcard mask, in which 0 bits must match and 1 bits are ignored, not a subnet mask: `10.0.0.0 0.0.0.255` matches 10.0.0.0/24
- Destination IP Address/Network (Extended ACLs): `destination.prefix`, `destination.host` or `destination.any`
- Destination Wildcard Mask (Extended ACLs): `destination.prefix_mask`
- Protocol (Extended ACLs): `protocol`
- Port Numbers (Extended ACLs): `port_type` together with `port`, `port_range_from`/`port_range_to` or `additional_equal_ports` under `source` or `destination`
You can use these Access List parameters to define precise traffic filtering rules for your network devices. Customize the type, entries, and matching criteria to fit your network’s security and operational needs. Adjusting these parameters lets you tailor access control for your environment.
Guidelines and Limitations

Port Attribute Dependencies:

- When defining port-specific attributes on extended ACL entries, the `port_type` attribute must be explicitly defined with an appropriate value:
  - If using `port_range_from` or `port_range_to`, `port_type` must be set to `range`
  - If using `port`, `port_type` must be set to one of: `equal`, `greater_than`, or `lesser_than`
  - If using `additional_equal_ports` (destination only), `port_type` must be set to `equal`
- This requirement applies to both source and destination port configurations
- Failure to define `port_type` when using port attributes will result in validation errors
Sample Configuration:

The following configuration shows how to set up Standard and Extended IP Access Lists on an IOS-XE device, first in CLI form and then as the corresponding YAML. It defines rules that permit and deny traffic based on various criteria, including port-based filtering. Note that IOS-XE evaluates an access list in ascending sequence order and acts on the first matching entry, with an implicit deny at the end; in ExtendedAccessList1 the `permit ip any any` at sequence 10 therefore matches every packet and entries 20 through 60 are never reached. The list is a syntax sample for the `port_type` variants: in a production policy, place the specific deny entries before any broad permit and close the list with an explicit `deny ip any any log` so that rejected traffic is visible.

```
ip access-list standard StandardAccessList1
 10 permit 10.0.0.0 0.0.0.255
 20 permit 20.0.0.0 0.0.0.255
!
ip access-list extended ExtendedAccessList1
 10 permit ip any any
 20 deny tcp any any syn ack
 30 deny tcp any any eq 80
 40 permit tcp any range 8000 8080 any
 50 deny tcp any any gt 1024
 60 permit tcp any any eq 443 www 8443
```

Example Code:

```yaml
iosxe:
  devices:
    - name: Device1
      configuration:
        access_lists:
          standard:
            - name: StandardAccessList1
              entries:
                - sequence: 10
                  action: permit
                  prefix: 10.0.0.0
                  prefix_mask: 0.0.0.255
                - sequence: 20
                  action: permit
                  prefix: 20.0.0.0
                  prefix_mask: 0.0.0.255
          extended:
            - name: ExtendedAccessList1
              entries:
                # Basic permit all IP traffic (matches everything; later entries are unreachable)
                - sequence: 10
                  action: permit
                  protocol: ip
                  source:
                    any: true
                  destination:
                    any: true
                # Deny TCP traffic with SYN and ACK flags set
                - sequence: 20
                  action: deny
                  protocol: tcp
                  tcp_flags: [syn, ack]
                  source:
                    any: true
                  destination:
                    any: true
                # Deny HTTP traffic (destination port 80) - demonstrates 'equal' port_type
                - sequence: 30
                  action: deny
                  protocol: tcp
                  source:
                    any: true
                  destination:
                    any: true
                    port_type: equal
                    port: 80
                # Permit traffic from source ports 8000-8080 - demonstrates 'range' port_type
                - sequence: 40
                  action: permit
                  protocol: tcp
                  source:
                    any: true
                    port_type: range
                    port_range_from: 8000
                    port_range_to: 8080
                  destination:
                    any: true
                # Deny traffic to destination ports greater than 1024 - demonstrates 'greater_than' port_type
                - sequence: 50
                  action: deny
                  protocol: tcp
                  source:
                    any: true
                  destination:
                    any: true
                    port_type: greater_than
                    port: 1024
                # Permit HTTPS (443), HTTP (80) and 8443 - demonstrates multiple equal ports
                - sequence: 60
                  action: permit
                  protocol: tcp
                  source:
                    any: true
                  destination:
                    any: true
                    port_type: equal
                    port: 443
                    additional_equal_ports: [80, 8443]
```
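Both the `port_type` dependency rule from Guidelines and Limitations and the first-match ordering problem in the sample ExtendedAccessList1 can be checked offline, before the configuration is rendered to a device. The following Python lint is an added example and not part of the project's tooling or of this page's own code; the function names and the sample ACLs are this example's own (constructed input, not real device state), but the entry dicts use exactly the keys of the YAML model documented above.

```python
"""Offline lint for extended ACL entries written in the YAML data model on this page.

Added example, not part of the project's tooling. It reimplements two checks:
  1. the documented port_type dependency rule (Guidelines and Limitations), and
  2. a first-match shadowing check: IOS-XE evaluates an ACL in ascending sequence
     order and acts on the first matching entry, so an entry that matches all IP
     traffic makes every later entry unreachable.
Entry dicts use the keys of the YAML model; the sample data below is constructed.
"""

PORT_FIELDS = ("port", "port_range_from", "port_range_to", "additional_equal_ports")
QUALIFIERS = ("tcp_flags", "established", "fragments", "dscp", "precedence",
              "tos", "icmp_message_type", "icmp_message_code")


def check_port_type(endpoint: dict, which: str, seq: int) -> list:
    """Apply the port_type dependency rule to one source or destination block."""
    if not any(k in endpoint for k in PORT_FIELDS):
        return []  # no port attributes, so the rule does not apply
    port_type = endpoint.get("port_type")
    if port_type is None:
        return [f"seq {seq} {which}: port attributes present but port_type is not set"]
    errors = []
    if ("port_range_from" in endpoint or "port_range_to" in endpoint) and port_type != "range":
        errors.append(f"seq {seq} {which}: port_range_from/port_range_to require port_type: range")
    if "port" in endpoint and port_type not in ("equal", "greater_than", "lesser_than"):
        errors.append(f"seq {seq} {which}: port requires port_type equal, greater_than or lesser_than")
    if "additional_equal_ports" in endpoint:
        if which != "destination":
            errors.append(f"seq {seq} {which}: additional_equal_ports is only valid on destination")
        elif port_type != "equal":
            errors.append(f"seq {seq} {which}: additional_equal_ports requires port_type: equal")
    return errors


def matches_all_ip(entry: dict) -> bool:
    """True for an unqualified 'permit|deny ip any any' entry, which matches every packet."""
    if entry.get("protocol") != "ip" or any(k in entry for k in QUALIFIERS):
        return False
    for side in ("source", "destination"):
        ep = entry.get(side, {})
        if not ep.get("any") or any(k in ep for k in PORT_FIELDS):
            return False
    return True


def lint_extended(acl: dict) -> list:
    """Lint one extended ACL dict shaped like the YAML model: {name, entries: [...]}."""
    findings = []
    catch_all = None  # first entry seen that matches all IP traffic
    for entry in sorted(acl.get("entries", []), key=lambda e: e["sequence"]):
        seq = entry["sequence"]
        if "action" not in entry:
            continue  # remark-only entry, nothing is matched
        for side in ("source", "destination"):
            if side in entry:
                findings.extend(check_port_type(entry[side], side, seq))
        if catch_all is not None:
            findings.append(f"seq {seq}: unreachable, shadowed by "
                            f"'{catch_all['action']} ip any any' at seq {catch_all['sequence']}")
        elif matches_all_ip(entry):
            catch_all = entry
    return findings


# Constructed sample: ExtendedAccessList1 from this page as the model would load it.
PAGE_SAMPLE_ACL = {
    "name": "ExtendedAccessList1",
    "entries": [
        {"sequence": 10, "action": "permit", "protocol": "ip",
         "source": {"any": True}, "destination": {"any": True}},
        {"sequence": 20, "action": "deny", "protocol": "tcp", "tcp_flags": ["syn", "ack"],
         "source": {"any": True}, "destination": {"any": True}},
        {"sequence": 30, "action": "deny", "protocol": "tcp", "source": {"any": True},
         "destination": {"any": True, "port_type": "equal", "port": 80}},
        {"sequence": 40, "action": "permit", "protocol": "tcp",
         "source": {"any": True, "port_type": "range", "port_range_from": 8000, "port_range_to": 8080},
         "destination": {"any": True}},
        {"sequence": 50, "action": "deny", "protocol": "tcp", "source": {"any": True},
         "destination": {"any": True, "port_type": "greater_than", "port": 1024}},
        {"sequence": 60, "action": "permit", "protocol": "tcp", "source": {"any": True},
         "destination": {"any": True, "port_type": "equal", "port": 443,
                         "additional_equal_ports": [80, 8443]}},
    ],
}

# Constructed sample that violates each port_type dependency once and ends with an
# explicit logged catch-all deny, which is the correct place for one.
BROKEN_ACL = {
    "name": "BrokenAcl",
    "entries": [
        {"sequence": 10, "action": "deny", "protocol": "tcp", "source": {"any": True},
         "destination": {"any": True, "port": 22}},  # port_type missing
        {"sequence": 20, "action": "permit", "protocol": "tcp",
         "source": {"any": True, "port_type": "equal", "port_range_from": 8000, "port_range_to": 8080},
         "destination": {"any": True}},  # a range needs port_type: range
        {"sequence": 30, "action": "permit", "protocol": "tcp",
         "source": {"any": True, "port_type": "equal", "port": 443, "additional_equal_ports": [8443]},
         "destination": {"any": True}},  # additional_equal_ports is destination only
        {"sequence": 40, "action": "permit", "protocol": "tcp", "source": {"any": True},
         "destination": {"any": True, "port_type": "range", "port": 53}},  # port needs equal/gt/lt
        {"sequence": 50, "action": "deny", "protocol": "ip", "log": True,
         "source": {"any": True}, "destination": {"any": True}},
    ],
}


if __name__ == "__main__":
    for acl in (PAGE_SAMPLE_ACL, BROKEN_ACL):
        print(acl["name"])
        for finding in lint_extended(acl):
            print("  " + finding)
```

Run against the page's own sample, the lint reports entries 20 through 60 as shadowed by the `permit ip any any` at sequence 10 and no `port_type` errors; against the constructed BrokenAcl it reports one dependency violation per entry 10 through 40 and accepts the trailing `deny ip any any` because nothing follows it. The shadow check is deliberately narrow (it only recognises an unqualified any/any IP entry); a full reachability analysis would have to compare address ranges and port predicates between every pair of entries.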