Access List

Access lists are security and traffic control mechanisms that filter network traffic based on various criteria including source and destination IP addresses, ports, protocols, and other packet characteristics. They serve as fundamental building blocks for implementing security policies, Quality of Service (QoS), and network access control by permitting or denying traffic that matches specific conditions. Access lists can be applied to interfaces, routing protocols, and various network services to enforce granular traffic filtering and policy enforcement throughout the network infrastructure.

Diagram

Classes

configuration (iosxe.devices)

Name         | Type                | Constraint | Mandatory | Default Value
-------------|---------------------|------------|-----------|--------------
access_lists | Class[access_lists] |            | No        |

access_lists (iosxe.devices.configuration)

Name     | Type           | Constraint | Mandatory | Default Value
---------|----------------|------------|-----------|--------------
standard | List[standard] |            | No        |
extended | List[extended] |            | No        |
as_path  | List[as_path]  |            | No        |

standard (iosxe.devices.configuration.access_lists)

Name    | Type          | Constraint | Mandatory | Default Value
--------|---------------|------------|-----------|--------------
name    | String        |            | Yes       |
entries | List[entries] |            | No        |

extended (iosxe.devices.configuration.access_lists)

Name    | Type          | Constraint | Mandatory | Default Value
--------|---------------|------------|-----------|--------------
name    | String        |            | Yes       |
entries | List[entries] |            | No        |

as_path (iosxe.devices.configuration.access_lists)

Name    | Type          | Constraint       | Mandatory | Default Value
--------|---------------|------------------|-----------|--------------
number  | Integer       | min: 1, max: 500 | Yes       |
entries | List[entries] |                  | No        |

entries (iosxe.devices.configuration.access_lists.standard)

Name        | Type    | Constraint   | Mandatory | Default Value
------------|---------|--------------|-----------|--------------
sequence    | Integer |              | Yes       |
remark      | String  |              | No        |
action      | Choice  | deny, permit | No        |
prefix      | IP      |              | No        |
prefix_mask | IP      |              | No        |
any         | Boolean | true, false  | No        |
host        | IP      |              | No        |
log         | Boolean | true, false  | No        |

entries (iosxe.devices.configuration.access_lists.extended)

Name                 | Type               | Constraint                                                                                                                        | Mandatory | Default Value
---------------------|--------------------|-----------------------------------------------------------------------------------------------------------------------------------|-----------|--------------
sequence             | Integer            |                                                                                                                                   | Yes       |
remark               | String             |                                                                                                                                   | No        |
action               | Choice             | deny, permit                                                                                                                      | No        |
protocol             | Choice             | tcp, udp, icmp, gre, esp, ah, ip, igmp, pim, ospf, eigrp, vrrp, ahp, sctp, ospfigp, l2tp, pim6, rip, igrp, ipinip, ipv6, ipv6-icmp | No        |
service_object_group | String             |                                                                                                                                   | No        |
source               | Class[source]      |                                                                                                                                   | No        |
destination          | Class[destination] |                                                                                                                                   | No        |
ack                  | Boolean            | true, false                                                                                                                       | No        |
fin                  | Boolean            | true, false                                                                                                                       | No        |
psh                  | Boolean            | true, false                                                                                                                       | No        |
rst                  | Boolean            | true, false                                                                                                                       | No        |
syn                  | Boolean            | true, false                                                                                                                       | No        |
urg                  | Boolean            | true, false                                                                                                                       | No        |
established          | Boolean            | true, false                                                                                                                       | No        |
dscp                 | Integer            |                                                                                                                                   | No        |
fragments            | Boolean            | true, false                                                                                                                       | No        |
precedence           | Integer            |                                                                                                                                   | No        |
tos                  | Integer            |                                                                                                                                   | No        |
log                  | Boolean            | true, false                                                                                                                       | No        |
log_input            | Boolean            | true, false                                                                                                                       | No        |

entries (iosxe.devices.configuration.access_lists.as_path)

Name   | Type   | Constraint   | Mandatory | Default Value
-------|--------|--------------|-----------|--------------
action | Choice | permit, deny | Yes       |
regex  | String |              | Yes       |

source (iosxe.devices.configuration.access_lists.extended.entries)

Name            | Type    | Constraint                                          | Mandatory | Default Value
----------------|---------|-----------------------------------------------------|-----------|--------------
prefix          | IP      |                                                     | No        |
prefix_mask     | IP      |                                                     | No        |
any             | Boolean | true, false                                         | No        |
host            | IP      |                                                     | No        |
object_group    | String  |                                                     | No        |
port_type       | Choice  | equal, greater_than, lesser_than, range             | No        |
port            | Any     | Integer or String[Regex: ^.*[\$\%]\{.*$] or String  | No        |
port_range_from | Integer |                                                     | No        |
port_range_to   | Integer |                                                     | No        |

destination (iosxe.devices.configuration.access_lists.extended.entries)

Name            | Type    | Constraint                                          | Mandatory | Default Value
----------------|---------|-----------------------------------------------------|-----------|--------------
prefix          | IP      |                                                     | No        |
prefix_mask     | IP      |                                                     | No        |
any             | Boolean | true, false                                         | No        |
host            | IP      |                                                     | No        |
object_group    | String  |                                                     | No        |
port_type       | Choice  | equal, greater_than, lesser_than, range             | No        |
port            | Any     | Integer or String[Regex: ^.*[\$\%]\{.*$] or String  | No        |
port_range_from | Integer |                                                     | No        |
port_range_to   | Integer |                                                     | No        |

By defining granular rules for traffic filtering, Access Lists enhance network security, control resource access, and ensure efficient network operation. They are crucial for implementing security policies at the network edge and within internal segments.

Access List Parameters:

  • ACL Name (Standard/Extended)
  • Entry Sequence Number
  • Action (Permit/Deny)
  • Source IP Address/Network
  • Source Wildcard Mask
  • Destination IP Address/Network (Extended ACLs)
  • Destination Wildcard Mask (Extended ACLs)
  • Protocol (Extended ACLs)
  • Port Numbers (Extended ACLs)

You can use these Access List parameters to define precise traffic filtering rules for your network devices. Customize the type, entries, and matching criteria to fit your network’s security and operational needs. Adjusting these parameters lets you tailor access control for your environment.

Sample Configuration:

The following configuration shows how Standard and Extended IP Access Lists are set up on an IOS-XE device, with entries that permit or deny traffic based on the matching criteria described above.

ip access-list standard StandardAccessList1
10 permit 10.0.0.0 0.0.0.255
20 permit 20.0.0.0 0.0.0.255
!
ip access-list extended ExtendedAccessList1
10 permit ip any any
20 deny ip any any

Example Code:

iosxe:
  devices:
    - name: Device1
      configuration:
        access_lists:
          standard:
            - name: StandardAccessList1
              entries:
                - sequence: 10
                  action: permit
                  prefix: 10.0.0.0
                  prefix_mask: 0.0.0.255
                - sequence: 20
                  action: permit
                  prefix: 20.0.0.0
                  prefix_mask: 0.0.0.255
          extended:
            - name: ExtendedAccessList1
              entries:
                - sequence: 10
                  action: permit
                  protocol: ip
                  source:
                    any: true
                  destination:
                    any: true
                - sequence: 20
                  action: deny
                  protocol: ip
                  source:
                    any: true
                  destination:
                    any: true
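As an added example (not code from this page or from the project's own rendering templates), the following Python renderer turns the access_lists data model above into the IOS-XE CLI shown in the sample configuration. The `eq`/`gt`/`lt`/`range`, `host`, `any`, `established` and `log` keywords are standard IOS-XE ACL syntax; the exact way the project maps schema fields to them is an assumption made here.

```python
# Added example (not the project's own template): renders the access_lists
# model documented above into IOS-XE CLI; the project's exact keyword mapping is assumed.
PORT_OPERATORS = {"equal": "eq", "greater_than": "gt", "lesser_than": "lt"}
FLAGS = ("established", "ack", "fin", "psh", "rst", "syn", "urg", "fragments", "log", "log_input")

def render_address(side: dict) -> str:
    """Map a source/destination block (or a standard entry) to CLI address syntax."""
    if side.get("any"):
        addr = "any"
    elif "host" in side:
        addr = f"host {side['host']}"
    else:  # prefix plus wildcard mask, as in the page's standard ACL example
        addr = f"{side['prefix']} {side['prefix_mask']}"
    port_type = side.get("port_type")
    if port_type == "range":
        addr += f" range {side['port_range_from']} {side['port_range_to']}"
    elif port_type:
        addr += f" {PORT_OPERATORS[port_type]} {side['port']}"
    return addr

def render_entry(entry: dict, extended: bool) -> str:
    """One ACE: a remark is emitted verbatim, otherwise action plus match criteria."""
    if "remark" in entry:
        return f"{entry['sequence']} remark {entry['remark']}"
    parts = [str(entry["sequence"]), entry["action"]]
    if extended:
        parts += [entry["protocol"], render_address(entry["source"]), render_address(entry["destination"])]
        parts += [f.replace("_", "-") for f in FLAGS if entry.get(f)]  # true booleans -> trailing keywords
    else:
        parts.append(render_address(entry))
    return " ".join(parts)

def render_access_lists(model: dict) -> str:
    """Render every standard and extended ACL, separated by '!' as on this page."""
    blocks = []
    for kind in ("standard", "extended"):
        for acl in model.get(kind, []):
            lines = [f"ip access-list {kind} {acl['name']}"]
            lines += [render_entry(e, kind == "extended") for e in acl.get("entries", [])]
            blocks.append("\n".join(lines))
    return "\n!\n".join(blocks)

PAGE_MODEL = {  # constructed input: this page's YAML example as the equivalent dict
    "standard": [{"name": "StandardAccessList1", "entries": [
        {"sequence": 10, "action": "permit", "prefix": "10.0.0.0", "prefix_mask": "0.0.0.255"},
        {"sequence": 20, "action": "permit", "prefix": "20.0.0.0", "prefix_mask": "0.0.0.255"}]}],
    "extended": [{"name": "ExtendedAccessList1", "entries": [
        {"sequence": 10, "action": "permit", "protocol": "ip", "source": {"any": True}, "destination": {"any": True}},
        {"sequence": 20, "action": "deny", "protocol": "ip", "source": {"any": True}, "destination": {"any": True}}]}],
}
```

Because entry 10 of ExtendedAccessList1 permits `ip any any`, entry 20 can never match; an explicit trailing deny is still worth keeping because, unlike the implicit deny, it shows hit counters and can carry `log` for visibility into dropped traffic.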