Document ID: 23602
Introduction
Prerequisites
Requirements
Components Used
Conventions
ACL Concepts
Masks
ACL Summarization
Process ACLs
Define Ports and Message Types
Apply ACLs
Define In, Out, Inbound, Outbound, Source, and Destination
Edit ACLs
Troubleshoot
Types of IP ACLs
Network Diagram
Standard ACLs
Extended ACLs
Lock and Key (Dynamic ACLs)
IP Named ACLs
Reflexive ACLs
Time-Based ACLs Using Time Ranges
Commented IP ACL Entries
Context-Based Access Control
Authentication Proxy
Turbo ACLs
Distributed Time-Based ACLs
Receive ACLs
Infrastructure Protection ACLs
Transit ACLs
Related Information
This document describes how IP access control lists (ACLs) can filter network traffic. It also contains brief descriptions of the IP ACL types, feature availability, and an example of use in a network. Access the Software Advisor (registered customers only) tool in order to determine the support of some of the more advanced Cisco IOS® IP ACL features. RFC 1700 contains assigned numbers of well-known ports. RFC 1918 contains address allocation for private Internets, IP addresses which should not normally be seen on the Internet.

Note: ACLs might also be used for purposes other than to filter IP traffic, for example, to define traffic to Network Address Translate (NAT) or encrypt, or to filter non-IP protocols such as AppleTalk or IPX. A discussion of these functions is outside the scope of this document.
There are no specific prerequisites for this document. The concepts discussed are present in Cisco IOS® Software Releases 8.3 or later. This is noted under each access list feature.
This document discusses various types of ACLs. Some of these have been present since Cisco IOS Software Release 8.3 and others were introduced in later software releases. This is noted in the discussion of each type. The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
This section describes ACL concepts.
Masks are used with IP addresses in IP ACLs to specify what should be permitted and denied. Masks used to configure IP addresses on interfaces start with 255 and have the large values on the left side, for example, IP address 126.96.36.199 with a 255.255.255.224 mask. Masks for IP ACLs are the reverse, for example, mask 0.0.0.255. This is sometimes called an inverse mask or a wildcard mask. When the value of the mask is broken down into binary (0s and 1s), the result determines which address bits are to be considered when the traffic is processed. A 0 in the mask indicates that the corresponding address bit must be considered (exact match); a 1 in the mask is a "don't care". This table further explains the concept.

Mask Example
network address (traffic that is to be processed): 10.1.1.0
mask: 0.0.0.255
network address (binary): 00001010.00000001.00000001.00000000
mask (binary): 00000000.00000000.00000000.11111111
Based on the binary mask, you can see that the first three sets (octets) must match the given binary network address exactly (00001010.00000001.00000001). The last set of numbers is "don't care" (.11111111). Therefore, all traffic that begins with 10.1.1. matches, since the last octet is "don't care". With this mask, network addresses 10.1.1.1 through 10.1.1.255 (10.1.1.x) are processed. Subtract the normal mask from 255.255.255.255 in order to determine the ACL inverse mask. In this example, the inverse mask is determined for network address 172.16.1.0 with a normal mask of 255.255.255.0.

• 255.255.255.255 − 255.255.255.0 (normal mask) = 0.0.0.255 (inverse mask)

Note these ACL equivalents.

• The...
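The wildcard-mask rules above, carried through in code as an added example (not from the Cisco document): the octet-wise subtraction that derives an inverse mask, the bitwise test that decides whether an address matches an ACL entry, and a small top-down evaluator of standard-ACL entries ending in the implicit "deny any" that Cisco IOS applies when no entry matches. The bitwise test also generalizes to non-contiguous wildcards such as 0.0.1.255, which the page's subtraction rule alone does not show; all addresses and entries below are constructed sample data.

```python
import ipaddress


def inverse_mask(normal_mask: str) -> str:
    # Wildcard (inverse) mask = 255.255.255.255 minus the normal mask, octet by octet.
    return ".".join(str(255 - int(octet)) for octet in normal_mask.split("."))


def to_binary(dotted: str) -> str:
    # Dotted decimal to dotted binary, the form used in the mask table above.
    return ".".join(f"{int(octet):08b}" for octet in dotted.split("."))


def wildcard_match(entry_addr: str, wildcard: str, packet_addr: str) -> bool:
    # A 0 bit in the wildcard means the packet bit must equal the entry bit;
    # a 1 bit is "don't care". Works for non-contiguous wildcards too.
    entry = int(ipaddress.IPv4Address(entry_addr))
    wild = int(ipaddress.IPv4Address(wildcard))
    packet = int(ipaddress.IPv4Address(packet_addr))
    care_bits = 0xFFFFFFFF ^ wild          # bits the router actually compares
    return (entry & care_bits) == (packet & care_bits)


def evaluate_standard_acl(entries, packet_src: str) -> str:
    # entries: list of (action, address, wildcard), checked top-down; first match wins.
    # Falling off the end is the implicit "deny any" of a Cisco IOS ACL.
    for action, addr, wild in entries:
        if wildcard_match(addr, wild, packet_src):
            return action
    return "deny"


# Constructed sample ACL: block 10.1.1.0/24, allow the rest of 10.1.0.0/16.
SAMPLE_ACL = [
    ("deny", "10.1.1.0", inverse_mask("255.255.255.0")),     # 0.0.0.255
    ("permit", "10.1.0.0", inverse_mask("255.255.0.0")),     # 0.0.255.255
]

if __name__ == "__main__":
    print(to_binary("10.1.1.0"), to_binary("0.0.0.255"))
    for src in ("10.1.1.5", "10.1.2.5", "192.168.1.1"):
        print(src, "->", evaluate_standard_acl(SAMPLE_ACL, src))
```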