This document explains how IP access control lists (ACLs) can filter network traffic. It also contains brief descriptions of the IP ACL types, feature availability, and an example of use in a network.
Access the Software Advisor (registered customers only) tool in order to determine the support of some of the more advanced Cisco IOS® IP ACL features. RFC 1700 contains the assigned numbers of well-known ports. RFC 1918 contains the address allocation for private internets, IP addresses which should not normally be seen on the Internet. Note: ACLs might also be used for purposes other than to filter IP traffic, for example, to define traffic for Network Address Translation (NAT) or encryption, or to filter non-IP protocols such as AppleTalk or IPX. A discussion of these functions is outside the scope of this document.
There are no specific prerequisites for this document. The concepts discussed are present in Cisco IOS® Software Releases 8.3 or later. This is noted under each access list feature.
This document discusses various types of ACLs. Some of these have been present since Cisco IOS Software Release 8.3 and others were introduced in later software releases. This is noted in the discussion of each type. The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
This section describes ACL concepts.
Masks are used with IP addresses in IP ACLs to specify what should be permitted and denied. Masks used to configure IP addresses on interfaces start with 255 and have the large values on the left side, for example, IP address 188.8.131.52 with a 255.255.255.224 mask. Masks for IP ACLs are the reverse, for example, mask 0.0.0.255. This is sometimes called an inverse mask or a wildcard mask. When the value of the mask is broken down into binary (0s and 1s), the results determine which address bits are to be considered in processing the traffic. A 0 indicates that the address bits must be considered (exact match); a 1 in the mask is a "don't care". This table further explains the concept.

Mask example:

  Network address (traffic that is to be processed)   10.1.1.0
  Mask                                                0.0.0.255
  Network address (binary)    00001010.00000001.00000001.00000000
  Mask (binary)               00000000.00000000.00000000.11111111
Based on the binary mask, you can see that the first three sets (octets) must match the given binary network address exactly (00001010.00000001.00000001). The last set of numbers is a "don't care" (.11111111). Therefore, all traffic that begins with 10.1.1. matches, since the last octet is "don't care". Therefore, with this mask, network addresses 10.1.1.1 through 10.1.1.255 (10.1.1.x) are processed. Subtract the normal mask from 255.255.255.255 in...
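The mask arithmetic and the bit-wise match described above, as an added Python example that is not part of the Cisco document. It uses the document's 10.1.1.0 0.0.0.255 entry; the evaluate function goes one step beyond this section by walking an ordered list of entries (first match decides, implicit deny at the end, which is how Cisco IOS processes an ACL), and SAMPLE_ACL is a constructed list, not configuration from the page.

```python
import ipaddress

def inverse_mask(subnet_mask: str) -> str:
    """Wildcard (inverse) mask = 255.255.255.255 minus the subnet mask, per octet."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))

def matches(address: str, network: str, wildcard: str) -> bool:
    """True when every address bit under a 0 wildcard bit equals the network bit.
    Bits under a 1 wildcard bit are 'don't care' and are ignored."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # 1 where the wildcard has a 0 (must match)
    return (a & care) == (n & care)

def matched_range(network: str, wildcard: str) -> tuple:
    """Lowest and highest address an entry covers (meaningful for contiguous masks)."""
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    low = n & (~w & 0xFFFFFFFF)     # clear the don't-care bits
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(low | w))

def evaluate(acl, address: str) -> str:
    """Process entries top down; the first matching entry decides.
    An IOS ACL ends with an implicit deny, so no match returns 'deny'."""
    for action, network, wildcard in acl:
        if matches(address, network, wildcard):
            return action
    return "deny"

# Constructed sample list (hypothetical): one host entry, then the document's network.
SAMPLE_ACL = [
    ("deny", "10.1.1.100", "0.0.0.0"),    # wildcard 0.0.0.0 = every bit must match
    ("permit", "10.1.1.0", "0.0.0.255"),  # the 10.1.1.x entry from the table above
]

if __name__ == "__main__":
    print(inverse_mask("255.255.255.224"))              # 0.0.0.31
    print(matched_range("10.1.1.0", "0.0.0.255"))       # ('10.1.1.0', '10.1.1.255')
    for host in ("10.1.1.100", "10.1.1.7", "192.168.1.1"):
        print(host, evaluate(SAMPLE_ACL, host))
```

A non-contiguous wildcard such as 0.0.2.255 is legal in an ACL and is handled by the same bit test, which is why the code never assumes a prefix length.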