Cisco access lists ACL and wildcard mask

From Ever changing code
Jump to navigation Jump to search

Wild card mask

WILDCARD                    NETWORK MASK
0 - means match             0 - hosts part of a network address
1 - means ignore            1 - match, identifies network bits that need matching for all hosts in the same subnet


Calculate wild card mask

  subnet mask     -
 wild card mask      0.  0. 63.255


                        pattern     wildcard
access-list 33 permit
ip packet evaluated

in binary
ACL IP pattern 11000110.00110011.01100100.00111010
Wildcard mask           0. 0.  0.63 00000000.00000000.00000000.00111111
Logic applied                       \   these bits must match   /\ ignore,it/
                                     \ ________________________/  | can be |
                                                                  | 0 or 1 |
Range of addresses
matching         from  11000110.00110011.01100100.00000000
the rule:          to 11000110.00110011.01100100.00111111

Ip packet evaluated  11000110.00110011.01100100.00000011  MATCH!

ACL abbrivations

any  =      # wildcard ignores all address bits
host = eg:              # wildcard requires that all bits need to match

Standard numbered ACL

Router(config)# access-list access-list-number { deny | permit | remark } source [ source-wildcard ][ log ]
Router(config-if)# ip access-group { access-list-number | access-list-name } { in | out }      !activates the numbered IP ACL on an interface

Standard named ACL

ACL name cannot contain special characters or spaces, it is advised to be UPPER CASES.

Router(config)# ip access-list standard name
Router(config-std-nacl)# [permit | deny | remark] {source [source-wildcard]} [log]
Router(config-if)# ip access-group name [in | out]     !activates the named IP ACL on an interface

Extended ACLs

Extended numbered ACL are from 100 to 199 and 2000 to 2699 range.

The internal logic applied to the ordering of standard ACL statement does not apply to extended ACLs. The order in which the statements are entered during configuration is the order they are displayed and processed.

access-list access-list-number  {deny | permit | remark} protocol source [source-wildcard] [operator operand] [port port-number or name] destination [destination-wildcard] [operator operand] [port port-number or name] [established]
  • protocol - name or number of Internet protocol, eg: icmp, tcp or udp. ip - matches any Internet protocol
  • operator - equal (eq), not equal (neq), greater than (gt), and less than (lt)
  • established - (optional) TCP protocol only, matches established connection where TCP segment has ACK or reset (RST) bits set

ACL to Control VTY Access

Because the access-class command is used to filter incoming or outgoing Telnet/SSH sessions by source address, a standard ACL can be used. Standard and extended access lists apply to packets that travel through a router. An outbound Telnet extended ACL does not prevent router-initiated Telnet sessions, by default.

Router(config-line)# access-class access-list-number { in [ vrf-also ] | out }


clear access-list counters {access-list name | access-list number}


IPv6 has only one type of ACL, which is equivalent to an IPv4 extended named ACL, there is no numbered IPv6 ACL. An IPv4 ACL and an IPv6 ACL cannot share the same name.

Differences between IPv4 and IPv6

Applying an IPv6 ACL
router(config-if)# ip access-group acl-name {in | out}
router(config-if)# ipv6 traffic-filter access-list-name ( in | out}
No Wildcard Masks in IPv6 ACL

Unlike IPv4 ACLs, IPv6 ACLs do not use wildcard masks. Instead, the prefix-length is used to indicate how much of an IPv6 source or destination address should be matched.

Additional Default Statements
        IPv6                         IPv4
permit icmp any any nd-na        deny any any
permit icmp any any nd-ns
deny ipv6 any any

These allow the router to participate in the IPv6 equivalent of ARP for IPv4. Like ARP is used in IPv4 to resolve Layer 3 addresses to Layer 2 MAC addresses, IPv6 uses ICMP Neighbor Discovery (ND) messages to accomplish the same thing. ND uses Neighbor Solicitation (NS) and Neighbor Advertisement (NA) messages.

ND messages are encapsulated in IPv6 packets and require the services of the IPv6 network layer while ARP for IPv4 does not use Layer 3. Because IPv6 uses the Layer 3 service for neighbor discovery, IPv6 ACLs need to implicitly permit ND packets to be sent and received on an interface. Specifically, both:

  • Neighbor Discovery - Neighbor Advertisement (nd-na)
  • Neighbor Discovery - Neighbor Solicitation (nd-ns)

messages are permitted.

ACL configuration

router(config) ipv6 access-list access-list name
router(config-ipv6-acl)# deny | permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]]] {destination-ipv6-pregix/prefix-length | any | host destination-ipv6-address} [operator [port-number]]
  • any - abbreviation of IPv6 prefix ::/0, matches all addresses


show ipv6 interface gi0/0
show access-lists         !sequence numbers are displayed at the of line, remark entries do not show therefore sequence numbers may have gaps