Cisco IOS XR IP Addresses and Services Command Reference, Release 3.6
Access List Commands on Cisco IOS XR Software
Download this chapter
Access List Commands on Cisco IOS XR SoftwareAccess List Commands on Cisco IOS XR Software
Download the complete book
Book-level PDF: Cisco IOS XR IP Addresses and Services Command ReferenceBook-level PDF: Cisco IOS XR IP Addresses and Services Command Reference (PDF - 9 MB)
give_us_feedback

Table Of Contents

Access List Commands on Cisco IOS XR Software

clear access-list ipv4

clear access-list ipv6

copy access-list ipv4

copy access-list ipv6

deny (IPv4)

deny (IPv6)

ipv4 access-group

ipv4 access-list

ipv4 access-list log-update rate

ipv4 access-list log-update threshold

ipv4 access-list maximum ace threshold

ipv4 access-list maximum acl threshold

ipv6 access-group

ipv6 access-list

ipv6 access-list log-update rate

ipv6 access-list log-update threshold

ipv6 access-list maximum ace threshold

ipv6 access-list maximum acl threshold

permit (IPv4)

permit (IPv6)

remark (IPv4)

remark (IPv6)

resequence access-list ipv4

resequence access-list ipv6

show access-lists afi-all

show access-lists ipv4

show access-lists ipv6


Access List Commands on Cisco IOS XR Software

This chapter describes the Cisco IOS XR software commands used to configure IP Version 4 (IPv4) and IP Version 6 (IPv6) access lists.

An access control list (ACL) consists of one or more access control entries (ACEs) that collectively define the network traffic profile. This profile can then be referenced by Cisco IOS XR software features such as traffic filtering, priority or custom queueing, and dynamic access control. Each ACL includes an action element (permit or deny) and a filter element based on criteria such as source address, destination address, protocol, and protocol-specific parameters.

For detailed information about ACL concepts, configuration tasks, and examples, see the Cisco IOS XR IP Addresses and Services Configuration Guide.

clear access-list ipv4

To clear IPv4 access list counters, use the clear access-list ipv4 command in EXEC mode.

clear access-list ipv4 access-list-name [sequence-number | hardware {ingress | egress}] [interface type instance] [location node-id | sequence number]

Syntax Description

access-list-name

Name of a particular IPv4 access list. The name cannot contain a spaces or quotation marks, but can include numbers.

sequence-number

(Optional) Specific sequence number with which counters are cleared for an access list. Range is 1 to 2147483646.

hardware

Identifies the access list as an access group for an interface.

ingress

Specifies an inbound direction.

egress

Specifies an outbound direction.

interface

(Optional) Clears the interface statistics.

type

Interface type. For more information, use the question mark (?) online help function.

instance

Either a physical interface instance or a virtual interface instance as follows:

Physical interface instance. Naming notation is rack/slot/module/port and a slash between values is required as part of the notation.

rack: Chassis number of the rack.

slot: Physical slot number of the modular services card or line card.

module: Module number. A physical layer interface module (PLIM) is always 0.

port: Physical port number of the interface.

Note In references to a Management Ethernet interface located on a route processor card, the physical slot number is alphanumeric (RP0 or RP1) and the module is CPU0.
Example: interface MgmtEth0/RP1/CPU0/0.

Virtual interface instance. Number range varies depending on interface type.

For more information about the syntax for the router, use the question mark (?) online help function.

location node-id

(Optional) Clears hardware resource counters from the designated node. The node-id argument is entered in the rack/slot/module notation.

sequence number

(Optional) Clears counters for an access list with a specific sequence number. Range is 1 to 2147483646.


Defaults

The default clears the specified IPv4 access list.

Command Modes

EXEC

Command History

Release
Modification

Release 2.0

This command was introduced on the Cisco CRS-1.

Release 3.0

No modification.

Release 3.2

This command was supported on the Cisco XR 12000 Series Router. The range for the sequence-number argument was changed from 2147483646 to 2147483644. The command name was changed from clear ipv4 access-list to clear access-list ipv4.

Release 3.3.0

No modification.

Release 3.4.0

No modification.

Release 3.5.0

The interface keyword was added.

Release 3.6.0

No modification.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the clear access-list ipv4 command to clear counters for a specified configured access list. Use a sequence number to clear counters for an access list with a specific sequence number.

Use the hardware keyword to clear counters for an access list that was enabled using the ipv4 access-group command.

Use an asterisk (*) in place of the access-list-name argument to clear all access lists.

Note An access list can be shared among multiple interfaces. Clearing hardware counters clears all counters for all interfaces that use the specified access list in a given direction (ingress or egress).

Task ID
Task ID
Operations

basic-services

read, write

acl

read, write

bgp

read, write, execute


Examples

In the following example, counters for an access list named marketing are cleared: 

RP/0/RP0/CPU0:router# show access-lists ipv4 marketing


ipv4 access-list marketing

  10 permit ip 192.168.34.0 0.0.0.255 any (51 matches)

  20 permit ip 172.16.0.0 0.0.255.255 any (26 matches)

  30 deny tcp host 172.16.0.0 eq bgp host 192.168.202.203 30 (5 matches)


RP/0/RP0/CPU0:router# clear access-list ipv4 marketing


RP/0/RP0/CPU0:router# show access-lists ipv4 marketing


ipv4 access-list marketing

  10 permit ip 192.168.34.0 0.0.0.255 any

  20 permit ip 172.16.0.0 0.0.255.255 any 

  30 deny tcp host 172.16.0.0 eq bgp host 192.168.202.203 30

In the following example, counters for an access list named acl_hw_1 in the outbound direction are cleared: 

RP/0/RP0/CPU0:router# show access-lists ipv4 acl_hw_1 hardware egress location 0/2/cp0


ipv4 access-list acl_hw_1

  10 permit icmp 192.168.36.0 0.0.0.255 any (251 hw matches)

  20 permit ip 172.16.3.0 0.0.255.255 any (29 hw matches)

  30 deny tcp any any (58 hw matches)


RP/0/RP0/CPU0:router# clear access-list ipv4 acl_hw_1 hardware egress location 0/2/cp0


RP/0/RP0/CPU0:router# show access-lists ipv4 acl_hw_1 hardware egress location 0/2/cp0


ipv4 access-list acl_hw_1

  10 permit icmp 192.168.36.0 0.0.0.255 any

  20 permit ip 172.16.3.0 0.0.255.255 any 

  30 deny tcp any any

Related Commands

Command
Description

ipv4 access-group

Filters incoming or outgoing IPv4 traffic on an interface.

ipv4 access-list

Defines an IPv4 access list and enters IPv4 access list configuration mode.

resequence access-list ipv4

Renumbers an existing statement and increments subsequent statements to allow a new IPv4 access list statements.


clear access-list ipv6

To clear IPv6 access list counters, use the clear access-list ipv6 command in EXEC mode.

clear access-list ipv6 access-list-name [sequence-number | hardware {ingress | egress}] [interface type instance] [location node-id | sequence number]

Syntax Description

access-list-name

Name of a particular IPv6 access list. The name cannot contain a spaces or quotation marks, but can include numbers.

sequence-number

(Optional) Specific sequence number for a particular access control entry (ACE) with which counters are cleared for an access list. Range is 1 to 2147483644.

hardware

Identifies the access list as an access group for an interface.

ingress

Specifies an inbound direction.

egress

Specifies an outbound direction.

interface

(Optional) Clears the interface statistics.

type

Interface type. For more information, use the question mark (?) online help function.

instance

Either a physical interface instance or a virtual interface instance as follows:

Physical interface instance. Naming notation is rack/slot/module/port and a slash between values is required as part of the notation.

rack: Chassis number of the rack.

slot: Physical slot number of the modular services card or line card.

module: Module number. A physical layer interface module (PLIM) is always 0.

port: Physical port number of the interface.

Note In references to a Management Ethernet interface located on a route processor card, the physical slot number is alphanumeric (RP0 or RP1) and the module is CPU0.
Example: interface MgmtEth0/RP1/CPU0/0.

Virtual interface instance. Number range varies depending on interface type.

For more information about the syntax for the router, use the question mark (?) online help function.

location node-id

Clears counters for an access list enabled on a card interface. The node-id argument is entered in the rack/slot/module notation.

sequence number

(Optional) Specifies a specific sequence number that clears access list counters. Range is 1 to 2147483644.


Defaults

The default clears the specified IPv6 access list.

Command Modes

EXEC

Command History

Release
Modification

Release 2.0

This command was introduced on the Cisco CRS-1.

Release 3.0

No modification.

Release 3.2

This command was supported on the Cisco XR 12000 Series Router. The range for the sequence-number argument was changed from 2147483646 to 2147483644. The command name was changed from clear ipv6 access-list to clear access-list ipv6.

Release 3.3.0

No modification.

Release 3.4.0

No modification.

Release 3.5.0

The interface keyword was added.

Release 3.6.0

No modification.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

The clear access-list ipv6 command is similar to the clear access-list ipv4 command, except that it is IPv6 specific.

Use the clear access-list ipv6 command to clear counters for a specified configured access list. Use a sequence number to clear counters for an access list with a specific sequence number

Use the hardware keyword to clear counters for an access list that was enabled using the ipv6 access-group command.

Use an asterisk (*) in place of the access-list-name argument to clear all access lists.

Note An access list can be shared among multiple interfaces. Clearing hardware counters clears all counters for all interfaces that use the specified access list in a given direction (ingress or egress).

Task ID
Task ID
Operations

basic-services

read, write

acl

read, write

network

read, write


Examples

In the following example, counters for an access list named marketing are cleared: 

RP/0/RP0/CPU0:router# show access-lists ipv6 marketing


ipv6 access-list marketing

  10 permit ipv6 3333:1:2:3::/64 any (51 matches)

  20 permit ipv6 4444:1:2:3::/64 any (26 matches)

  30 permit ipv6 5555:1:2:3::/64 any (5 matches)


RP/0/RP0/CPU0:router# clear access-list ipv6 marketing


RP/0/RP0/CPU0:router# show access-lists ipv6 marketing


ipv6 access-list marketing

  10 permit ipv6 3333:1:2:3::/64 any

  20 permit ipv6 4444:1:2:3::/64 any

  30 permit ipv6 5555:1:2:3::/64 any

In the following example, counters for an access list named acl_hw_1 in the outbound direction are cleared: 

RP/0/RP0/CPU0:router# show access-lists ipv6 acl_hw_1 hardware egress location 0/2/cp0


ipv6 access-list acl_hw_1

  10 permit ipv6 3333:1:2:3::/64 any (251 hw matches)

  20 permit ipv6 4444:1:2:3::/64 any (29 hw matches)

  30 deny tcp any any (58 hw matches)


RP/0/RP0/CPU0:router# clear access-list ipv6 acl_hw_1 hardware egress location 0/2/cp0


RP/0/RP0/CPU0:router# show access-lists ipv6 acl_hw_1 hardware egress location 0/2/cp0


ipv6 access-list acl_hw_1

  10 permit ipv6 3333:1:2:3::/64 any

  20 permit ipv6 4444:1:2:3::/64 any

  30 deny tcp any any

Related Commands

Command
Description

ipv6 access-group

Filters incoming or outgoing IPv6 traffic on an interface.

ipv6 access-list

Defines an IPv6 access list and enters IPv6 access list configuration mode.

show access-lists ipv6

Displays the contents of all current IPv6 access lists.


copy access-list ipv4

To create a copy of an existing IPv4 access list, use the copy access-list ipv4 command in EXEC mode.

copy access-list ipv4 source-acl destination-acl

Syntax Description

source-acl

Name of the access list to be copied.

destination-acl

Name of the destination access list where the contents of the source-acl argument is copied.


Defaults

No default behavior or values

Command Modes

EXEC

Command History

Release
Modification

Release 2.0

This command was introduced on the Cisco CRS-1.

Release 3.0

No modification.

Release 3.2

This command was supported on the Cisco XR 12000 Series Router. The command name was changed from copy ipv4 access-list to copy access-list ipv4.

Release 3.3.0

No modification.

Release 3.4.0

No modification.

Release 3.5.0

No modification.

Release 3.6.0

No modification.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the copy access-list ipv4 command to copy a configured access list. Use the source-acl argument to specify the access list to be copied and the destination-acl argument to specify where to copy the contents of the source access list. The destination-acl argument must be a unique name; if the destination-acl argument name exists for an access list or prefix list, the access list is not copied. The copy access-list ipv4 command checks that the source access list exists then checks the existing list names to prevent overwriting existing access lists or prefix lists.

Task ID
Task ID
Operations

acl

read, write

filesystem

execute


Examples

In the following example, a copy of access list list-1 is created: 

RP/0/RP0/CPU0:router# show access-lists ipv4 list-1


ipv4 access-list list-1

  10 permit tcp any any log

  20 permit ip any any

RP/0/RP0/CPU0:router# copy access-list ipv4 list-1 list-2

RP/0/RP0/CPU0:router# show access-lists ipv4 list-2


ipv4 access-list list-2

  10 permit tcp any any log

  20 permit ip any any

In the following example, copying the access list list-1 to list-3 is denied because a list-3 access list already exists: 

RP/0/RP0/CPU0:router# copy access-list ipv4 list-1 list-3


list-3 exists in access-list


RP/0/RP0/CPU0:router# show access-lists ipv4 list-3


ipv4 access-list list-3

  10 permit ip any any 

  20 deny tcp any any log

Related Commands

Command
Description

ipv4 access-list

Defines an IPv4 access list and enters IPv4 access list configuration mode.

show access-lists ipv4

Displays the contents of all current IPv4 access lists.


copy access-list ipv6

To create a copy of an existing IPv6 access list, use the copy access-list ipv6 command in EXEC mode.

copy access-list ipv6 source-acl destination-acl

Syntax Description

source-acl

Name of the access list to be copied.

destination-acl

Destination access list where the contents of the source-acl argument is copied.


Defaults

No default behavior or value

Command Modes

EXEC

Command History

Release
Modification

Release 2.0

This command was introduced on the Cisco CRS-1.

Release 3.0

No modification.

Release 3.2

This command was supported on the Cisco XR 12000 Series Router. The command name was changed from copy ipv6 access-list to copy access-list ipv6.

Release 3.3.0

No modification.

Release 3.4.0

No modification.

Release 3.5.0

No modification.

Release 3.6.0

No modification.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the copy access-list ipv6 command to copy a configured access list. Use the source-acl argument to specify the access list to be copied and the destination-acl argument to specify where to copy the contents of the source access list. The destination-acl argument must be a unique name; if the destination-acl argument name exists for an access list or prefix list, the access list is not copied. The copy access-list ipv6 command checks that the source access list exists then checks the existing list names to prevent overwriting existing access lists or prefix lists.

Task ID
Task ID
Operations

acl

read, write

filesystem

execute


Examples

In the following example, a copy of access list list-1 is created: 

RP/0/RP0/CPU0:router# show access-lists ipv6 list-1


ipv6 access-list list-1

  10 permit tcp any any log

  20 permit ipv6 any any


RP/0/RP0/CPU0:router# copy access-list ipv6 list-1 list-2

RP/0/RP0/CPU0:router# show access-lists ipv6 list-2


ipv6 access-list list-2

  10 permit tcp any any log

  20 permit ipv6 any any

In the following example, copying access list list-1 to list-3 is denied because a list-3 access list already exists: 

RP/0/RP0/CPU0:router# copy access-list ipv6 list-1 list-3


list-3 exists in access-list


RP/0/RP0/CPU0:router# show access-lists ipv6 list-3


ipv6 access-list list-3

  10 permit ipv6 any any 

  20 deny tcp any any log

Related Commands

Command
Description

ipv6 access-list

Defines an IPv6 access list and enters IPv6 access list configuration mode.

show access-lists ipv6

Displays the contents of all current IPv6 access lists.


deny (IPv4)

To set conditions for an IPv4 access list, use the deny command in access list configuration mode. There are two versions of the deny command: deny (source), and deny (protocol). To remove a condition from an access list, use the no form of this command.

[sequence-number] deny source [source-wildcard] [log | log-input]

[sequence-number] deny protocol source source-wildcard destination destination-wildcard [precedence precedence] [dscp dscp] [fragments] [packet-length operator packet-length value] [log | log-input] [ttl ttl value1 value2]

no sequence-number

Internet Control Message Protocol (ICMP)

[sequence-number] deny icmp source source-wildcard destination destination-wildcard [icmp-type] [icmp-code] [precedence precedence] [dscp dscp] [fragments] [log | log-input] [icmp-off]

Internet Group Management Protocol (IGMP)

[sequence-number] deny igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [dscp value] [fragments] [log | log-input]

Stream Control Transmission Protocol (SCTP)

[sequence-number] deny sctp source source-wildcard [operator {port | protocol-port}] destination destination-wildcard [operator {port | protocol-port}] [established] [ack] [rst] [syn] [fin] [psh] [urg] [precedence precedence] [dscp dscp] [fragments] [log | log-input]

Transmission Control Protocol (TCP)

[sequence-number] deny tcp source source-wildcard [operator {port | protocol-port}] destination destination-wildcard [operator {port | protocol-port}] [established] | {match-any |
match-all} {+ | -}[ flag-name] [precedence precedence] [dscp dscp] [fragments] [log | log-input]

User Datagram Protocol (UDP)

[sequence-number] deny udp source source-wildcard [operator {port | protocol-port}] destination destination-wildcard [operator {port | protocol-port}] [precedence precedence] [dscp dscp] [fragments] [log | log-input]

Syntax Description

sequence-number

(Optional) Number of the deny statement in the access list. This number determines the order of the statements in the access list. The number can be from 1 to 2147483646. (By default, the first statement is number 10, and the subsequent statements are incremented by 10.) Use the resequence access-list command to change the number of the first statement and increment subsequent statements of a configured access list.

source

Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:

Use a 32-bit quantity in four-part dotted-decimal format.

Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

Use the host source combination as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits to be applied to the source. There are three alternative ways to specify the source wildcard:

Use a 32-bit quantity in four-part dotted-decimal format. Place ones in the bit positions you want to ignore.

Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

Use the host source combination as an abbreviation for a source and source-wildcard of source 0.0.0.0.

protocol

Name or number of an IP protocol. It can be one of the keywords ahp, esp, eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, pim, pcp, sctp, tcp, or udp, or an integer from 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the ip keyword. ICMP, SCTP, and TCP allow further qualifiers, which are described later in this table.

destination

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:

Use a 32-bit quantity in four-part dotted-decimal format.

Use the any keyword as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.

Use the host destination combination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:

Use a 32-bit quantity in four-part dotted-decimal format. Place ones in the bit positions you want to ignore.

Use the any keyword as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.

Use the host destination combination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence

(Optional) Packets can be filtered by precedence level (as specified by a number from 0 to 7) or by the following names:

match-Match packets with routine precedence (0)

priority-Match packets with priority precedence (1)

immediate-Match packets with immediate precedence (2)

flash-Match packets with flash precedence (3)

flash-override-Match packets with flash override precedence (4)

critical-Match packets with critical precedence (5)

internet-Match packets with internetwork control precedence (6)

network-Match packets with network control precedence (7)

dscp dscp

(Optional) Differentiated services code point (DSCP) provides quality of service control. The values for dscp are as follows:

0—63-Differentiated services codepoint value

af11-Match packets with AF11 dscp (001010)

af12-Match packets with AF12 dscp (001100)

af13-Match packets with AF13 dscp (001110)

af21-Match packets with AF21 dscp (010010)

af22-Match packets with AF22 dscp (010100)

af23-Match packets with AF23 dscp (010110)

af31-Match packets with AF31 dscp (011010)

af32-Match packets with AF32 dscp (011100)

af33-Match packets with AF33 dscp (011110)

af41-Match packets with AF41 dscp (100010)

af42—Match packets with AF42 dscp (100100)

af43-Match packets with AF43 dscp (100110)

cs1-Match packets with CS1(precedence 1) dscp (001000)

cs2-Match packets with CS2(precedence 2) dscp (010000)

cs3-Match packets with CS3(precedence 3) dscp (011000)

cs4-Match packets with CS4(precedence 4) dscp (100000)

cs5-Match packets with CS5(precedence 5) dscp (101000)

cs6-Match packets with CS6(precedence 6) dscp (110000)

cs7-Match packets with CS7(precedence 7) dscp (111000)

default-Default DSCP (000000)

ef-Match packets with EF dscp (101110)

fragments

(Optional) Causes the software to examine fragments of IPv4 packets when applying this access list entry. When this keyword is specified, fragments are subject to the access list entry.

packet-length operator

(Optional) Packet length operator used for filtering.

packet-length value

(Optional) Packet length used to match only packets in the range of the length.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches a flow, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

log-input

(Optional) Provides the same function as the log keyword, except that the logging message also includes the input interface.

ttl

(Optional) Turns on matching against time-to-life (TTL) value.

ttl value1 value2

(Optional) TTL value used for filtering. Range is 1 to 255.

If only value1 is specified, the match is against this value.

If both value1 and value2 are specified, the packet TTL is matched against the range of TTLs between value1 and value2.

icmp-off

(Optional) Turns off ICMP generation for denied packets.

icmp-type

(Optional) ICMP message type for filtering ICMP packets. Range is from 0 to 255.

icmp-code

(Optional) ICMP message code for filtering ICMP packets. Range is from 0 to 255.

igmp-type

(Optional) IGMP message type (0 to 15) or message name for filtering IGMP packets, as follows:

dvmrp

host-query

host-report

mtrace

mtrace-response

pim

precedence

trace

v2-leave

v2-report

v3-report

operator

(Optional) Operator is used to compare source or destination ports. Possible operands are lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard values, it must match the source port.

If the operator is positioned after the destination and destination-wildcard values, it must match the destination port.

If the operator is positioned after the ttl keyword, it matches the TTL value.

The range operator requires two port numbers. All other operators require one port number.

port

Decimal number of a TCP or UDP port. A port number is a number from 0 to 65535.

TCP ports can be used only when filtering TCP. UDP ports can be used only when filtering UDP.

protocol-port

Name of a TCP or UDP port. TCP and UDP port names are listed in the "Usage Guidelines" section.

TCP port names can be used only when filtering TCP. UDP port names can be used only when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection.

match-any

(Optional) For the TCP protocol only: Filters on any combination of TCP flags.

match-all

(Optional) For the TCP protocol only: Filters on all TCP flags.

+ | -

(Required) For the TCP protocol match-any, match-all: Prefix flag-name with + or -. Use the + flag-name argument to match packets with the TCP flag set. Use the - flag-name argument to match packets when the TCP flag is not set.

flag-name

(Required) For the TCP protocol match-any, match-all. Flag names are: ack, fin, psh, rst, syn.


Defaults

There is no specific condition under which a packet is denied passing the IPv4 access list.

ICMP message generation is enabled by default.

Command Modes

IPv4 access list configuration

Command History

Release
Modification

Release 2.0

This command was introduced on the Cisco CRS-1.

Release 3.0

No modification.

Release 3.2

This command was supported on the Cisco XR 12000 Series Router.

Release 3.3.0

The optional keywords match-any and match-all were added for the TCP protocol. The argument flag-name was added for the TCP protocol.

The match-any and match-all keywords and the flag-name argument are supported on the Cisco CRS-1.

The optional keyword icmp-off was added for the ICMP protocol.

Release 3.4.0

The optional keyword ttl and the associated arguments ttl value1 and value2 and operator, with range values, were added to the command.

Release 3.5.0

No modification.

Release 3.6.0

No modification.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the deny command following the ipv4 access-list command to specify conditions under which a packet cannot pass the access list.

By default, the first statement in an access list is number 10, and the subsequent statements are incremented by 10.

You can add permit, deny, or remark statements to an existing access list without retyping the entire list. To add a new statement anywhere other than at the end of the list, create a new statement with an appropriate entry number that falls between two existing entry numbers to indicate where it belongs.

If you want to add a statement between two consecutively numbered statements (for example, between lines 10 and 11), first use the resequence access-list command to renumber the first statement and increment the entry number of each subsequent statement. The increment argument causes new, unused line numbers between statements. Then add a new statement with the entry-number argument, specifying where it belongs in the access list.

The following is a list of precedence names:

critical

flash

flash-override

immediate

internet

network

priority

routine

The following is a list of ICMP message type names:

administratively-prohibited

alternate-address

conversion-error

dod-host-prohibited

dod-net-prohibited

echo

echo-reply

general-parameter-problem

host-isolated

host-precedence-unreachable

host-redirect

host-tos-redirect

host-tos-unreachable

host-unknown

host-unreachable

information-reply

information-request

mask-reply

mask-request

mobile-redirect

net-redirect

net-tos-redirect

net-tos-unreachable

net-unreachable

network-unknown

no-room-for-option

option-missing

packet-too-big

parameter-problem

port-unreachable

precedence-unreachable

protocol-unreachable

reassembly-timeout

redirect

router-advertisement

router-solicitation

source-quench

source-route-failed

time-exceeded

timestamp-reply

timestamp-request

traceroute

ttl-exceeded

unreachable

The following is a list of TCP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. You can find port numbers corresponding to these protocols by typing a ? in the place of a port number.

bgp

chargen

cmd

daytime

discard

domain

echo

exec

finger

ftp

ftp-data

gopher

hostname

ident

irc

klogin

kshell

login

lpd

nntp

pim-auto-rp

pop2

pop3

smtp

sunrpc

tacacs

talk

telnet

time

uucp

whois

www

The following UDP port names can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. You can find port numbers corresponding to these protocols by typing a ? in the place of a port number.

biff

bootpc

bootps

discard

dnsix

domain

echo

isakmp

mobile-ip

nameserver

netbios-dgm

netbios-ns

netbios-ss

ntp

pim-auto-rp

rip

snmp

snmptrap

sunrpc

syslog

tacacs

talk

tftp

time

who

xdmcp

Use the following flags in conjunction with the match-any and match-all keywords and the + and - signs to select the flags to display:

ack

fin

psh

rst

syn

For example, match-all +ack +syn displays TCP packets with both the ack and syn flags set, or match-any +ack -syn displays the TCP packets with the ack set or the syn not set.

Task ID