
...

access-list

OneOS6Book

[Image: image-20241217-102713.png]

  • Standard Access Lists: match on the IP address only

  • Extended Access Lists: match on IP and transport-layer header fields (IP source/destination addresses, DSCP code, IP id, TCP/UDP source/destination port numbers, as well as ICMP type and code)

  • Reflexive Access Lists: a temporary filter is automatically set up in the reverse direction (protects against address spoofing)

  • Local Access Lists: apply to traffic destined to or generated by the router itself

[Image: image-20241217-102320.png]

config

The wildcard is the inverse of the subnet mask: 192.168.0.0/24 has mask 255.255.255.0, so the wildcard is 0.0.0.255.

Standard

show running-config ip access-list standard
ip access-list standard ACL_SSH
 permit 192.168.0.0 0.0.0.255 log (optional: sequence 1)
 . . .

show

jlk-One5G#show ip access-list ACL_SSH
ip access-list standard ACL_SSH
1 permit 192.168.0.0 0.0.0.255 log (2 matches)
. . .
22 deny any log (0 matches)
23 permit 0.0.0.0 255.255.255.255 log (0 matches)

jlk-One5G#show ip access-list sizing
Number of Index : 262144
Default number of sessions : 100000
Sessions: config 1461 closed, 0 failed
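The match counters in this output are the quickest audit of a standard list: a deny entry with a non-zero count is traffic something tried to send, and an entry that an earlier entry already covers can never be hit (here entry 23 sits behind "22 deny any", so its counter stays at 0 whatever arrives). The following Python is an added example, not part of the original page or of OneOS6; it parses show-style output of the shape above (the sample text is constructed, and entry 10 with its counters is invented for illustration) and reports both conditions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the shape of the 'show ip access-list' output above;
# entry 10 and its match count are invented for illustration.
SHOW_OUTPUT = """\
ip access-list standard ACL_SSH
1 permit 192.168.0.0 0.0.0.255 log (2 matches)
10 deny 10.0.0.0 0.255.255.255 log (5 matches)
22 deny any log (0 matches)
23 permit 0.0.0.0 255.255.255.255 log (0 matches)
"""

ENTRY_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<action>permit|deny)\s+"
    r"(?P<base>any|\d+\.\d+\.\d+\.\d+)(?:\s+(?P<wild>\d+\.\d+\.\d+\.\d+))?"
    r"(?:\s+(?P<log>log))?\s+\((?P<matches>\d+) matches\)$"
)

@dataclass
class Entry:
    seq: int
    action: str
    base: int      # address as a 32-bit integer
    care: int      # bits that must match (inverse of the wildcard)
    log: bool
    matches: int

def parse_show(text: str) -> List[Entry]:
    """Parse numbered ACL entries; 'any' is normalised to 0.0.0.0 255.255.255.255."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # ACL header or unrelated output
        base, wild = m["base"], m["wild"]
        if base == "any":
            base, wild = "0.0.0.0", "255.255.255.255"
        entries.append(Entry(
            seq=int(m["seq"]), action=m["action"],
            base=int(ipaddress.IPv4Address(base)),
            care=0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild)),
            log=m["log"] is not None, matches=int(m["matches"])))
    return entries

def covers(a: Entry, b: Entry) -> bool:
    """True if every address b can match is also matched by a."""
    return (a.care & ~b.care) == 0 and ((a.base ^ b.base) & a.care) == 0

def find_shadowed(entries: List[Entry]) -> List[Tuple[int, int]]:
    """(shadowed seq, shadowing seq) pairs: later entries an earlier one fully covers."""
    out = []
    for i, later in enumerate(entries):
        for earlier in entries[:i]:
            if covers(earlier, later):
                out.append((later.seq, earlier.seq))
                break
    return out

def deny_hits(entries: List[Entry]) -> List[int]:
    """Sequence numbers of deny entries that have counted traffic: worth a look in the logs."""
    return [e.seq for e in entries if e.action == "deny" and e.matches > 0]

if __name__ == "__main__":
    acl = parse_show(SHOW_OUTPUT)
    print("shadowed:", find_shadowed(acl))   # [(23, 22)]
    print("deny hits:", deny_hits(acl))     # [10]
```

Shadowing is checked against single earlier entries only; an entry covered only by the union of several earlier entries is not reported, which is the usual trade-off for a quick lint.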

ip access-list extended App_1_HandS

ip access-list extended App_1_HandS
 permit ip 0.0.0.0 255.255.255.255 172.10.0.0 0.0.255.255
exit
ip access-list extended App_2_HandS
 permit ip 0.0.0.0 255.255.255.255 192.168.10.0 0.0.0.255
exit
ip access-list extended permitSpecificPorts
 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 22
 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 830
 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 4500
 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 500
 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 848
 permit ip 50 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 3784
 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 161
 permit udp 10.0.0.0 0.255.255.255 67 0.0.0.0 255.255.255.255 68
 permit udp 172.16.0.0 0.15.255.255 67 0.0.0.0 255.255.255.255 68
 permit udp 192.168.0.0 0.0.255.255 67 0.0.0.0 255.255.255.255 68
exit
ip access-list extended allowOut
 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 reflexive
exit
ip access-list extended sdwan_mgmt_traffic
 permit udp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 9995
 permit udp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 123
 permit udp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 514
 permit tcp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 601
 permit tcp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 2200
 permit tcp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 2201
 permit udp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 848
 permit tcp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 80
 permit tcp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 443
 permit tcp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 4740
 permit tcp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 6514
 permit udp 192.0.2.1 0.0.0.0 57.152.68.169 0.0.0.0 53
exit
ip access-list extended local_mgmt_traffic
 permit udp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 9995
 permit udp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 123
 permit udp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 514
 permit tcp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 601
 permit tcp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 2200
 permit tcp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 2201
 permit udp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 848
 permit tcp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 80
 permit tcp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 443
 permit tcp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 4740
 permit tcp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 6514
 permit udp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 53
exit
ip access-list extended local_mgmt_traffic_high_prio
 permit udp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 123
 permit tcp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 2200
 permit udp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 53
exit
ip access-list extended ipsec_mgmt
 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 4500
 permit udp 0.0.0.0 255.255.255.255 4500 0.0.0.0 255.255.255.255
 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 500
 permit udp 0.0.0.0 255.255.255.255 500 0.0.0.0 255.255.255.255
 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 848
 permit udp 0.0.0.0 255.255.255.255 848 0.0.0.0 255.255.255.255
exit
ip access-list extended site2site
 permit ip 0.0.0.0 255.255.255.255 10.0.0.0 0.255.255.255
 permit ip 0.0.0.0 255.255.255.255 172.16.0.0 0.15.255.255
 permit ip 0.0.0.0 255.255.255.255 192.168.0.0 0.0.255.255
exit
ip access-list extended breakout
 deny ip 0.0.0.0 255.255.255.255 10.0.0.0 0.255.255.255
 deny ip 0.0.0.0 255.255.255.255 172.16.0.0 0.15.255.255
 deny ip 0.0.0.0 255.255.255.255 192.168.0.0 0.0.255.255
 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
ip access-list extended all_traffic
 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
ip access-list extended not_sdwan_mgmt_traffic
 deny udp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 9995
 deny udp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 123
 deny udp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 514
 deny tcp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 601
 deny tcp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 2200
 deny tcp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 2201
 deny udp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 848
 deny tcp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 80
 deny tcp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 443
 deny tcp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 4740
 deny tcp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 6514
 deny udp 192.0.2.1 0.0.0.0 57.152.68.169 0.0.0.0 53
 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
ip access-list extended not_local_mgmt_traffic
 deny udp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 9995
 deny udp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 123
 deny udp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 514
 deny tcp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 601
 deny tcp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 2200
 deny tcp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 2201
 deny udp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 848
 deny tcp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 80
 deny tcp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 443
 deny tcp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 4740
 deny tcp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 6514
 deny udp 192.0.2.1 0.0.0.0 0.0.0.0 255.255.255.255 53
 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
ip access-list extended public_dns
 deny udp 192.0.2.1 0.0.0.0 57.152.68.169 0.0.0.0 53
 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 53
exit
ip access-list extended esp
 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 4500
 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 500
 permit ip 50 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
ip access-list extended permitSpecificPortsVrf
 permit tcp 0.0.0.0 255.255.255.255 22 0.0.0.0 255.255.255.255
 permit tcp 0.0.0.0 255.255.255.255 830 0.0.0.0 255.255.255.255
 permit udp 0.0.0.0 255.255.255.255 4500 0.0.0.0 255.255.255.255
 permit udp 0.0.0.0 255.255.255.255 500 0.0.0.0 255.255.255.255
 permit udp 0.0.0.0 255.255.255.255 848 0.0.0.0 255.255.255.255
 permit ip 50 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
 permit udp 0.0.0.0 255.255.255.255 3784 0.0.0.0 255.255.255.255
 permit udp 0.0.0.0 255.255.255.255 161 0.0.0.0 255.255.255.255
exit
ip access-list extended from_vasi_internet
 permit ip 198.51.100.5 0.0.0.0 0.0.0.0 255.255.255.255
exit
ip access-list extended not_from_vasi_internet
 deny ip 198.51.100.5 0.0.0.0 0.0.0.0 255.255.255.255
 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
ip access-list extended App_1_Default-Breakout
 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
tic category tic_Default-Breakout
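To make the wildcard semantics from the config note and the first-match evaluation of the extended lists above concrete, here is an added Python example, not code from the page or from OneOS6. It converts a CIDR prefix to the base/wildcard pair, parses a subset of the extended lists copied from the configuration above, and evaluates constructed packets against them. The entry grammar is inferred from those lines; "ip 50" is read as a raw IP protocol number, and an entry with no match is treated as an implicit deny as in Cisco-style ACLs (both are assumptions). Trailing keywords such as "reflexive" are kept but not evaluated.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}

# Subset of the extended access-list configuration shown on this page.
CONFIG = """\
ip access-list extended permitSpecificPorts
 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 22
 permit ip 50 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
 permit udp 10.0.0.0 0.255.255.255 67 0.0.0.0 255.255.255.255 68
exit
ip access-list extended breakout
 deny ip 0.0.0.0 255.255.255.255 10.0.0.0 0.255.255.255
 deny ip 0.0.0.0 255.255.255.255 172.16.0.0 0.15.255.255
 deny ip 0.0.0.0 255.255.255.255 192.168.0.0 0.0.255.255
 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
ip access-list extended public_dns
 deny udp 192.0.2.1 0.0.0.0 57.152.68.169 0.0.0.0 53
 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 53
exit
"""

def cidr_to_wildcard(cidr: str) -> Tuple[str, str]:
    """192.168.0.0/24 -> ('192.168.0.0', '0.0.0.255'): the wildcard is the inverse of the mask."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bits set to 1 are 'don't care'; the 0 bits must equal the base address."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ((int(ipaddress.IPv4Address(addr)) ^ int(ipaddress.IPv4Address(base))) & care) == 0

@dataclass
class Rule:
    action: str
    proto: Optional[int]          # None = any IP protocol
    src: str; swild: str; sport: Optional[int]
    dst: str; dwild: str; dport: Optional[int]
    options: Tuple[str, ...]      # trailing keywords such as 'reflexive' (not evaluated here)

@dataclass
class Packet:
    proto: int; src: str; dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

def parse_rule(line: str) -> Rule:
    """Grammar inferred from this page: action proto [num] src swild [sport] dst dwild [dport] [opts]."""
    t = line.split()
    action, proto_tok, i = t[0], t[1], 2
    if proto_tok == "ip":
        proto = None
        if t[i].isdigit():        # 'ip 50' read as a raw protocol number (ESP); assumption
            proto, i = int(t[i]), i + 1
    else:
        proto = PROTO_NUMBERS[proto_tok]
    src, swild, i = t[i], t[i + 1], i + 2
    sport = None
    if t[i].isdigit():
        sport, i = int(t[i]), i + 1
    dst, dwild, i = t[i], t[i + 1], i + 2
    dport = None
    if i < len(t) and t[i].isdigit():
        dport, i = int(t[i]), i + 1
    return Rule(action, proto, src, swild, sport, dst, dwild, dport, tuple(t[i:]))

def parse_config(text: str) -> Dict[str, List[Rule]]:
    acls: Dict[str, List[Rule]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ip access-list extended "):
            current = line.split()[-1]
            acls[current] = []
        elif line == "exit":
            current = None
        elif current is not None and line.startswith(("permit ", "deny ")):
            acls[current].append(parse_rule(line))
    return acls

def rule_matches(r: Rule, p: Packet) -> bool:
    return ((r.proto is None or r.proto == p.proto)
            and wildcard_match(p.src, r.src, r.swild)
            and wildcard_match(p.dst, r.dst, r.dwild)
            and (r.sport is None or r.sport == p.sport)
            and (r.dport is None or r.dport == p.dport))

def evaluate(acl: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry decides; no match means implicit deny (assumed, Cisco-style)."""
    for n, r in enumerate(acl, 1):
        if rule_matches(r, p):
            return r.action, n
    return "deny", None

if __name__ == "__main__":
    acls = parse_config(CONFIG)
    print(cidr_to_wildcard("192.168.0.0/24"))                                                 # ('192.168.0.0', '0.0.0.255')
    print(evaluate(acls["breakout"], Packet(6, "192.168.1.10", "10.1.2.3", 40000, 443)))     # ('deny', 1)
    print(evaluate(acls["breakout"], Packet(6, "192.168.1.10", "203.0.113.9", 40000, 443)))  # ('permit', 4)
```

The breakout list illustrates why order matters: the three RFC 1918 deny entries must precede the final permit-any, otherwise site-to-site traffic would leak to the internet breakout. The evaluator returns the entry number that decided, which is what you want when reconciling a decision against the match counters in "show ip access-list".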

...