Command Reference Guide Global Configuration Mode Command Set
61200990L1-35E Copyright © 2005 ADTRAN 351
Functional Notes
Access control lists are used as packet selectors by access policies (ACPs); by themselves they do
nothing. ACLs are composed of an ordered list of entries with an implicit deny all at the end of each list. An
ACL entry contains two parts: an action (permit or deny) and a packet pattern. A permit ACL is used to
allow packets (meeting the specified pattern) to enter the router system. A deny ACL advances the AOS to
the next access policy entry. The AOS provides two types of ACLs: standard and extended. Standard
ACLs allow source IP address packet patterns only. Extended ACLs may specify patterns using most fields
in the IP header and the TCP or UDP header.
ACLs are performed in order from the top of the list down. Generally the most specific entries should be at
the top and the most general at the bottom.
The following commands are contained in the access-list standard:
remark
Associates a descriptive tag (up to 80 alphanumeric characters enclosed in quotation marks) to the access
list. Enter a functional description for the list such as “This list blocks all outbound web traffic.”
log
Logs a message (if debug access-list is enabled for this access list) when the access list finds a packet
match.
permit or deny any
Uses the any keyword to match any IP address received by the access list. For example, the following
allows all packets through the configured access list:
(config)#ip access-list standard MatchAll
(config-std-nacl)#permit any
permit or deny host <ip address>
Uses the host <A.B.C.D> keyword to specify a single host address. For example, the following allows all
traffic from the host with an IP address of 196.173.22.253:
(config)#ip access-list standard MatchHost
(config-std-nacl)#permit host 196.173.22.253
permit or deny <ip address> <wildcard>
Uses the <A.B.C.D> <wildcard> format to match all IP addresses in a “range.” Wildcard masks work in
reverse logic from subnet mask. Specifying a one in the wildcard mask equates to a “don’t care.” For
example, the following denies all traffic from the 192.168.0.0/24 network:
(config)#ip access-list standard MatchNetwork
(config-std-nacl)#deny 192.168.0.0 0.0.0.255
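As an added example that is not part of the ADTRAN guide: a small Python model of how a standard ACL is evaluated, showing wildcard-mask "don't care" bits, top-down first-match order, and the implicit deny all at the end of the list. The sample list is constructed for illustration.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Standard-ACL wildcard test: a 1 bit in the wildcard means 'don't care',
    so only the bits where the wildcard is 0 must equal the base address."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_entry(line):
    """Parse one standard ACL entry into (action, base, wildcard).
    Accepted forms: 'permit|deny any', 'permit|deny host A.B.C.D',
    'permit|deny A.B.C.D W.W.W.W'."""
    parts = line.split()
    action = parts[0]
    if parts[1] == "any":
        return action, "0.0.0.0", "255.255.255.255"   # every bit is don't care
    if parts[1] == "host":
        return action, parts[2], "0.0.0.0"             # every bit must match
    return action, parts[1], parts[2]


def evaluate(acl, src):
    """Walk the list from the top; the first matching entry decides.
    Falling off the end hits the implicit deny all."""
    for line in acl:
        action, base, wildcard = parse_entry(line)
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"


# Constructed sample list: the specific host entry sits above the general
# network entry, as the guide recommends.
SAMPLE_ACL = [
    "deny host 192.168.0.10",
    "permit 192.168.0.0 0.0.0.255",
]
```

Reversing SAMPLE_ACL makes the network entry match 192.168.0.10 first, so the host-specific deny is never reached; this is why specific entries belong at the top.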