I've been working on a standardized set of access control lists (ACLs) to use for traffic classification in conjunction with Quality of Service (QoS) on Cisco routers and switches. I've tried to adhere as closely as possible to the Cisco QoS Baseline (pdf).

As I refine the ACLs, I'll keep this page up to date. If you have any ideas on how I can make these better, please send me an email.

Bulk Data

The bulk data class is intended for non-interactive, throughput-oriented traffic flows. So far I have identified FTP and the various e-mail related protocols.

! Remove any existing copy of the list, then rebuild it from scratch
no ip access-list extended BULK-DATA
ip access-list extended BULK-DATA
 ! FTP
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 permit tcp any eq ftp any
 permit tcp any eq ftp-data any
 ! IMAP
 permit tcp any any eq 143
 permit tcp any eq 143 any
 permit tcp any any eq 993
 permit tcp any eq 993 any
 ! POP3
 permit tcp any any eq 110
 permit tcp any eq 110 any
 permit tcp any any eq 995
 permit tcp any eq 995 any
 ! SMTP
 permit tcp any any eq 25
 permit tcp any eq 25 any
 permit tcp any any eq 465
 permit tcp any eq 465 any

Call Signaling

Call signaling refers to the protocols that set up, control and tear down Voice over IP (VoIP) and video-conferencing sessions. This is not the Real-time Transport Protocol (RTP) traffic that makes up the bulk of a VoIP call.

no ip access-list extended CALL-SIGNALING
ip access-list extended CALL-SIGNALING
 ! SCCP / Skinny
 permit tcp any any range 2000 2002
 permit tcp any range 2000 2002 any
 ! SIP
 permit udp any any eq 5060
 permit tcp any any eq 5060
 ! H.323 (RAS / gatekeeper discovery on UDP 1718-1719, H.225 call setup on TCP 1720)
 permit udp any any range 1718 1719
 permit tcp any any eq 1720
 ! MGCP (gateway side on 2427, call agent side on 2428)
 permit tcp any any eq 2428
 permit tcp any eq 2428 any
 permit udp any any eq 2427
 permit udp any eq 2427 any

IP Routing

IP routing protocols in this class include Border Gateway Protocol (BGP) and Routing Information Protocol (RIP).

no ip access-list extended IP-ROUTING
ip access-list extended IP-ROUTING
 ! BGP
 permit tcp any eq 179 any
 permit tcp any any eq 179
 ! RIP
 permit udp any eq 520 any
 permit udp any any eq 520

Network Management

The network management class is intended for protocols important to the maintenance of the network. I've put the protocols important to my networks here, but your selections may vary.

no ip access-list extended NET-MGMT
ip access-list extended NET-MGMT
 ! SNMP (161 for polling, 162 for traps)
 permit udp any eq 161 any
 permit udp any any range 161 162
 ! Syslog
 permit udp any any eq 514
 ! Telnet
 permit tcp any eq 23 any
 permit tcp any any eq 23
 ! DNS
 permit tcp any eq 53 any
 permit udp any eq 53 any
 permit tcp any any eq 53
 permit udp any any eq 53
 ! ICMP
 permit icmp any any
 ! TFTP
 permit udp any eq 69 any
 permit udp any any eq 69
 ! DHCP
 permit udp any range 67 68 any
 permit udp any any range 67 68

Voice

This class identifies the RTP traffic that makes up the media stream of a VoIP call. This traffic is very sensitive to latency, jitter and loss and should be prioritized ahead of everything else.

no ip access-list extended VOICE
ip access-list extended VOICE
 ! UDP 16384-32767 is the default RTP port range used by Cisco IP phones
 permit udp any range 16384 32767 any range 16384 32767
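To see how these lists behave when a class-map evaluates them, here is an added example (my own code, not part of the original page) that parses the page's ACL syntax and classifies a handful of constructed sample flows. The embedded ACL text copies a subset of the lists above verbatim; the class precedence (VOICE first, BULK-DATA last) is an assumption about how the class-maps would be ordered in a policy-map, and the parser only handles the forms the page actually uses (`any` addresses with `eq` or `range` port matches).

```python
"""Classify sample flows against Cisco IOS extended ACLs in this page's syntax.

Added example, not the page's own code.  Assumptions: class precedence is
VOICE > CALL-SIGNALING > IP-ROUTING > NET-MGMT > BULK-DATA, only 'any'
addresses are used, and ports are matched with 'eq' or 'range'.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]   # inclusive (low, high); None means any port

# Names IOS accepts in place of numbers for the ports that appear on this page.
NAMED_PORTS = {"ftp": 21, "ftp-data": 20, "telnet": 23, "smtp": 25, "domain": 53,
               "tftp": 69, "snmp": 161, "snmptrap": 162, "bgp": 179,
               "syslog": 514, "rip": 520}


@dataclass(frozen=True)
class Ace:
    action: str        # "permit" or "deny"
    proto: str         # "tcp", "udp", "icmp" or "ip" ("ip" matches every protocol)
    src: PortRange
    dst: PortRange


@dataclass(frozen=True)
class Flow:
    proto: str
    sport: int         # use 0 for protocols without ports (ICMP)
    dport: int


def _port(tok: str) -> int:
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)


def _addr_ports(toks: List[str]) -> Tuple[PortRange, List[str]]:
    """Consume 'any [eq P | range A B]'; return the port range and leftover tokens."""
    if not toks or toks[0] != "any":
        raise ValueError("only 'any' addresses are supported in this example")
    toks = toks[1:]
    if toks and toks[0] == "eq":
        p = _port(toks[1])
        return (p, p), toks[2:]
    if toks and toks[0] == "range":
        return (_port(toks[1]), _port(toks[2])), toks[3:]
    return None, toks


def parse_acls(text: str) -> Dict[str, List[Ace]]:
    """Parse 'ip access-list extended NAME' blocks; lines starting with '!' are comments."""
    acls: Dict[str, List[Ace]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        toks = line.split()
        if line.startswith("no ip access-list"):      # the page's idiom: drop the old list
            acls.pop(toks[-1], None)
            continue
        if line.startswith("ip access-list extended"):
            current = toks[-1]
            acls[current] = []
            continue
        if current is None or toks[0] not in ("permit", "deny"):
            raise ValueError(f"unsupported line: {line!r}")
        src, rest = _addr_ports(toks[2:])
        dst, rest = _addr_ports(rest)
        if rest:
            raise ValueError(f"trailing tokens in: {line!r}")
        acls[current].append(Ace(toks[0], toks[1], src, dst))
    return acls


def _in(r: PortRange, port: int) -> bool:
    return r is None or r[0] <= port <= r[1]


def acl_permits(aces: List[Ace], flow: Flow) -> bool:
    """First matching ACE decides; every IOS ACL ends with an implicit deny."""
    for ace in aces:
        if ace.proto in ("ip", flow.proto) and _in(ace.src, flow.sport) and _in(ace.dst, flow.dport):
            return ace.action == "permit"
    return False


CLASS_ORDER = ["VOICE", "CALL-SIGNALING", "IP-ROUTING", "NET-MGMT", "BULK-DATA"]  # assumption


def classify(acls: Dict[str, List[Ace]], flow: Flow) -> str:
    """Return the first class whose ACL permits the flow, otherwise class-default."""
    for name in CLASS_ORDER:
        if name in acls and acl_permits(acls[name], flow):
            return name
    return "class-default"


# Subset of the page's lists, copied verbatim (constructed input for this example).
PAGE_ACLS = """
ip access-list extended VOICE
 permit udp any range 16384 32767 any range 16384 32767
ip access-list extended CALL-SIGNALING
 ! SCCP / Skinny
 permit tcp any any range 2000 2002
 permit tcp any range 2000 2002 any
 ! SIP
 permit udp any any eq 5060
 permit tcp any any eq 5060
ip access-list extended IP-ROUTING
 permit tcp any eq 179 any
 permit tcp any any eq 179
ip access-list extended NET-MGMT
 permit udp any any eq 514
 permit tcp any any eq 23
 permit icmp any any
ip access-list extended BULK-DATA
 permit tcp any any eq ftp
 permit tcp any eq ftp any
 permit tcp any any eq 25
 permit tcp any eq 25 any
"""
ACLS = parse_acls(PAGE_ACLS)

# Constructed sample flows (description, flow); see the assertions for the expected class.
SAMPLE_FLOWS = [
    ("RTP media, phone to phone", Flow("udp", 20000, 24000)),
    ("SIP INVITE towards the proxy", Flow("udp", 20000, 5060)),
    ("SIP response back from the proxy", Flow("udp", 5060, 40000)),
    ("SCCP from CallManager to a phone", Flow("tcp", 2000, 51000)),
    ("BGP update from a peer", Flow("tcp", 179, 33000)),
    ("ICMP echo", Flow("icmp", 0, 0)),
    ("SMTP submission", Flow("tcp", 45000, 25)),
]

if __name__ == "__main__":
    for desc, flow in SAMPLE_FLOWS:
        print(f"{desc:36} -> {classify(ACLS, flow)}")
```

Two things the run makes visible that the lists alone do not. First, the SIP response from the proxy lands in class-default: the SCCP, BGP and SMTP entries match both directions (one ACE with the port as destination, one with it as source), but the SIP and H.323 entries only match packets sent to the port, so replies are classified by whatever class-default gets. Second, classification here is purely by port: any host that sends UDP with both ports in 16384-32767 is treated as voice, so these lists belong at a trust boundary (an access port facing a known phone, or after a policer), not as the sole gate for the priority queue.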