L3 ACL Creation

There are three types of L3 ACLs: standard, extended and policy. The type of ACL you need depends upon the packet field(s) that will generate a hit for the rules specified in the ACL. For a standard ACL, only the source IP address is configurable. For extended and policy ACLs, the protocol, source IP address, destination IP address and, in the case of the TCP or UDP protocols, matching source and destination ports are configurable. A policy ACL additionally requires the policy-specific set-dscp parameter to be specified.

There are two ways to identify the new ACL: a number or a name. Numbers are used for IPv4 ACLs only. Standard IPv4 ACL numbers range from 1 to 99. Extended and policy IPv4 ACL numbers range from 100 to 199. Both IPv4 and IPv6 allow alphanumeric names that must start with an alpha character. A name may be quoted (the quotes are stripped), but spaces are not supported even inside a quoted string. A name cannot be one of the show access-lists keywords brief or applied, or any prefix thereof such as br or app. Names can be up to 64 characters in length.

Once you have determined the appropriate ACL type, use the ip access-list standard, ip access-list extended, ip access-list policy, ipv6 access-list standard or ipv6 access-list extended command, in each case specifying the access-list number or name for the ACL.

An existing L3 ACL can be copied to a non-existing L3 ACL of the same IP type (IPv4 or IPv6). An existing L3 ACL can be appended to the end of another existing L3 ACL of the same IP type, but a standard L3 ACL may not be appended to an extended L3 ACL nor vice versa.

Upon creating the L3 ACL, you are placed in the access-list configuration command mode where you can enter rules or comment entries for this L3 ACL.
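As an added example (not part of the original documentation), the identifier and append rules above written as a small Python pre-check that an automation script can run before it pushes an ip access-list or ipv6 access-list command to the switch. The letters-and-digits-only reading of "alphanumeric", the case-insensitive keyword-prefix check and treating a policy ACL like an extended one for append purposes are assumptions.

```python
import re

# Numeric identifiers are IPv4 only: standard 1-99, extended and policy 100-199.
STANDARD_RANGE = range(1, 100)
EXTENDED_RANGE = range(100, 200)
# show access-lists keywords that a name (or any prefix of one) may not collide with.
RESERVED_KEYWORDS = ("brief", "applied")
# Assumption: "alphanumeric" means letters and digits only, first character a letter.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9]*")


def validate_acl_identifier(ip_type: str, acl_type: str, ident: str) -> str:
    """Return the identifier as the CLI would accept it, or raise ValueError."""
    if ip_type not in ("ip", "ipv6"):
        raise ValueError("ip_type must be 'ip' or 'ipv6'")
    if acl_type not in ("standard", "extended", "policy"):
        raise ValueError("acl_type must be standard, extended or policy")
    name = ident.strip('"')  # quotes are stripped by the CLI
    if name.isdigit():
        if ip_type != "ip":
            raise ValueError("numbers identify IPv4 ACLs only; IPv6 ACLs use names")
        allowed = STANDARD_RANGE if acl_type == "standard" else EXTENDED_RANGE
        if int(name) not in allowed:
            raise ValueError(f"{acl_type} IPv4 ACL numbers must be "
                             f"{allowed.start}-{allowed.stop - 1}")
        return name
    if " " in name:
        raise ValueError("spaces are not supported, even in a quoted name")
    if not NAME_RE.fullmatch(name):
        raise ValueError("names must start with a letter and be alphanumeric")
    if len(name) > 64:
        raise ValueError("names are limited to 64 characters")
    # Assumption: the keyword comparison is case-insensitive.
    if any(kw.startswith(name.lower()) for kw in RESERVED_KEYWORDS):
        raise ValueError(f"'{name}' is a show access-lists keyword or a prefix of one")
    return name


def is_valid_acl_identifier(ip_type: str, acl_type: str, ident: str) -> bool:
    """Boolean wrapper for scripts that only need accept/reject."""
    try:
        validate_acl_identifier(ip_type, acl_type, ident)
        return True
    except ValueError:
        return False


def can_append(src_ip: str, src_type: str, dst_ip: str, dst_type: str) -> bool:
    """Append is allowed only within one IP type and never standard<->extended.
    Assumption: a policy ACL is treated as extended here."""
    return src_ip == dst_ip and (src_type == "standard") == (dst_type == "standard")
```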

Policy ACLs

The policy ACL allows an application such as VoIP to dynamically set the DSCP value when a permit match occurs for the ACL. Policy ACLs are intended to be used by an application capable of dynamically configuring the ACL to prioritize relatively short duration connections between specific end points. Entries in the policy ACL will be updated rapidly with an entry created for each new connection (VoIP call) and deleted when the connection terminates. The creation and application of policy ACLs do not persist after a system reset, due to the transient nature of the connections to which they are applied.

A policy ACL does not drop packets. A permit rule match sets the DSCP field in the packet to the value specified by the mandatory set-dscp permit parameter and then resumes the normal forwarding process. A deny rule match stops processing the packet against the policy ACL and resumes the normal forwarding process.

Policy ACLs have the same configuration options as IPv4 extended ACLs, with the additional required set-dscp parameter. Multiple policy ACLs may be created, but only one policy ACL may be applied at a time per VRF.

Policy ACLs are supported on the S- and K-Series.

IPv4 ACL Creation Examples

The following example creates a standard IPv4 ACL with the access-list number 1 as its identifier:

System(rw-config)->ip access-list standard 1
System(rw-cfg-std-acl)->

The following example creates an extended IPv4 ACL with the access-list number 100 as its identifier:

System(rw-config)->ip access-list extended 100
System(rw-cfg-ext-acl)->

The following example creates a policy IPv4 ACL with the access-list number 101 as its identifier:

System(rw-config)->ip access-list policy 101
System(rw-cfg-ext-acl)->

The following example creates a standard ACL with the name ipv4acl1 as its identifier:

System(rw-config)->ip access-list standard ipv4acl1
System(rw-cfg-std-acl)->

IPv6 ACL Creation Examples

The following example creates a standard IPv6 ACL with the name acl1 as its identifier:

System(rw-config)->ipv6 access-list standard acl1
System(rw-cfg-ipv6-std-acl)->

The following example creates an extended IPv6 ACL with the name acl100 as its identifier:

System(rw-config)->ipv6 access-list extended acl100
System(rw-cfg-ipv6-ext-acl)->

The following example creates a standard IPv6 ACL with the name ipv6acl1 as its identifier:

System(rw-config)->ipv6 access-list standard ipv6acl1
System(rw-cfg-ipv6-std-acl)->