This section provides details for the configuration of ACLs on the S- and K-Series products.
Creating and Managing IPv4 and IPv6 ACLs describes how to create IPv4 and IPv6 ACLs and manage them at the ACL level.
Step | Task | Command(s) |
---|---|---|
1 | In global configuration command mode, create a standard extended or policy IPv4 or a standard or extended IPv6 ACL, or enter IPv4 or IPv6 ACL configuration mode for an already existing ACL. | ipv4 access-list {standard | extended} {access-list-number | name} ip access-list policy {access-list-number | name} ipv6 access-list {standard | extended} name |
2 | In global configuration command mode, optionally, copy a preexisting IPv4 or IPv6 ACL to a non-existing IPv4 or IPv6 ACL. | ipv4 ip access-list {standard | extended} {access-list-number | name} copy to {access-list-number | name} ipv6 ip access-list {standard | extended} name copy to name |
3 | In global configuration command mode, optionally, append a preexisting IPv4 or IPv6 ACL to another preexisting IPv4 or IPv6 ACL. | ipv4 ip access-list {standard | extended} {access-list-number | name} append to {access-list-number | name} ipv6 ip access-list {standard | extended} name append to name |
4 | In global configuration command mode, optionally, check the efficiency of an IPv4 or IPv6 ACL. | ipv4 ip access-list {standard | extended} {access-list-number | name} check ipv6 ip access-list {standard | extended} name check |
Creating and Managing L2 ACLs describes how to create an L2 ACL and manage the L2 ACL at the ACL level.
Step | Task | Command(s) |
---|---|---|
1 | In global configuration command mode, create an L2 ACL, or enter L2 ACL configuration mode for an already existing ACL. | l2 access-list name |
2 | In global configuration command mode, optionally, copy a preexisting L2 ACL to a non-existing L2 ACL. | l2 access-list name copy to name |
3 | In global configuration command mode, optionally, append a preexisting L2 ACL to another preexisting L2 ACL. | l2 access-list name append to name |
4 | In global configuration command mode, optionally, check the efficiency of an L2 ACL. | l2 access-list name check |
Entering and Managing Standard IPv4 ACL Rules describes how to enter and manage standard ACL rules.
Step | Task | Command(s) |
---|---|---|
1 | In IPv4 ACL configuration command mode, optionally, create a standard IPv4 ACL permit rule entry. | permit {source source-wildcard | any | host ip-address} [log | log-verbose] |
2 | In IPv4 ACL configuration command mode, optionally, create a standard IPv4 ACL deny rule entry. | deny {source source-wildcard | any | host ip-address} [log | log-verbose] |
3 | In IPv4 ACL configuration command mode, optionally, insert a new standard IPv4 ACL rule entry before the specified preexisting entry for this standard ACL. | insert before entry {remark “text” | {permit | deny} {source source-wildcard | any | host ip-address} [log | log-verbose]} |
4 | In IPv4 ACL configuration command mode, optionally, replace the specified standard ACL entry with the specified new entry. | replace entry {remark “text” | deny {source [source-wildcard] | any | host ip-address} | permit {source [source-wildcard] | any | host ip-address}} |
Entering and Managing Standard IPv6 ACL Rules describes how to enter and manage standard ACL rules.
Step | Task | Command(s) |
---|---|---|
1 | In IPv6 ACL configuration command mode, optionally, create a standard IPv6 ACL permit rule entry. | permit {source-address/length | any | host ip-address} [log | log-verbose] |
2 | In IPv6 ACL configuration command mode, optionally, create a standard IPv6 ACL deny rule entry. | deny {source-address/length | any | host ip-address} [log | log-verbose] |
3 | In IPv6 ACL configuration command mode, optionally, insert a new standard IPv6 ACL rule entry before the specified preexisting entry for this standard ACL. | insert before entry {remark text | {permit | deny} {source-address/length | any | host ip-address} [log | log-verbose]} |
4 | In IPv6 ACL configuration command mode, optionally, replace the specified standard ACL entry with the specified new entry. | replace entry {remark text | {permit | deny} {source-address/length | any | host ip-address} [log | log-verbose]} |
Entering and Managing Extended IPv4 ACL Rules describes how to enter and manage extended IPv4 ACL rules.
Step | Task | Command(s) |
---|---|---|
1 | In IPv4 ACL configuration command mode, optionally, create an extended or policy IPv4 ACL permit rule entry. The set-dscp parameter is supported by policy ACLs only. | permit {protocol-num | ip | esp | gre} {source source-wildcard | any | host ip-address} {destination destination-host wildcard | any | host ip-address} [dscp code] [precedence value] [tos value] [log | log-verbose] set-dscp value |
| | permit tcp {source source-wildcard | any | host ip-address} [{eq | neq | gt | lt} source-port] [range start-port end-port] {destination destination-host wildcard | any | host ip-address} [{eq | neq | gt | lt} dest-port] [range start-port end-port] [established] [dscp code] [precedence value] [tos value] [log | log-verbose] set-dscp value |
| | permit udp {source source-wildcard | any | host ip-address} [{eq | neq | gt | lt} source-port] [range start-port end-port] {destination destination-host wildcard | any | host ip-address} [{eq | neq | gt | lt} dest-port] [range start-port end-port] [dscp code] [precedence value] [tos value] [log | log-verbose] set-dscp value |
| | permit icmp {source source-wildcard | any | host ip-address} {destination destination-host wildcard | any | host ip-address} [msg icmp-msg] [dscp code] [precedence value] [tos value] [log | log-verbose] set-dscp value |
2 | In IPv4 ACL configuration command mode, optionally, create an extended IPv4 ACL deny rule entry. | deny {protocol-num | ip | esp | gre} {source source-wildcard | any | host ip-address} {destination destination-host wildcard | any | host ip-address} [dscp code] [precedence value] [tos value] [log | log-verbose] |
| | deny tcp {source source-wildcard | any | host ip-address} [{eq | neq | gt | lt} source-port] [range start-port end-port] {destination destination-host wildcard | any | host ip-address} [{eq | neq | gt | lt} dest-port] [range start-port end-port] [established] [dscp code] [precedence value] [tos value] [log | log-verbose] |
| | deny udp {source source-wildcard | any | host ip-address} [{eq | neq | gt | lt} source-port] [range start-port end-port] {destination destination-host wildcard | any | host ip-address} [{eq | neq | gt | lt} dest-port] [range start-port end-port] [dscp code] [precedence value] [tos value] [log | log-verbose] |
| | deny icmp {source source-wildcard | any | host ip-address} {destination destination-host wildcard | any | host ip-address} [msg icmp-msg] [dscp code] [precedence value] [tos value] [log | log-verbose] |
3 | In IPv4 ACL configuration command mode, optionally, insert a new extended IPv4 ACL rule entry before the specified preexisting entry for this extended ACL. See the appropriate command syntax when entering a deny or permit rule to be inserted. | insert before entry {remark “text” | deny-syntax | permit-syntax} |
4 | In IPv4 ACL configuration command mode, optionally, replace the specified extended IPv4 ACL entry with the specified new entry. See the appropriate command syntax when entering a deny or permit rule to be replaced. | replace entry {remark “text” | deny-syntax | permit-syntax} |
Entering and Managing Extended IPv6 ACL Rules describes how to enter and manage extended IPv6 ACL rules.
Step | Task | Command(s) |
---|---|---|
1 | In IPv6 ACL configuration command mode, optionally, create an extended IPv6 ACL permit rule entry. | permit {protocol-num | ipv6 | esp | gre} {source-address/length | any | host ip-address} {destination-address/length | any | host ip-address} [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type] |
| | permit tcp {source-address/length | any | host ip-address} [{eq | neq | gt | lt} source-port] [range start-port end-port] {destination-address/length | any | host ip-address} [{eq | neq | gt | lt} dest-port] [range start-port end-port] [established] [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type] |
| | permit udp {source-address/length | any | host ip-address} [{eq | neq | gt | lt} source-port] [range start-port end-port] {destination-address/length | any | host ip-address} [{eq | neq | gt | lt} dest-port] [range start-port end-port] [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type] |
| | permit icmpv6 {source-address/length | any | host ip-address} {destination-address/length | any | host ip-address} [icmpv6-type [icmpv6-code] | msg icmpv6-msg] [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type] |
2 | In IPv6 ACL configuration command mode, optionally, create an extended IPv6 ACL deny rule entry. | deny {protocol-num | ipv6 | esp | gre} {source-address/length | any | host ip-address} {destination-address/length | any | host ip-address} [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type] |
| | deny tcp {source-address/length | any | host ip-address} [{eq | neq | gt | lt} source-port] [range start-port end-port] {destination-address/length | any | host ip-address} [{eq | neq | gt | lt} dest-port] [range start-port end-port] [established] [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type] |
| | deny udp {source-address/length | any | host ip-address} [{eq | neq | gt | lt} source-port] [range start-port end-port] {destination-address/length | any | host ip-address} [{eq | neq | gt | lt} dest-port] [range start-port end-port] [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type] |
| | deny icmpv6 {source-address/length | any | host ip-address} {destination-address/length | any | host ip-address} [icmpv6-type [icmpv6-code] | msg icmpv6-msg] [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type] |
3 | In IPv6 ACL configuration command mode, optionally, insert a new extended IPv6 ACL rule entry before the specified preexisting entry for this extended ACL. See the appropriate command syntax when entering a deny or permit rule to be inserted. | insert before entry {remark “text” | deny-syntax | permit-syntax} |
4 | In IPv6 ACL configuration command mode, optionally, replace the specified extended IPv6 ACL entry with the specified new entry. See the appropriate command syntax when entering a deny or permit rule to be replaced. | replace entry {remark “text” | deny-syntax | permit-syntax} |
Entering and Managing L2 ACL Rules describes how to enter and manage L2 ACL rules.
Step | Task | Command(s) |
---|---|---|
1 | In L2 ACL configuration command mode, optionally, create an L2 ACL permit rule entry. | permit {any | host source-macAddr | source-macAddr source-wildcard} [any | host destination-macAddr | destination-macAddr destination-wildcard] [dei] [cos cos] [vlan vlan [vidhi]] [ethertype data] [log | log-verbose] |
2 | In L2 ACL configuration command mode, optionally, create an L2 ACL deny rule entry. | deny {any | host source-macAddr | source-macAddr source-wildcard} [any | host destination-macAddr | destination-macAddr destination-wildcard] [dei] [cos cos] [vlan vlan [vidhi]] [ethertype data] [log | log-verbose] |
3 | In L2 ACL configuration command mode, optionally, insert a new L2 ACL rule entry before the specified preexisting entry for this L2 ACL. | insert before entry {remark “text” | {permit | deny} {any | host source-macAddr | source-macAddr source-wildcard} [any | host destination-macAddr | destination-macAddr destination-wildcard] [dei] [cos cos] [vlan vlan [vidhi]] [ethertype data] [log | log-verbose]} |
4 | In L2 ACL configuration command mode, optionally, replace the specified L2 ACL entry with the specified new entry. | replace entry {remark “text” | {permit | deny} {any | host source-macAddr | source-macAddr source-wildcard} [any | host destination-macAddr | destination-macAddr destination-wildcard] [dei] [cos cos] [vlan vlan [vidhi]] [ethertype data] [log | log-verbose]} |
Managing IPv4, IPv6 and L2 ACL Rules describes how to manage ACL rules.
Step | Task | Command(s) |
---|---|---|
1 | In IPv4, IPv6, or L2 ACL configuration command mode, optionally, enable logging for the specified rule, the final implicit deny rule, or all rules. | log [entry] [implicit] [all] |
2 | In IPv4, IPv6, or L2 ACL configuration command mode, optionally, delete a preexisting ACL rule entry. | delete {entry | from entry to entry} |
3 | In IPv4, IPv6, or L2 ACL configuration command mode, optionally, move a preexisting ACL entry before the specified entry or range of entries. | move before entry from entry to entry |
4 | In IPv4, IPv6, or L2 ACL configuration command mode, optionally, enter a text comment as the next ACL entry. | remark “text” |
Applying and Displaying ACLs describes how to apply and display ACLs.
Step | Task | Command(s) |
---|---|---|
1 | In interface configuration command mode, apply an ACL to a routing interface, specifying whether the ACL applies to inbound or outbound frames. | ipv4 access-group {access-list-number | name} {in | out} ipv6 access-group access-list-name {in | out} l2 access-group name {in | out} |
2 | In configuration command mode, apply an IPv4 or IPv6 ACL to the host services for this device. | ipv4 host-access {access-list-number | name} ipv6 host-access name |
3 | In any command mode, optionally, display ACL configuration. | show access-lists [access-list-number | name] [from start-range to end-range] [brief] |
4 | In any command mode, optionally, display applied ACLs. | show access-lists applied [host | interfaces [vlan | inbound | outbound | in-and-out]] |
5 | In any command mode, optionally, clear ACL display counters. | clear access-lists counters [{access-list-number | name} | applied [host | interfaces [vlan vlan-id] [inbound | outbound | in-and-out]]] |
Entering VRF Access Mode and Applying ACLs describes how to enter VRF access configuration mode and apply ACLs.
Step | Task | Command(s) |
---|---|---|
1 | In VRF configuration mode, enter VRF access configuration mode. | vrf-access |
2 | In VRF access configuration mode, apply an IPv4 access list to traffic from the specified VRF. | ip access-group list-name from-vrf vrf-name |
3 | In VRF access configuration mode, apply an IPv4 access list to traffic inbound from any VRF. | ip access-group list-name from-any-vrf |
4 | In VRF access configuration mode, apply an IPv4 access list to traffic outbound to the specified VRF. | ip access-group list-name to-vrf vrf-name |
5 | In VRF access configuration mode, apply an IPv4 access list to traffic outbound to any VRF. | ip access-group list-name to-any-vrf |
6 | In VRF access configuration mode, apply an IPv6 access list to traffic from the specified VRF. | ipv6 access-group list-name from-vrf vrf-name |
7 | In VRF access configuration mode, apply an IPv6 access list to traffic from any VRF. | ipv6 access-group list-name from-any-vrf |
8 | In VRF access configuration mode, apply an IPv6 access list to traffic outbound to the specified VRF. | ipv6 access-group list-name to-vrf vrf-name |
9 | In VRF access configuration mode, apply an IPv6 access list to traffic outbound to any VRF. | ipv6 access-group list-name to-any-vrf |
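The following session ties the tables above together (creating an ACL, entering rules, fixing rule order, applying the ACL to an interface, to host services and in VRF access mode, then displaying it). It is an added illustration, not a transcript from the guide: the ACL names, the 192.0.2.0/24 and 198.51.100.0/24 addresses, the interface name, the prompts and the `!` comment marker are all constructed, and the `ip access-list` / `ip access-group` / `ip host-access` keyword form is an assumption about how the ipv4-labelled table cells read, so check it against your firmware's syntax.

```text
! Added example; names, addresses, prompts and "!" comments are constructed.
! 1. Extended IPv4 ACL for a server VLAN: web traffic to the server, return
!    traffic for sessions the servers opened, and log everything else dropped.
(config)# ip access-list extended web-in
(config-ipv4-acl)# remark "web tier: HTTP/HTTPS in, log all drops"
(config-ipv4-acl)# permit tcp any host 192.0.2.10 eq 80
(config-ipv4-acl)# permit tcp any host 192.0.2.10 eq 443
(config-ipv4-acl)# permit tcp any 192.0.2.0 0.0.0.255 established
(config-ipv4-acl)# deny ip any any log

! 2. Rules are evaluated first match, so a block for one host must sit ahead
!    of the permits. Insert it before entry 2 (entry 1 is the remark) instead
!    of rebuilding the list, then run the efficiency check from global mode.
(config-ipv4-acl)# insert before 2 deny ip host 198.51.100.7 any log
(config-ipv4-acl)# exit
(config)# ip access-list extended web-in check

! 3. Standard ACL restricting which hosts may reach the device's own services.
!    "log implicit" makes the final implicit deny visible in the logs.
(config)# ip access-list standard mgmt-in
(config-ipv4-acl)# permit 198.51.100.0 0.0.0.255
(config-ipv4-acl)# log implicit
(config-ipv4-acl)# exit

! 4. Apply: data-plane ACL inbound on the routing interface, the management
!    ACL to host services, and the same management ACL to traffic arriving
!    from any VRF. (The command that enters VRF configuration mode is not
!    covered in this section; it is omitted here.)
(config)# interface vlan.0.100
(config-if)# ip access-group web-in in
(config-if)# exit
(config)# ip host-access mgmt-in
(config-vrf)# vrf-access
(config-vrf-access)# ip access-group mgmt-in from-any-vrf

! 5. Verify the rule order and where the lists are applied, then reset the
!    counters before watching hits on the deny rules.
# show access-lists web-in
# show access-lists applied interfaces inbound
# show access-lists applied host
# clear access-lists counters web-in
```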