Configuring ACLs

This section provides details for the configuration of ACLs on the S- and K-Series products.

Creating and Managing IPv4 and IPv6 ACLs describes how to create IPv4 and IPv6 ACLs and manage them at the ACL level.

Creating and Managing IPv4 and IPv6 ACLs

Step 1. In global configuration command mode, create a standard, extended, or policy IPv4 ACL or a standard or extended IPv6 ACL, or enter IPv4 or IPv6 ACL configuration mode for an already existing ACL.
    Command(s):
        ipv4 access-list {standard | extended} {access-list-number | name}
        ip access-list policy {access-list-number | name}
        ipv6 access-list {standard | extended} name

Step 2. In global configuration command mode, optionally, copy a preexisting IPv4 or IPv6 ACL to a non-existing IPv4 or IPv6 ACL.
    Command(s):
        ipv4 ip access-list {standard | extended} {access-list-number | name} copy to {access-list-number | name}
        ipv6 ip access-list {standard | extended} name copy to name

Step 3. In global configuration command mode, optionally, append a preexisting IPv4 or IPv6 ACL to another preexisting IPv4 or IPv6 ACL.
    Command(s):
        ipv4 ip access-list {standard | extended} {access-list-number | name} append to {access-list-number | name}
        ipv6 ip access-list {standard | extended} name append to name

Step 4. In global configuration command mode, optionally, check the efficiency of an IPv4 or IPv6 ACL.
    Command(s):
        ipv4 ip access-list {standard | extended} {access-list-number | name} check
        ipv6 ip access-list {standard | extended} name check

Creating and Managing L2 ACLs describes how to create an L2 ACL and manage the L2 ACL at the ACL level.

Creating and Managing L2 ACLs

Step 1. In global configuration command mode, create an L2 ACL, or enter L2 ACL configuration mode for an already existing ACL.
    Command(s):
        l2 access-list name

Step 2. In global configuration command mode, optionally, copy a preexisting L2 ACL to a non-existing L2 ACL.
    Command(s):
        l2 access-list name copy to name

Step 3. In global configuration command mode, optionally, append a preexisting L2 ACL to another preexisting L2 ACL.
    Command(s):
        l2 access-list name append to name

Step 4. In global configuration command mode, optionally, check the efficiency of an L2 ACL.
    Command(s):
        l2 access-list name check

Entering and Managing Standard IPv4 ACL Rules describes how to enter and manage standard ACL rules.

Entering and Managing Standard IPv4 ACL Rules

Step 1. In IPv4 ACL configuration command mode, optionally, create a standard IPv4 ACL permit rule entry.
    Command(s):
        permit {source source-wildcard | any | host ip-address} [log | log-verbose]

Step 2. In IPv4 ACL configuration command mode, optionally, create a standard IPv4 ACL deny rule entry.
    Command(s):
        deny {source source-wildcard | any | host ip-address} [log | log-verbose]

Step 3. In IPv4 ACL configuration command mode, optionally, insert a new standard IPv4 ACL rule entry before the specified preexisting entry for this standard ACL.
    Command(s):
        insert before entry {remark “text” | {permit | deny} {source source-wildcard | any | host ip-address} [log | log-verbose]}

Step 4. In IPv4 ACL configuration command mode, optionally, replace the specified standard ACL entry with the specified new entry.
    Command(s):
        replace entry {remark “text” | deny {source [source-wildcard] | any | host ip-address} | permit {source [source-wildcard] | any | host ip-address}}

Entering and Managing Standard IPv6 ACL Rules describes how to enter and manage standard ACL rules.

Entering and Managing Standard IPv6 ACL Rules

Step 1. In IPv6 ACL configuration command mode, optionally, create a standard IPv6 ACL permit rule entry.
    Command(s):
        permit {source-address/length | any | host ip-address} [log | log-verbose]

Step 2. In IPv6 ACL configuration command mode, optionally, create a standard IPv6 ACL deny rule entry.
    Command(s):
        deny {source-address/length | any | host ip-address} [log | log-verbose]

Step 3. In IPv6 ACL configuration command mode, optionally, insert a new standard IPv6 ACL rule entry before the specified preexisting entry for this standard ACL.
    Command(s):
        insert before entry {remark text | {permit | deny} {source-address/length | any | host ip-address} [log | log-verbose]}

Step 4. In IPv6 ACL configuration command mode, optionally, replace the specified standard ACL entry with the specified new entry.
    Command(s):
        replace entry {remark text | {permit | deny} {source-address/length | any | host ip-address} [log | log-verbose]}

Entering and Managing Extended IPv4 ACL Rules describes how to enter and manage extended IPv4 ACL rules.

Entering and Managing Extended IPv4 ACL Rules

Step 1. In IPv4 ACL configuration command mode, optionally, create an extended or policy IPv4 ACL permit rule entry. The set-dscp parameter is supported by policy ACLs only.
    Command(s):
        permit {protocol-num | ip | esp | gre} {source source-wildcard | any | host ip-address} {destination destination-wildcard | any | host ip-address} [dscp code] [precedence value] [tos value] [log | log-verbose] set-dscp value
        permit tcp {source source-wildcard | any | host ip-address} [{eq | neq | gt | lt} source-port] [range start-port end-port] {destination destination-wildcard | any | host ip-address} [{eq | neq | gt | lt} dest-port] [range start-port end-port] [established] [dscp code] [precedence value] [tos value] [log | log-verbose] set-dscp value
        permit udp {source source-wildcard | any | host ip-address} [{eq | neq | gt | lt} source-port] [range start-port end-port] {destination destination-wildcard | any | host ip-address} [{eq | neq | gt | lt} dest-port] [range start-port end-port] [dscp code] [precedence value] [tos value] [log | log-verbose] set-dscp value
        permit icmp {source source-wildcard | any | host ip-address} {destination destination-wildcard | any | host ip-address} [msg icmp-msg] [dscp code] [precedence value] [tos value] [log | log-verbose] set-dscp value

Step 2. In IPv4 ACL configuration command mode, optionally, create an extended IPv4 ACL deny rule entry.
    Command(s):
        deny {protocol-num | ip | esp | gre} {source source-wildcard | any | host ip-address} {destination destination-wildcard | any | host ip-address} [dscp code] [precedence value] [tos value] [log | log-verbose]
        deny tcp {source source-wildcard | any | host ip-address} [{eq | neq | gt | lt} source-port] [range start-port end-port] {destination destination-wildcard | any | host ip-address} [{eq | neq | gt | lt} dest-port] [range start-port end-port] [established] [dscp code] [precedence value] [tos value] [log | log-verbose]
        deny udp {source source-wildcard | any | host ip-address} [{eq | neq | gt | lt} source-port] [range start-port end-port] {destination destination-wildcard | any | host ip-address} [{eq | neq | gt | lt} dest-port] [range start-port end-port] [dscp code] [precedence value] [tos value] [log | log-verbose]
        deny icmp {source source-wildcard | any | host ip-address} {destination destination-wildcard | any | host ip-address} [msg icmp-msg] [dscp code] [precedence value] [tos value] [log | log-verbose]

Step 3. In IPv4 ACL configuration command mode, optionally, insert a new extended IPv4 ACL rule entry before the specified preexisting entry for this extended ACL. See the appropriate command syntax above when entering the deny or permit rule to be inserted.
    Command(s):
        insert before entry {remark “text” | deny-syntax | permit-syntax}

Step 4. In IPv4 ACL configuration command mode, optionally, replace the specified extended IPv4 ACL entry with the specified new entry. See the appropriate command syntax above when entering the deny or permit rule that replaces it.
    Command(s):
        replace entry {remark “text” | deny-syntax | permit-syntax}

Entering and Managing Extended IPv6 ACL Rules describes how to enter and manage extended IPv6 ACL rules.

Entering and Managing Extended IPv6 ACL Rules

Step 1. In IPv6 ACL configuration command mode, optionally, create an extended IPv6 ACL permit rule entry.
    Command(s):
        permit {protocol-num | ipv6 | esp | gre} {source-address/length | any | host ip-address} {destination-address/length | any | host ip-address} [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type]
        permit tcp {source-address/length | any | host ip-address} [{eq | neq | gt | lt} source-port] [range start-port end-port] {destination-address/length | any | host ip-address} [{eq | neq | gt | lt} dest-port] [range start-port end-port] [established] [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type]
        permit udp {source-address/length | any | host ip-address} [{eq | neq | gt | lt} source-port] [range start-port end-port] {destination-address/length | any | host ip-address} [{eq | neq | gt | lt} dest-port] [range start-port end-port] [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type]
        permit icmpv6 {source-address/length | any | host ip-address} {destination-address/length | any | host ip-address} [icmpv6-type [icmpv6-code] | msg icmpv6-msg] [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type]

Step 2. In IPv6 ACL configuration command mode, optionally, create an extended IPv6 ACL deny rule entry.
    Command(s):
        deny {protocol-num | ipv6 | esp | gre} {source-address/length | any | host ip-address} {destination-address/length | any | host ip-address} [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type]
        deny tcp {source-address/length | any | host ip-address} [{eq | neq | gt | lt} source-port] [range start-port end-port] {destination-address/length | any | host ip-address} [{eq | neq | gt | lt} dest-port] [range start-port end-port] [established] [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type]
        deny udp {source-address/length | any | host ip-address} [{eq | neq | gt | lt} source-port] [range start-port end-port] {destination-address/length | any | host ip-address} [{eq | neq | gt | lt} dest-port] [range start-port end-port] [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type]
        deny icmpv6 {source-address/length | any | host ip-address} {destination-address/length | any | host ip-address} [icmpv6-type [icmpv6-code] | msg icmpv6-msg] [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type]

Step 3. In IPv6 ACL configuration command mode, optionally, insert a new extended IPv6 ACL rule entry before the specified preexisting entry for this extended ACL. See the appropriate command syntax above when entering the deny or permit rule to be inserted.
    Command(s):
        insert before entry {remark “text” | deny-syntax | permit-syntax}

Step 4. In IPv6 ACL configuration command mode, optionally, replace the specified extended IPv6 ACL entry with the specified new entry. See the appropriate command syntax above when entering the deny or permit rule that replaces it.
    Command(s):
        replace entry {remark “text” | deny-syntax | permit-syntax}

Entering and Managing L2 ACL Rules describes how to enter and manage L2 ACL rules.

Entering and Managing L2 ACL Rules

Step 1. In L2 ACL configuration command mode, optionally, create an L2 ACL permit rule entry.
    Command(s):
        permit {any | host source-macAddr | source-macAddr source-wildcard} [any | host destination-macAddr | destination-macAddr destination-wildcard] [dei] [cos cos] [vlan vlan [vidhi]] [ethertype data] [log | log-verbose]

Step 2. In L2 ACL configuration command mode, optionally, create an L2 ACL deny rule entry.
    Command(s):
        deny {any | host source-macAddr | source-macAddr source-wildcard} [any | host destination-macAddr | destination-macAddr destination-wildcard] [dei] [cos cos] [vlan vlan [vidhi]] [ethertype data] [log | log-verbose]

Step 3. In L2 ACL configuration command mode, optionally, insert a new L2 ACL rule entry before the specified preexisting entry for this L2 ACL.
    Command(s):
        insert before entry {remark “text” | {permit | deny} {any | host source-macAddr | source-macAddr source-wildcard} [any | host destination-macAddr | destination-macAddr destination-wildcard] [dei] [cos cos] [vlan vlan [vidhi]] [ethertype data] [log | log-verbose]}

Step 4. In L2 ACL configuration command mode, optionally, replace the specified L2 ACL entry with the specified new entry.
    Command(s):
        replace entry {remark “text” | {permit | deny} {any | host source-macAddr | source-macAddr source-wildcard} [any | host destination-macAddr | destination-macAddr destination-wildcard] [dei] [cos cos] [vlan vlan [vidhi]] [ethertype data] [log | log-verbose]}

Managing IPv4, IPv6 and L2 ACL Rules describes how to manage ACL rules.

Managing IPv4, IPv6 and L2 ACL Rules

Step 1. In IPv4, IPv6, or L2 ACL configuration command mode, optionally, enable logging for the specified rule, the final implicit deny rule, or all rules.
    Command(s):
        log [entry] [implicit] [all]

Step 2. In IPv4, IPv6, or L2 ACL configuration command mode, optionally, delete a preexisting ACL rule entry.
    Command(s):
        delete {entry | from entry to entry}

Step 3. In IPv4, IPv6, or L2 ACL configuration command mode, optionally, move a preexisting ACL entry or range of entries before the specified entry.
    Command(s):
        move before entry from entry to entry

Step 4. In IPv4, IPv6, or L2 ACL configuration command mode, optionally, enter a text comment as the next ACL entry.
    Command(s):
        remark “text”

Applying and Displaying ACLs describes how to apply and display ACLs.

Applying and Displaying ACLs

Step 1. In interface configuration command mode, apply an ACL to a routing interface, specifying whether the ACL applies to inbound or outbound frames.
    Command(s):
        ipv4 access-group {access-list-number | name} {in | out}
        ipv6 access-group access-list-name {in | out}
        l2 access-group name {in | out}

Step 2. In configuration command mode, apply an IPv4 or IPv6 ACL to the host services for this device.
    Command(s):
        ipv4 host-access {access-list-number | name}
        ipv6 host-access name

Step 3. In any command mode, optionally, display ACL configuration.
    Command(s):
        show access-lists [access-list-number | name] [from start-range to end-range] [brief]

Step 4. In any command mode, optionally, display applied ACLs.
    Command(s):
        show access-lists applied [host | interfaces [vlan | inbound | outbound | in-and-out]]

Step 5. In any command mode, optionally, clear ACL display counters.
    Command(s):
        clear access-lists counters [{access-list-number | name} | applied [host | interfaces [vlan vlan-id] [inbound | outbound | in-and-out]]]
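Putting the commands above together, here is an added example (not from the original guide) that restricts this device's management plane with an extended IPv4 ACL, logs what the implicit deny drops, checks the list, and applies it with ipv4 host-access. The ACL name mgmt-acl, the 10.10.20.0/24 admin subnet, the 10.10.20.5 monitoring host and the use of exit to leave ACL configuration mode are assumptions; lines beginning with # are annotations, not CLI input.

```text
# Added example, not from the original guide. mgmt-acl, 10.10.20.0/24 and
# 10.10.20.5 are constructed values; "#" lines are annotations, not CLI input.

# Global configuration mode: create the extended IPv4 ACL and enter its
# configuration mode (Creating and Managing IPv4 and IPv6 ACLs, step 1).
ipv4 access-list extended mgmt-acl

# Rules are matched top-down and the first hit wins, so the narrow permits
# come first. Remarks are stored as ACL entries and document intent.
remark "SSH and HTTPS to the device only from the admin subnet"
permit tcp 10.10.20.0 0.0.0.255 any eq 22
permit tcp 10.10.20.0 0.0.0.255 any eq 443
remark "Monitoring host may reach the device with ICMP"
permit icmp host 10.10.20.5 any
remark "Everything else is dropped by the final implicit deny"

# Log the implicit deny so rejected management attempts are visible
# instead of disappearing silently (Managing ... ACL Rules, step 1).
log implicit

# Leave ACL configuration mode (exit is assumed to return to global config).
exit

# Check the ACL for redundant or shadowed entries before applying it
# (Creating and Managing IPv4 and IPv6 ACLs, step 4).
ipv4 ip access-list extended mgmt-acl check

# Configuration mode: apply the ACL to this device's host services, i.e. to
# traffic addressed to the switch itself (Applying and Displaying ACLs, step 2).
ipv4 host-access mgmt-acl

# Verify the rule order and confirm where the ACL is applied (steps 3 and 4).
show access-lists mgmt-acl
show access-lists applied host
```

The same ACL can instead be applied to a routing interface with ipv4 access-group mgmt-acl in; host-access is used here because the goal is to protect the device's own services, not transit traffic.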

Entering VRF Access Mode and Applying ACLs describes how to enter VRF access configuration mode and apply ACLs.

Entering VRF Access Mode and Applying ACLs

Step 1. In VRF configuration mode, enter VRF access configuration mode.
    Command(s):
        vrf-access

Step 2. In VRF access configuration mode, apply an IPv4 access list to traffic from the specified VRF.
    Command(s):
        ip access-group list-name from-vrf vrf-name

Step 3. In VRF access configuration mode, apply an IPv4 access list to traffic inbound from any VRF.
    Command(s):
        ip access-group list-name from-any-vrf

Step 4. In VRF access configuration mode, apply an IPv4 access list to traffic outbound to the specified VRF.
    Command(s):
        ip access-group list-name to-vrf vrf-name

Step 5. In VRF access configuration mode, apply an IPv4 access list to traffic outbound to any VRF.
    Command(s):
        ip access-group list-name to-any-vrf

Step 6. In VRF access configuration mode, apply an IPv6 access list to traffic from the specified VRF.
    Command(s):
        ipv6 access-group list-name from-vrf vrf-name

Step 7. In VRF access configuration mode, apply an IPv6 access list to traffic from any VRF.
    Command(s):
        ipv6 access-group list-name from-any-vrf

Step 8. In VRF access configuration mode, apply an IPv6 access list to traffic outbound to the specified VRF.
    Command(s):
        ipv6 access-group list-name to-vrf vrf-name

Step 9. In VRF access configuration mode, apply an IPv6 access list to traffic outbound to any VRF.
    Command(s):
        ipv6 access-group list-name to-any-vrf