Creating ACL Rules

ACL rules define the basis upon which a hit will take place for the ACL. Rules in an ACL are order-dependent. A packet is either forwarded (a permit rule) or not forwarded (a deny rule) according to the first rule that is matched. The matching criteria available are determined by whether the ACL is a standard ACL or an extended ACL. As soon as a rule is matched, processing of the access list stops. There is an implicit “deny all” rule at the end of every ACL. If no rule is matched, the packet is not forwarded.

Note

When applying an ACL to a non-host context on the 7100-Series device, the following restrictions apply:
  • Ranges are not allowed for UDP and TCP rules; the equal (eq) option is supported
  • The msg option is not supported for ICMP rules

Note

On the 7100-Series, the resources available for the configuration of ACL rules is based upon the system resource allocation profile. See System Resource Allocation Profile (7100-Series) for system resource allocation profile configuration details. See the release notes that come with your firmware for ACL resource limit details.

For an extended ACL, the following protocols can be specified in a rule:

  • A specific or all internet protocols
  • Authentication Header protocol
  • Encapsulation Security Payload
  • Generic Router Encapsulation protocol
  • An established TCP connection
  • Transmission Control Protocol (TCP)
  • User Datagram Protocol (UDP)
  • Internet Control Message Protocol (ICMP or ICMPv6)

TCP and UDP rules can match source and destination ports against the equal-to value on the 7100-Series. TCP rules can also distinguish established connections from new connection requests.

Extended ACLs can optionally match a Diffserv codepoint (DSCP), IP precedence, or IP Type of Service (ToS) value for both IPv4 and IPv6. IPv6 rules can additionally match the routing header of source-routed packets, as well as the packet's routing extension header, mobility extension header, and mobility-type extension header.

For a standard ACL, a source IPv4 address and an optional wildcard, or an IPv6 address and prefix length, are specified for the rule. For an extended ACL, a source and destination IP address and wildcard are specified for the rule. In the case of IPv4, source and destination wildcards are inverted masks (the don't-care bits are set to 1), so a wildcard of 0.0.0.0 specifies an exact match. An any option is also available; it is shorthand for 0.0.0.0 255.255.255.255.

Logging of ACL configuration activity is supported via syslog messages. This logging can be enabled for a specified entry, all entries, or the final implicit deny rule using the log entry command in access list configuration mode. Logging format can be in either a verbose or summary format.

Comments can be entered at the next available entry location, and, once entered, can be moved to a desired location.

Use the permit command to create a rule that forwards packets based upon the defined rule.

Use the deny command to create a rule that prevents the forwarding of packets based upon the defined rule.

IPv4 ACL examples

The following example creates a standard ACL 1, and specifies an entry 1 permit rule with a source IP address of 10.0.0.1 and a wildcard of 0.0.255.255. The implicit deny all rule denies all other traffic for this ACL:

System(rw-config)->ip access-list standard 1
System(rw-cfg-std-acl)->permit 10.0.0.1 0.0.255.255
System(rw-cfg-std-acl)->show access-lists 1
Standard IP access list 1  (2 entries)
  1 permit 10.0.0.1  0.0.255.255
  -- implicit deny all --

The following example creates an extended access-list 120 and configures a deny entry for the IP protocol with a source address 20.0.0.1 and source wildcard of 0.0.255.255 and a destination address of any. Syslog messaging is enabled to log any hit for this rule. This rule is followed by a permit rule for any other source or destination IP protocol traffic:

System(rw-config)->ip access-list extended 120
System(rw-cfg-ext-acl)->deny ip 20.0.0.1 0.0.255.255 any log
System(rw-cfg-ext-acl)->permit ip any any
System(rw-cfg-ext-acl)->show access-lists 120
Extended IP access list 120  (3 entries)
  1 deny   ip  20.0.0.1  0.0.255.255  any
  2 permit ip  any  any
  -- implicit deny all --
System(rw-cfg-ext-acl)->
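As an added illustration (not part of this documentation or the device firmware), the following Python models the first-match, implicit-deny evaluation and the inverted-mask wildcard semantics described above, using ACL 1 and ACL 120 from the examples as the rule sets. The packet dictionaries and the Rule/evaluate helpers are constructed for this example.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    src: str                          # source address (dotted quad)
    src_wild: str                     # inverted mask: 1 bits are don't-care
    dst: str = "0.0.0.0"              # "any" is shorthand for
    dst_wild: str = "255.255.255.255" # 0.0.0.0 255.255.255.255
    log: bool = False                 # the "log" keyword on the rule


def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """True when addr equals base on every bit that is 0 in the wildcard."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    care = ~w & 0xFFFFFFFF          # bits the rule actually compares
    return (a & care) == (b & care)


def evaluate(acl: List[Rule], pkt: dict) -> Tuple[str, Optional[int]]:
    """Return (action, entry_number) of the first matching rule.

    Processing stops at the first hit; if no entry matches, the packet
    falls through to the implicit deny-all (entry number None).
    """
    for entry, r in enumerate(acl, start=1):
        if r.proto != "ip" and r.proto != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], r.src, r.src_wild):
            continue
        if not wildcard_match(pkt["dst"], r.dst, r.dst_wild):
            continue
        return r.action, entry
    return "deny", None


# Standard ACL 1: permit 10.0.0.1 0.0.255.255 (destination is implicitly any)
ACL_1 = [Rule("permit", "ip", "10.0.0.1", "0.0.255.255")]

# Extended ACL 120: deny ip 20.0.0.1 0.0.255.255 any log / permit ip any any
ACL_120 = [
    Rule("deny", "ip", "20.0.0.1", "0.0.255.255", log=True),
    Rule("permit", "ip", "0.0.0.0", "255.255.255.255"),
]

if __name__ == "__main__":
    # constructed sample packets; 10.0.200.7 differs from 10.0.0.1 only in
    # don't-care bits, so ACL 1 permits it, while 10.1.0.1 hits the implicit deny
    for src in ("10.0.200.7", "10.1.0.1"):
        print(src, evaluate(ACL_1, {"proto": "tcp", "src": src, "dst": "192.0.2.1"}))
```

Reversing the order of the two ACL 120 entries makes every packet hit the permit first, which is the order dependence the text warns about.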

IPv6 ACL Examples

This example enters configuration mode for standard IPv6 access list acl2 and configures a permit entry for source address 2001:1234:50:0:21f:45ff:fe3d:21be/64:

System(rw-config)->ipv6 access-list standard acl2
System(rw-cfg-ipv6-ext-acl)->permit 2001:1234:50:0:21f:45ff:fe3d:21be/64
System(rw-cfg-ipv6-ext-acl)->

This example enters configuration mode for extended IPv6 access list acl120 and configures a permit entry for the IP protocol with a source address 2001:1234:50:0:21f:45ff:fe3d:21aa/64 and a destination address of any:

System(rw-config)->ipv6 access-list extended acl120
System(rw-cfg-ipv6-ext-acl)->permit ipv6 2001:1234:50:0:21f:45ff:fe3d:21aa/64 any
System(rw-cfg-ipv6-ext-acl)->