A standard ACL works with IPv4 or IPv6 traffic at layer 3. The name of an ACL is arbitrary so it may be named in a way that makes its purpose obvious.
ACLs consist of one or more rules, defined by a sequence number that determines the order in which the rules are applied. A common practice is to start numbering at a value higher than 0 or 1, and to leave gaps in the sequence so that rules may be added later. For example, the first rule could be
Each rule has an action and may define a source, destination, protocol, and other attributes.
- Action
The action of a rule determines how it governs packets that match. The deny action will drop a packet which matches this rule. The permit action will pass a single packet matching the rule; since this action is per-packet and stateless, a separate ACL may also be required to pass traffic in the opposite direction. The reflect action permits a packet and uses a stateful packet processing path: the session is tracked, and return traffic is automatically permitted in the opposite direction.
- Source and Destination
The source and destination define matching criteria for a rule based on where a packet came from or where it is going. The source and destination may be IPv4 (ipv4) or IPv6 (ipv6), and may specify an IPv4 or IPv6 address, a port number for TCP and UDP, or both. If both source and destination are set, they must use the same address family, either IPv4 or IPv6.
- Protocol
The protocol option restricts the rule to match one specific protocol; currently this may be one of icmp, tcp, or udp. If no protocol is specified, then the rule will match any protocol.
- TCP Flags
For rules matching TCP packets, tcp flags may also be given to further restrict the match. A value and a mask must both be specified: the mask selects which flags to look at out of the possible set, and the value gives the flags that must be set among them. These flags are specified numerically using the standard values for the flags: URG=32, ACK=16, PSH=8, RST=4, SYN=2, FIN=1. Add the values together to reach the desired value.
For example, with stateful filtering a common way to detect the start of a TCP session is to look for the TCP SYN flag with a mask of SYN+ACK. That way it will match only when SYN is set and ACK is not set. Using the values from the previous paragraph yields:
tcp flags value 2 mask 18
- ICMP Code/Type
For rules matching ICMP packets, the icmp type and icmp code may also be used to restrict matches. The type and code are entered numerically in the range of 0-255. For a list of possible type and code combinations, see the IANA ICMP Parameters list.
The following example ACL will block only SSH (tcp port 22) to 203.0.113.2 and permit all other traffic:
tnsr(config)# acl blockssh
tnsr(config-acl)# rule 10
tnsr(config-acl-rule)# action deny
tnsr(config-acl-rule)# destination ip address 203.0.113.2/32
tnsr(config-acl-rule)# destination ip port 22
tnsr(config-acl-rule)# protocol tcp
tnsr(config-acl-rule)# exit
tnsr(config-acl)# rule 20
tnsr(config-acl-rule)# action permit
tnsr(config-acl-rule)# exit
tnsr(config-acl)# exit
tnsr(config)# int GigabitEthernet0/14/1
tnsr(config-interface)# access-list input acl blockssh sequence 10
tnsr(config-interface)# exit
tnsr(config)#
Deconstructing the above example, the ACL behaves as follows:
- The name of the ACL is blockssh.
- The first rule is 10. This leaves some room before it in case other rules should be matched before this rule in the future.
- Rule 10 will deny traffic matching:
  - A destination of a single IP address (203.0.113.2/32),
  - A destination of a single TCP port (22),
  - A source of any, which is implied since it is not specified.
- The second rule is 20. The gap between 10 and 20 leaves room for future expansion of rules between the two existing rules.
- Rule 20 will permit all other traffic, since there is no source, destination, or protocol given.
- The ACL is then applied to GigabitEthernet0/14/1 in the inbound direction.