Tip
This is the documentation for the 19.02 version. Looking for the documentation of the latest version? Have a look here.
Standard ACLsΒΆ
A standard ACL works with IPv4 or IPv6 traffic at layer 3. The name of an ACL is arbitrary so it may be named in a way that makes its purpose obvious.
ACLs consist of one or more rules, defined by a sequence number that determines
the order in which the rules are applied. A common practice is to start
numbering at a value higher than 0 or 1, and to leave gaps in the sequence so
that rules may be added later. For example, the first rule could be 10,
followed by 20.
Each rule can have an action, define a source, destination, protocol, and other attributes.
- Action
The
actionof a rule determines how it governs packets that match.- deny
The
denyaction will drop a packet which matches this rule.- permit
The
permitaction will pass a single packet matching the rule. Since this action is per-packet and stateless, a separate ACL may also be required to pass traffic in the opposite direction.- reflect
The
reflectaction permits a packet and uses a stateful packet processing path. The session is tracked, and return traffic is automatically permitted in the opposite direction.
- Source/Destination
The
sourceanddestinationdefine matching criteria for a rule based on where a packet came from or where it is going. The source and destination may be IPv4 (ip,ipv4) or IPv6 (ipv6), and may specify an IPv4 or IPv6address, aportnumber for TCP and UDP, or both. If bothsourceanddestinationare set, they must use the same address family, either IPv4 or IPv6.- Protocol
The
protocoloption restricts the rule to match one specific protocol, currently this may be one of:icmp,tcp,udp. If no protocol is specified, then the rule will match any protocol.- TCP Flags
For rules matching TCP packets,
tcp flagsmay also be given to further restrict the match. Avalueandmaskmust both be specified, which defines the flags to look for out of a possible set of flags. These flags are specified numerically using the standard values for the flags: URG=32, ACK=16, PSH=8, RST=4, SYN=2, FIN=1. Add the values together to reach the desired value.For example, with stateful filtering a common way to detect the start of a TCP session is to look for the TCP SYN flag with a mask of SYN+ACK. That way it will match only when SYN is set and ACK is not set. Using the values from the previous paragraph yields:
tcp flags value 2 mask 18- ICMP Code/Type
For rules matching ICMP packets, the
icmp typeandicmp codemay also be used to restrict matches. The type and code are entered numerically in the range of 0-255. For a list of possible type and code combinations, see the IANA ICMP Parameters list.
The following example ACL will block only SSH (tcp port 22) to 203.0.113.2 and permit all other traffic:
tnsr(config)# acl blockssh
tnsr(config-acl)# rule 10
tnsr(config-acl-rule)# action deny
tnsr(config-acl-rule)# destination ip address 203.0.113.2/32
tnsr(config-acl-rule)# destination ip port 22
tnsr(config-acl-rule)# protocol tcp
tnsr(config-acl-rule)# exit
tnsr(config-acl)# rule 20
tnsr(config-acl-rule)# action permit
tnsr(config-acl-rule)# exit
tnsr(config-acl)# exit
tnsr(config)# int GigabitEthernet0/14/1
tnsr(config-interface)# access-list input acl blockssh sequence 10
tnsr(config-interface)# exit
tnsr(config)#
Deconstructing the above example, the ACL behaves as follows:
The name of the ACL is
blocksshThe first rule is
10. This leaves some room before it in case other rules should be matched before this rule in the future.Rule 10 will deny traffic matching:
A destination of a single IP address,
203.0.113.2A destination of a single TCP port,
22(ssh)A source of any is implied since it is not specified
The second rule is
20. The gap between 10 and 20 leaves room for future expansion of rules between the two existing rules.Rule 20 will permit all other traffic, since there is no source or destination given.
The ACL is then applied to GigabitEthernet0/14/1 in the inbound direction.