Tip
This is the documentation for the 21.07 version.
Standard ACLs¶
A standard ACL works with IPv4 or IPv6 traffic at layer 3. The name of an ACL is arbitrary so it may be named in a way that makes its purpose obvious.
ACLs consist of one or more rules, each identified by a sequence number that determines the order in which the rules are applied. A common practice is to start numbering at a value higher than 0 or 1, and to leave gaps in the sequence so that rules may be added later. For example, the first rule could be 10, followed by 20.
Each rule must have an action and a defined ip-version. Rules can also define a source, destination, protocol, and other attributes for matching packets.
- description <text>:
Text describing the purpose of this ACL.
- action (deny|permit|reflect):
Determines what happens to packets matched by the rule. This is required.
- deny:
Drop a packet matching this rule.
- permit:
Pass a single packet matching the rule. Since this action is per-packet and stateless, a separate ACL may also be required to pass traffic in the opposite direction.
- reflect:
Permit a packet matching this rule and use a stateful packet processing path. Track the session and automatically permit return traffic in the opposite direction.
Note
Reflection consumes additional resources to track session state. By default the dataplane allocates 1GB memory for ACL entries and 64MB for hash entries which hold reflection session data. ACL entries consume approximately 200 bytes each and ACL hash entries consume approximately 20 bytes each. This results in a limit of roughly 4 million ACL entries and 3 million ACL hash entries.
- ip-version (ipv4|ipv6):
Controls whether IPv4 or IPv6 packets will be matched by the rule. This is required, and also governs validation of the source and destination when applicable.
- (source|destination):
Define matching criteria for a rule based on where a packet came from or where it is going.
- source address <ip-address>:
Match the source address of a packet. The given address must match the type set for ip-version.
- source port any:
Match any TCP or UDP source port number (0 through 65535). Only valid when protocol is set to tcp or udp. This is the default behavior when the rule does not contain a source port value.
- source port <port-first> [ - <port-last>]:
Match the specified TCP or UDP source port or range of source ports. When supplying a range, the first port must be lower than the last port. Only valid when protocol is set to tcp or udp.
- destination address <ip-address>:
Match the destination address of a packet. The given address must match the type set for ip-version.
- destination port any:
Match any TCP or UDP destination port number (0 through 65535). Only valid when protocol is set to tcp or udp. This is the default behavior when the rule does not contain a destination port value.
- destination port <port-first> [ - <port-last>]:
Match the specified TCP or UDP destination port or range of destination ports. When supplying a range, the first port must be lower than the last port. Only valid when protocol is set to tcp or udp.
Note
Matching a source or destination port is only possible when the protocol is explicitly set to tcp or udp.
- protocol (any|icmp|icmpv6|tcp|udp|<proto-number>):
Sets the protocol which will be matched by this rule. This may be one of any, icmp, icmpv6, tcp, udp, or a numeric IP protocol number from 0-255. If no protocol is specified, then the rule will match any protocol.
- tcp flags value <v> mask <m>:
For rules matching TCP packets, tcp flags further restrict the match. This statement requires both a value and a mask, which may be given in either order. The mask selects which flag bits are compared and the value gives the state those bits must have; flag bits not set in the mask are ignored. The flags are specified numerically using the standard values for the flags: URG=32, ACK=16, PSH=8, RST=4, SYN=2, FIN=1. Add the values together to reach the desired value.
For example, with stateful filtering a common way to detect the start of a TCP session is to look for the TCP SYN flag with a mask of SYN+ACK (2+16). That way it will match only when SYN is set and ACK is not set, whatever the other flags are. Using the values from the previous paragraph yields:
tcp flags value 2 mask 18
- icmp (code|type) <first> [ - <last>]:
For rules matching ICMP protocol packets, icmp type and icmp code restrict matches to a specific value or range. The type and code are entered numerically in the range of 0-255. For a list of possible type and code combinations, see the IANA ICMP Parameters list.
- icmp (code|type) any:
Match any ICMP code or type. This is the default behavior.
Standard ACL Example¶
The following example ACL will block only SSH (TCP port 22) to 203.0.113.2 and permit all other IPv4 traffic:
tnsr(config)# acl blockssh
tnsr(config-acl)# rule 10
tnsr(config-acl-rule)# action deny
tnsr(config-acl-rule)# ip-version ipv4
tnsr(config-acl-rule)# destination address 203.0.113.2/32
tnsr(config-acl-rule)# destination port 22
tnsr(config-acl-rule)# protocol tcp
tnsr(config-acl-rule)# exit
tnsr(config-acl)# rule 20
tnsr(config-acl-rule)# action permit
tnsr(config-acl-rule)# ip-version ipv4
tnsr(config-acl-rule)# exit
tnsr(config-acl)# exit
tnsr(config)# int GigabitEthernet0/14/1
tnsr(config-interface)# access-list input acl blockssh sequence 10
tnsr(config-interface)# exit
tnsr(config)#
Deconstructing the above example, the ACL behaves as follows:
- The name of the ACL is blockssh.
- The first rule is 10. This leaves some room before it in case other rules should be matched before this rule in the future.
- Rule 10 will deny traffic matching:
  - A destination of a single IPv4 address, 203.0.113.2
  - A destination of a single TCP port, 22 (ssh)
  - A source of any, which is implied since it is not specified
- The second rule is 20. The gap between 10 and 20 leaves room for future expansion of rules between the two existing rules.
- Rule 20 will permit all other IPv4 traffic, since there is no source, destination, or protocol given.
- Both rules are stateless. Rule 10 only matches packets whose destination port is 22, so packets sent by 203.0.113.2 with a source port of 22 are not matched by it, and neither rule tracks sessions.
- The ACL is then applied to GigabitEthernet0/14/1 in the inbound direction.
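To make the rule attributes and the evaluation order concrete, here is an added example that is not part of the TNSR documentation or of the TNSR/VPP dataplane code: a small Python model of a standard ACL rule (ip-version, source and destination prefix, protocol, port ranges, tcp flags value/mask, icmp type/code), evaluated in sequence order, with the blockssh ACL from the example above expressed as rule objects and checked against constructed packets. The Packet and Rule classes, the rule_errors() checks, and the addresses 198.51.100.7 and 2001:db8::1 are this example's own assumptions. Reflection's session tracking and the fate of a packet that matches no rule are not modelled, because the page does not describe them.

```python
# Added example (not TNSR/VPP code): a model of standard ACL rule matching as
# described on this page. Packets, prefixes and port numbers are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Flag bit values from the tcp flags section
TCP_FLAGS = {"URG": 32, "ACK": 16, "PSH": 8, "RST": 4, "SYN": 2, "FIN": 1}
# IP protocol numbers behind the named protocol keywords
PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "icmpv6": 58}


def flags_value(*names: str) -> int:
    """Add the standard flag values together, e.g. ('SYN', 'ACK') -> 18."""
    return sum(TCP_FLAGS[n] for n in names)


def tcp_flags_match(packet_flags: int, value: int, mask: int) -> bool:
    """Only the bits set in mask are compared, and they must equal value."""
    return (packet_flags & mask) == value


@dataclass
class Packet:                           # assumed shape, for illustration only
    ip_version: int
    src: str
    dst: str
    protocol: int                       # IP protocol number
    sport: Optional[int] = None         # tcp/udp only
    dport: Optional[int] = None
    tcp_flags: int = 0
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


@dataclass
class Rule:                             # one ACL rule; None fields mean "any"
    sequence: int
    action: str                         # deny | permit | reflect
    ip_version: int
    source: Optional[str] = None        # address or prefix
    destination: Optional[str] = None
    protocol: Optional[int] = None
    sport: Optional[Tuple[int, int]] = None      # (first, last); single port = (p, p)
    dport: Optional[Tuple[int, int]] = None
    tcp_flags: Optional[Tuple[int, int]] = None  # (value, mask)
    icmp_type: Optional[Tuple[int, int]] = None
    icmp_code: Optional[Tuple[int, int]] = None


def rule_errors(rule: Rule) -> List[str]:
    """Validation the page describes: addresses must fit ip-version, ports need
    tcp or udp, tcp flags need tcp, a range must run low to high. The icmp
    check (icmp fields need icmp or icmpv6) is this example's own assumption."""
    errors = []
    for label, prefix in (("source", rule.source), ("destination", rule.destination)):
        if prefix and ipaddress.ip_network(prefix, strict=False).version != rule.ip_version:
            errors.append(f"{label} {prefix} is not IPv{rule.ip_version}")
    if (rule.sport or rule.dport) and rule.protocol not in (PROTO["tcp"], PROTO["udp"]):
        errors.append("ports require protocol tcp or udp")
    for rng in (rule.sport, rule.dport, rule.icmp_type, rule.icmp_code):
        if rng and rng[0] > rng[1]:
            errors.append(f"range {rng} must run from low to high")
    if rule.tcp_flags and rule.protocol != PROTO["tcp"]:
        errors.append("tcp flags require protocol tcp")
    if (rule.icmp_type or rule.icmp_code) and rule.protocol not in (PROTO["icmp"], PROTO["icmpv6"]):
        errors.append("icmp type/code require protocol icmp or icmpv6")
    return errors


def _in_range(value: Optional[int], rng: Optional[Tuple[int, int]]) -> bool:
    return rng is None or (value is not None and rng[0] <= value <= rng[1])


def _in_prefix(address: str, prefix: Optional[str]) -> bool:
    return prefix is None or ipaddress.ip_address(address) in ipaddress.ip_network(prefix, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every attribute the rule sets must match; unset attributes match anything."""
    if pkt.ip_version != rule.ip_version:
        return False
    if not _in_prefix(pkt.src, rule.source) or not _in_prefix(pkt.dst, rule.destination):
        return False
    if rule.protocol is not None and pkt.protocol != rule.protocol:
        return False
    if not _in_range(pkt.sport, rule.sport) or not _in_range(pkt.dport, rule.dport):
        return False
    if rule.tcp_flags and not tcp_flags_match(pkt.tcp_flags, *rule.tcp_flags):
        return False
    if not _in_range(pkt.icmp_type, rule.icmp_type) or not _in_range(pkt.icmp_code, rule.icmp_code):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """The first matching rule in sequence order decides. Returns None when no
    rule matched; what the dataplane does with such a packet is not stated on
    this page, so it is not modelled. 'reflect' is returned like any other
    action; session tracking is not modelled either."""
    for rule in sorted(rules, key=lambda r: r.sequence):
        if rule_matches(rule, pkt):
            return rule.action
    return None


# The blockssh ACL from the example above, as Rule objects
BLOCKSSH = [
    Rule(10, "deny", 4, destination="203.0.113.2/32", protocol=PROTO["tcp"], dport=(22, 22)),
    Rule(20, "permit", 4),
]
```

Running evaluate(BLOCKSSH, ...) over constructed packets shows the behaviour the deconstruction describes: a TCP SYN to 203.0.113.2 port 22 hits rule 10 and is denied, TCP to port 443 on the same host, UDP to port 22, and TCP port 22 on 203.0.113.3 all fall through to rule 20, and a packet from 203.0.113.2 with source port 22 is also permitted because rule 10 tests the destination port only. An IPv6 packet matches neither rule, which is where the page's silence on unmatched traffic matters. The tcp_flags_match() helper confirms the value 2 / mask 18 example: SYN alone and SYN+PSH match, SYN+ACK and a bare ACK do not.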