Standard ACLs

A standard ACL works with IPv4 or IPv6 traffic at layer 3. The name of an ACL is arbitrary so it may be named in a way that makes its purpose obvious.

ACLs consist of one or more rules, defined by a sequence number that determines the order in which the rules are applied. A common practice is to start numbering at a value higher than 0 or 1, and to leave gaps in the sequence so that rules may be added later. For example, the first rule could be 10, followed by 20.

Each rule has an action and may define a source, destination, protocol, and other attributes.

Action:

The action of a rule determines how it governs packets that match.

deny: The deny action will drop a packet which matches this rule.

permit: The permit action will pass a single packet matching the rule. Since this action is per-packet and stateless, a separate ACL may also be required to pass traffic in the opposite direction.

reflect: The reflect action permits a packet and uses a stateful packet processing path. The session is tracked, and return traffic is automatically permitted in the opposite direction.

Source/Destination:

The source and destination define matching criteria for a rule based on where a packet came from or where it is going. The source and destination may be IPv4 (ip, ipv4) or IPv6 (ipv6), and may specify an IPv4 or IPv6 address, a port number for TCP and UDP, or both. If both source and destination are set, they must use the same address family, either IPv4 or IPv6.

Protocol:

The protocol option restricts the rule to matching one specific protocol; currently this may be one of icmp, tcp, or udp. If no protocol is specified, the rule will match any protocol.

TCP Flags:

For rules matching TCP packets, tcp flags may also be given to further restrict the match. A value and mask must both be specified: the mask selects which flags are examined, and the value specifies which of those flags must be set (flags in the mask but not in the value must be clear). These flags are specified numerically using the standard values for the flags: URG=32, ACK=16, PSH=8, RST=4, SYN=2, FIN=1. Add the values together to reach the desired value.

For example, with stateful filtering a common way to detect the start of a TCP session is to look for the TCP SYN flag with a mask of SYN+ACK. That way it will match only when SYN is set and ACK is not set. Using the values from the previous paragraph yields: tcp flags value 2 mask 18

ICMP Code/Type:

For rules matching ICMP packets, the icmp type and icmp code may also be used to restrict matches. The type and code are entered numerically in the range of 0-255. For a list of possible type and code combinations, see the IANA ICMP Parameters list.

The following example ACL will block only SSH (tcp port 22) to 203.0.113.2 and permit all other traffic:

tnsr(config)# acl blockssh
tnsr(config-acl)# rule 10
tnsr(config-acl-rule)# action deny
tnsr(config-acl-rule)# destination ip address 203.0.113.2/32
tnsr(config-acl-rule)# destination ip port 22
tnsr(config-acl-rule)# protocol tcp
tnsr(config-acl-rule)# exit
tnsr(config-acl)# rule 20
tnsr(config-acl-rule)# action permit
tnsr(config-acl-rule)# exit
tnsr(config-acl)# exit
tnsr(config)# int GigabitEthernet0/14/1
tnsr(config-interface)# access-list input acl blockssh sequence 10
tnsr(config-interface)# exit
tnsr(config)#

Deconstructing the above example, the ACL behaves as follows:

  • The name of the ACL is blockssh
  • The first rule is 10. This leaves some room before it in case other rules should be matched before this rule in the future.
  • Rule 10 will deny traffic matching:
    • A destination of a single IP address, 203.0.113.2
    • A destination of a single TCP port, 22 (ssh)
    • A source of any is implied since it is not specified
  • The second rule is 20. The gap between 10 and 20 leaves room for future expansion of rules between the two existing rules.
  • Rule 20 will permit all other traffic, since there is no source or destination given.

The ACL is then applied to GigabitEthernet0/14/1 in the inbound direction.
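The rule ordering and first-match behaviour deconstructed above, together with the TCP flags value/mask matching from the TCP Flags section, modelled in Python as an added example (this is not TNSR's code; the rule dictionaries, helper names, the hypothetical NEW_SESSIONS ACL and the sample packet are constructed for illustration):

```python
import ipaddress

# TCP flag bit values as listed in the text above.
TCP_FLAGS = {"URG": 32, "ACK": 16, "PSH": 8, "RST": 4, "SYN": 2, "FIN": 1}

def flags_value(*names):
    """Add flag values together, e.g. flags_value("SYN", "ACK") == 18."""
    return sum(TCP_FLAGS[n] for n in names)

def tcp_flags_match(pkt_flags, value, mask):
    """Only the flags in mask are examined; they must equal value exactly."""
    return (pkt_flags & mask) == value

def rule_matches(rule, pkt):
    """Every attribute a rule sets must match; an unset attribute means any."""
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    for end in ("source", "destination"):
        crit = rule.get(end, {})
        if "address" in crit and ipaddress.ip_address(pkt[end]["address"]) \
                not in ipaddress.ip_network(crit["address"]):
            return False  # also False when the address families differ
        if "port" in crit and crit["port"] != pkt[end].get("port"):
            return False
    if "tcp_flags" in rule:
        value, mask = rule["tcp_flags"]
        if pkt["protocol"] != "tcp" or not tcp_flags_match(pkt.get("flags", 0), value, mask):
            return False
    return True

def evaluate(acl, pkt):
    """Try rules in ascending sequence number; the first match decides."""
    for seq in sorted(acl):
        if rule_matches(acl[seq], pkt):
            return seq, acl[seq]["action"]
    return None, None  # no rule matched

# The blockssh ACL from the example, as {sequence: rule}, and a hypothetical
# ACL that reflects only new sessions (SYN set, ACK clear: value 2 mask 18).
BLOCKSSH = {10: {"action": "deny", "protocol": "tcp",
                 "destination": {"address": "203.0.113.2/32", "port": 22}},
            20: {"action": "permit"}}
NEW_SESSIONS = {10: {"action": "reflect", "protocol": "tcp", "tcp_flags": (2, 18)}}

# Constructed sample packet (not captured traffic): an SSH connection attempt.
SSH_SYN = {"protocol": "tcp", "flags": flags_value("SYN"),
           "source": {"address": "198.51.100.7", "port": 40000},
           "destination": {"address": "203.0.113.2", "port": 22}}
```

Changing the destination port, the protocol, or the flags on SSH_SYN and re-running evaluate() shows which rule each variant falls through to.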