A standard ACL works with IPv4 or IPv6 traffic at layer 3. The name of an ACL is arbitrary so it may be named in a way that makes its purpose obvious.
ACLs consist of one or more rules, defined by a sequence number that determines
the order in which the rules are applied. A common practice is to start
numbering at a value higher than 0 or 1, and to leave gaps in the sequence so
that rules may be added later. For example, the first rule could be
Each rule must have an
action and a defined
ip-version. Rules can also
protocol, and other attributes for
- description <text>
Text describing the purpose of this ACL.
- action (deny|permit|reflect)
Determines what happens to packets matched by the rule. This is required.
Drop a packet matching this rule.
Pass a single packet matching the rule. Since this action is per-packet and stateless, a separate ACL may also be required to pass traffic in the opposite direction.
Permit a packet matching this rule and use a stateful packet processing path. Track the session and automatically permit return traffic in the opposite direction.
Reflection consumes additional resources to track session state. By default the dataplane allocates 1GB memory for ACL entries and 64MB for hash entries which hold reflection session data. ACL entries consume approximately 200 bytes each and ACL hash entries consume approximately 20 bytes each. This results in a limit of roughly 4 million ACL entries and 3 million ACL hash entries.
- ip-version (ipv4|ipv6)
Controls whether IPv4 or IPv6 packets will be matched by the rule. This is required, and also governs validation of the source and destination when applicable.
Define matching criteria for a rule based on where a packet came from or where it is going.
- source address <ip-address>
Match the source address of a packet. The given address must match the type set for
- source port any
Match any TCP or UDP source port number (
65535). Only valid when
protocolis set to TCP or UDP. This is the default behavior when the rule does not contain a source port value.
- source port <port-first> [ - <port-last>]
Match the specified TCP or UDP source port or range of source ports. When supplying a range, the first port must be lower than the last port. Only valid when
protocolis set to
- destination address <ip-address>
Match the destination address of a packet. The given address must match the type set for
- destination port any
Match any TCP or UDP destination port number (
65535). Only valid when
protocolis set to TCP or UDP. This is the default behavior when the rule does not contain a destination port value.
- destination port <port-first> [ - <port-last>]
Match the specified TCP or UDP destination port or range of destination ports. When supplying a range, the first port must be lower than the last port. Only valid when
protocolis set to
Matching a source or destination port is only possible when the protocol is explicitly set to
- protocol (any|icmp|icmpv6|tcp|udp|<proto-number>)
Sets the protocols which will be matched by this rule. This may be one of:
udp, or a numeric protocol number from
0-255. If no protocol is specified, then the rule will match any protocol.
- tcp flags value <v> mask <m>
For rules matching TCP packets,
tcp flagsfurther restrict the match. This statement requires both a
mask, which may be given in either order. The
masktogether define the flags matched out of a possible set of flags. These flags are specified numerically using the standard values for the flags: URG=32, ACK=16, PSH=8, RST=4, SYN=2, FIN=1. Add the values together to reach the desired value.
For example, with stateful filtering a common way to detect the start of a TCP session is to look for the TCP SYN flag with a mask of SYN+ACK. That way it will match only when SYN is set and ACK is not set. Using the values from the previous paragraph yields:
tcp flags value 2 mask 18
- icmp (code|type) <first> [ - <last>]
For rules matching ICMP protocol packets,
icmp coderestrict matches to a specific value or range. The type and code are entered numerically in the range of
0-255. For a list of possible type and code combinations, see the IANA ICMP Parameters list.
- icmp (code|type) any
Match any ICMP code or type. This is the default behavior.
Standard ACL Example¶
The following example ACL will block only SSH (tcp port 22) to 203.0.113.2 and permit all IPv4 other traffic:
tnsr(config)# acl blockssh tnsr(config-acl)# rule 10 tnsr(config-acl-rule)# action deny tnsr(config-acl-rule)# ip-version ipv4 tnsr(config-acl-rule)# destination address 203.0.113.2/32 tnsr(config-acl-rule)# destination port 22 tnsr(config-acl-rule)# protocol tcp tnsr(config-acl-rule)# exit tnsr(config-acl)# rule 20 tnsr(config-acl-rule)# action permit tnsr(config-acl-rule)# ip-version ipv4 tnsr(config-acl-rule)# exit tnsr(config-acl)# exit tnsr(config)# int GigabitEthernet0/14/1 tnsr(config-interface)# access-list input acl blockssh sequence 10 tnsr(config-interface)# exit tnsr(config)#
Deconstructing the above example, the ACL behaves as follows:
The name of the ACL is
The first rule is
10. This leaves some room before it in case other rules should be matched before this rule in the future.
Rule 10 will deny traffic matching:
A destination of a single IPv4 address,
A destination of a single TCP port,
A source of any is implied since it is not specified
The second rule is
20. The gap between 10 and 20 leaves room for future expansion of rules between the two existing rules.
Rule 20 will permit all other IPv4 traffic, since there is no source or destination given.
The ACL is then applied to
GigabitEthernet0/14/1 in the inbound direction.