Standard ACLs

A standard ACL works with IPv4 or IPv6 traffic at layer 3. The name of an ACL is arbitrary, so it may be chosen in a way that makes its purpose obvious.

ACLs consist of one or more rules, defined by a sequence number that determines the order in which the rules are applied. A common practice is to start numbering at a value higher than 0 or 1, and to leave gaps in the sequence so that rules may be added later. For example, the first rule could be 10, followed by 20.

Each rule must have an action and a defined ip-version. Rules can also define a source, destination, protocol, and other attributes for matching packets.

description <text>:

Text describing the purpose of this ACL.

action (deny|permit|reflect):

Determines what happens to packets matched by the rule. This is required.

deny:

Drop a packet matching this rule.

permit:

Pass a single packet matching the rule. Since this action is per-packet and stateless, a separate ACL may also be required to pass traffic in the opposite direction.

reflect:

Permit a packet matching this rule and use a stateful packet processing path. Track the session and automatically permit return traffic in the opposite direction.

Note

Reflection consumes additional resources to track session state. By default the dataplane allocates 1GB memory in the main heap (Memory) for ACL entries and 64MB for hash entries which hold reflection session data. ACL entries consume approximately 200 bytes each and ACL hash entries consume approximately 20 bytes each. This results in a limit of roughly 4 million ACL entries and 3 million ACL hash entries.

ip-version (ipv4|ipv6):

Controls whether IPv4 or IPv6 packets will be matched by the rule. This is required, and also governs validation of the source and destination when applicable.

(source|destination):

Define matching criteria for a rule based on where a packet came from or where it is going.

source address <ip-address>:

Match the source address of a packet. The given address must match the type set for ip-version.

source port any:

Match any TCP or UDP source port number (0 through 65535). Only valid when protocol is set to tcp or udp. This is the default behavior when the rule does not contain a source port value.

source port <port-first> [ - <port-last>]:

Match the specified TCP or UDP source port or range of source ports. When supplying a range, the first port must be lower than the last port. Only valid when protocol is set to tcp or udp.

destination address <ip-address>:

Match the destination address of a packet. The given address must match the type set for ip-version.

destination port any:

Match any TCP or UDP destination port number (0 through 65535). Only valid when protocol is set to tcp or udp. This is the default behavior when the rule does not contain a destination port value.

destination port <port-first> [ - <port-last>]:

Match the specified TCP or UDP destination port or range of destination ports. When supplying a range, the first port must be lower than the last port. Only valid when protocol is set to tcp or udp.

Note

Matching a source or destination port is only possible when the protocol is explicitly set to tcp or udp.

protocol (any|icmp|icmpv6|tcp|udp|<proto-number>):

Sets the protocols which will be matched by this rule. This may be one of: any, icmp, icmpv6, tcp, udp, or a numeric protocol number from 0-255. If no protocol is specified, then the rule will match any protocol.

tcp flags value <v> mask <m>:

For rules matching TCP packets, TCP flags can further restrict the match. This statement requires both a value and a mask, which may be given in either order. The mask selects which flag bits are examined, and the value gives the state each examined bit must have.

These flags are specified numerically using the standard bit place values for the flags. Add the values together to reach the desired value.

For example, with stateful filtering a common way to detect the start of a TCP session is to look for the TCP SYN flag with a mask of SYN+ACK. That way the rule matches only when SYN is set and ACK is not set. Using the values from the TCP flags reference yields: tcp flags value 2 mask 18.
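As an added illustration (not part of the TNSR documentation), the following Python models how a value/mask pair selects packets, using the value 2 mask 18 example above. The flag bit values are the standard TCP header bit positions; the function and flag-table names are this example's own.

```python
# Added example: modelling "tcp flags value <v> mask <m>" matching.
# Bit place values of the TCP header flags (standard positions, low bit = FIN).
TCP_FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32, "ECE": 64, "CWR": 128}


def flags_value(*names: str) -> int:
    """Add the bit values of the named flags, e.g. flags_value('SYN', 'ACK') == 18."""
    return sum(TCP_FLAGS[n.upper()] for n in names)


def tcp_flags_match(packet_flags: int, value: int, mask: int) -> bool:
    """True when every bit selected by `mask` has the same state in the packet as in `value`.

    Bits outside the mask are ignored, so "value 2 mask 18" means SYN set and ACK clear,
    whatever the state of FIN/RST/PSH/URG/ECE/CWR.
    """
    if value & ~mask:
        # A value bit the mask does not examine can never be satisfied; reject such rules.
        raise ValueError("value sets bits that the mask does not examine")
    return (packet_flags & mask) == value


def is_session_start(packet_flags: int) -> bool:
    """The page's example rule: tcp flags value 2 mask 18 selects the initial SYN of a session."""
    return tcp_flags_match(packet_flags, value=flags_value("SYN"), mask=flags_value("SYN", "ACK"))


if __name__ == "__main__":
    # Constructed sample packets: a bare SYN, a SYN+ACK reply, a mid-stream ACK and a SYN with ECN bits.
    for desc, f in [("SYN", flags_value("SYN")), ("SYN+ACK", flags_value("SYN", "ACK")),
                    ("ACK", flags_value("ACK")), ("SYN+ECE+CWR", flags_value("SYN", "ECE", "CWR"))]:
        print(f"{desc:12} flags={f:3d}  session start: {is_session_start(f)}")
```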

icmp (code|type) <first> [ - <last>]:

For rules matching ICMP protocol packets, icmp type and icmp code restrict matches to a specific value or range. The type and code are entered numerically in the range of 0-255. For a list of possible type and code combinations, see the IANA ICMP Parameters list.

icmp (code|type) any:

Match any ICMP code or type. This is the default behavior.

Standard ACL Example

The following example ACL will block only SSH (tcp port 22) to 203.0.113.2 and permit all other IPv4 traffic:

tnsr(config)# acl blockssh
tnsr(config-acl)# rule 10
tnsr(config-acl-rule)# action deny
tnsr(config-acl-rule)# ip-version ipv4
tnsr(config-acl-rule)# destination address 203.0.113.2/32
tnsr(config-acl-rule)# destination port 22
tnsr(config-acl-rule)# protocol tcp
tnsr(config-acl-rule)# exit
tnsr(config-acl)# rule 20
tnsr(config-acl-rule)# action permit
tnsr(config-acl-rule)# ip-version ipv4
tnsr(config-acl-rule)# exit
tnsr(config-acl)# exit
tnsr(config)# int GigabitEthernet0/14/1
tnsr(config-interface)# access-list input acl blockssh sequence 10
tnsr(config-interface)# exit
tnsr(config)#

Deconstructing the above example, the ACL behaves as follows:

  • The name of the ACL is blockssh

  • The first rule is 10. This leaves some room before it in case other rules should be matched before this rule in the future.

  • Rule 10 will deny traffic matching:

    • A destination of a single IPv4 address, 203.0.113.2

    • A destination of a single TCP port, 22 (ssh)

    • A source of any is implied since it is not specified

  • The second rule is 20. The gap between 10 and 20 leaves room for future expansion of rules between the two existing rules.

  • Rule 20 will permit all other IPv4 traffic, since there is no source or destination given.

The ACL is then applied to GigabitEthernet0/14/1 in the inbound direction.
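To make the rule semantics described above concrete, here is an added Python model of standard ACL evaluation, built from the blockssh example; it is not TNSR code. It assumes that a packet matching no rule is dropped (the explicit permit in rule 20 suggests that default), and the class and function names are this example's own.

```python
# Added example, not TNSR code: a minimal model of standard ACL evaluation built from the
# blockssh example. Rules are tried in sequence-number order; the first match decides. A packet
# matching no rule is treated as dropped (an assumption suggested by the explicit permit rule 20).
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:
    sequence: int
    action: str                       # deny | permit | reflect (required)
    ip_version: str                   # ipv4 | ipv6 (required)
    protocol: str = "any"             # any, tcp, udp, icmp, icmpv6 or a protocol number
    src: Optional[str] = None         # address or prefix; None means any
    dst: Optional[str] = None
    src_port: Optional[Tuple[int, int]] = None   # inclusive range; (22, 22) is a single port
    dst_port: Optional[Tuple[int, int]] = None

    def __post_init__(self):
        for rng in (self.src_port, self.dst_port):
            if rng is None:
                continue
            if self.protocol not in ("tcp", "udp"):   # ports only match with tcp/udp
                raise ValueError(f"rule {self.sequence}: port match requires protocol tcp or udp")
            if not 0 <= rng[0] <= rng[1] <= 65535:    # first port must not exceed last
                raise ValueError(f"rule {self.sequence}: invalid port range {rng}")

def rule_matches(rule, src, dst, protocol, src_port=0, dst_port=0):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != (4 if rule.ip_version == "ipv4" else 6):
        return False
    if rule.protocol not in ("any", protocol):
        return False
    if rule.src and s not in ipaddress.ip_network(rule.src, strict=False):
        return False
    if rule.dst and d not in ipaddress.ip_network(rule.dst, strict=False):
        return False
    for want, have in ((rule.src_port, src_port), (rule.dst_port, dst_port)):
        if want and not want[0] <= have <= want[1]:
            return False
    return True

def evaluate(acl, src, dst, protocol, src_port=0, dst_port=0):
    for rule in sorted(acl, key=lambda r: r.sequence):   # sequence number sets the order
        if rule_matches(rule, src, dst, protocol, src_port, dst_port):
            return rule.action
    return "deny"

# The page's blockssh ACL expressed in this model.
BLOCKSSH = [
    Rule(10, "deny", "ipv4", protocol="tcp", dst="203.0.113.2/32", dst_port=(22, 22)),
    Rule(20, "permit", "ipv4"),
]
```

Running evaluate(BLOCKSSH, ...) against a few constructed packets shows that only TCP to 203.0.113.2 port 22 is denied, while the same port on another address, a different protocol, or a different port falls through to rule 20.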