An ACL is an ordered set of rules that you can use to filter traffic. Each rule specifies a set of conditions that a packet must satisfy to match the rule. When the device determines that an ACL applies to a packet, it tests the packet against the conditions of all rules. The first matching rule determines whether the packet is permitted or denied. If there is no match, the device applies the applicable implicit rule. The device continues processing packets that are permitted and drops packets that are denied.
Diagram
Classes
route_control (vxlan.overlay_extensions)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ipv4_access_lists | List | [ipv4_access_lists] | No | |
| ipv6_access_lists | List | [ipv6_access_lists] | No | |
ipv4_access_lists (vxlan.overlay_extensions.route_control)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: `^[A-Za-z0-9-_]{1,63}$` | Yes | |
| entries | List | [entries] | No | |
| statistics_per_entry | Boolean | true, false | No | |
| fragments | Choice | deny-all, permit-all | No | |
| ignore_routable | Boolean | true, false | No | |
ipv6_access_lists (vxlan.overlay_extensions.route_control)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: `^[A-Za-z0-9-_]{1,63}$` | Yes | |
| entries | List | [entries] | No | |
| statistics_per_entry | Boolean | true, false | No | |
| fragments | Choice | deny-all, permit-all | No | |
| ignore_routable | Boolean | true, false | No | |
| extension_header | Choice | permit-all, deny-all | No | |
entries (vxlan.overlay_extensions.route_control.ipv4_access_lists)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| seq_number | Integer | min: 1, max: 4294967294 | Yes | |
| operation | Choice | permit, deny | No | |
| remark | String | | No | |
| protocol | Any | Integer[min: 0, max: 255] or Choice[ahp, eigrp, esp, gre, icmp, igmp, ip, nos, ospf, pcp, pim, tcp, udf, udp] | No | |
| source | Class | [source] | No | |
| destination | Class | [destination] | No | |
| filtering_options | List | [filtering_options] | No | |
| log | Boolean | true, false | No | |
entries (vxlan.overlay_extensions.route_control.ipv6_access_lists)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| seq_number | Integer | min: 1, max: 4294967294 | Yes | |
| operation | Choice | permit, deny | No | |
| remark | String | | No | |
| protocol | Any | Integer[min: 0, max: 255] or Choice[ahp, eigrp, esp, icmp, ipv6, pcp, pim, sctp, tcp, udf, udp] | No | |
| source | Class | [source] | No | |
| destination | Class | [destination] | No | |
| filtering_options | List | [filtering_options] | No | |
| log | Boolean | true, false | No | |
source (vxlan.overlay_extensions.route_control.ipv4_access_lists.entries)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ip | IP | | No | |
| wildcard | IP | | No | |
| addrgroup | String | | No | |
| any | Boolean | true, false | No | |
| host | IP | | No | |
| port_number | Class | [port_number] | No | |
filtering_options (vxlan.overlay_extensions.route_control.ipv4_access_lists.entries)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| flags | List | [flags] | No | |
| dscp | Any | Integer[min: 0, max: 63] or Choice[af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, ef, default] | No | |
| http_method | Any | Integer[min: 1, max: 7] or Choice[connect, delete, get, head, post, put, trace] | No | |
| tcp_option_length | Integer | min: 0, max: 40 | No | |
| tcp_flags_mask | Integer | min: 0, max: 63 | No | |
| ttl | Integer | min: 0, max: 255 | No | |
| udf | Class | [udf] | No | |
| packet_length | Class | [packet_length] | No | |
| time_range | String | | No | |
| precedence | Any | Integer[min: 0, max: 7] or Choice[critical, flash, flash-override, immediate, internet, network, priority, routine] | No | |
| set_erspan_dscp | Integer | min: 1, max: 63 | No | |
| set_erspan_gre_proto | Integer | min: 1, max: 65535 | No | |
| load_share | Boolean | true, false | No | |
| fragments | Boolean | true, false | No | |
source (vxlan.overlay_extensions.route_control.ipv6_access_lists.entries)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ip | IP | | No | |
| wildcard | IP | | No | |
| addrgroup | String | | No | |
| any | Boolean | true, false | No | |
| host | IP | | No | |
| port_number | Class | [port_number] | No | |
filtering_options (vxlan.overlay_extensions.route_control.ipv6_access_lists.entries)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| flags | List | [flags] | No | |
| dscp | Any | Integer[min: 0, max: 63] or Choice[af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, ef, default] | No | |
| tcp_flags_mask | Integer | min: 0, max: 63 | No | |
| ttl | Integer | min: 0, max: 255 | No | |
| udf | Class | [udf] | No | |
| packet_length | Class | [packet_length] | No | |
| time_range | String | | No | |
| precedence | Any | Integer[min: 0, max: 7] or Choice[critical, flash, flash-override, immediate, internet, network, priority, routine] | No | |
| load_share | Boolean | true, false | No | |
| fragments | Boolean | true, false | No | |
port_number (vxlan.overlay_extensions.route_control.ipv4_access_lists.entries.source)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| operator | Choice | eq, gt, lt, neq, range | No | |
| port | Integer | min: 0, max: 65535 | No | |
| from | Integer | min: 0, max: 65535 | No | |
| to | Integer | min: 0, max: 65535 | No | |
flags (vxlan.overlay_extensions.route_control.ipv4_access_lists.entries.filtering_options)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| establish | Boolean | true, false | No | |
| ack | Boolean | true, false | No | |
| fin | Boolean | true, false | No | |
| psh | Boolean | true, false | No | |
| rst | Boolean | true, false | No | |
| syn | Boolean | true, false | No | |
| urg | Boolean | true, false | No | |
udf (vxlan.overlay_extensions.route_control.ipv4_access_lists.entries.filtering_options)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | | No | |
| value | Integer | min: 0, max: 65535 | No | |
| mask | Integer | min: 0, max: 65535 | No | |
packet_length (vxlan.overlay_extensions.route_control.ipv4_access_lists.entries.filtering_options)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| operation | Choice | eq, gt, lt, neq, range | No | |
| size | Integer | min: 20, max: 9210 | No | |
| from | Integer | min: 20, max: 9210 | No | |
| to | Integer | min: 20, max: 9210 | No | |
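The tables above give ranges and choices but no tool to check a data file against them before it is pushed to a switch. The following checker is an added example written for this page, not part of the Network-as-Code project; it uses only the Python standard library, reads one `ipv4_access_lists` or `ipv6_access_lists` item as Python dicts (the same structure the YAML produces), and returns every violation of the constraints listed above. The duplicate `seq_number` check goes beyond the tables and is an assumption; the sample ACL at the bottom is constructed.

```python
"""Constraint checker for the route_control ACL classes documented above.

Added example using only the Python standard library; not part of the
Network-as-Code project. validate_acl() walks one access-list item and
returns a list of violations of the ranges and choices in the tables.
"""
import re

NAME_RE = re.compile(r"^[A-Za-z0-9-_]{1,63}$")
IPV4_PROTOCOLS = {"ahp", "eigrp", "esp", "gre", "icmp", "igmp", "ip", "nos",
                  "ospf", "pcp", "pim", "tcp", "udf", "udp"}
IPV6_PROTOCOLS = {"ahp", "eigrp", "esp", "icmp", "ipv6", "pcp", "pim", "sctp",
                  "tcp", "udf", "udp"}
DSCP_KEYWORDS = {"af11", "af12", "af13", "af21", "af22", "af23", "af31", "af32",
                 "af33", "af41", "af42", "af43", "cs1", "cs2", "cs3", "cs4",
                 "cs5", "cs6", "cs7", "ef", "default"}
HTTP_METHODS = {"connect", "delete", "get", "head", "post", "put", "trace"}
OPERATORS = {"eq", "gt", "lt", "neq", "range"}
# filtering_options keys present in the IPv4 table but absent from the IPv6 one
IPV4_ONLY_OPTIONS = {"http_method", "tcp_option_length",
                     "set_erspan_dscp", "set_erspan_gre_proto"}


def _is_int(v, lo, hi):
    """True when v is an integer (bool excluded) within [lo, hi]."""
    return isinstance(v, int) and not isinstance(v, bool) and lo <= v <= hi


def _check_operator_block(block, single, lo, hi, where, errors):
    """Shared check for port_number (port, 0..65535) and packet_length (size, 20..9210)."""
    op = block.get("operator", block.get("operation"))
    if op not in OPERATORS:
        errors.append(f"{where}: operator {op!r} must be one of {sorted(OPERATORS)}")
    keys = ("from", "to") if op == "range" else (single,)
    for key in keys:
        if not _is_int(block.get(key), lo, hi):
            errors.append(f"{where}: {key} must be an integer {lo}..{hi}")


def _check_filtering_option(opt, family, where, errors):
    for key, val in opt.items():
        if family == "ipv6" and key in IPV4_ONLY_OPTIONS:
            errors.append(f"{where}: {key} is not defined for ipv6_access_lists")
        elif key == "ttl" and not _is_int(val, 0, 255):
            errors.append(f"{where}: ttl must be 0..255")
        elif key == "tcp_option_length" and not _is_int(val, 0, 40):
            errors.append(f"{where}: tcp_option_length must be 0..40")
        elif key == "tcp_flags_mask" and not _is_int(val, 0, 63):
            errors.append(f"{where}: tcp_flags_mask must be 0..63")
        elif key == "dscp" and not (_is_int(val, 0, 63) or val in DSCP_KEYWORDS):
            errors.append(f"{where}: dscp {val!r} is neither 0..63 nor a DSCP keyword")
        elif key == "http_method" and not (_is_int(val, 1, 7) or val in HTTP_METHODS):
            errors.append(f"{where}: http_method {val!r} is neither 1..7 nor a method keyword")
        elif key == "packet_length":
            _check_operator_block(val, "size", 20, 9210, f"{where} packet_length", errors)


def validate_acl(acl, family="ipv4"):
    """Return the list of violations for one access list; empty means valid."""
    errors = []
    protocols = IPV4_PROTOCOLS if family == "ipv4" else IPV6_PROTOCOLS
    name = str(acl.get("name", ""))
    if not NAME_RE.match(name):
        errors.append(f"name {name!r} does not match ^[A-Za-z0-9-_]{{1,63}}$")
    if acl.get("fragments") not in (None, "deny-all", "permit-all"):
        errors.append(f"{name}: fragments must be deny-all or permit-all")
    seen = set()
    for e in acl.get("entries", []):
        seq = e.get("seq_number")
        where = f"{name} seq {seq}"
        if not _is_int(seq, 1, 4294967294):
            errors.append(f"{where}: seq_number is mandatory and must be 1..4294967294")
        elif seq in seen:  # assumption beyond the table: one rule per sequence number
            errors.append(f"{where}: duplicate seq_number")
        seen.add(seq)
        if "remark" in e:
            continue  # a remark entry carries no match conditions
        if e.get("operation") not in ("permit", "deny"):
            errors.append(f"{where}: operation must be permit or deny")
        proto = e.get("protocol")
        if not (_is_int(proto, 0, 255) or proto in protocols):
            errors.append(f"{where}: protocol {proto!r} is neither 0..255 nor a {family} keyword")
        for side in ("source", "destination"):
            pn = e.get(side, {}).get("port_number")
            if pn is not None:
                _check_operator_block(pn, "port", 0, 65535, f"{where} {side} port_number", errors)
        for opt in e.get("filtering_options", []):
            _check_filtering_option(opt, family, where, errors)
    return errors


# Constructed sample (not from the page): entry 10 is valid, the rest carry mistakes
BAD_ACL = {
    "name": "acl bad",  # the space violates the name regex
    "entries": [
        {"seq_number": 10, "operation": "permit", "protocol": "tcp",
         "source": {"any": True},
         "destination": {"any": True, "port_number": {"operator": "gt", "port": 1023}},
         "filtering_options": [{"flags": [{"establish": True}]}]},
        {"seq_number": 20, "operation": "allow", "protocol": "tcp",  # allow is not permit/deny
         "source": {"any": True}, "destination": {"any": True},
         "filtering_options": [{"tcp_option_length": 41}]},  # max is 40
    ],
}

if __name__ == "__main__":
    for err in validate_acl(BAD_ACL):
        print(err)
```

Run it on a data file before a deployment: the three messages for `BAD_ACL` name the ACL and sequence number, so a reviewer can go straight to the offending entry. Passing `family="ipv6"` switches to the IPv6 protocol list and rejects the options that only exist in the IPv4 `filtering_options` table.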
Examples
Example-1
In this example, we have an IPv4 ACL named myACL with a remark at sequence number 5 that describes the entry or entries that follow. In sequence 10 we permit traffic with protocol IP between the source 192.168.10.0/24 and the destination 192.168.200.0/24.

```
ip access-list myACL
  5 remark Allow_traffic
  10 permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
```

```yaml
---
vxlan:
  overlay_extensions:
    route_control:
      ipv4_access_lists:
        - name: myACL
          entries:
            - seq_number: 5
              remark: Allow_traffic
            - seq_number: 10
              operation: permit
              protocol: ip
              source:
                ip: 192.168.10.0
                wildcard: 0.0.0.255
              destination:
                ip: 192.168.200.0
                wildcard: 0.0.0.255
      groups:
        - name: ipacl_RCtrlGrp
          ipv4_access_lists:
            - name: myACL
      switches:
        - name: netascode-leaf1
          groups:
            - ipacl_RCtrlGrp
```
Example-2
These two ACLs, acl-103 and acl-104, filter TCP traffic. The ACL acl-103 allows, in entry 10, TCP traffic with a port greater than (gt) 1023 and the established flag. The ACL acl-104 has two entries:

- 10 allows TCP traffic from any source IP with source port 80 to the destination 192.168.1.100/32.
- 20 allows TCP traffic from source IP 192.168.1.0/24 to the destination port 20 with the established flag.

```
ip access-list acl-103
  10 permit tcp any any gt 1023 established
ip access-list acl-104
  10 permit tcp any eq www 192.168.1.100/32
  20 permit tcp any 192.168.1.0 0.0.0.255 eq ftp-data established
```

```yaml
---
vxlan:
  overlay_extensions:
    route_control:
      ipv4_access_lists:
        - name: acl-103
          entries:
            - seq_number: 10
              operation: permit
              protocol: tcp
              source:
                any: true
              destination:
                any: true
                port_number:
                  operator: gt
                  port: 1023
              filtering_options:
                - flags:
                    - establish: true
        - name: acl-104
          entries:
            - seq_number: 10
              operation: permit
              protocol: tcp
              source:
                any: true
                port_number:
                  operator: eq
                  port: 80
              destination:
                host: 192.168.1.100/32
            - seq_number: 20
              operation: permit
              protocol: tcp
              source:
                any: true
              destination:
                ip: 192.168.1.0/24
                port_number:
                  operator: eq
                  port: 20
              filtering_options:
                - flags:
                    - establish: true
      groups:
        - name: ipacl_RCtrlGrp
          ipv4_access_lists:
            - name: acl-103
            - name: acl-104
      switches:
        - name: netascode-leaf1
          groups:
            - ipacl_RCtrlGrp
```
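The lookup rule stated at the top of this page (entries tested in sequence order, first match wins, implicit deny when nothing matches) is what makes the `established` flag in acl-104 useful: a SYN to port 20 matches no permit and is dropped, while a reply segment carrying ACK is allowed. The evaluator below is an added example written for this page, not code from the Network-as-Code project or from NX-OS; it applies that rule to the data model structure, using Example-2's acl-104 entries plus Example-1's wildcard rule (the remark text, the out-of-order listing, and all packets are constructed). The meaning of `establish` (ACK or RST set) is the usual ACL meaning and is assumed here, and `addrgroup` object groups are not expanded.

```python
"""First-match evaluation of route_control ACL entries.

Added example, not code from the page or from the Network-as-Code project.
Entries are tested in seq_number order, the first match decides, and a
packet that matches nothing falls through to the implicit deny.
"""
import ipaddress

# Example-2's acl-104 plus Example-1's wildcard rule; deliberately listed out of order
ACL_SAMPLE = [
    {"seq_number": 20, "operation": "permit", "protocol": "tcp",
     "source": {"any": True},
     "destination": {"ip": "192.168.1.0/24",
                     "port_number": {"operator": "eq", "port": 20}},
     "filtering_options": [{"flags": [{"establish": True}]}]},
    {"seq_number": 5, "remark": "web and ftp-data"},  # constructed remark
    {"seq_number": 10, "operation": "permit", "protocol": "tcp",
     "source": {"any": True, "port_number": {"operator": "eq", "port": 80}},
     "destination": {"host": "192.168.1.100/32"}},
    {"seq_number": 30, "operation": "permit", "protocol": "ip",
     "source": {"ip": "192.168.10.0", "wildcard": "0.0.0.255"},
     "destination": {"ip": "192.168.200.0", "wildcard": "0.0.0.255"}},
]

# Constructed packets: protocol, addresses, ports and the TCP flags that are set
PACKETS = {
    "web_reply":    {"protocol": "tcp", "src": "203.0.113.5", "sport": 80,
                     "dst": "192.168.1.100", "dport": 51000, "flags": {"ack"}},
    "ftp_data_syn": {"protocol": "tcp", "src": "203.0.113.5", "sport": 51001,
                     "dst": "192.168.1.7", "dport": 20, "flags": {"syn"}},
    "ftp_data_ack": {"protocol": "tcp", "src": "203.0.113.5", "sport": 51001,
                     "dst": "192.168.1.7", "dport": 20, "flags": {"ack"}},
    "lan_to_lan":   {"protocol": "udp", "src": "192.168.10.77", "sport": 5000,
                     "dst": "192.168.200.3", "dport": 5001, "flags": set()},
    "dns":          {"protocol": "udp", "src": "10.0.0.1", "sport": 5353,
                     "dst": "192.168.1.100", "dport": 53, "flags": set()},
}


def _addr_matches(spec, addr):
    """Match one source/destination block: any, host, or ip with a prefix or a wildcard."""
    if spec.get("any"):
        return True
    a = ipaddress.ip_address(addr)
    if "host" in spec:
        return a == ipaddress.ip_interface(spec["host"]).ip  # tolerates the /32 suffix
    if "ip" in spec and "wildcard" in spec:
        # wildcard mask: a 1 bit means "don't care" for that bit of the address
        wc = int(ipaddress.ip_address(spec["wildcard"]))
        return (int(a) | wc) == (int(ipaddress.ip_address(spec["ip"])) | wc)
    if "ip" in spec:
        return a in ipaddress.ip_network(spec["ip"], strict=False)
    raise NotImplementedError("addrgroup object groups are not expanded here")


def _port_matches(pn, port):
    op = pn["operator"]
    if op == "range":
        return pn["from"] <= port <= pn["to"]
    return {"eq": port == pn["port"], "neq": port != pn["port"],
            "gt": port > pn["port"], "lt": port < pn["port"]}[op]


def _flags_match(entry, pkt):
    """'establish' uses the usual ACL meaning (ACK or RST set); other flags must be set."""
    for opt in entry.get("filtering_options", []):
        for flag_set in opt.get("flags", []):
            if flag_set.get("establish") and not (pkt["flags"] & {"ack", "rst"}):
                return False
            if any(flag_set.get(f) and f not in pkt["flags"]
                   for f in ("ack", "fin", "psh", "rst", "syn", "urg")):
                return False
    return True


def evaluate(entries, pkt):
    """Return (action, seq_number) of the first matching entry, or ('deny', None)."""
    for e in sorted(entries, key=lambda x: x["seq_number"]):  # device order, not file order
        if "remark" in e:
            continue
        if e["protocol"] != "ip" and e["protocol"] != pkt["protocol"]:
            continue  # 'ip' matches every protocol; keyword protocols are compared by name
        src, dst = e.get("source", {}), e.get("destination", {})
        if not (_addr_matches(src, pkt["src"]) and _addr_matches(dst, pkt["dst"])):
            continue
        if "port_number" in src and not _port_matches(src["port_number"], pkt["sport"]):
            continue
        if "port_number" in dst and not _port_matches(dst["port_number"], pkt["dport"]):
            continue
        if not _flags_match(e, pkt):
            continue
        return e["operation"], e["seq_number"]
    return "deny", None  # implicit deny at the end of every ACL


if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:14s} -> {evaluate(ACL_SAMPLE, pkt)}")
```

The `ftp_data_syn` packet is the case worth noticing: it reaches entry 20 on protocol, addresses and port, but fails the `establish` check and ends at the implicit deny, which is exactly the behaviour the CLI line `eq ftp-data established` is meant to give. Sorting by `seq_number` reproduces what the switch does with the YAML list regardless of the order the entries were written in.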
Example-3
This ACL, logging-acl, allows in sequence 10 traffic from any source to the destination 10.30.30.0/24 and logs matches.

```
ip access-list logging-acl
  10 permit ip any 10.30.30.0 0.0.0.255 log
```

```yaml
---
vxlan:
  overlay_extensions:
    route_control:
      ipv4_access_lists:
        - name: logging-acl
          entries:
            - seq_number: 10
              operation: permit
              protocol: ip
              source:
                any: true
              destination:
                ip: 10.30.30.0/24
              log: true
      groups:
        - name: ipacl_RCtrlGrp
          ipv4_access_lists:
            - name: logging-acl
      switches:
        - name: netascode-leaf1
          groups:
            - ipacl_RCtrlGrp
```
Example-4
In this ACL, http-option-acl, we enable statistics per entry. The ACL has two entries:

- 10 allows TCP traffic with http-method GET and a TCP option length of 4 bytes.
- 20 allows TCP traffic with http-method POST.

```
ip access-list http-option-acl
  statistics per-entry
  10 permit tcp any any http-method get tcp-option-length 4
  20 permit tcp any any http-method post
```

```yaml
---
vxlan:
  overlay_extensions:
    route_control:
      ipv4_access_lists:
        - name: http-option-acl
          statistics_per_entry: true
          entries:
            - seq_number: 10
              operation: permit
              protocol: tcp
              source:
                any: true
              destination:
                any: true
              filtering_options:
                - http_method: get
                  tcp_option_length: 4
            - seq_number: 20
              operation: permit
              protocol: tcp
              source:
                any: true
              destination:
                any: true
              filtering_options:
                - http_method: post
      groups:
        - name: ipacl_RCtrlGrp
          ipv4_access_lists:
            - name: http-option-acl
      switches:
        - name: netascode-leaf1
          groups:
            - ipacl_RCtrlGrp
```
Other IPv4 ACLs
```yaml
---
vxlan:
  overlay_extensions:
    route_control:
      ipv4_access_lists:
        - name: ACL-ip_precedence
          entries:
            - seq_number: 10
              operation: permit
              protocol: ip
              source:
                any: true
              destination:
                any: true
              filtering_options:
                - precedence: critical
        - name: acl-105
          entries:
            - seq_number: 10
              operation: permit
              protocol: udp
              source:
                any: true
              destination:
                any: true
                port_number:
                  operator: eq
                  port: 53
            - seq_number: 20
              operation: permit
              protocol: udp
              source:
                any: true
                port_number:
                  operator: eq
                  port: 53
              destination:
                any: true
            - seq_number: 30
              operation: permit
              protocol: tcp
              source:
                host: 10.1.1.1
              destination:
                host: 172.16.1.1
                port_number:
                  operator: range
                  from: 8080
                  to: 8082
        - name: udf-acl
          entries:
            - seq_number: 10
              protocol: udf
              operation: permit
              filtering_options:
                - udf:
                    name: pktoff10
                    value: 4660
                    mask: 65535
        - name: ACL-TTL
          entries:
            - seq_number: 10
              protocol: ip
              operation: deny
              source:
                any: true
              destination:
                any: true
              filtering_options:
                - ttl: 1
            - seq_number: 100
              protocol: ip
              operation: permit
              source:
                any: true
              destination:
                any: true
        - name: ACL-DSCP
          entries:
            - seq_number: 10
              protocol: ip
              operation: permit
              source:
                any: true
              destination:
                any: true
              filtering_options:
                - dscp: ef
        - name: ACL-timerange
          entries:
            - seq_number: 10
              operation: permit
              protocol: ip
              source:
                any: true
              destination:
                any: true
              filtering_options:
                - time_range: lunch
              log: true
        - name: ACL-Fragment
          entries:
            - seq_number: 10
              operation: permit
              protocol: ip
              source:
                any: true
              destination:
                any: true
              filtering_options:
                - fragments: true
        - name: ACL-Fragment2
          fragments: permit-all
        - name: ACL-ignoreroutable
          ignore_routable: true
        - name: ACL-AddGroup
          entries:
            - seq_number: 10
              operation: permit
              protocol: ip
              source:
                addrgroup: web_server
              destination:
                any: true
      groups:
        - name: ipacl_RCtrlGrp
          ipv4_access_lists:
            - name: ACL-ip_precedence
            - name: acl-105
            - name: udf-acl
            - name: ACL-TTL
            - name: ACL-DSCP
            - name: ACL-timerange
            - name: ACL-Fragment
            - name: ACL-Fragment2
            - name: ACL-ignoreroutable
            - name: ACL-AddGroup
      switches:
        - name: netascode-leaf1
          groups:
            - ipacl_RCtrlGrp
```
IPv6 ACLs example
This IPv6 ACL, ACL6-101, has one entry, 10. This sequence number allows TCP traffic from the source 2001:db8:300:201::/64 with source port 23 to any destination. The ACL is used in the group ipacl_RCtrlGrp, which is consumed by the switch netascode-leaf1.

```
ipv6 access-list ACL6-101
  10 permit tcp 2001:db8:300:201::/64 eq telnet any
```

```yaml
---
vxlan:
  overlay_extensions:
    route_control:
      ipv6_access_lists:
        - name: ACL6-101
          entries:
            - seq_number: 10
              operation: permit
              protocol: tcp
              source:
                ip: 2001:db8:300:201::/64
                port_number:
                  operator: eq
                  port: 23
              destination:
                any: true
      groups:
        - name: ipacl_RCtrlGrp
          ipv6_access_lists:
            - name: ACL6-101
      switches:
        - name: netascode-leaf1
          groups:
            - ipacl_RCtrlGrp
```
Other IPv6 examples
The IPv6 ACL option extension_header works only on Fretta (-R) platforms.

```yaml
---
vxlan:
  overlay_extensions:
    route_control:
      ipv6_access_lists:
        - name: ACL6-102
          entries:
            - seq_number: 10
              operation: permit
              protocol: tcp
              source:
                ip: 2001:db8:300:201::1/32
                port_number:
                  operator: eq
                  port: 80
              destination:
                ip: 2001:db8:300:202::1/32
        - name: snmp6-acl
          entries:
            - seq_number: 10
              operation: permit
              protocol: udp
              source:
                any: true
              destination:
                any: true
                port_number:
                  operator: eq
                  port: 161
            - seq_number: 20
              operation: permit
              protocol: udp
              source:
                any: true
              destination:
                any: true
                port_number:
                  operator: eq
                  port: 162
            - seq_number: 30
              operation: permit
              protocol: tcp
              source:
                any: true
              destination:
                any: true
                port_number:
                  operator: eq
                  port: 161
            - seq_number: 40
              operation: permit
              protocol: tcp
              source:
                any: true
              destination:
                any: true
                port_number:
                  operator: eq
                  port: 162
        - name: ACL6-Fragment
          entries:
            - seq_number: 10
              operation: permit
              protocol: ipv6
              source:
                any: true
              destination:
                any: true
              filtering_options:
                - fragments: true
        - name: ACL6-Fragment2
          fragments: permit-all
        - name: ACL6-ignoreroutable
          ignore_routable: true
        - name: ACL6-extension_header
          extension_header: deny-all
      groups:
        - name: ipacl_RCtrlGrp
          ipv6_access_lists:
            - name: ACL6-102
            - name: snmp6-acl
            - name: ACL6-Fragment
            - name: ACL6-Fragment2
            - name: ACL6-ignoreroutable
            - name: ACL6-extension_header
      switches:
        - name: netascode-leaf1
          groups:
            - ipacl_RCtrlGrp
```