IP ACLs
An ACL is an ordered set of rules that you can use to filter traffic. Each rule specifies a set of conditions that a packet must satisfy to match the rule. When the device determines that an ACL applies to a packet, it tests the packet against the conditions of the rules in order. The first matching rule determines whether the packet is permitted or denied. If no rule matches, the device applies the ACL's implicit rule. The device continues processing packets that are permitted and drops packets that are denied.
Diagram
Classes
route_control (vxlan.overlay_extensions)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
ipv4_access_lists | List | [ipv4_access_lists] | No | |
ipv6_access_lists | List | [ipv6_access_lists] | No |
ipv4_access_lists (vxlan.overlay_extensions.route_control)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
name | String | Regex: ^[A-Za-z0-9-_]{1,63}$ | Yes | |
entries | List | [entries] | No | |
statistics_per_entry | Boolean | true , false | No | |
fragments | Choice | deny-all , permit-all | No | |
ignore_routable | Boolean | true , false | No |
ipv6_access_lists (vxlan.overlay_extensions.route_control)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
name | String | Regex: ^[A-Za-z0-9-_]{1,63}$ | Yes | |
entries | List | [entries] | No | |
statistics_per_entry | Boolean | true , false | No | |
fragments | Choice | deny-all , permit-all | No | |
ignore_routable | Boolean | true , false | No | |
extension_header | Choice | permit-all , deny-all | No |
entries (vxlan.overlay_extensions.route_control.ipv4_access_lists)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
seq_number | Integer | min: 1 , max: 4294967294 | Yes | |
operation | Choice | permit , deny | No | |
remark | String | | No | |
protocol | Any | Integer[min: 0 , max: 255 ] or Choice[ahp , eigrp , esp , gre , icmp , igmp , ip , nos , ospf , pcp , pim , tcp , udf , udp ] | No | |
source | Class | [source] | No | |
destination | Class | [destination] | No | |
filtering_options | List | [filtering_options] | No | |
log | Boolean | true , false | No |
entries (vxlan.overlay_extensions.route_control.ipv6_access_lists)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
seq_number | Integer | min: 1 , max: 4294967294 | Yes | |
operation | Choice | permit , deny | No | |
remark | String | | No | |
protocol | Any | Integer[min: 0 , max: 255 ] or Choice[ahp , eigrp , esp , icmp , ipv6 , pcp , pim , sctp , tcp , udf , udp ] | No | |
source | Class | [source] | No | |
destination | Class | [destination] | No | |
filtering_options | List | [filtering_options] | No | |
log | Boolean | true , false | No |
source (vxlan.overlay_extensions.route_control.ipv4_access_lists.entries)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
ip | IP | | No | |
wildcard | IP | | No | |
addrgroup | String | | No | |
any | Boolean | true , false | No | |
host | IP | | No | |
port_number | Class | [port_number] | No |
filtering_options (vxlan.overlay_extensions.route_control.ipv4_access_lists.entries)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
flags | List | [flags] | No | |
dscp | Any | Integer[min: 0 , max: 63 ] or Choice[af11 , af12 , af13 , af21 , af22 , af23 , af31 , af32 , af33 , af41 , af42 , af43 , cs1 , cs2 , cs3 , cs4 , cs5 , cs6 , cs7 , ef , default ] | No | |
http_method | Any | Integer[min: 1 , max: 7 ] or Choice[connect , delete , get , head , post , put , trace ] | No | |
tcp_option_length | Integer | min: 0 , max: 40 | No | |
tcp_flags_mask | Integer | min: 0 , max: 63 | No | |
ttl | Integer | min: 0 , max: 255 | No | |
udf | Class | [udf] | No | |
packet_length | Class | [packet_length] | No | |
time_range | String | | No | |
precedence | Any | Integer[min: 0 , max: 7 ] or Choice[critical , flash , flash-override , immediate , internet , network , priority , routine ] | No | |
set_erspan_dscp | Integer | min: 1 , max: 63 | No | |
set_erspan_gre_proto | Integer | min: 1 , max: 65535 | No | |
load_share | Boolean | true , false | No | |
fragments | Boolean | true , false | No |
source (vxlan.overlay_extensions.route_control.ipv6_access_lists.entries)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
ip | IP | | No | |
wildcard | IP | | No | |
addrgroup | String | | No | |
any | Boolean | true , false | No | |
host | IP | | No | |
port_number | Class | [port_number] | No |
filtering_options (vxlan.overlay_extensions.route_control.ipv6_access_lists.entries)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
flags | List | [flags] | No | |
dscp | Any | Integer[min: 0 , max: 63 ] or Choice[af11 , af12 , af13 , af21 , af22 , af23 , af31 , af32 , af33 , af41 , af42 , af43 , cs1 , cs2 , cs3 , cs4 , cs5 , cs6 , cs7 , ef , default ] | No | |
tcp_flags_mask | Integer | min: 0 , max: 63 | No | |
ttl | Integer | min: 0 , max: 255 | No | |
udf | Class | [udf] | No | |
packet_length | Class | [packet_length] | No | |
time_range | String | | No | |
precedence | Any | Integer[min: 0 , max: 7 ] or Choice[critical , flash , flash-override , immediate , internet , network , priority , routine ] | No | |
load_share | Boolean | true , false | No | |
fragments | Boolean | true , false | No |
port_number (vxlan.overlay_extensions.route_control.ipv4_access_lists.entries.source)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
operator | Choice | eq , gt , lt , neq , range | No | |
port | Integer | min: 0 , max: 65535 | No | |
from | Integer | min: 0 , max: 65535 | No | |
to | Integer | min: 0 , max: 65535 | No |
flags (vxlan.overlay_extensions.route_control.ipv4_access_lists.entries.filtering_options)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
establish | Boolean | true , false | No | |
ack | Boolean | true , false | No | |
fin | Boolean | true , false | No | |
psh | Boolean | true , false | No | |
rst | Boolean | true , false | No | |
syn | Boolean | true , false | No | |
urg | Boolean | true , false | No |
udf (vxlan.overlay_extensions.route_control.ipv4_access_lists.entries.filtering_options)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
name | String | | No | |
value | Integer | min: 0 , max: 65535 | No | |
mask | Integer | min: 0 , max: 65535 | No |
packet_length (vxlan.overlay_extensions.route_control.ipv4_access_lists.entries.filtering_options)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
operation | Choice | eq , gt , lt , neq , range | No | |
size | Integer | min: 20 , max: 9210 | No | |
from | Integer | min: 20 , max: 9210 | No | |
to | Integer | min: 20 , max: 9210 | No |
Examples
Example-1
In this example, we have an IPv4 ACL named myACL with a remark at sequence number 5 that describes the entry or entries that follow. In sequence 10 we permit traffic with protocol IP between the source 192.168.10.0/24 and the destination 192.168.200.0/24.
ip access-list myacl
5 remark Allow_traffic
10 permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
---
vxlan:
overlay_extensions:
route_control:
ipv4_access_lists:
- name: myACL
entries:
- seq_number: 5
remark: Allow_traffic
- seq_number: 10
operation: permit
protocol: ip
source:
ip: 192.168.10.0
wildcard: 0.0.0.255
destination:
ip: 192.168.200.0
wildcard: 0.0.0.255
groups:
- name: ipacl_RCtrlGrp
ipv4_access_lists:
- name: myACL
switches:
- name: netascode-leaf1
groups:
- ipacl_RCtrlGrp
Example-2
These two ACLs, acl-103 and acl-104, filter TCP traffic. The ACL acl-103 allows, in entry 10, TCP traffic with a port greater than (gt) 1023 and the established flag set. The ACL acl-104 has two entries: entry 10 allows TCP traffic from any source IP with source port 80 to destination 192.168.1.100/32; entry 20 allows TCP traffic from source IP 192.168.1.0/24 to destination port 20 with the established flag set.
ip access-list acl-103
10 permit tcp any any gt 1023 established
ip access-list acl-104
10 permit tcp any eq www 192.168.1.100/32
20 permit tcp any 192.168.1.0 0.0.0.255 eq ftp-data established
---
vxlan:
overlay_extensions:
route_control:
ipv4_access_lists:
- name: acl-103
entries:
- seq_number: 10
operation: permit
protocol: tcp
source:
any: true
destination:
any: true
port_number:
operator: gt
port: 1023
filtering_options:
- flags:
- establish: true
- name: acl-104
entries:
- seq_number: 10
operation: permit
protocol: tcp
source:
any: true
port_number:
operator: eq
port: 80
destination:
host: 192.168.1.100/32
- seq_number: 20
operation: permit
protocol: tcp
source:
any: true
destination:
ip: 192.168.1.101/24
port_number:
operator: eq
port: 20
filtering_options:
- flags:
- establish: true
groups:
- name: ipacl_RCtrlGrp
ipv4_access_lists:
- name: acl-103
- name: acl-104
switches:
- name: netascode-leaf1
groups:
- ipacl_RCtrlGrp
Example-3
This ACL, logging-acl, allows in sequence 10 traffic from any source to destination 10.30.30.0/24 and logs the matches.
ip access-list logging-acl
10 permit ip any 10.30.30.0 0.0.0.255 log
---
vxlan:
overlay_extensions:
route_control:
ipv4_access_lists:
- name: logging-acl
entries:
- seq_number: 10
operation: permit
protocol: ip
source:
any: true
destination:
ip: 10.30.30.0/24
log: true
groups:
- name: ipacl_RCtrlGrp
ipv4_access_lists:
- name: logging-acl
switches:
- name: netascode-leaf1
groups:
- ipacl_RCtrlGrp
Example-4
In this ACL, http-option-acl, we enable statistics per entry. The ACL has two entries: entry 10 allows TCP traffic with http-method GET and a TCP option length of 4 bytes; entry 20 allows TCP traffic with http-method POST.
ip access-list http-option-acl
statistics per-entry
10 permit tcp any any http-method get tcp-option-length 4
20 permit tcp any any http-method post
---
vxlan:
overlay_extensions:
route_control:
ipv4_access_lists:
- name: http-option-acl
statistics_per_entry: true
entries:
- seq_number: 10
operation: permit
protocol: tcp
source:
any: true
destination:
any: true
filtering_options:
- http_method: get
tcp_option_length: 4
- seq_number: 20
operation: permit
protocol: tcp
source:
any: true
destination:
any: true
filtering_options:
- http_method: post
groups:
- name: ipacl_RCtrlGrp
ipv4_access_lists:
- name: http-option-acl
switches:
- name: netascode-leaf1
groups:
- ipacl_RCtrlGrp
Other IPv4 ACLs
---
vxlan:
overlay_extensions:
route_control:
# IP Precedence
ipv4_access_lists:
- name: ACL-ip_precedence
entries:
- seq_number: 10
operation: permit
protocol: ip
source:
any: true
destination:
any: true
filtering_options:
- precedence: critical
# Filter UDP and TCP traffic.
- name: acl-105
entries:
- seq_number: 10
operation: permit
protocol: udp
source:
any: true
destination:
any: true
port_number:
operator: eq
port: 53
- seq_number: 20
operation: permit
protocol: udp
source:
any: true
port_number:
operator: eq
port: 53
destination:
any: true
- seq_number: 30
operation: permit
protocol: tcp
source:
host: 10.1.1.1
destination:
host: 172.16.1.1
port_number:
operator: range
from: 8080
to: 8082
# Match UDF
- name: udf-acl
entries:
- seq_number: 10
protocol: udf
operation: permit
filtering_options:
- udf:
name: pktoff10
value: 4660 # dec(4660) = hex(1234)
mask: 65535 # dec(65535) = hex(ffff)
# Filter traffic with TTL equal to 1
- name: ACL-TTL
entries:
- seq_number: 10
protocol: ip
operation: deny
source:
any: true
destination:
any: true
filtering_options:
- ttl: 1
- seq_number: 100
protocol: ip
operation: permit
source:
any: true
destination:
any: true
# Filter DSCP equal to EF
- name: ACL-DSCP
entries:
- seq_number: 10
protocol: ip
operation: permit
source:
any: true
destination:
any: true
filtering_options:
- dscp: ef
# Filter traffic with Time-range
- name: ACL-timerange
entries:
- seq_number: 10
operation: permit
protocol: ip
source:
any: true
destination:
any: true
filtering_options:
- time_range: lunch
log: true
# Filter Fragmented traffic
- name: ACL-Fragment
entries:
- seq_number: 10
operation: permit
protocol: ip
source:
any: true
destination:
any: true
filtering_options:
- fragments: true
- name: ACL-Fragment2
fragments: permit-all
- name: ACL-ignoreroutable
ignore_routable: true
# Filter with Object-Group
- name: ACL-AddGroup
entries:
- seq_number: 10
operation: permit
protocol: ip
source:
addrgroup: web_server
destination:
any: true
groups:
- name: ipacl_RCtrlGrp
ipv4_access_lists:
- name: ACL-ip_precedence
- name: acl-105
- name: udf-acl
- name: ACL-TTL
- name: ACL-DSCP
- name: ACL-timerange
- name: ACL-Fragment
- name: ACL-Fragment2
- name: ACL-ignoreroutable
- name: ACL-AddGroup
switches:
- name: netascode-leaf1
groups:
- ipacl_RCtrlGrp
IPv6 ACLs example
This IPv6 ACL, ACL6-101, has one entry, 10. This sequence number allows TCP traffic from source 2001:db8:300:201::/64 with source port 23 to any destination. The ACL is used in group ipacl_RCtrlGrp, which is consumed by switch netascode-leaf1.
ipv6 access-list ACL6-101
10 permit tcp 2001:db8:300:201::/64 eq telnet any
---
vxlan:
overlay_extensions:
route_control:
ipv6_access_lists:
- name: ACL6-101
entries:
- seq_number: 10
operation: permit
protocol: tcp
source:
ip: 2001:db8:300:201::/64
port_number:
operator: eq
port: 23
destination:
any: true
groups:
- name: ipacl_RCtrlGrp
ipv6_access_lists:
- name: ACL6-101
switches:
- name: netascode-leaf1
groups:
- ipacl_RCtrlGrp
Other IPv6 examples
The IPv6 ACL option extension_header works only on Fretta (-R).
---
vxlan:
overlay_extensions:
route_control:
ipv6_access_lists:
# Filter IPv6
- name: ACL6-102
entries:
- seq_number: 10
operation: permit
protocol: tcp
source:
ip: 2001:db8:300:201::1/32
port_number:
operator: eq
port: 80
destination:
ip: 2001:db8:300:202::1/32
- name: snmp6-acl
entries:
- seq_number: 10
operation: permit
protocol: udp
source:
any: true
destination:
any: true
port_number:
operator: eq
port: 161
- seq_number: 20
operation: permit
protocol: udp
source:
any: true
destination:
any: true
port_number:
operator: eq
port: 162
- seq_number: 30
operation: permit
protocol: tcp
source:
any: true
destination:
any: true
port_number:
operator: eq
port: 161
- seq_number: 40
operation: permit
protocol: tcp
source:
any: true
destination:
any: true
port_number:
operator: eq
port: 162
- name: ACL6-Fragment
entries:
- seq_number: 10
operation: permit
protocol: ipv6
source:
any: true
destination:
any: true
filtering_options:
- fragments: true
- name: ACL6-Fragment2
fragments: permit-all
- name: ACL6-ignoreroutable
ignore_routable: true
# Works on Fretta only (9x00 -R)
- name: ACL6-extension_header
extension_header: deny-all
groups:
- name: ipacl_RCtrlGrp
ipv6_access_lists:
- name: ACL6-102
- name: snmp6-acl
- name: ACL6-Fragment
- name: ACL6-Fragment2
- name: ACL6-ignoreroutable
- name: ACL6-extension_header # Fretta device only
switches:
- name: netascode-leaf1
groups:
- ipacl_RCtrlGrp