Access List
Configure IPv4 and IPv6 access lists for traffic filtering and access control. Access lists provide granular control over network traffic by matching on protocol, source/destination addresses, ports, DSCP, TTL, packet length, and other criteria. Entries are evaluated in ascending `sequence` order and the first matching entry decides the action; traffic that matches no entry is dropped by the implicit deny at the end of the list, which is not logged, so add an explicit final `deny` entry with `log` (and optionally `counter`) wherever visibility of dropped traffic matters.
Classes
configuration (iosxr.devices)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| access_lists | Class | [access_lists] | No | |
access_lists (iosxr.devices.configuration)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| options | Class | [options] | No | |
| ipv4 | List | [ipv4] | No | |
| ipv6 | List | [ipv6] | No | |
options (iosxr.devices.configuration.access_lists)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ipv4_icmp_off | Boolean | true, false | No | |
| ipv4_log_update_disable | Boolean | true, false | No | |
| ipv4_log_update_rate | Integer | min: 1, max: 1000 | No | |
| ipv4_log_update_threshold | Integer | min: 1, max: 2147483647 | No | |
| ipv6_icmp_off | Boolean | true, false | No | |
| ipv6_log_update_disable | Boolean | true, false | No | |
| ipv6_log_update_rate | Integer | min: 1, max: 1000 | No | |
| ipv6_log_update_threshold | Integer | min: 1, max: 2147483647 | No | |
ipv4 (iosxr.devices.configuration.access_lists)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | | Yes | |
| entries | List | [entries] | No | |
ipv6 (iosxr.devices.configuration.access_lists)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | | Yes | |
| entries | List | [entries] | No | |
entries (iosxr.devices.configuration.access_lists.ipv4)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| sequence | Integer | min: 1, max: 2147483646 | Yes | |
| remark | String | | No | |
| action | Choice | permit, deny | No | |
| protocol | Any | Integer[min: 0, max: 255] or Choice[ahp, eigrp, esp, gre, icmp, icmpv6, igmp, igrp, ipinip, ipv4, nos, ospf, pcp, pim, sctp, tcp, udp, rsvp, vrrp] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| source | Class | [source] | No | |
| destination | Class | [destination] | No | |
| icmp_message_type | Integer | min: 0, max: 255 | No | |
| icmp_message_code | Integer | min: 0, max: 255 | No | |
| icmp_message_name | Choice | AdministrativelyProhibited, AlternateAddress, ConversionError, DODHostProhibited, DODNetProhibited, Echo, EchoReply, GeneralParameterProblem, HostIsolated, HostPrecedenceUnreachable, HostRedirect, HostTOSRedirect, HostTOSUnreachable, HostUnknown, HostUnreachable, InformationReply, InformationRequest, MaskReply, MaskRequest, MobileRedirect, NetTOSRedirect, NetTOSUnreachable, NetworkRedirect, NetworkUnknown, NetworkUnreachable, NoRoomForOption, OptionMissing, PacketTooBig, ParameterProblem, PortUnreachable, PrecedenceUnreachable, ProtocolUnreachable, ReassemblyTimeout, Redirect, RouterAdvertisement, RouterSolicitation, SourceQuench, SourceRouteFailed, TTLExceeded, TimeExceeded, TimestampReply, TimestampRequest, Traceroute, Unreachable | No | |
| tcp_flags | List | Choice[fin, syn, rst, psh, ack, urg] | No | |
| igmp_type | Any | Integer[min: 0, max: 255] or Choice[host-query, host-report, dvmrp, pim, trace, v2-report, v2-leave, mtrace-response, mtrace, v3-report] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| dscp | Any | Integer[min: 0, max: 63] or Choice[af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, default, ef] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| dscp_type | Choice | equal, greater-than, less-than, not-equal, range | No | |
| dscp_range_from | Any | Integer or String or String[Regex: ^.*[\$\%]\{.*$] | No | |
| dscp_range_to | Any | Integer or String or String[Regex: ^.*[\$\%]\{.*$] | No | |
| precedence | Any | Integer[min: 0, max: 7] or Choice[critical, flash, flash-override, immediate, internet, network, priority, routine] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| fragment_type | Choice | dont-fragment, first-fragment, is-fragment, last-fragment, dont-fragment-is-fragment, dont-fragment-first-fragment, dont-fragment-last-fragment | No | |
| fragments | Boolean | true, false | No | |
| ttl | Integer | min: 0, max: 255 | No | |
| ttl_type | Choice | equal, greater-than, less-than, not-equal, range | No | |
| ttl_range_from | Integer | min: 0, max: 255 | No | |
| ttl_range_to | Integer | min: 0, max: 255 | No | |
| packet_length | Integer | min: 0, max: 65535 | No | |
| packet_length_type | Choice | equal, greater-than, less-than, not-equal, range | No | |
| packet_length_range_from | Integer | min: 0, max: 65535 | No | |
| packet_length_range_to | Integer | min: 0, max: 65535 | No | |
| fragment_offset | Integer | | No | |
| fragment_offset_type | Choice | equal, greater-than, less-than, not-equal, range | No | |
| fragment_offset_range_from | Integer | | No | |
| fragment_offset_range_to | Integer | | No | |
| nexthop1_ipv4 | IP | | No | |
| nexthop1_track | Any | Integer or String or String[Regex: ^.*[\$\%]\{.*$] | No | |
| nexthop1_vrf | Any | Integer or String or String[Regex: ^.*[\$\%]\{.*$] | No | |
| nexthop2_ipv4 | IP | | No | |
| nexthop2_track | Any | Integer or String or String[Regex: ^.*[\$\%]\{.*$] | No | |
| nexthop2_vrf | Any | Integer or String or String[Regex: ^.*[\$\%]\{.*$] | No | |
| nexthop3_ipv4 | IP | | No | |
| nexthop3_track | Any | Integer or String or String[Regex: ^.*[\$\%]\{.*$] | No | |
| nexthop3_vrf | Any | Integer or String or String[Regex: ^.*[\$\%]\{.*$] | No | |
| nexthop_default | Boolean | true, false | No | |
| log | Boolean | true, false | No | |
| log_input | Boolean | true, false | No | |
| counter | String | | No | |
| capture | Boolean | true, false | No | |
| icmp_off | Boolean | true, false | No | |
entries (iosxr.devices.configuration.access_lists.ipv6)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| sequence | Integer | min: 1, max: 2147483646 | Yes | |
| remark | String | | No | |
| action | Choice | permit, deny | No | |
| protocol | Any | Integer[min: 0, max: 255] or Choice[ahp, eigrp, esp, gre, icmpv6, igrp, ipv6, ospf, pcp, pim, sctp, tcp, udp, rsvp, vrrp] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| source | Class | [source] | No | |
| destination | Class | [destination] | No | |
| icmp_message_type | Integer | min: 0, max: 255 | No | |
| icmp_message_code | Integer | min: 0, max: 255 | No | |
| icmp_message_name | Choice | AdministrativelyProhibited, AddressUnreachable, BeyondScopeOfSourceAddress, DestinationUnreachable, Echo, EchoReply, ErroneousHeaderField, GroupMembershipQuery, GroupMembershipReduction, GroupMembershipReport, NeighborAdvertisement, NeighborRedirect, NeighborSolicitation, NoRouteToDestination, NodeInformationRequestIsRefused, NodeInformationSuccessfulReply, PacketTooBig, ParameterProblem, PortUnreachable, QuerySubjectIsDomainName, QuerySubjectIsIPv4Address, QuerySubjectIsIPv6Address, RRCommand, RRResult, RRSeqnumReset, ReassemblyOption, RouterAdvertisement, RouterRenumbering, RouterSolicitation, TTLExceeded, TimeExceeded, UnknownQueryType, UnrecognizedNextHeader, UnrecognizedOption, WhoAreYouReply, WhoAreYouRequest | No | |
| tcp_flags | List | Choice[fin, syn, rst, psh, ack, urg] | No | |
| headers | List | Choice[routing, destopts, hop-by-hop, fragments, authen] | No | |
| dscp | Any | Integer[min: 0, max: 63] or Choice[af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, default, ef] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| precedence | Any | Integer[min: 0, max: 7] or Choice[critical, flash, flash-override, immediate, internet, network, priority, routine] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| fragment_type | Choice | first-fragment, is-fragment | No | |
| ttl | Integer | min: 0, max: 255 | No | |
| ttl_type | Choice | equal, greater-than, less-than, not-equal, range | No | |
| ttl_range_from | Integer | min: 0, max: 255 | No | |
| ttl_range_to | Integer | min: 0, max: 255 | No | |
| packet_length | Integer | min: 0, max: 65535 | No | |
| packet_length_type | Choice | equal, greater-than, less-than, not-equal, range | No | |
| packet_length_range_from | Integer | min: 0, max: 65535 | No | |
| packet_length_range_to | Integer | min: 0, max: 65535 | No | |
| nexthop1_ipv6 | IP | | No | |
| nexthop1_track | Any | Integer or String or String[Regex: ^.*[\$\%]\{.*$] | No | |
| nexthop1_vrf | Any | Integer or String or String[Regex: ^.*[\$\%]\{.*$] | No | |
| nexthop2_ipv6 | IP | | No | |
| nexthop2_track | Any | Integer or String or String[Regex: ^.*[\$\%]\{.*$] | No | |
| nexthop2_vrf | Any | Integer or String or String[Regex: ^.*[\$\%]\{.*$] | No | |
| nexthop3_ipv6 | IP | | No | |
| nexthop3_track | Any | Integer or String or String[Regex: ^.*[\$\%]\{.*$] | No | |
| nexthop3_vrf | Any | Integer or String or String[Regex: ^.*[\$\%]\{.*$] | No | |
| log | Boolean | true, false | No | |
| log_input | Boolean | true, false | No | |
| counter | String | | No | |
| capture | Boolean | true, false | No | |
| icmp_off | Boolean | true, false | No | |
source (iosxr.devices.configuration.access_lists.ipv4.entries)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| address | IP | | No | |
| wildcard_mask | String | | No | |
| prefix_length | Integer | min: 0, max: 32 | No | |
| any | Boolean | true, false | No | |
| host | IP | | No | |
| net_group | String | | No | |
| port_group | String | | No | |
| port_type | Choice | equal, greater-than, less-than, not-equal, range | No | |
| port | Any | Integer[min: 0, max: 65535] or Choice[bgp, chargen, cmd, daytime, discard, domain, echo, exec, finger, ftp, ftp-data, gopher, hostname, https, ident, irc, klogin, kshell, ldp, login, lpd, nntp, pim-auto-rp, pop2, pop3, radius, radius-acct, smtp, snmp, ssh, sunrpc, tacacs, talk, telnet, time, uucp, whois, www, bfd, bootpc, bootps, dnsix, isakmp, mobile-ip, nameserver, netbios-dgm, netbios-ns, netbios-ss, ntp, rip, snmptrap, tftp, xdmcp] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| port_range_from | Any | Integer[min: 0, max: 65535] or Choice[bgp, chargen, cmd, daytime, discard, domain, echo, exec, finger, ftp, ftp-data, gopher, hostname, https, ident, irc, klogin, kshell, ldp, login, lpd, nntp, pim-auto-rp, pop2, pop3, radius, radius-acct, smtp, snmp, ssh, sunrpc, tacacs, talk, telnet, time, uucp, whois, www, bfd, bootpc, bootps, dnsix, isakmp, mobile-ip, nameserver, netbios-dgm, netbios-ns, netbios-ss, ntp, rip, snmptrap, tftp, xdmcp] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| port_range_to | Any | Integer[min: 0, max: 65535] or Choice[bgp, chargen, cmd, daytime, discard, domain, echo, exec, finger, ftp, ftp-data, gopher, hostname, https, ident, irc, klogin, kshell, ldp, login, lpd, nntp, pim-auto-rp, pop2, pop3, radius, radius-acct, smtp, snmp, ssh, sunrpc, tacacs, talk, telnet, time, uucp, whois, www, bfd, bootpc, bootps, dnsix, isakmp, mobile-ip, nameserver, netbios-dgm, netbios-ns, netbios-ss, ntp, rip, snmptrap, tftp, xdmcp] or String[Regex: ^.*[\$\%]\{.*$] | No | |
destination (iosxr.devices.configuration.access_lists.ipv4.entries)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| address | IP | | No | |
| wildcard_mask | String | | No | |
| prefix_length | Integer | min: 0, max: 32 | No | |
| any | Boolean | true, false | No | |
| host | IP | | No | |
| net_group | String | | No | |
| port_group | String | | No | |
| port_type | Choice | equal, greater-than, less-than, not-equal, range | No | |
| port | Any | Integer[min: 0, max: 65535] or Choice[bgp, chargen, cmd, daytime, discard, domain, echo, exec, finger, ftp, ftp-data, gopher, hostname, https, ident, irc, klogin, kshell, ldp, login, lpd, nntp, pim-auto-rp, pop2, pop3, radius, radius-acct, smtp, snmp, ssh, sunrpc, tacacs, talk, telnet, time, uucp, whois, www, bfd, bootpc, bootps, dnsix, isakmp, mobile-ip, nameserver, netbios-dgm, netbios-ns, netbios-ss, ntp, rip, snmptrap, tftp, xdmcp] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| port_range_from | Any | Integer[min: 0, max: 65535] or Choice[bgp, chargen, cmd, daytime, discard, domain, echo, exec, finger, ftp, ftp-data, gopher, hostname, https, ident, irc, klogin, kshell, ldp, login, lpd, nntp, pim-auto-rp, pop2, pop3, radius, radius-acct, smtp, snmp, ssh, sunrpc, tacacs, talk, telnet, time, uucp, whois, www, bfd, bootpc, bootps, dnsix, isakmp, mobile-ip, nameserver, netbios-dgm, netbios-ns, netbios-ss, ntp, rip, snmptrap, tftp, xdmcp] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| port_range_to | Any | Integer[min: 0, max: 65535] or Choice[bgp, chargen, cmd, daytime, discard, domain, echo, exec, finger, ftp, ftp-data, gopher, hostname, https, ident, irc, klogin, kshell, ldp, login, lpd, nntp, pim-auto-rp, pop2, pop3, radius, radius-acct, smtp, snmp, ssh, sunrpc, tacacs, talk, telnet, time, uucp, whois, www, bfd, bootpc, bootps, dnsix, isakmp, mobile-ip, nameserver, netbios-dgm, netbios-ns, netbios-ss, ntp, rip, snmptrap, tftp, xdmcp] or String[Regex: ^.*[\$\%]\{.*$] | No | |
source (iosxr.devices.configuration.access_lists.ipv6.entries)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| address | IP | | No | |
| prefix_length | Integer | min: 0, max: 128 | No | |
| any | Boolean | true, false | No | |
| host | IP | | No | |
| net_group | String | | No | |
| port_group | String | | No | |
| port_type | Choice | equal, greater-than, less-than, not-equal, range | No | |
| port | Any | Integer[min: 0, max: 65535] or Choice[bgp, chargen, cmd, daytime, discard, domain, echo, exec, finger, ftp, ftp-data, gopher, hostname, https, ident, irc, klogin, kshell, ldp, login, lpd, nntp, pim-auto-rp, pop2, pop3, radius, radius-acct, smtp, snmp, ssh, sunrpc, tacacs, talk, telnet, time, uucp, whois, www, bfd, bootpc, bootps, dnsix, isakmp, mobile-ip, nameserver, netbios-dgm, netbios-ns, netbios-ss, ntp, rip, snmptrap, tftp, xdmcp] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| port_range_from | Any | Integer[min: 0, max: 65535] or Choice[bgp, chargen, cmd, daytime, discard, domain, echo, exec, finger, ftp, ftp-data, gopher, hostname, https, ident, irc, klogin, kshell, ldp, login, lpd, nntp, pim-auto-rp, pop2, pop3, radius, radius-acct, smtp, snmp, ssh, sunrpc, tacacs, talk, telnet, time, uucp, whois, www, bfd, bootpc, bootps, dnsix, isakmp, mobile-ip, nameserver, netbios-dgm, netbios-ns, netbios-ss, ntp, rip, snmptrap, tftp, xdmcp] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| port_range_to | Any | Integer[min: 0, max: 65535] or Choice[bgp, chargen, cmd, daytime, discard, domain, echo, exec, finger, ftp, ftp-data, gopher, hostname, https, ident, irc, klogin, kshell, ldp, login, lpd, nntp, pim-auto-rp, pop2, pop3, radius, radius-acct, smtp, snmp, ssh, sunrpc, tacacs, talk, telnet, time, uucp, whois, www, bfd, bootpc, bootps, dnsix, isakmp, mobile-ip, nameserver, netbios-dgm, netbios-ns, netbios-ss, ntp, rip, snmptrap, tftp, xdmcp] or String[Regex: ^.*[\$\%]\{.*$] | No | |
destination (iosxr.devices.configuration.access_lists.ipv6.entries)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| address | IP | | No | |
| prefix_length | Integer | min: 0, max: 128 | No | |
| any | Boolean | true, false | No | |
| host | IP | | No | |
| net_group | String | | No | |
| port_group | String | | No | |
| port_type | Choice | equal, greater-than, less-than, not-equal, range | No | |
| port | Any | Integer[min: 0, max: 65535] or Choice[bgp, chargen, cmd, daytime, discard, domain, echo, exec, finger, ftp, ftp-data, gopher, hostname, https, ident, irc, klogin, kshell, ldp, login, lpd, nntp, pim-auto-rp, pop2, pop3, radius, radius-acct, smtp, snmp, ssh, sunrpc, tacacs, talk, telnet, time, uucp, whois, www, bfd, bootpc, bootps, dnsix, isakmp, mobile-ip, nameserver, netbios-dgm, netbios-ns, netbios-ss, ntp, rip, snmptrap, tftp, xdmcp] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| port_range_from | Any | Integer[min: 0, max: 65535] or Choice[bgp, chargen, cmd, daytime, discard, domain, echo, exec, finger, ftp, ftp-data, gopher, hostname, https, ident, irc, klogin, kshell, ldp, login, lpd, nntp, pim-auto-rp, pop2, pop3, radius, radius-acct, smtp, snmp, ssh, sunrpc, tacacs, talk, telnet, time, uucp, whois, www, bfd, bootpc, bootps, dnsix, isakmp, mobile-ip, nameserver, netbios-dgm, netbios-ns, netbios-ss, ntp, rip, snmptrap, tftp, xdmcp] or String[Regex: ^.*[\$\%]\{.*$] | No | |
| port_range_to | Any | Integer[min: 0, max: 65535] or Choice[bgp, chargen, cmd, daytime, discard, domain, echo, exec, finger, ftp, ftp-data, gopher, hostname, https, ident, irc, klogin, kshell, ldp, login, lpd, nntp, pim-auto-rp, pop2, pop3, radius, radius-acct, smtp, snmp, ssh, sunrpc, tacacs, talk, telnet, time, uucp, whois, www, bfd, bootpc, bootps, dnsix, isakmp, mobile-ip, nameserver, netbios-dgm, netbios-ns, netbios-ss, ntp, rip, snmptrap, tftp, xdmcp] or String[Regex: ^.*[\$\%]\{.*$] | No | |
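The constraints in the tables above are cheaper to enforce in a pre-commit check than to discover as a rejected commit on the router. The linter below is an added example, not part of this page or of the project's own validation; it walks an `entries` list shaped like the data model above and reports the structural faults the tables imply: a `sequence` outside 1..2147483646, duplicated or out of order; a `remark` entry that also carries match fields; a `port_type` without its `port` or range fields (or an inverted range); more than one address qualifier (`address`, `any`, `host`, `net_group`) on one endpoint; a `prefix_length` beyond the family's maximum; `headers` on an IPv4 entry. The entries are constructed inline as Python dicts mirroring the YAML, with defects planted deliberately; the function and constant names are this example's own.

```python
"""Structural lint for access-list entries shaped like the data model above.

Added example; not code from this page or the project. Sample entries are
constructed inline and contain deliberate defects.
"""
from __future__ import annotations

SEQ_MIN, SEQ_MAX = 1, 2147483646                          # 'sequence' range from the entries table
PORT_TYPES = {"equal", "greater-than", "less-than", "not-equal", "range"}
ADDR_QUALIFIERS = ("address", "any", "host", "net_group")  # exactly one per endpoint


def lint_endpoint(label: str, ep: dict, max_prefix: int) -> list[str]:
    """Check one source/destination object; return human-readable findings."""
    out = []
    present = [k for k in ADDR_QUALIFIERS if k in ep]
    if len(present) != 1:
        out.append(f"{label}: expected exactly one of {ADDR_QUALIFIERS}, got {present}")
    if "address" in ep and not ep.keys() & {"wildcard_mask", "prefix_length"}:
        out.append(f"{label}: 'address' needs 'wildcard_mask' or 'prefix_length'")
    if "prefix_length" in ep and not 0 <= ep["prefix_length"] <= max_prefix:
        out.append(f"{label}: prefix_length {ep['prefix_length']} outside 0..{max_prefix}")
    ptype = ep.get("port_type")
    port_keys = ep.keys() & {"port", "port_range_from", "port_range_to"}
    if ptype is None:
        if port_keys:
            out.append(f"{label}: {sorted(port_keys)} given without port_type")
    elif ptype not in PORT_TYPES:
        out.append(f"{label}: unknown port_type {ptype!r}")
    elif ptype == "range":
        lo, hi = ep.get("port_range_from"), ep.get("port_range_to")
        if lo is None or hi is None:
            out.append(f"{label}: port_type range needs port_range_from and port_range_to")
        elif isinstance(lo, int) and isinstance(hi, int) and lo > hi:
            out.append(f"{label}: port range {lo}-{hi} is inverted")
    elif "port" not in ep:
        out.append(f"{label}: port_type {ptype} needs 'port'")
    return out


def lint_entries(entries: list[dict], family: str = "ipv4") -> list[str]:
    """Lint one access list's entries (family 'ipv4' or 'ipv6'); return findings."""
    max_prefix = 32 if family == "ipv4" else 128
    findings, seen, last_seq = [], set(), 0
    for e in entries:
        seq = e.get("sequence")
        tag = f"seq {seq}"
        if not isinstance(seq, int) or not SEQ_MIN <= seq <= SEQ_MAX:
            findings.append(f"{tag}: sequence missing or outside {SEQ_MIN}..{SEQ_MAX}")
            continue
        if seq in seen:
            findings.append(f"{tag}: duplicate sequence number")
        if seq < last_seq:
            findings.append(f"{tag}: not in ascending order (follows {last_seq})")
        seen.add(seq)
        last_seq = max(last_seq, seq)
        if "remark" in e:                                  # remarks carry no match criteria
            extra = sorted(e.keys() - {"sequence", "remark"})
            if extra:
                findings.append(f"{tag}: remark entry also carries {extra}")
            continue
        if e.get("action") not in ("permit", "deny"):
            findings.append(f"{tag}: non-remark entry needs action permit|deny")
        if "protocol" not in e:
            findings.append(f"{tag}: missing protocol")
        for side in ("source", "destination"):
            if side in e:
                findings += [f"{tag} {p}" for p in lint_endpoint(side, e[side], max_prefix)]
        if family == "ipv4" and "headers" in e:
            findings.append(f"{tag}: 'headers' is only defined for ipv6 entries")
        if e.get("ttl_type") == "range" and not all(k in e for k in ("ttl_range_from", "ttl_range_to")):
            findings.append(f"{tag}: ttl_type range needs ttl_range_from and ttl_range_to")
    return findings


SAMPLE_ENTRIES = [  # constructed; mirrors the YAML 'entries' structure, with planted defects
    {"sequence": 10, "remark": "Allow SSH from NOC"},
    {"sequence": 20, "action": "permit", "protocol": "tcp",
     "source": {"address": "10.250.0.0", "wildcard_mask": "0.0.0.255"},
     "destination": {"any": True, "port_type": "equal", "port": 22}},
    {"sequence": 30, "action": "permit", "protocol": "udp",
     "source": {"host": "10.250.0.10", "any": True},                              # two qualifiers
     "destination": {"any": True, "port_type": "range", "port_range_from": 161}},  # no range end
    {"sequence": 30, "remark": "duplicate sequence", "action": "deny"},            # dup + remark with action
    {"sequence": 25, "protocol": "ipv4", "source": {"any": True}, "destination": {"any": True}},  # no action, out of order
]

if __name__ == "__main__":
    for finding in lint_entries(SAMPLE_ENTRIES):
        print(finding)
```

Run it as a file and it prints six findings for the planted defects; the first two sample entries (Example-1's SSH rule) pass clean. Wire `lint_entries` over every `ipv4`/`ipv6` list in the loaded YAML and fail the pipeline on any finding.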
Example YAML Code:
Example-1: Infrastructure protection ACL restricting management plane access to trusted subnets for SSH, SNMP, and TACACS+.

```yaml
iosxr:
  devices:
    - name: router-1
      host: 10.10.10.1:57400
      configuration:
        access_lists:
          ipv4:
            - name: ACL_COPP_MGMT
              entries:
                - sequence: 10
                  remark: "Allow SSH from NOC"
                - sequence: 20
                  action: permit
                  protocol: tcp
                  source:
                    address: 10.250.0.0
                    wildcard_mask: 0.0.0.255
                  destination:
                    any: true
                    port_type: equal
                    port: 22
                - sequence: 30
                  remark: "Allow SNMP polling from NMS"
                - sequence: 40
                  action: permit
                  protocol: udp
                  source:
                    host: 10.250.0.10
                  destination:
                    any: true
                    port_type: equal
                    port: 161
                - sequence: 50
                  remark: "Allow TACACS+ from AAA servers"
                - sequence: 60
                  action: permit
                  protocol: tcp
                  source:
                    address: 10.250.1.0
                    wildcard_mask: 0.0.0.7
                  destination:
                    any: true
                    port_type: equal
                    port: 49
                - sequence: 70
                  remark: "Allow ICMP echo for monitoring (named)"
                - sequence: 80
                  action: permit
                  protocol: icmp
                  source:
                    address: 10.250.0.0
                    wildcard_mask: 0.0.0.255
                  destination:
                    any: true
                  icmp_message_name: Echo
                - sequence: 90
                  remark: "Allow ICMP type 1 code 0"
                - sequence: 100
                  action: permit
                  protocol: icmp
                  source:
                    address: 10.250.0.0
                    wildcard_mask: 0.0.0.255
                  destination:
                    any: true
                  icmp_message_type: 1
                  icmp_message_code: 0
                - sequence: 1000
                  remark: "Deny and log everything else"
                - sequence: 1010
                  action: deny
                  protocol: ipv4
                  source:
                    any: true
                  destination:
                    any: true
                  log: true
                  counter: COPP_DENIED
```

Example-2: QoS classification ACL matching voice, video, and signaling traffic by DSCP and port ranges.

```yaml
iosxr:
  devices:
    - name: router-1
      host: 10.10.10.1:57400
      configuration:
        access_lists:
          ipv4:
            - name: ACL_QOS_CLASSIFY
              entries:
                - sequence: 10
                  remark: "Voice bearer - RTP"
                - sequence: 20
                  action: permit
                  protocol: udp
                  source:
                    any: true
                  destination:
                    any: true
                    port_type: range
                    port_range_from: 16384
                    port_range_to: 32767
                  dscp: ef
                - sequence: 30
                  remark: "Video conferencing - AF41"
                - sequence: 40
                  action: permit
                  protocol: udp
                  source:
                    any: true
                  destination:
                    any: true
                    port_type: range
                    port_range_from: 33000
                    port_range_to: 40000
                  dscp: af41
                - sequence: 50
                  remark: "SIP signaling"
                - sequence: 60
                  action: permit
                  protocol: tcp
                  source:
                    any: true
                  destination:
                    any: true
                    port_type: equal
                    port: 5060
                  dscp: cs3
                - sequence: 70
                  remark: "Network control - routing protocols"
                - sequence: 80
                  action: permit
                  protocol: ospf
                  source:
                    any: true
                  destination:
                    any: true
                  precedence: internet
                - sequence: 90
                  remark: "Drop fragments to prevent evasion"
                - sequence: 100
                  action: deny
                  protocol: ipv4
                  source:
                    any: true
                  destination:
                    any: true
                  fragment_type: is-fragment
                  log: true
                - sequence: 110
                  remark: "Match TCP SYN for stateless filtering"
                - sequence: 120
                  action: permit
                  protocol: tcp
                  source:
                    any: true
                  destination:
                    any: true
                  tcp_flags:
                    - syn
```

Example-3: Dual-stack IPv6 security ACL and anti-spoofing rules.

```yaml
iosxr:
  devices:
    - name: router-1
      host: 10.10.10.1:57400
      configuration:
        access_lists:
          ipv6:
            - name: ACL_V6_EDGE_IN
              entries:
                - sequence: 10
                  remark: "Allow ICMPv6 neighbor solicitation"
                - sequence: 20
                  action: permit
                  protocol: icmpv6
                  source:
                    any: true
                  destination:
                    any: true
                  icmp_message_name: NeighborSolicitation
                - sequence: 30
                  remark: "Allow ICMPv6 neighbor advertisement"
                - sequence: 40
                  action: permit
                  protocol: icmpv6
                  source:
                    any: true
                  destination:
                    any: true
                  icmp_message_name: NeighborAdvertisement
                - sequence: 50
                  remark: "Allow ICMPv6 echo for troubleshooting"
                - sequence: 60
                  action: permit
                  protocol: icmpv6
                  source:
                    any: true
                  destination:
                    any: true
                  icmp_message_name: Echo
                - sequence: 70
                  remark: "Allow ICMPv6 packet-too-big for PMTUD"
                - sequence: 80
                  action: permit
                  protocol: icmpv6
                  source:
                    any: true
                  destination:
                    any: true
                  icmp_message_name: PacketTooBig
                - sequence: 90
                  remark: "Allow BGP from peer 2001:db8:ffff::1"
                - sequence: 100
                  action: permit
                  protocol: tcp
                  source:
                    host: "2001:db8:ffff::1"
                  destination:
                    any: true
                    port_type: equal
                    port: 179
                  ttl: 255
                - sequence: 110
                  remark: "Allow established return traffic"
                - sequence: 120
                  action: permit
                  protocol: tcp
                  source:
                    any: true
                    port_type: equal
                    port: 179
                  destination:
                    host: "2001:db8:ffff::2"
                  ttl: 255
                - sequence: 130
                  remark: "Allow customer prefix 2001:db8:a000::/36"
                - sequence: 140
                  action: permit
                  protocol: ipv6
                  source:
                    address: "2001:db8:a000::"
                    prefix_length: 36
                  destination:
                    any: true
                - sequence: 150
                  remark: "Match TCP SYN for stateless filtering"
                - sequence: 160
                  action: permit
                  protocol: tcp
                  source:
                    any: true
                  destination:
                    any: true
                  tcp_flags:
                    - syn
                - sequence: 170
                  remark: "Match IPv6 extension headers"
                - sequence: 180
                  action: permit
                  protocol: ipv6
                  source:
                    any: true
                  destination:
                    any: true
                  headers:
                    - routing
                    - destopts
                    - hop-by-hop
                - sequence: 900
                  remark: "Deny and log all other traffic"
                - sequence: 910
                  action: deny
                  protocol: ipv6
                  source:
                    any: true
                  destination:
                    any: true
                  log: true
```

Example-4: Access list options controlling ICMP unreachable generation and ACL logging rates.

```yaml
iosxr:
  devices:
    - name: router-1
      host: 10.10.10.1:57400
      configuration:
        access_lists:
          options:
            ipv4_icmp_off: true
            ipv4_log_update_rate: 100
            ipv4_log_update_threshold: 500000
            ipv6_icmp_off: true
            ipv6_log_update_rate: 100
            ipv6_log_update_threshold: 500000
```
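Schema-valid entries can still be wrong as policy. Because IOS-XR matches first-hit in sequence order, an earlier, broader entry silently makes a later one unreachable, and the most damaging form of that is a `permit` that covers a later `deny`; a final deny that is present but lacks `log` is a second common gap in an infrastructure ACL like Example-1. The audit below is an added example, not code from this page or the project. It applies to an IPv4 `entries` list shaped like Example-1 and reports shadowed entries and a missing or unlogged explicit final deny. Named ports (`ssh`, `bgp`, ...), object groups, non-contiguous wildcard masks and any narrowing qualifier on the earlier entry (ICMP type, DSCP, TTL, flags, fragment fields) are treated as "cannot compare", so the audit never claims a shadow it cannot prove. The sample list is constructed: Example-1 with `seq 15` and `seq 1005` added to create the shadows; all names in the block are this example's own.

```python
"""Shadowed-entry and final-deny audit for an IPv4 access list.

Added example; not code from this page or the project. Sample data is constructed.
"""
from __future__ import annotations
import ipaddress

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ALL_PORTS = [(0, 65535)]
ANY_RULE = {"protocol": "ipv4", "source": {"any": True}, "destination": {"any": True}}
# Fields that narrow a match beyond protocol/address/port; log, counter and capture do not.
NARROWING = {"icmp_message_name", "icmp_message_type", "icmp_message_code", "tcp_flags", "dscp",
             "precedence", "ttl", "ttl_type", "packet_length", "packet_length_type",
             "fragment_type", "fragments", "fragment_offset", "fragment_offset_type"}


def wildcard_to_prefix(mask: str) -> int | None:
    """Contiguous wildcard mask -> prefix length; None for a non-contiguous mask."""
    inv = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    plen = bin(inv).count("1")
    return plen if inv == (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF else None


def endpoint_net(ep: dict) -> ipaddress.IPv4Network | None:
    """source/destination object -> network; None when it cannot be expressed as one
    (object groups, non-contiguous wildcard, missing address part)."""
    if ep.get("any"):
        return ANY_V4
    if "host" in ep:
        return ipaddress.ip_network((ep["host"], 32))
    if "address" in ep and ("prefix_length" in ep or "wildcard_mask" in ep):
        plen = ep["prefix_length"] if "prefix_length" in ep else wildcard_to_prefix(ep["wildcard_mask"])
        return None if plen is None else ipaddress.ip_network((ep["address"], plen), strict=False)
    return None


def endpoint_ports(ep: dict) -> list[tuple[int, int]] | None:
    """Port constraint as inclusive (lo, hi) ranges; None when a named port is used."""
    t = ep.get("port_type")
    if t is None:
        return ALL_PORTS
    p, lo, hi = (ep.get(k) for k in ("port", "port_range_from", "port_range_to"))
    if not all(v is None or isinstance(v, int) for v in (p, lo, hi)):
        return None  # named ports (ssh, bgp, ...) are not resolved in this example
    if t == "equal":
        return [(p, p)]
    if t == "range":
        return [(lo, hi)]
    if t == "greater-than":
        return [(p + 1, 65535)]
    if t == "less-than":
        return [(0, p - 1)]
    return [(0, p - 1), (p + 1, 65535)]  # not-equal


def covers(earlier: dict, later: dict) -> bool:
    """True when every packet matching `later` would already have matched `earlier`."""
    if earlier.get("protocol") not in ("ipv4", later.get("protocol")):
        return False
    for side in ("source", "destination"):
        e_ep, l_ep = earlier.get(side, {}), later.get(side, {})
        e_net, l_net = endpoint_net(e_ep), endpoint_net(l_ep)
        e_ports, l_ports = endpoint_ports(e_ep), endpoint_ports(l_ep)
        if None in (e_net, l_net, e_ports, l_ports) or not l_net.subnet_of(e_net):
            return False
        if not all(any(elo <= lo and hi <= ehi for elo, ehi in e_ports) for lo, hi in l_ports):
            return False
    return not (earlier.keys() & NARROWING)  # a narrowed earlier entry is never claimed to cover


def audit(entries: list[dict]) -> list[str]:
    """Report shadowed entries and a missing or unlogged explicit final deny."""
    rules = [e for e in entries if "remark" not in e]
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "permit shadows deny" if (earlier["action"], later["action"]) == ("permit", "deny") else "dead entry"
                findings.append(f"seq {later['sequence']} is shadowed by seq {earlier['sequence']} ({kind})")
                break
    last = rules[-1] if rules else None
    if last is None or last["action"] != "deny" or not covers(last, ANY_RULE):
        findings.append("no explicit final 'deny ipv4 any any': the implicit deny drops without logging")
    elif not last.get("log"):
        findings.append(f"seq {last['sequence']}: final deny has no log, dropped traffic stays invisible")
    return findings


def rule(seq, action, proto, src, dst, **extra):
    return {"sequence": seq, "action": action, "protocol": proto, "source": src, "destination": dst, **extra}


NOC = {"address": "10.250.0.0", "wildcard_mask": "0.0.0.255"}
SAMPLE = [  # constructed: Example-1 above plus seq 15 and seq 1005, which create the shadows
    {"sequence": 10, "remark": "Allow SSH from NOC"},
    rule(15, "permit", "tcp", NOC, {"any": True}),
    rule(20, "permit", "tcp", NOC, {"any": True, "port_type": "equal", "port": 22}),
    rule(40, "permit", "udp", {"host": "10.250.0.10"}, {"any": True, "port_type": "equal", "port": 161}),
    rule(60, "permit", "tcp", {"address": "10.250.1.0", "wildcard_mask": "0.0.0.7"},
         {"any": True, "port_type": "equal", "port": 49}),
    rule(80, "permit", "icmp", NOC, {"any": True}, icmp_message_name="Echo"),
    rule(1005, "deny", "tcp", {"host": "10.250.0.10"}, {"any": True, "port_type": "equal", "port": 22}),
    rule(1010, "deny", "ipv4", {"any": True}, {"any": True}, log=True, counter="COPP_DENIED"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the sample it reports `seq 20` as dead (covered by the port-less `seq 15`) and `seq 1005` as a deny shadowed by `seq 15`, the case worth blocking a deploy on; with those two entries removed, Example-1 audits clean. The coverage test is deliberately one-directional: an entry is only called shadowed by a single earlier entry that covers it entirely, so a later entry hidden by the union of several earlier ones is not reported.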