# IP ACLs
An ACL is an ordered set of rules that you can use to filter traffic. Each rule specifies a set of conditions that a packet must satisfy to match the rule. When the device determines that an ACL applies to a packet, it tests the packet against the conditions of all rules. The first matching rule determines whether the packet is permitted or denied. If there is no match, the device applies the applicable implicit rule. The device continues processing packets that are permitted and drops packets that are denied.
## Diagram
## Classes
### route_control (vxlan.overlay_extensions)

Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
ipv4_access_lists | List | [ipv4_access_lists] | No | |
ipv6_access_lists | List | [ipv6_access_lists] | No | |
### ipv4_access_lists (vxlan.overlay_extensions.route_control)

Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
name | String | Regex: `^[A-Za-z0-9-_]{1,63}$` | Yes | |
entries | List | [entries] | No | |
statistics_per_entry | Boolean | true, false | No | |
fragments | Choice | deny-all, permit-all | No | |
ignore_routable | Boolean | true, false | No | |
### ipv6_access_lists (vxlan.overlay_extensions.route_control)

Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
name | String | Regex: `^[A-Za-z0-9-_]{1,63}$` | Yes | |
entries | List | [entries] | No | |
statistics_per_entry | Boolean | true, false | No | |
fragments | Choice | deny-all, permit-all | No | |
ignore_routable | Boolean | true, false | No | |
extension_header | Choice | permit-all, deny-all | No | |
### entries (vxlan.overlay_extensions.route_control.ipv4_access_lists)

Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
seq_number | Integer | min: 1, max: 4294967294 | Yes | |
operation | Choice | permit, deny | No | |
remark | String | | No | |
protocol | Any | Integer[min: 0, max: 255] or Choice[ahp, eigrp, esp, gre, icmp, igmp, ip, nos, ospf, pcp, pim, tcp, udf, udp] | No | |
source | Class | [source] | No | |
destination | Class | [destination] | No | |
filtering_options | List | [filtering_options] | No | |
log | Boolean | true, false | No | |
### entries (vxlan.overlay_extensions.route_control.ipv6_access_lists)

Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
seq_number | Integer | min: 1, max: 4294967294 | Yes | |
operation | Choice | permit, deny | No | |
remark | String | | No | |
protocol | Any | Integer[min: 0, max: 255] or Choice[ahp, eigrp, esp, icmp, ipv6, pcp, pim, sctp, tcp, udf, udp] | No | |
source | Class | [source] | No | |
destination | Class | [destination] | No | |
filtering_options | List | [filtering_options] | No | |
log | Boolean | true, false | No | |
### source (vxlan.overlay_extensions.route_control.ipv4_access_lists.entries)

Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
ip | IP | | No | |
wildcard | IP | | No | |
addrgroup | String | | No | |
any | Boolean | true, false | No | |
host | IP | | No | |
port_number | Class | [port_number] | No | |
### filtering_options (vxlan.overlay_extensions.route_control.ipv4_access_lists.entries)

Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
flags | List | [flags] | No | |
dscp | Any | Integer[min: 0, max: 63] or Choice[af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, ef, default] | No | |
http_method | Any | Integer[min: 1, max: 7] or Choice[connect, delete, get, head, post, put, trace] | No | |
tcp_option_length | Integer | min: 0, max: 40 | No | |
tcp_flags_mask | Integer | min: 0, max: 63 | No | |
ttl | Integer | min: 0, max: 255 | No | |
udf | Class | [udf] | No | |
packet_length | Class | [packet_length] | No | |
time_range | String | | No | |
precedence | Any | Integer[min: 0, max: 7] or Choice[critical, flash, flash-override, immediate, internet, network, priority, routine] | No | |
set_erspan_dscp | Integer | min: 1, max: 63 | No | |
set_erspan_gre_proto | Integer | min: 1, max: 65535 | No | |
load_share | Boolean | true, false | No | |
fragments | Boolean | true, false | No | |
### source (vxlan.overlay_extensions.route_control.ipv6_access_lists.entries)

Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
ip | IP | | No | |
wildcard | IP | | No | |
addrgroup | String | | No | |
any | Boolean | true, false | No | |
host | IP | | No | |
port_number | Class | [port_number] | No | |
### filtering_options (vxlan.overlay_extensions.route_control.ipv6_access_lists.entries)

Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
flags | List | [flags] | No | |
dscp | Any | Integer[min: 0, max: 63] or Choice[af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, ef, default] | No | |
tcp_flags_mask | Integer | min: 0, max: 63 | No | |
ttl | Integer | min: 0, max: 255 | No | |
udf | Class | [udf] | No | |
packet_length | Class | [packet_length] | No | |
time_range | String | | No | |
precedence | Any | Integer[min: 0, max: 7] or Choice[critical, flash, flash-override, immediate, internet, network, priority, routine] | No | |
load_share | Boolean | true, false | No | |
fragments | Boolean | true, false | No | |
### port_number (vxlan.overlay_extensions.route_control.ipv4_access_lists.entries.source)

Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
operator | Choice | eq, gt, lt, neq, range | No | |
port | Integer | min: 0, max: 65535 | No | |
from | Integer | min: 0, max: 65535 | No | |
to | Integer | min: 0, max: 65535 | No | |
### flags (vxlan.overlay_extensions.route_control.ipv4_access_lists.entries.filtering_options)

Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
establish | Boolean | true, false | No | |
ack | Boolean | true, false | No | |
fin | Boolean | true, false | No | |
psh | Boolean | true, false | No | |
rst | Boolean | true, false | No | |
syn | Boolean | true, false | No | |
urg | Boolean | true, false | No | |
### udf (vxlan.overlay_extensions.route_control.ipv4_access_lists.entries.filtering_options)

Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
name | String | | No | |
value | Integer | min: 0, max: 65535 | No | |
mask | Integer | min: 0, max: 65535 | No | |
### packet_length (vxlan.overlay_extensions.route_control.ipv4_access_lists.entries.filtering_options)

Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
operation | Choice | eq, gt, lt, neq, range | No | |
size | Integer | min: 20, max: 9210 | No | |
from | Integer | min: 20, max: 9210 | No | |
to | Integer | min: 20, max: 9210 | No | |
## Examples

### Example-1
In this example, we have an IPv4 ACL named `myACL` with a remark at sequence number `5` to describe the next entry or entries. In sequence `10` we permit traffic with protocol `IP` between the source `192.168.10.0/24` and the destination `192.168.200.0/24`.
```
ip access-list myACL
  5 remark Allow_traffic
  10 permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
```
```yaml
---
vxlan:
  overlay_extensions:
    route_control:
      ipv4_access_lists:
        - name: myACL
          entries:
            - seq_number: 5
              remark: Allow_traffic
            - seq_number: 10
              operation: permit
              protocol: ip
              source:
                ip: 192.168.10.0
                wildcard: 0.0.0.255
              destination:
                ip: 192.168.200.0
                wildcard: 0.0.0.255
      groups:
        - name: ipacl_RCtrlGrp
          ipv4_access_lists:
            - name: myACL
      switches:
        - name: netascode-leaf1
          groups:
            - ipacl_RCtrlGrp
```
### Example-2
These two ACLs, `acl-103` and `acl-104`, filter `TCP` traffic. The ACL `acl-103` allows `TCP` traffic with a destination port greater than (`gt`) `1023` and the flag `established` in entry `10`. The ACL `acl-104` has two entries:

- `10` allows `TCP` traffic from any source IP with source port `80` to destination `192.168.1.100/32`.
- `20` allows `TCP` traffic from source IP `192.168.1.0/24` to the destination port `20` with flag `established`.
```
ip access-list acl-103
  10 permit tcp any any gt 1023 established
ip access-list acl-104
  10 permit tcp any eq www 192.168.1.100/32
  20 permit tcp any 192.168.1.0 0.0.0.255 eq ftp-data established
```
```yaml
---
vxlan:
  overlay_extensions:
    route_control:
      ipv4_access_lists:
        - name: acl-103
          entries:
            - seq_number: 10
              operation: permit
              protocol: tcp
              source:
                any: true
              destination:
                any: true
                port_number:
                  operator: gt
                  port: 1023
              filtering_options:
                - flags:
                    - establish: true
        - name: acl-104
          entries:
            - seq_number: 10
              operation: permit
              protocol: tcp
              source:
                any: true
                port_number:
                  operator: eq
                  port: 80
              destination:
                host: 192.168.1.100/32
            - seq_number: 20
              operation: permit
              protocol: tcp
              source:
                any: true
              destination:
                # the CLI form "192.168.1.0 0.0.0.255" is the 192.168.1.0/24 network
                ip: 192.168.1.0/24
                port_number:
                  operator: eq
                  port: 20
              filtering_options:
                - flags:
                    - establish: true
      groups:
        - name: ipacl_RCtrlGrp
          ipv4_access_lists:
            - name: acl-103
            - name: acl-104
      switches:
        - name: netascode-leaf1
          groups:
            - ipacl_RCtrlGrp
```
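The first-match and implicit-deny behaviour described in the introduction, applied to `acl-104` from this example. This is an added, constructed example in Python and not code from the page or from the netascode project: it interprets the data-model fields documented above (`seq_number`, `operation`, `protocol`, `source`/`destination` with `any`/`host`/`ip`/`wildcard`, `port_number`, `filtering_options.flags`), and it assumes that `establish` corresponds to NX-OS `established` (ACK or RST set); the `ACL_104` constant, the `evaluate` function and the packet dictionary keys (`proto`, `src`, `sport`, `dst`, `dport`, `tcp_flags`) are this example's own names.

```python
import ipaddress
# Constructed here: acl-104 from Example 2 as Python data, using the schema's field names.
ACL_104 = [
    {"seq_number": 10, "operation": "permit", "protocol": "tcp", "destination": {"host": "192.168.1.100/32"},
     "source": {"any": True, "port_number": {"operator": "eq", "port": 80}}},
    {"seq_number": 20, "operation": "permit", "protocol": "tcp", "source": {"any": True},
     "destination": {"ip": "192.168.1.0", "wildcard": "0.0.0.255", "port_number": {"operator": "eq", "port": 20}},
     "filtering_options": [{"flags": [{"establish": True}]}]},
]

def _addr_matches(spec, addr):
    """source/destination class: any, host (with or without /32), ip + wildcard, or ip/prefix."""
    if spec.get("any"):
        return True
    if "host" in spec:
        return ipaddress.ip_address(addr) == ipaddress.ip_interface(spec["host"]).ip
    if "wildcard" in spec:  # wildcard mask as in the CLI form: set bits are "don't care"
        care = ~int(ipaddress.ip_address(spec["wildcard"]))
        return (int(ipaddress.ip_address(addr)) ^ int(ipaddress.ip_address(spec["ip"]))) & care == 0
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec["ip"], strict=False)

def _port_matches(spec, port):
    """port_number class: eq, gt, lt, neq or range; an absent port_number matches every port."""
    if not spec:
        return True
    if spec["operator"] == "range":
        return spec["from"] <= port <= spec["to"]
    p = spec["port"]
    return {"eq": port == p, "neq": port != p, "gt": port > p, "lt": port < p}[spec["operator"]]

def _flags_match(entry, tcp_flags):
    """filtering_options.flags: 'establish' needs ACK or RST set; any other named flag must be set."""
    wanted = {k for o in entry.get("filtering_options", []) for f in o.get("flags", []) for k, v in f.items() if v}
    if "establish" in wanted and not ({"ack", "rst"} & tcp_flags):
        return False
    return (wanted - {"establish"}) <= tcp_flags

def evaluate(acl, pkt):
    """First match in seq_number order decides; no match falls through to the implicit deny."""
    for e in sorted(acl, key=lambda x: x["seq_number"]):
        if "operation" not in e:  # remark-only entry: documentation, never matches traffic
            continue
        src, dst = e.get("source", {"any": True}), e.get("destination", {"any": True})
        if (e.get("protocol", "ip") in ("ip", pkt["proto"])
                and _addr_matches(src, pkt["src"]) and _addr_matches(dst, pkt["dst"])
                and _port_matches(src.get("port_number"), pkt.get("sport", 0))
                and _port_matches(dst.get("port_number"), pkt.get("dport", 0))
                and _flags_match(e, pkt.get("tcp_flags", set()))):
            return e["operation"], e["seq_number"]
    return "deny", None  # implicit deny at the end of every ACL
```

A TCP packet to `192.168.1.55:20` that carries only SYN is denied by the implicit rule even though entry `20` names that network and port, because `establish` requires ACK or RST; the same packet with ACK set is permitted by entry `20`.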
### Example-3
This ACL `logging-acl` allows, in sequence `10`, traffic from any source to destination `10.30.30.0/24` and logs matches.
```
ip access-list logging-acl
  10 permit ip any 10.30.30.0 0.0.0.255 log
```
```yaml
---
vxlan:
  overlay_extensions:
    route_control:
      ipv4_access_lists:
        - name: logging-acl
          entries:
            - seq_number: 10
              operation: permit
              protocol: ip
              source:
                any: true
              destination:
                ip: 10.30.30.0/24
              log: true
      groups:
        - name: ipacl_RCtrlGrp
          ipv4_access_lists:
            - name: logging-acl
      switches:
        - name: netascode-leaf1
          groups:
            - ipacl_RCtrlGrp
```
### Example-4
In this ACL `http-option-acl` we enable statistics per entry. The ACL has two entries:

- `10` allows `TCP` traffic with http-method `GET` and a TCP option with a length of `4 bytes`.
- `20` allows `TCP` traffic with http-method `POST`.
```
ip access-list http-option-acl
  statistics per-entry
  10 permit tcp any any http-method get tcp-option-length 4
  20 permit tcp any any http-method post
```
```yaml
---
vxlan:
  overlay_extensions:
    route_control:
      ipv4_access_lists:
        - name: http-option-acl
          statistics_per_entry: true
          entries:
            - seq_number: 10
              operation: permit
              protocol: tcp
              source:
                any: true
              destination:
                any: true
              filtering_options:
                - http_method: get
                  tcp_option_length: 4
            - seq_number: 20
              operation: permit
              protocol: tcp
              source:
                any: true
              destination:
                any: true
              filtering_options:
                - http_method: post
      groups:
        - name: ipacl_RCtrlGrp
          ipv4_access_lists:
            - name: http-option-acl
      switches:
        - name: netascode-leaf1
          groups:
            - ipacl_RCtrlGrp
```
### Other IPv4 ACLs
```yaml
---
vxlan:
  overlay_extensions:
    route_control:
      ipv4_access_lists:
        # IP Precedence
        - name: ACL-ip_precedence
          entries:
            - seq_number: 10
              operation: permit
              protocol: ip
              source:
                any: true
              destination:
                any: true
              filtering_options:
                - precedence: critical
        # Filter UDP and TCP traffic.
        - name: acl-105
          entries:
            - seq_number: 10
              operation: permit
              protocol: udp
              source:
                any: true
              destination:
                any: true
                port_number:
                  operator: eq
                  port: 53
            - seq_number: 20
              operation: permit
              protocol: udp
              source:
                any: true
                port_number:
                  operator: eq
                  port: 53
              destination:
                any: true
            - seq_number: 30
              operation: permit
              protocol: tcp
              source:
                host: 10.1.1.1
              destination:
                host: 172.16.1.1
                port_number:
                  operator: range
                  from: 8080
                  to: 8082
        # Match UDF
        - name: udf-acl
          entries:
            - seq_number: 10
              protocol: udf
              operation: permit
              filtering_options:
                - udf:
                    name: pktoff10
                    value: 4660   # dec(4660) = hex(1234)
                    mask: 65535   # dec(65535) = hex(ffff)
        # Filter traffic with TTL equal to 1
        - name: ACL-TTL
          entries:
            - seq_number: 10
              protocol: ip
              operation: deny
              source:
                any: true
              destination:
                any: true
              filtering_options:
                - ttl: 1
            - seq_number: 100
              protocol: ip
              operation: permit
              source:
                any: true
              destination:
                any: true
        # Filter DSCP equal to EF
        - name: ACL-DSCP
          entries:
            - seq_number: 10
              protocol: ip
              operation: permit
              source:
                any: true
              destination:
                any: true
              filtering_options:
                - dscp: ef
        # Filter traffic with Time-range
        - name: ACL-timerange
          entries:
            - seq_number: 10
              operation: permit
              protocol: ip
              source:
                any: true
              destination:
                any: true
              filtering_options:
                - time_range: lunch
              log: true
        # Filter Fragmented traffic
        - name: ACL-Fragment
          entries:
            - seq_number: 10
              operation: permit
              protocol: ip
              source:
                any: true
              destination:
                any: true
              filtering_options:
                - fragments: true
        - name: ACL-Fragment2
          fragments: permit-all
        - name: ACL-ignoreroutable
          ignore_routable: true
        # Filter with Object-Group
        - name: ACL-AddGroup
          entries:
            - seq_number: 10
              operation: permit
              protocol: ip
              source:
                addrgroup: web_server
              destination:
                any: true
      groups:
        - name: ipacl_RCtrlGrp
          ipv4_access_lists:
            - name: ACL-ip_precedence
            - name: acl-105
            - name: udf-acl
            - name: ACL-TTL
            - name: ACL-DSCP
            - name: ACL-timerange
            - name: ACL-Fragment
            - name: ACL-Fragment2
            - name: ACL-ignoreroutable
            - name: ACL-AddGroup
      switches:
        - name: netascode-leaf1
          groups:
            - ipacl_RCtrlGrp
```
## IPv6 ACLs example
This IPv6 ACL `ACL6-101` has one entry, `10`. This sequence number allows TCP traffic from source `2001:db8:300:201::/64` with source port `23` to any destination. The ACL is used in group `ipacl_RCtrlGrp`, which is consumed by switch `netascode-leaf1`.
```
ipv6 access-list ACL6-101
  10 permit tcp 2001:db8:300:201::/64 eq telnet any
```
```yaml
---
vxlan:
  overlay_extensions:
    route_control:
      ipv6_access_lists:
        - name: ACL6-101
          entries:
            - seq_number: 10
              operation: permit
              protocol: tcp
              source:
                ip: 2001:db8:300:201::/64
                port_number:
                  operator: eq
                  port: 23
              destination:
                any: true
      groups:
        - name: ipacl_RCtrlGrp
          ipv6_access_lists:
            - name: ACL6-101
      switches:
        - name: netascode-leaf1
          groups:
            - ipacl_RCtrlGrp
```
### Other IPv6 examples

An IPv6 ACL with the option `extension_header` works only with Fretta (-R) platforms.
```yaml
---
vxlan:
  overlay_extensions:
    route_control:
      ipv6_access_lists:
        # Filter IPv6
        - name: ACL6-102
          entries:
            - seq_number: 10
              operation: permit
              protocol: tcp
              source:
                ip: 2001:db8:300:201::1/32
                port_number:
                  operator: eq
                  port: 80
              destination:
                ip: 2001:db8:300:202::1/32
        - name: snmp6-acl
          entries:
            - seq_number: 10
              operation: permit
              protocol: udp
              source:
                any: true
              destination:
                any: true
                port_number:
                  operator: eq
                  port: 161
            - seq_number: 20
              operation: permit
              protocol: udp
              source:
                any: true
              destination:
                any: true
                port_number:
                  operator: eq
                  port: 162
            - seq_number: 30
              operation: permit
              protocol: tcp
              source:
                any: true
              destination:
                any: true
                port_number:
                  operator: eq
                  port: 161
            - seq_number: 40
              operation: permit
              protocol: tcp
              source:
                any: true
              destination:
                any: true
                port_number:
                  operator: eq
                  port: 162
        - name: ACL6-Fragment
          entries:
            - seq_number: 10
              operation: permit
              protocol: ipv6
              source:
                any: true
              destination:
                any: true
              filtering_options:
                - fragments: true
        - name: ACL6-Fragment2
          fragments: permit-all
        - name: ACL6-ignoreroutable
          ignore_routable: true
        # Working on Fretta only (9x00 -R)
        - name: ACL6-extension_header
          extension_header: deny-all
      groups:
        - name: ipacl_RCtrlGrp
          ipv6_access_lists:
            - name: ACL6-102
            - name: snmp6-acl
            - name: ACL6-Fragment
            - name: ACL6-Fragment2
            - name: ACL6-ignoreroutable
            - name: ACL6-extension_header  # Fretta device only
      switches:
        - name: netascode-leaf1
          groups:
            - ipacl_RCtrlGrp
```