IP ACLs
sidebar_position: 3
An ACL is an ordered set of rules that you can use to filter traffic. Each rule specifies a set of conditions that a packet must satisfy to match the rule. When the device determines that an ACL applies to a packet, it tests the packet against the conditions of all rules. The first matching rule determines whether the packet is permitted or denied. If there is no match, the device applies the applicable implicit rule. The device continues processing packets that are permitted and drops packets that are denied.
Diagram
Classes
route_control (vxlan.overlay_extensions)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ipv4_access_lists | List | [ipv4_access_lists] | No | |
| ipv6_access_lists | List | [ipv6_access_lists] | No |
ipv4_access_lists (vxlan.overlay_extensions.route_control)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: ^[A-Za-z0-9-_]{1,63}$ | Yes | |
| entries | List | [entries] | No | |
| statistics_per_entry | Boolean | true, false | No | |
| fragments | Choice | deny-all, permit-all | No | |
| ignore_routable | Boolean | true, false | No |
ipv6_access_lists (vxlan.overlay_extensions.route_control)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: ^[A-Za-z0-9-_]{1,63}$ | Yes | |
| entries | List | [entries] | No | |
| statistics_per_entry | Boolean | true, false | No | |
| fragments | Choice | deny-all, permit-all | No | |
| ignore_routable | Boolean | true, false | No | |
| extension_header | Choice | permit-all, deny-all | No |
entries (vxlan.overlay_extensions.route_control.ipv4_access_lists)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| seq_number | Integer | min: 1, max: 4294967294 | Yes | |
| operation | Choice | permit, deny | No | |
| remark | String | No | ||
| protocol | Any | Integer[min: 0, max: 255] or Choice[ahp, eigrp, esp, gre, icmp, igmp, ip, nos, ospf, pcp, pim, tcp, udf, udp] | No | |
| source | Class | [source] | No | |
| destination | Class | [destination] | No | |
| filtering_options | List | [filtering_options] | No | |
| log | Boolean | true, false | No |
entries (vxlan.overlay_extensions.route_control.ipv6_access_lists)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| seq_number | Integer | min: 1, max: 4294967294 | Yes | |
| operation | Choice | permit, deny | No | |
| remark | String | No | ||
| protocol | Any | Integer[min: 0, max: 255] or Choice[ahp, eigrp, esp, icmp, ipv6, pcp, pim, sctp, tcp, udf, udp] | No | |
| source | Class | [source] | No | |
| destination | Class | [destination] | No | |
| filtering_options | List | [filtering_options] | No | |
| log | Boolean | true, false | No |
source (vxlan.overlay_extensions.route_control.ipv4_access_lists.entries)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ip | IP | No | ||
| wildcard | IP | No | ||
| addrgroup | String | No | ||
| any | Boolean | true, false | No | |
| host | IP | No | ||
| port_number | Class | [port_number] | No |
filtering_options (vxlan.overlay_extensions.route_control.ipv4_access_lists.entries)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| flags | List | [flags] | No | |
| dscp | Any | Integer[min: 0, max: 63] or Choice[af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, ef, default] | No | |
| http_method | Any | Integer[min: 1, max: 7] or Choice[connect, delete, get, head, post, put, trace] | No | |
| tcp_option_length | Integer | min: 0, max: 40 | No | |
| tcp_flags_mask | Integer | min: 0, max: 63 | No | |
| ttl | Integer | min: 0, max: 255 | No | |
| udf | Class | [udf] | No | |
| packet_length | Class | [packet_length] | No | |
| time_range | String | No | ||
| precedence | Any | Integer[min: 0, max: 7] or Choice[critical, flash, flash-override, immediate, internet, network, priority, routine] | No | |
| set_erspan_dscp | Integer | min: 1, max: 63 | No | |
| set_erspan_gre_proto | Integer | min: 1, max: 65535 | No | |
| load_share | Boolean | true, false | No | |
| fragments | Boolean | true, false | No |
source (vxlan.overlay_extensions.route_control.ipv6_access_lists.entries)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ip | IP | No | ||
| wildcard | IP | No | ||
| addrgroup | String | No | ||
| any | Boolean | true, false | No | |
| host | IP | No | ||
| port_number | Class | [port_number] | No |
filtering_options (vxlan.overlay_extensions.route_control.ipv6_access_lists.entries)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| flags | List | [flags] | No | |
| dscp | Any | Integer[min: 0, max: 63] or Choice[af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, ef, default] | No | |
| tcp_flags_mask | Integer | min: 0, max: 63 | No | |
| ttl | Integer | min: 0, max: 255 | No | |
| udf | Class | [udf] | No | |
| packet_length | Class | [packet_length] | No | |
| time_range | String | No | ||
| precedence | Any | Integer[min: 0, max: 7] or Choice[critical, flash, flash-override, immediate, internet, network, priority, routine] | No | |
| load_share | Boolean | true, false | No | |
| fragments | Boolean | true, false | No |
port_number (vxlan.overlay_extensions.route_control.ipv4_access_lists.entries.source)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| operator | Choice | eq, gt, lt, neq, range | No | |
| port | Integer | min: 0, max: 65535 | No | |
| from | Integer | min: 0, max: 65535 | No | |
| to | Integer | min: 0, max: 65535 | No |
flags (vxlan.overlay_extensions.route_control.ipv4_access_lists.entries.filtering_options)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| establish | Boolean | true, false | No | |
| ack | Boolean | true, false | No | |
| fin | Boolean | true, false | No | |
| psh | Boolean | true, false | No | |
| rst | Boolean | true, false | No | |
| syn | Boolean | true, false | No | |
| urg | Boolean | true, false | No |
udf (vxlan.overlay_extensions.route_control.ipv4_access_lists.entries.filtering_options)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | No | ||
| value | Integer | min: 0, max: 65535 | No | |
| mask | Integer | min: 0, max: 65535 | No |
packet_length (vxlan.overlay_extensions.route_control.ipv4_access_lists.entries.filtering_options)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| operation | Choice | eq, gt, lt, neq, range | No | |
| size | Integer | min: 20, max: 9210 | No | |
| from | Integer | mint: 20, max: 9210 | No | |
| to | Integer | mint: 20, max: 9210 | No |
Examples
Example-1
In this example, we have an IPv4 ACL named myACL with a remark in the sequence number 5 to describe the next entry or entries. In the sequence 10 we permit traffic with protocol IP between the source 192.168.10.0/24 and the destination 192.168.200.0/24.
ip access-list myacl 5 remark Allow_traffic 10 permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255---vxlan: overlay_extensions: route_control: ipv4_access_lists: - name: myACL entries: - seq_number: 5 remark: Allow_traffic - seq_number: 10 operation: permit protocol: ip source: ip: 192.168.10.0 wildcard: 0.0.0.255 destination: ip: 192.168.200.0 wildcard: 0.0.0.255 groups: - name: ipacl_RCtrlGrp ipv4_access_lists: - name: myACL switches: - name: netascode-leaf1 groups: - ipacl_RCtrlGrpExample-2
These two ACLs acl-103 and acl-104 filter TCP traffic.
The ACL acl-103 allows TCP traffic with port greater (gt) than 1023 with Flag established in the entry 10. The ACL acl-104 has two entries:
10allowsTCPtraffic from any source IP with source port80to destination192.168.1.100/3220allowsTCPtraffic fron source IP192.168.1.0/24to the destination port20with flagestablished.
ip access-list acl-103 10 permit tcp any any gt 1023 establishedip access-list acl-104 10 permit tcp any eq www 192.168.1.100/32 20 permit tcp any 192.168.1.0 0.0.0.255 eq ftp-data established---vxlan: overlay_extensions: route_control: ipv4_access_lists: - name: acl-103 entries: - seq_number: 10 operation: permit protocol: tcp source: any: true destination: any: true port_number: operator: gt port: 1023 filtering_options: - flags: - establish: true - name: acl-104 entries: - seq_number: 10 operation: permit protocol: tcp source: any: true port_number: operator: eq port: 80 destination: host: 192.168.1.100/32 - seq_number: 20 operation: permit protocol: tcp source: any: true destination: ip: 192.168.1.101/24 port_number: operator: eq port: 20 filtering_options: - flags: - establish: true groups: - name: ipacl_RCtrlGrp ipv4_access_lists: - name: acl-103 - name: acl-104 switches: - name: netascode-leaf1 groups: - ipacl_RCtrlGrpExample-3
This ACL logging-acl will allow in the sequence 10 traffic fron any source to destination 10.30.30.0/24 and log matches.
ip access-list logging-acl 10 permit ip any 10.30.30.0 0.0.0.255 log---vxlan: overlay_extensions: route_control: ipv4_access_lists: - name: logging-acl entries: - seq_number: 10 operation: permit protocol: ip source: any: true destination: ip: 10.30.30.0/24 log: true groups: - name: ipacl_RCtrlGrp ipv4_access_lists: - name: logging-acl switches: - name: netascode-leaf1 groups: - ipacl_RCtrlGrpExample-4
In this ACL http-option-acl we will enable statistics per entry. This ACL has two entries:
10allowsTCPtraffic with http-method:GETand TCP-option with a length of4 bytes.20allowsTCPtraffic with http-method:POST.
ip access-list http-option-acl statistics per-entry 10 permit tcp any any http-method get tcp-option-length 4 20 permit tcp any any http-method post---vxlan: overlay_extensions: route_control: ipv4_access_lists: - name: http-option-acl statistics_per_entry: true entries: - seq_number: 10 operation: permit protocol: tcp source: any: true destination: any: true filtering_options: - http_method: get tcp_option_length: 4 - seq_number: 20 operation: permit protocol: tcp source: any: true destination: any: true filtering_options: - http_method: post groups: - name: ipacl_RCtrlGrp ipv4_access_lists: - name: http-option-acl switches: - name: netascode-leaf1 groups: - ipacl_RCtrlGrpOther IPv4 ACLs
---vxlan: overlay_extensions: route_control: # IP Precedence ipv4_access_lists: - name: ACL-ip_precedence entries: - seq_number: 10 operation: permit protocol: ip source: any: true destination: any: true filtering_options: - precedence: critical # Filter UDP and TCP traffic. - name: acl-105 entries: - seq_number: 10 operation: permit protocol: udp source: any: true destination: any: true port_number: operator: eq port: 53 - seq_number: 20 operation: permit protocol: udp source: any: true port_number: operator: eq port: 53 destination: any: true - seq_number: 30 operation: permit protocol: tcp source: host: 10.1.1.1 destination: host: 172.16.1.1 port_number: operator: range from: 8080 to: 8082 # Match UDF - name: udf-acl entries: - seq_number: 10 protocol: udf operation: permit filtering_options: - udf: name: pktoff10 value: 4660 # dec(4660) = hex(1234) mask: 65535 # dec(65535) = hex(ffff) # Filter traffic with TTL equal to 1 - name: ACL-TTL entries: - seq_number: 10 protocol: ip operation: deny source: any: true destination: any: true filtering_options: - ttl: 1 - seq_number: 100 protocol: ip operation: permit source: any: true destination: any: true # Filter DSCP equal to EF - name: ACL-DSCP entries: - seq_number: 10 protocol: ip operation: permit source: any: true destination: any: true filtering_options: - dscp: ef # Filter traffic with Time-range - name: ACL-timerange entries: - seq_number: 10 operation: permit protocol: ip source: any: true destination: any: true filtering_options: - time_range: lunch log: true # Filter Fragmented traffic - name: ACL-Fragment entries: - seq_number: 10 operation: permit protocol: ip source: any: true destination: any: true filtering_options: - fragments: true - name: ACL-Fragment2 fragments: permit-all - name: ACL-ignoreroutable ignore_routable: true # Filter with Object-Group - name: ACL-AddGroup entries: - seq_number: 10 operation: permit protocol: ip source: addrgroup: web_server destination: any: true groups: - name: ipacl_RCtrlGrp ipv4_access_lists: - name: ACL-ip_precedence - name: acl-105 - name: udf-acl - name: ACL-TTL - name: ACL-DSCP - name: ACL-timerange - name: ACL-Fragment - name: ACL-Fragment2 - name: ACL-ignoreroutable - name: ACL-AddGroup switches: - name: netascode-leaf1 groups: - ipacl_RCtrlGrpIPv6 ACLs example
This IPv6 ACL ACL6-101 has one entry 10. This sequence number allows TCP traffic from source 2001:db8:300:201::/64 with source port 23 to any destination. This ACL is used in group ipacl_RCtrlGrp, which is consumed by switch netascode-leaf1.
ipv6 access-list ACL6-101 10 permit tcp 2001:db8:300:201::/64 eq telnet any---vxlan: overlay_extensions: route_control: ipv6_access_lists: - name: ACL6-101 entries: - seq_number: 10 operation: permit protocol: tcp source: ip: 2001:db8:300:201::/64 port_number: operator: eq port: 23 destination: any: true groups: - name: ipacl_RCtrlGrp ipv6_access_lists: - name: ACL6-101 switches: - name: netascode-leaf1 groups: - ipacl_RCtrlGrpOther IPv6 examples
IPv6 ACL with option extension_header works only with Fretta (-R).
---vxlan: overlay_extensions: route_control: ipv6_access_lists: # Filter IPv6 - name: ACL6-102 entries: - seq_number: 10 operation: permit protocol: tcp source: ip: 2001:db8:300:201::1/32 port_number: operator: eq port: 80 destination: ip: 2001:db8:300:202::1/32 - name: snmp6-acl entries: - seq_number: 10 operation: permit protocol: udp source: any: true destination: any: true port_number: operator: eq port: 161 - seq_number: 20 operation: permit protocol: udp source: any: true destination: any: true port_number: operator: eq port: 162 - seq_number: 30 operation: permit protocol: tcp source: any: true destination: any: true port_number: operator: eq port: 161 - seq_number: 40 operation: permit protocol: tcp source: any: true destination: any: true port_number: operator: eq port: 162 - name: ACL6-Fragment entries: - seq_number: 10 operation: permit protocol: ipv6 source: any: true destination: any: true filtering_options: - fragments: true - name: ACL6-Fragment2 fragments: permit-all - name: ACL6-ignoreroutable ignore_routable: true # # Working on Fretta only (9x00 -R) - name: ACL6-extension_header extension_header: deny-all groups: - name: ipacl_RCtrlGrp ipv6_access_lists: - name: ACL6-102 - name: snmp6-acl - name: ACL6-Fragment - name: ACL6-Fragment2 - name: ACL6-ignoreroutable - name: ACL6-extension_header # Fretta device only switches: - name: netascode-leaf1 groups: - ipacl_RCtrlGrp