The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter describes how to configure IP access control lists (ACLs) on the Cisco 1000 Series Connected Grid Routers (hereafter referred to as the Cisco CG-OS router).
Unless otherwise specified, the term IP ACL refers to IPv4 and IPv6 ACLs.
This chapter includes the following sections:
An ACL is an ordered set of rules that you can use to filter traffic. Each rule specifies a set of conditions that a packet must satisfy to match the rule. When the Cisco CG-OS router determines that an ACL applies to a packet, it tests the packet against the conditions of all rules. The first matching rule determines whether the packet is permitted or denied. If there is no match, the Cisco CG-OS router applies the applicable default rule. The Cisco CG-OS router continues processing packets that are permitted and drops packets that are denied. For more information, see Implicit Rules.
You can use ACLs to protect networks and specific hosts from unnecessary or unwanted traffic. For example, you could use ACLs to disallow HTTP traffic from a high-security network to the Internet. You could also use ACLs to allow HTTP traffic but only to specific sites, using the IP address of the site to identify it in an IP ACL.
This section includes the following topics:
The Cisco CG-OS router supports the following types of ACLs for security traffic filtering:
IP ACLs support one application, the router ACL, which filters Layer 3 traffic.
Table 9-1 summarizes the applications for security ACLs.
When the Cisco CG-OS router processes a packet, it determines the forwarding path of the packet. The path determines which ACLs that the Cisco CG-OS router applies to the traffic. The Cisco CG-OS router applies the ACLs in the following order:
Rules are what you create, modify, and remove when you configure how an ACL filters network traffic. Rules appear in the running configuration. When you apply an ACL to an interface or change a rule within an ACL that is already applied to an interface, the Cisco CG-OS router creates ACL entries from the rules in the running configuration and sends those ACL entries to the applicable interface. Depending on how you configure the ACL, there might be more ACL entries than rules, especially if you use object groups when you configure rules. For more information, see Policy-Based ACLs.
You can create rules in access-list configuration mode by using the permit or deny command.
The Cisco CG-OS router allows traffic that matches the criteria in a permit rule and blocks traffic that matches the criteria in a deny rule. You have many options for configuring the criteria that traffic must meet in order to match the rule.
This section describes some of the options that you can use when you configure a rule.
IPv4 and IPv6 ACLs allow you to identify traffic by protocol. For your convenience, you can specify some protocols by name. For example, in an IPv4 or IPv6 ACL, you can specify ICMP by name.
You can specify any protocol by number. In IPv4 and IPv6 ACLs, you can specify protocols by the integer that represents the Internet protocol number.
In each rule, you specify the source and the destination of the traffic that matches the rule. You can specify both the source and destination as a specific host, a network or group of hosts, or any host. How you specify the source and destination depends on whether you are configuring IPv4 or IPv6 ACLs. For information about specifying source and destination, see the applicable permit and deny commands.
IP ACLs have implicit rules, which means that although these rules do not appear in the running configuration, the Cisco CG-OS router applies them to traffic when no other rules in an ACL match. When you configure the Cisco CG-OS router to maintain per-rule statistics for an ACL, the Cisco CG-OS router does not maintain statistics for implicit rules.
All IPv4 ACLs include the following implicit rule:
This implicit rule ensures that the Cisco CG-OS router denies unmatched IP traffic.
All IPv6 ACLs include the following implicit rules:
Unless you configure an IPv6 ACL with a rule that denies ICMPv6 neighbor discovery messages, the first four rules ensure that the Cisco CG-OS router permits neighbor discovery advertisement and solicitation messages. The fifth rule ensures that the Cisco CG-OS router denies unmatched IPv6 traffic.
Note If you explicitly configure an IPv6 ACL with a deny ipv6 any any rule, the implicit permit rules can never permit traffic. If you explicitly configure a deny ipv6 any any rule but want to permit ICMPv6 neighbor discovery messages, explicitly configure a rule for all five implicit IPv6 ACL rules.
You can identify traffic by using additional options. These options differ by ACL type. The following list includes most but not all additional filtering options:
– Authentication Header Protocol
– Encapsulating Security Payload
– KA9Q NOS-compatible IP-over-IP tunneling
– Open Shortest Path First (OSPF versions 2 and 3)
– Payload Compression Protocol
– Differentiated Services Code Point (DSCP) value
– TCP packets with the ACK, FIN, PSH, RST, SYN, or URG bit set
– Authentication Header Protocol
– Encapsulating Security Payload
– Payload Compression Protocol
– Stream Control Transmission Protocol (SCTP)
– TCP packets with the ACK, FIN, PSH, RST, SYN, or URG bit set
For information about all filtering options available in rules, see the applicable permit and deny commands in the Command Lookup Tool on Cisco.com.
The Cisco CG-OS router supports sequence numbers for rules. Every rule that you enter receives a sequence number, either assigned by you or assigned automatically by the Cisco CG-OS router. Sequence numbers simplify the following ACL tasks:
However, if the same rule had a sequence number of 101, removing the rule requires only the following command:
When you enter a rule without a sequence number, the Cisco CG-OS router adds the rule to the end of the ACL and assigns it a sequence number that is 10 greater than the sequence number of the preceding rule. For example, if the last rule in an ACL has a sequence number of 225 and you add a rule without a sequence number, the Cisco CG-OS router assigns the sequence number 235 to the new rule.
In addition, Cisco CG-OS allows you to reassign sequence numbers to rules in an ACL. Resequencing is useful when an ACL has rules numbered contiguously, such as 100 and 101, and you need to insert one or more rules between those rules.
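The following Python model, added here as an illustration and not part of Cisco CG-OS or this chapter, shows the sequence-number behaviour described above: automatic numbering 10 greater than the last rule, removal by number instead of by repeating the rule text, and resequencing to open room between contiguous numbers such as 100 and 101. Two details are assumptions of the model rather than statements of the chapter: an empty list starts at sequence 10, and entering a number that is already in use is rejected.

```python
class SequencedRules:
    """Rules keyed by sequence number, following the chapter's numbering behaviour.

    Assumptions (not stated in the chapter): the first rule of an empty list gets
    sequence 10, and reusing a number already in use is rejected.
    """

    FIRST_SEQ = 10   # assumed starting number for an empty list
    STEP = 10        # chapter: 10 greater than the preceding rule

    def __init__(self):
        self._rules = {}             # sequence number -> rule text

    def add(self, text, seq=None):
        """Append with an automatic number, or insert at an explicit number."""
        if seq is None:
            seq = max(self._rules) + self.STEP if self._rules else self.FIRST_SEQ
        if seq in self._rules:
            raise ValueError(f"sequence number {seq} is already in use")
        self._rules[seq] = text
        return seq

    def remove(self, seq):
        """Removing by number: the rule text need not be repeated."""
        del self._rules[seq]

    def remove_by_text(self, text):
        """Without a number, the whole rule must be repeated to identify it."""
        for seq, existing in list(self._rules.items()):
            if existing == text:
                del self._rules[seq]
                return seq
        raise KeyError(text)

    def resequence(self, start, step):
        """Renumber every rule in order as start, start+step, ... (resequence command)."""
        ordered = [text for _, text in sorted(self._rules.items())]
        self._rules = {start + i * step: text for i, text in enumerate(ordered)}

    def ordered(self):
        return sorted(self._rules.items())


def demo() -> dict:
    """Walk through the chapter's scenarios and return the observed numbers."""
    acl = SequencedRules()
    acl.add("permit tcp any any eq 22", 100)
    acl.add("deny tcp any any eq 23", 101)
    # 100 and 101 are contiguous: no number is free between them.
    try:
        acl.add("permit udp any any eq 53", 101)
        inserted = True
    except ValueError:
        inserted = False
    acl.resequence(10, 10)              # rules become 10 and 20
    between = acl.add("permit udp any any eq 53", 15)
    acl.resequence(205, 10)             # 205, 215, 225
    auto = acl.add("deny ip any any")   # last rule is 225, so the new rule gets 235
    return {"inserted_before_resequence": inserted, "between": between,
            "auto": auto, "order": [seq for seq, _ in acl.ordered()]}
```

Removing by text works only when the rule is spelled exactly as it was entered; removing by sequence number needs only the number, which is the convenience the chapter points out.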
IP ACL rules for TCP and UDP traffic can use logical operators to filter traffic based on port numbers. The Cisco CG-OS router stores operator-operand couples in registers called logical operator units (LOUs). The Cisco CG-OS router supports 104 LOUs.
The LOU usage for each type of operator is as follows:
The following guidelines determine when the Cisco CG-OS router stores operator-operand couples in LOUs:
For example, the operator-operand couples “gt 10” and “gt 11” would be stored separately in half an LOU each. The couples “gt 10” and “lt 10” would also be stored separately.
You can enable the Cisco CG-OS router to create an informational log message for packets that match a rule.
Note ACL logging supports ACL processing that occurs on interfaces only. For more information about ACL processing, see Guidelines and Limitations.
The log message contains the following information about the packet:
You can use time ranges to control when an ACL rule is in effect. For example, if the Cisco CG-OS router determines that a particular ACL applies to traffic arriving on an interface, and a rule in the ACL uses a time range that is not in effect, the Cisco CG-OS router does not compare the traffic to that rule. The Cisco CG-OS router evaluates time ranges based on its clock.
When you apply an ACL that uses time ranges, the Cisco CG-OS router updates the affected interface whenever a time range referenced in the ACL starts or ends. Updates that are initiated by time ranges occur on a best-effort priority. When the Cisco CG-OS router is especially busy when a time range causes an update, the Cisco CG-OS router might delay the update by up to a few seconds.
IPv4 and IPv6 ACLs support time ranges. When the Cisco CG-OS router applies an ACL to traffic, the rules in effect are as follows:
The Cisco CG-OS router supports named, reusable time ranges, which allows you to configure a time range once and specify it by name when you configure many ACL rules. Time range names have a maximum length of 64 alphanumeric characters.
A time range contains one or more rules. The two types of rules are as follows:
– Start and end date and time both specified—The time range rule is active when the current time is later than the start date and time and earlier than the end date and time.
– Start date and time specified with no end date and time—The time range rule is active when the current time is later than the start date and time.
– No start date and time with end date and time specified—The time range rule is active when the current time is earlier than the end date and time.
– No start or end date and time specified—The time range rule is always active.
For example, you could prepare your network to allow access to a new subnet by specifying a time range that allows access beginning at midnight of the day that you plan to place the subnet online. You can use that time range in ACL rules that apply to the subnet. After the start time and date have passed, the Cisco CG-OS router automatically begins applying the rules that use this time range when it applies the ACLs that contain the rules.
Note The order of rules in a time range does not affect how a Cisco CG-OS router evaluates whether a time range is active. Cisco CG-OS includes sequence numbers in time ranges to make editing the time range easier.
Time ranges also allow you to include remarks, which you can use to insert comments into a time range. Remarks have a maximum length of 100 alphanumeric characters.
The Cisco CG-OS router determines whether a time range is active as follows:
When a time range contains both absolute and periodic rules, the periodic rules can only be active when at least one absolute rule is active.
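The following Python model, added as an illustration and not Cisco CG-OS code, implements the four absolute-rule cases listed above, the rule that a periodic rule can only be active while at least one absolute rule is active, and the effect on ACL evaluation: a rule whose time range is not in effect is not compared to traffic. The periodic-rule shape (a set of weekdays and a same-day time window) and the behaviour of a range that contains only periodic rules are assumptions of the model; the dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass
class AbsoluteRule:
    """Active after start and before end; either bound may be absent (the four cases above)."""
    start: Optional[datetime] = None
    end: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        after_start = self.start is None or now > self.start
        before_end = self.end is None or now < self.end
        return after_start and before_end


@dataclass
class PeriodicRule:
    """Recurring window on the given weekdays (Monday=0). Assumed shape, not chapter syntax."""
    weekdays: frozenset
    start: time
    end: time

    def active(self, now: datetime) -> bool:
        return now.weekday() in self.weekdays and self.start <= now.time() < self.end


class TimeRange:
    def __init__(self, name: str, rules):
        if len(name) > 64:
            raise ValueError("time range names have at most 64 characters")
        self.name = name
        self.rules = list(rules)        # order does not affect evaluation

    def active(self, now: datetime) -> bool:
        absolutes = [r for r in self.rules if isinstance(r, AbsoluteRule)]
        periodics = [r for r in self.rules if isinstance(r, PeriodicRule)]
        absolute_ok = not absolutes or any(r.active(now) for r in absolutes)
        # Assumed: a range with only periodic rules is active when any of them is.
        periodic_ok = not periodics or any(r.active(now) for r in periodics)
        # With both kinds present, a periodic rule can only make the range active
        # while at least one absolute rule is active.
        return absolute_ok and periodic_ok


def rules_in_effect(acl_rules, now: datetime):
    """Drop rules whose time range is not in effect; the router does not compare traffic to them."""
    return [r for r in acl_rules
            if r.get("time_range") is None or r["time_range"].active(now)]


# Constructed scenario: a new subnet comes online at midnight on 2024-06-01.
NEW_SUBNET = TimeRange("new-subnet", [AbsoluteRule(start=datetime(2024, 6, 1))])
ACL_RULES = [
    {"seq": 10, "text": "permit ip 10.2.0.0/16 any", "time_range": NEW_SUBNET},
    {"seq": 20, "text": "deny ip any any"},
]


def effective_sequence_numbers(now: datetime):
    return [r["seq"] for r in rules_in_effect(ACL_RULES, now)]
```

Because the router evaluates time ranges against its own clock, an unsynchronized clock shifts every start and end in the model above by the same error; the chapter's note that updates triggered by time ranges are best effort adds a further delay of up to a few seconds.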
The Cisco CG-OS router supports policy-based ACLs (PBACLs), which allow you to apply access control policies across object groups. An object group is a group of IP addresses or a group of TCP or UDP ports. When you create a rule, you specify the object groups rather than specifying IP addresses.
Using object groups when you configure IPv4 or IPv6 ACLs can help reduce the complexity of updating ACLs when you need to add or remove addresses from the source or destination of rules. For example, if three rules reference the same IP address group object, you can add an IP address to the object instead of changing all three rules.
PBACLs do not reduce the resources required by an ACL when you apply it to an interface. When you apply a PBACL or update a PBACL that is already applied, the Cisco CG-OS router expands each rule that refers to object groups into one ACL entry per object within the group. If a rule specifies the source and destination both with object groups, the number of ACL entries created on the interface when you apply the PBACL is equal to the number of objects in the source group multiplied by the number of objects in the destination group.
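The following Python model, added as an illustration and not Cisco CG-OS code, expands rules that reference object groups into the ACL entries the router would send to an interface, so the entry count described above (source members multiplied by destination members) can be checked directly. It also shows the maintenance benefit from the previous paragraph: adding one address to a group changes every rule that references it. The group names and addresses are constructed; the representation of a group reference as a bare group name is an assumption of the model.

```python
from copy import deepcopy


def expand_rule(rule: dict, groups: dict) -> list:
    """Expand one rule into ACL entries: one entry per combination of group members.

    rule: {"action", "proto", "src", "dst"}; src/dst are a literal address spec or,
    when the string names a key in `groups`, an object-group reference (assumed form).
    """
    def members(spec):
        return groups[spec] if spec in groups else [spec]
    return [dict(rule, src=s, dst=d)
            for s in members(rule["src"]) for d in members(rule["dst"])]


def expand_acl(rules: list, groups: dict) -> list:
    """All entries an interface receives when the PBACL is applied or updated."""
    entries = []
    for rule in rules:
        entries.extend(expand_rule(rule, groups))
    return entries


# Constructed groups and rules: three rules reference the same destination group.
GROUPS = {
    "branch-hosts": ["host 10.1.0.5", "host 10.1.0.6", "10.1.2.0/24"],
    "web-servers": ["host 192.0.2.10", "host 192.0.2.11"],
}
RULES = [
    {"action": "permit", "proto": "tcp", "src": "branch-hosts", "dst": "web-servers"},
    {"action": "permit", "proto": "tcp", "src": "any", "dst": "web-servers"},
    {"action": "deny", "proto": "ip", "src": "host 10.9.9.9", "dst": "web-servers"},
]


def entry_counts_before_and_after() -> tuple:
    """Per-rule entry counts, then the same after one server is added to the group."""
    before = [len(expand_rule(r, GROUPS)) for r in RULES]
    grown = deepcopy(GROUPS)
    grown["web-servers"].append("host 192.0.2.12")   # one change, every rule follows
    after = [len(expand_rule(r, grown)) for r in RULES]
    return before, after
```

The first rule uses groups on both ends, so it alone produces 3 x 2 = 6 entries; growing the destination group by one address adds an entry to each of the three rules without touching the rules themselves, which is exactly why PBACLs ease maintenance but do not reduce the resources an applied ACL consumes.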
The following object group types apply to the Cisco CG-OS router:
The Cisco CG-OS router can maintain global statistics for each rule that you configure in IPv4 and IPv6 ACLs. If an ACL is applied to multiple interfaces, the maintained rule statistics are the sum of packet matches (hits) on all the interfaces on which that ACL is applied.
Note The Cisco CG-OS router does not support interface-level ACL statistics.
For each ACL that you configure, you can specify whether the Cisco CG-OS router maintains statistics for that ACL, which allows you to turn ACL statistics on or off as needed to monitor traffic filtered by an ACL or to help troubleshoot the configuration of an ACL.
The Cisco CG-OS router does not maintain statistics for implicit rules in an ACL. For example, the Cisco CG-OS router does not maintain a count of packets that match the implicit deny ip any any rule at the end of all IPv4 ACLs. If you want to maintain statistics for implicit rules, then you must explicitly configure the ACL with rules that are identical to the implicit rules. For more information, see Implicit Rules.
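The following Python model, added as an illustration and not Cisco CG-OS code, ties together the first-match evaluation and implicit rules described in the Implicit Rules section with the statistics behaviour described here: the first matching rule decides, the implicit rules are consulted last, and hits are counted only for configured rules, never for implicit ones, so an explicit deny ip any any is the only way to count unmatched packets. Packets are simplified dictionaries; the four ICMPv6 message names used for the implicit IPv6 neighbor-discovery permits are an assumption of the model, and all addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    seq: int
    action: str                     # "permit" or "deny"
    proto: str                      # "ip"/"ipv6" match any protocol; else "tcp", "udp", "icmpv6", ...
    src: str                        # "any", "host <addr>", or a prefix such as "10.0.0.0/8"
    dst: str
    dst_port: Optional[int] = None
    icmp_type: Optional[str] = None
    implicit: bool = False          # implicit rules never appear in the running configuration
    hits: int = 0                   # per-rule statistic (packet matches)


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(addr) == ip_address(spec[5:])
    return ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: Rule, pkt: dict) -> bool:
    """True when every condition of the rule holds for the packet."""
    proto_ok = rule.proto in ("ip", "ipv6") or rule.proto == pkt["proto"]
    return (proto_ok
            and _addr_matches(rule.src, pkt["src"])
            and _addr_matches(rule.dst, pkt["dst"])
            and (rule.dst_port is None or rule.dst_port == pkt.get("dst_port"))
            and (rule.icmp_type is None or rule.icmp_type == pkt.get("icmp_type")))


def implicit_rules(family: str) -> list:
    """The implicit rules the chapter describes; they are applied after all configured rules."""
    if family == "ipv4":
        return [Rule(0, "deny", "ip", "any", "any", implicit=True)]
    # IPv6: four permits for neighbor-discovery advertisements and solicitations, then a
    # deny. The ICMPv6 message names below are an assumption of this model.
    nd_types = ["nd-na", "nd-ns", "router-advertisement", "router-solicitation"]
    return ([Rule(0, "permit", "icmpv6", "any", "any", icmp_type=t, implicit=True)
             for t in nd_types]
            + [Rule(0, "deny", "ipv6", "any", "any", implicit=True)])


class Acl:
    """An ordered IP ACL with first-match evaluation and optional per-rule statistics."""

    def __init__(self, name: str, family: str, statistics: bool = False):
        self.name = name
        self.family = family            # "ipv4" or "ipv6"
        self.statistics = statistics    # whether statistics are enabled for this ACL
        self.rules = []

    def add(self, rule: Rule) -> None:
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.seq)

    def evaluate(self, pkt: dict) -> str:
        """Return "permit" or "deny": the first matching rule decides, implicit rules last."""
        for rule in self.rules + implicit_rules(self.family):
            if matches(rule, pkt):
                if self.statistics and not rule.implicit:
                    rule.hits += 1      # implicit rules are never counted
                return rule.action
        raise RuntimeError("unreachable: the implicit deny matches every packet")

    def hits(self) -> dict:
        return {r.seq: r.hits for r in self.rules}


def demo_ipv4() -> tuple:
    """Constructed IPv4 ACL: returns the verdicts for three packets and the hit counts."""
    acl = Acl("web-in", "ipv4", statistics=True)
    acl.add(Rule(10, "permit", "tcp", "10.0.0.0/8", "any", dst_port=80))
    acl.add(Rule(20, "deny", "tcp", "host 10.1.1.1", "any"))
    pkts = [
        {"proto": "tcp", "src": "10.1.1.1", "dst": "192.0.2.10", "dst_port": 80},      # rule 10 wins
        {"proto": "tcp", "src": "10.1.1.1", "dst": "192.0.2.10", "dst_port": 22},      # rule 20
        {"proto": "udp", "src": "198.51.100.7", "dst": "192.0.2.10", "dst_port": 53},  # implicit deny
    ]
    return tuple(acl.evaluate(p) for p in pkts), acl.hits()
```

In the IPv4 demonstration the host 10.1.1.1 is denied by rule 20 yet its HTTP traffic is permitted, because rule 10 matches first; the dropped UDP packet leaves no trace in the hit counts until an explicit deny ip any any is configured at the end of the ACL.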
For information about displaying IP ACL statistics, see Monitoring and Clearing IP ACL Statistics.
You must be familiar with IP addressing and protocols to configure IP ACLs.
You must be familiar with the interface types that you want to configure with ACLs.
Cisco recommends that you perform ACL configuration using the Session Manager. This feature allows you to verify ACL configuration and confirm that the resources required by the configuration are available prior to committing them to the running configuration. This is especially useful for ACLs that include more than about 1000 rules.
In most cases, ACL processing for IP packets occurs on the interfaces, which use hardware that accelerates ACL processing. Management interface traffic is always processed on the main board of the Cisco CG-OS router as are IP packets (in any of the following categories) that are exiting a Layer 3 interface:
Table 9-2 lists the default settings for IP ACL parameters.
Implicit rules apply to all ACLs. (See Implicit Rules.)
This section includes the following topics:
You can create an IPv4 ACL or IPv6 ACL on the Cisco CG-OS router and add rules to it.
Cisco recommends that you perform ACL configuration using the Session Manager. This feature allows you to verify ACL configuration and confirm that the resources required by the configuration are available prior to committing them to the running configuration.
You can add and remove rules in an existing IPv4 or IPv6 ACL. You cannot change existing rules. Instead, to change a rule, you can remove it and recreate it with the desired changes.
If you need to add more rules between existing rules than the current sequence numbering allows, you can use the resequence command to reassign sequence numbers. For more information, see Changing Sequence Numbers in an IP ACL.
Cisco recommends that you perform ACL configuration using the Session Manager. This feature allows you to verify ACL configuration and confirm that the resources required by the configuration are available prior to committing them to the running configuration.
You can change all the sequence numbers assigned to the rules in an IP ACL.
Ensure that you know whether the ACL is applied to an interface. The Cisco CG-OS router allows you to remove ACLs that are currently applied. Removing an ACL does not affect the configuration of interfaces where you have applied the ACL. Instead, the Cisco CG-OS router considers the removed ACL to be empty. Use the show ip access-lists command or the show ipv6 access-lists command with the summary keyword to find the interfaces that an IP ACL is configured on.
You can apply an IPv4 or IPv6 ACL to any of the following types of interfaces:
ACLs applied to these interface types are considered router ACLs.
Ensure that the ACL you want to apply exists and that it is configured to filter traffic in the manner that you need for this application. For more information, see Creating an IP ACL or Changing an IP ACL.
To display IP ACL configuration information, use one of the following commands:
Displays the ACL configuration, including IP ACL configuration and interfaces that IP ACLs are applied to.
Displays the configuration of an interface to which you have applied an ACL.
For detailed information about the fields in the output from these commands, refer to the Command Lookup Tool on Cisco.com.
To display or clear IP ACL statistics, use one of the following commands:
For detailed information about the fields in the output from these commands, refer to the Command Lookup Tool on Cisco.com.
The following example shows how to create an IPv6 ACL named acl-120 and apply it as a router ACL to Ethernet interface 2/3, which is a Layer 3 interface:
You can use object groups to specify source and destination addresses in IPv4 ACL and IPv6 ACL rules.
This section includes the following topics:
Session Manager supports the configuration of object groups. This feature allows you to create a configuration session and verify your object group configuration changes prior to committing them to the running configuration.
You can remove an IPv4 address object group and an IPv6 address object group.
To display object-group configuration information, use one of the following commands:
For detailed information about the fields in the output from these commands, see the Command Lookup Tool on Cisco.com.
This section includes the following topics:
Session Manager supports the configuration of time ranges. This feature allows you to create a configuration session and verify your time-range configuration changes prior to committing them to the running configuration.
This example shows how to create a time range on the Cisco CG-OS router and add rules to it.
You can add and remove rules in an existing time range.
Note You cannot change existing rules. Instead, to change a rule, you can remove it using the no version of the command and recreate it with the desired changes.
When you need to add more rules between existing rules than the current sequence numbering allows, you can use the resequence command to reassign sequence numbers. For more information, see Changing Sequence Numbers in a Time Range.
Ensure that you know whether the time range is used in any ACL rules. The Cisco CG-OS router allows you to remove time ranges that are used in ACL rules. Removing a time range that is in use in an ACL rule does not affect the configuration of interfaces where you have applied the ACL. Instead, the Cisco CG-OS router considers the ACL rule using the removed time range to be empty.
You can change all the sequence numbers assigned to rules in a time range.
To display time-range configuration information, use one of the following commands:
For detailed information about the fields in the output from these commands, see the Command Lookup Tool on Cisco.com.