Understanding Access Lists
Access lists perform packet filtering to control which packets move through the network and where. Such controls help to limit network traffic and restrict the access of users and devices to the network. Access lists have many uses, and therefore many commands accept a reference to an access list in their command syntax. Access lists can be used to do the following:
An access control list (ACL) consists of one or more access control entries (ACE) that collectively define the network traffic profile. This profile can then be referenced by Cisco IOS XR software features such as traffic filtering, route filtering, QoS classification, and access control.
Traditional ACLs don’t support compression. Object-group ACLs use compression to accommodate the large number of ACEs.
Purpose of IP Access Lists
-
Filter incoming or outgoing packets on an interface.
-
Filter packets for mirroring.
-
Redirect traffic as required.
-
Restrict the contents of routing updates.
-
Limit debug output based on an address or protocol.
-
Control vty access.
-
Identify or classify traffic for advanced features, such as congestion avoidance, congestion management, and priority and custom queueing.
How an IP Access List Works
An access list is a sequential list consisting of permit and deny statements that apply to IP addresses and possibly upper-layer IP protocols. The access list has a name by which it is referenced. Many software commands accept an access list as part of their syntax.
An access list can be configured and named, but it is not in effect until the access list is referenced by a command that accepts an access list. Multiple commands can reference the same access list. An access list can control traffic arriving at the router or leaving the router, but not traffic originating at the router.
Source address and destination addresses are two of the most typical fields in an IP packet on which to base an access list. Specify source addresses to control packets from certain networking devices or hosts. Specify destination addresses to control packets being sent to certain networking devices or hosts.
You can also filter packets on the basis of transport layer information, such as whether the packet is a TCP, UDP, ICMP, or IGMP packet.
ACL Workflow
The following image illustrates the workflow of an ACL.
IP Access List Process and Rules
Use the following process and rules when configuring an IP access list:-
The software tests the source or destination address or the protocol of each packet being filtered against the conditions in the access list, one condition (permit or deny statement) at a time.
-
If a packet does not match an access list statement, the packet is then tested against the next statement in the list.
-
If a packet and an access list statement match, the remaining statements in the list are skipped and the packet is permitted or denied as specified in the matched statement. The first entry that the packet matches determines whether the software permits or denies the packet. That is, after the first match, no subsequent entries are considered.
-
If the access list denies the address or protocol, the software discards the packet and returns an Internet Control Message Protocol (ICMP) Host Unreachable message. ICMP is configurable in the Cisco IOS XR software.
-
If no conditions match, the software drops the packet because each access list ends with an unwritten or implicit deny statement. That is, if the packet has not been permitted or denied by the time it was tested against each statement, it is denied.
-
The access list should contain at least one permit statement or else all packets are denied.
-
Because the software stops testing conditions after the first match, the order of the conditions is critical. The same permit or deny statements specified in a different order could result in a packet being passed under one circumstance and denied in another circumstance.
-
Only one access list per interface, per protocol, per direction is allowed.
-
Inbound access lists process packets arriving at the router. Incoming packets are processed before being routed to an outbound interface. An inbound access list is efficient because it saves the overhead of routing lookups if the packet is to be discarded because it is denied by the filtering tests. If the packet is permitted by the tests, it is then processed for routing. For inbound lists, permit means continue to process the packet after receiving it on an inbound interface; deny means to discard the packet.
-
Outbound access lists process packets before they leave the router. Incoming packets are routed to the outbound interface and then processed through the outbound access list. For outbound lists, permit means send it to the output buffer; deny means discard the packet.
-
An access list cannot be removed if that access list is being applied by an access group in use. To remove an access list, remove the access group that is referencing the access list and then remove the access list.
-
Before removing an interface, which is configured with an ACL that denies certain traffic, you must remove the ACL and commit your configuration. If this is not done, then some packets are leaked through the interface as soon as the no interface <interface-name> command is configured and committed.
-
An access list must exist before you can use the ipv4 access group command.
-
ACL-based Forwarding (ABF) is not supported in common ACLs.
-
Filtering of MPLS packets with the explicit-null or de-aggregation label is supported on the ingress direction.
-
If the Ternary content-addressable memory (TCAM) utilization is high and large ACLs are modified, then an error may occur. During such instances, remove the ACL from the interface and reconfigure the ACL. Later, reapply the ACL to the interface.
-
You can configure an ACL name with a maximum of 64 characters.
-
You can configure an ACL name to comprise of only letters and numbers.
ACL Filtering by Wildcard Mask and Implicit Wildcard Mask
Address filtering uses wildcard masking to indicate whether the software checks or ignores corresponding IP address bits when comparing the address bits in an access-list entry to a packet being submitted to the access list. By carefully setting wildcard masks, an administrator can select a single or several IP addresses for permit or deny tests.
Wildcard masking for IP address bits uses the number 1 and the number 0 to specify how the software treats the corresponding IP address bits. A wildcard mask is sometimes referred to as an inverted mask, because a 1 and 0 mean the opposite of what they mean in a subnet (network) mask.
-
A wildcard mask bit 0 means check the corresponding bit value.
-
A wildcard mask bit 1 means ignore that corresponding bit value.
You do not have to supply a wildcard mask with a source or destination address in an access list statement. If you use the host keyword, the software assumes a wildcard mask of 0.0.0.0.
Unlike subnet masks, which require contiguous bits indicating network and subnet to be ones, wildcard masks allow noncontiguous bits in the mask.
You can also use CIDR format (/x) in place of wildcard bits. For example, the IPv4 address 1.2.3.4 0.255.255.255 corresponds to 1.2.3.4/8 and for IPv6 address 2001:db8:abcd:0012:0000:0000:0000:0000 corresponds to 2001:db8:abcd:0012::0/64.
Including Comments in Access Lists
You can include comments (remarks) about entries in any named IP access list using the remark access list configuration command. The remarks make the access list easier for the network administrator to understand and scan. Each remark line is limited to 255 characters.
The remark can go before or after a permit or deny statement. You should be consistent about where you put the remark so it is clear which remark describes which permit or deny statement. For example, it would be confusing to have some remarks before the associated permit or deny statements and some remarks after the associated statements. Remarks can be sequenced.
Remember to apply the access list to an interface or terminal line after the access list is created.
Display Access Lists
You can display the contents of the access lists access using the show access-lists command. Use the show access-lists ipv4 command to display the contents of all IPv4 access lists and for IPv6 access lists, use the show access-lists ipv6 command.
In the following example, the contents of all IPv4 access lists are displayed:
Router# show access-lists ipv4
ipv4 access-list test_ipv4
10 permit ipv4 any any
20 deny tcp any eq 2000 any eq 2000
30 permit tcp any eq 3000 any eq 3000
In the following example, the contents of all IPv6 access lists are displayed:
Router# show access-lists ipv6
ipv6 access-list test_ipv6
10 permit ipv6 any any
20 permit tcp any eq 3000 any eq 3000
To display the contents of a specific access list, use the name argument. Use the sequence-number argument to specify the sequence number of the access list.
In the following example, the contents of an access list named Internetfilter is displayed:
Router# show access-lists ipv6 Internetfilter
ipv6 access-list Internetfilter
3 remark Block BGP traffic from a given host
4 deny tcp host 6666:1:2:3::10 eq bgp host 7777:1:2:3::20 range 1300 1404 deny tcp host 171.69.2.88 255.255.0.0 any eq telnet
20 permit ipv6 3333:1:2:3::/64 any
25 permit ipv6 4444:1:2:3::/64 any
30 permit ipv6 5555:1:2:3::/64 any
You can see the hardware , ingress , and location keywords to display the access list hardware contents and counters for all interfaces that use the specified access list in a given direction. To display the contents of a specific access list entry, use the sequencenumber keyword and argument. The access group for an interface must be configured using the ipv4/ipv6 access-group command for access list hardware counters to be enabled.
In the following example, the contents of an access list named Test that has ACL-based policing is configured is displayed:
Router(config)# show ipv4 access-list Test hardware ingress location 0/1/CPU0 10 permit 192.168.34.0 0.0.0.255 (Accepted: 130 packets, Dropped: 0 packets) 20 permit 172.16.0.0 0.0.255.255 (Accepted: 1005 packets, Dropped: 0 packets) 30 permit 10.0.0.0 0.255.255.255 (Accepted: 10303 packets, Dropped: 7 packets)
In the following example, the contents of an access list named Test that has ACL-based policing is configured is displayed:
Router# show ipv6 access-lists Test hardware ingress location 0/1/CPU0
10 permit fec0:0:0:2::/64 any (Accepted: 24303 packets, Dropped: 0 packets)
20 permit any any (Accepted: 13 packets, Dropped: 0 packets)
The following example displays the ACL contents:
Router# show access-lists IPv4-ABF hardware ingress location 0/6/CPU0
Wed Feb 19 13:36:26.663 PST
ipv4 access-list IPv4-ABF
100 permit tcp host 27.0.0.2 any eq 8080 (6854367 matches) (next-hop: addr=21.0.0.2, vrf name=vrf1)
110 permit tcp any eq https any (6858321 matches) (next-hop: addr=200.1.1.2, vrf name=vrf2)
120 permit ipv4 any any (6940396 matches) (next-hop: addr=50.0.0.1, vrf name=default)
In the following example, the contents of all IPv6 access lists are displayed:
Router# show access-lists ipv6
ipv6 access-list test_ipv6
10 permit ipv6 any any
20 permit tcp any eq 3000 any eq 3000
In the following example, the details of a IPv4 access list for a hardware interface in ingress direction are displayed:
Router# show access-lists ipv4 objv4acl hardware ingress detail location 0/0/CPU0
objv4acl Details:
Sequence Number: 10
NPU ID: 0
Number of DPA Entries: 1
ACL ID: 2
ACE Action: PERMIT
ACE Logging: DISABLED
ABF Action: 0(ABF_NONE)
Hit Packet Count: 477 Byte Count: 30528
Source Address: 0.0.0.1 (Mask 255.255.255.254)
Destination Address: 0.0.0.1 (Mask 255.255.255.254)
DPA Entry: 1
Entry Index: 0
DPA Handle: 0x8E08F0A8
DSCP: 0x28 (Mask 0xFC)
Sequence Number: IMPLICIT DENY
NPU ID: 0
Number of DPA Entries: 1
ACL ID: 2
ACE Action: DENY
ACE Logging: DISABLED
ABF Action: 0(ABF_NONE)
Hit Packet Count: 0 Byte Count: 0
Source Address: 0.0.0.2 (Mask 255.255.255.253)
Destination Address: 0.0.0.2 (Mask 255.255.255.253)
DPA Entry: 1
Entry Index: 0
DPA Handle: 0x8E08F390
In the following example, the details of a IPv6 access list for a hardware interface in ingress direction are displayed:
Router# show access-lists ipv6 v6t1 hardware ingress detail location 0/0/CPU0
v6t1 Details:
Sequence Number: 10
NPU ID: 0
Number of DPA Entries: 1
ACL ID: 1
ACE Action: PERMIT
ACE Logging: DISABLED
ABF Action: 0(ABF_NONE)
Hit Packet Count: 0 Byte Count: 0
Source Address: 0:0:0:0::
Source Address Mask: 0:0:0:0::
Destination Address: 2222:0:0:0::
Destination Address Mask: ffff:ffff:ffff:ffff::
DPA Entry: 1
Entry Index: 0
DPA Handle: 0x8E3000A8
DSCP: 0x28 (Mask 0xFC)
Sequence Number: 20
NPU ID: 0
Number of DPA Entries: 1
ACL ID: 1
ACE Action: PERMIT
ACE Logging: DISABLED
ABF Action: 0(ABF_NONE)
Hit Packet Count: 0 Byte Count: 0
TCP Flags: 0x01 (Mask 0x01)
Protocol: 0x06 (Mask 0xFF)
Source Address: 0:0:0:0::
Source Address Mask: 0:0:0:0::
Destination Address: 2222:0:0:0::
Destination Address Mask: ffff:ffff:ffff:ffff::
DPA Entry: 1
Entry Index: 0
DPA Handle: 0x8E300390
Sequence Number: IMPLICIT NDNA PERMIT
NPU ID: 0
Number of DPA Entries: 1
ACL ID: 1
ACE Action: PERMIT
ACE Logging: DISABLED
ABF Action: 0(ABF_NONE)
Hit Packet Count: 0 Byte Count: 0
Protocol: 0x3A (Mask 0xFF)
Source Address: 0:0:0:0::
Source Address Mask: 0:0:0:0::
Destination Address: 0:0:0:0::
Destination Address Mask: 0:0:0:0::
DPA Entry: 1
Entry Index: 0
DPA Handle: 0x8E300678
Sequence Number: IMPLICIT NDNS PERMIT
NPU ID: 0
Number of DPA Entries: 1
ACL ID: 1
ACE Action: PERMIT
ACE Logging: DISABLED
ABF Action: 0(ABF_NONE)
Hit Packet Count: 0 Byte Count: 0
Protocol: 0x3A (Mask 0xFF)
Source Address: 0:0:0:0::
Source Address Mask: 0:0:0:0::
Destination Address: 0:0:0:0::
Destination Address Mask: 0:0:0:0::
DPA Entry: 1
Entry Index: 0
DPA Handle: 0x8E300960
Sequence Number: IMPLICIT DENY
NPU ID: 0
Number of DPA Entries: 1
ACL ID: 1
ACE Action: DENY
ACE Logging: DISABLED
ABF Action: 0(ABF_NONE)
Hit Packet Count: 0 Byte Count: 0
Source Address: 0:0:0:0::
Source Address Mask: 0:0:0:0::
Destination Address: 0:0:0:0::
Destination Address Mask: 0:0:0:0::
DPA Entry: 1
Entry Index: 0
DPA Handle: 0x8E300C48
Router# show ipv6 access-lists Test hardware ingress location 0/1/CPU0
ipv6 access-list Test
10 permit fec0:0:0:2::/64 any (24303 matches) (2459695 byte matches)
20 permit any any (13 matches) (246 byte matches)