Understanding Access Lists
Access lists perform packet filtering to control which packets move through the network and where. Such controls help to limit network traffic and restrict the access of users and devices to the network. Access lists have many uses, and therefore many commands accept a reference to an access list in their command syntax. Access lists can be used to do the following:
An access control list (ACL) consists of one or more access control entries (ACE) that collectively define the network traffic profile. This profile can then be referenced by Cisco IOS XR software features such as traffic filtering, route filtering, QoS classification, and access control.
ACL compression refers to the concept of "compressing" the ACL in hardware in order to save TCAM space for large ACLs.
Traditional ACLs don’t support compression. Object-group ACLs use compression to accommodate the large number of ACEs. However, traditional ingress IPv4 and IPv6 ACLs are configured on external TCAM of NC57-18DD-SE line cards for both NCS 5500 and NCS 5700. Configuration of ACLs on external TCAM provides more space in the internal TCAM for other configurations.
Traditional ACLs are configured on internal TCAMs of routers.
Purpose of IP Access Lists
- Filter incoming or outgoing packets on an interface.
- Filter packets for mirroring.
- Redirect traffic as required.
- Restrict the contents of routing updates.
- Limit debug output based on an address or protocol.
- Control vty access.
- Identify or classify traffic for advanced features, such as congestion avoidance, congestion management, and priority and custom queueing.
How an IP Access List Works
An access list is a sequential list consisting of permit and deny statements that apply to IP addresses and possibly upper-layer IP protocols. The access list has a name by which it is referenced. Many software commands accept an access list as part of their syntax.
An access list can be configured and named, but it is not in effect until the access list is referenced by a command that accepts an access list. Multiple commands can reference the same access list. An access list can control traffic arriving at the router or leaving the router, but not traffic originating at the router.
Source address and destination addresses are two of the most typical fields in an IP packet on which to base an access list. Specify source addresses to control packets from certain networking devices or hosts. Specify destination addresses to control packets being sent to certain networking devices or hosts.
You can also filter packets on the basis of transport layer information, such as whether the packet is a TCP, UDP, ICMP, or IGMP packet.
ACL Workflow
The following image illustrates the workflow of an ACL.
ACL Protocols
The following ACL protocol types are supported on NCS5500:
- IPv4
- IPv6
- L2 (Ethernet-Services)
When an ACL of a particular protocol type is attached to an interface in a given direction, that interface must be configured for the specific protocol and the ACL only applies to traffic of that protocol type flowing on the interface.
IP Access List Process and Rules
Use the following process and rules when configuring an IP access list:
- The software tests the source or destination address or the protocol of each packet being filtered against the conditions in the access list, one condition (permit or deny statement) at a time.
- The packet is matched against the ACEs within an ACL in the order of their sequence numbers.
- If a packet and an access list statement match, the remaining statements in the list are skipped and the packet is permitted or denied as specified in the matched statement. The first entry that the packet matches determines whether the software permits or denies the packet. That is, after the first match, no subsequent entries are considered.
- If the access list denies the address or protocol, the software discards the packet.
- If no conditions match, the software drops the packet because each access list ends with an unwritten or implicit deny statement. That is, if the packet has not been permitted or denied by the time it was tested against each statement, it is denied.
- The access list should contain at least one permit statement or else all packets are denied.
- Because the software stops testing conditions after the first match, the order of the conditions is critical. The same permit or deny statements specified in a different order could result in a packet being passed under one circumstance and denied in another circumstance.
- Only one access list per interface, per protocol, per direction is allowed.
- Inbound access lists process packets arriving at the router. Incoming packets are processed before being routed to an outbound interface. An inbound access list is efficient because it saves the overhead of routing lookups if the packet is to be discarded because it is denied by the filtering tests. If the packet is permitted by the tests, it is then processed for routing. For inbound lists, permit means continue to process the packet after receiving it on an inbound interface; deny means to discard the packet.
- Outbound access lists process packets before they leave the router. Incoming packets are routed to the outbound interface and then processed through the outbound access list. For outbound lists, permit means send it to the output buffer; deny means discard the packet.
- An access list cannot be removed if that access list is being applied by an access group in use. To remove an access list, remove the access group that is referencing the access list and then remove the access list.
- Before removing an interface that is configured with an ACL that denies certain traffic, you must remove the ACL and commit your configuration. If this is not done, some packets are leaked through the interface as soon as the no interface <interface-name> command is configured and committed.
- An access list must exist before you can use the ipv4 access-group command.
- ACL-based Forwarding (ABF) is supported in common ACLs.
- Filtering of MPLS packets with the explicit-null or de-aggregation label is supported on the ingress direction.
- If the Ternary Content-Addressable Memory (TCAM) utilization is high and large ACLs are modified, then an error may occur. During such instances, remove the ACL from the interface and reconfigure the ACL. Later, reapply the ACL to the interface.
- You can configure an ACL name with a maximum of 64 characters.
- You can configure an ACL name to comprise only letters and numbers.
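The first-match and implicit-deny rules above can be checked offline before an ACL is committed. The following Python sketch is an added example, not Cisco code: it models the test_ipv4 list displayed later on this page, evaluates a constructed packet against it, and reports ACEs that an earlier, broader ACE makes unreachable. The names Ace, Packet, evaluate, covers and shadowed are hypothetical, and the reordered list and packet addresses are constructed for illustration.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

ANY = ip_network("0.0.0.0/0")

class Ace(NamedTuple):
    seq: int
    action: str                   # "permit" or "deny"
    proto: str                    # "ipv4" matches every IP protocol
    src: object = ANY
    sport: Optional[int] = None   # None means any port
    dst: object = ANY
    dport: Optional[int] = None

class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def ace_matches(ace, pkt):
    return (ace.proto in ("ipv4", pkt.proto)
            and ip_address(pkt.src) in ace.src
            and ip_address(pkt.dst) in ace.dst
            and ace.sport in (None, pkt.sport)
            and ace.dport in (None, pkt.dport))

def evaluate(acl, pkt):
    """Return (action, seq) of the first matching ACE, else the implicit deny."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace_matches(ace, pkt):
            return ace.action, ace.seq      # first match wins; later ACEs are skipped
    return "deny", None                     # unwritten deny at the end of every list

def covers(earlier, later):
    """True when every packet matching `later` also matches `earlier`."""
    return (earlier.proto in ("ipv4", later.proto)
            and later.src.subnet_of(earlier.src)
            and later.dst.subnet_of(earlier.dst)
            and earlier.sport in (None, later.sport)
            and earlier.dport in (None, later.dport))

def shadowed(acl):
    """Sequence numbers of ACEs that can never be the first match."""
    ordered = sorted(acl, key=lambda a: a.seq)
    return [b.seq for i, b in enumerate(ordered)
            if any(covers(a, b) for a in ordered[:i])]

# test_ipv4 as displayed on this page, and a constructed reordering of it.
TEST_IPV4 = [Ace(10, "permit", "ipv4"),
             Ace(20, "deny", "tcp", sport=2000, dport=2000),
             Ace(30, "permit", "tcp", sport=3000, dport=3000)]
REORDERED = [Ace(10, "deny", "tcp", sport=2000, dport=2000),
             Ace(20, "permit", "tcp", sport=3000, dport=3000),
             Ace(30, "permit", "ipv4")]
# Constructed packet using documentation address ranges.
PKT = Packet("tcp", "192.0.2.10", 2000, "198.51.100.5", 2000)

if __name__ == "__main__":
    for name, acl in (("test_ipv4", TEST_IPV4), ("reordered", REORDERED)):
        print(name, evaluate(acl, PKT), "shadowed ACEs:", shadowed(acl))
```

With the original ordering, the deny at sequence 20 is never reached because sequence 10 already permits all IPv4 traffic; the reordered list denies the same packet.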
ACL Filtering by Wildcard Mask and Implicit Wildcard Mask
Address filtering uses wildcard masking to indicate whether the software checks or ignores corresponding IP address bits when comparing the address bits in an access-list entry to a packet being submitted to the access list. By carefully setting wildcard masks, an administrator can select a single or several IP addresses for permit or deny tests.
Wildcard masking for IP address bits uses the number 1 and the number 0 to specify how the software treats the corresponding IP address bits. A wildcard mask is sometimes referred to as an inverted mask, because a 1 and 0 mean the opposite of what they mean in a subnet (network) mask.
- A wildcard mask bit 0 means check the corresponding bit value.
- A wildcard mask bit 1 means ignore that corresponding bit value.
You do not have to supply a wildcard mask with a source or destination address in an access list statement. If you use the host keyword, the software assumes a wildcard mask of 0.0.0.0.
Unlike subnet masks, which require contiguous bits indicating network and subnet to be ones, wildcard masks allow noncontiguous bits in the mask.
You can also use CIDR format (/x) in place of wildcard bits. For example, the IPv4 address 1.2.3.4 0.255.255.255 corresponds to 1.2.3.4/8, and the IPv6 address 2001:db8:abcd:0012:0000:0000:0000:0000 corresponds to 2001:db8:abcd:0012::0/64.
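The wildcard rules above (bit 0 checks, bit 1 ignores, noncontiguous masks allowed) are easy to misread when reviewing an ACL. The following Python sketch is an added example, not Cisco code: it matches an address against a wildcard entry, converts a wildcard to CIDR when that is possible, and counts how many addresses an entry actually selects. The function names are hypothetical, and the 10.0.0.1 0.0.0.254 entry is constructed to show a noncontiguous mask.

```python
from ipaddress import IPv4Address, IPv4Network

MASK32 = 0xFFFFFFFF

def wildcard_match(packet_ip, ace_ip, wildcard):
    """Wildcard bit 0 = check the bit, wildcard bit 1 = ignore it."""
    care = ~int(IPv4Address(wildcard)) & MASK32
    return (int(IPv4Address(packet_ip)) & care) == (int(IPv4Address(ace_ip)) & care)

def wildcard_to_cidr(ace_ip, wildcard):
    """Return the equivalent CIDR network, or None when no prefix can express it."""
    w = int(IPv4Address(wildcard))
    if w & (w + 1):                 # a prefix-style wildcard is always 2**k - 1
        return None
    base = int(IPv4Address(ace_ip)) & ~w & MASK32   # clear the ignored bits
    return IPv4Network(f"{IPv4Address(base)}/{32 - w.bit_length()}")

def addresses_selected(wildcard):
    """Each ignored bit doubles the number of addresses the entry selects."""
    return 2 ** bin(int(IPv4Address(wildcard))).count("1")

def audit(entries):
    """entries: (address, wildcard) pairs. Returns one report row per entry."""
    rows = []
    for addr, wild in entries:
        cidr = wildcard_to_cidr(addr, wild)
        rows.append((addr, wild,
                     str(cidr) if cidr else "noncontiguous",
                     addresses_selected(wild)))
    return rows

if __name__ == "__main__":
    entries = [
        ("1.2.3.4", "0.255.255.255"),   # the page's own example
        ("192.0.2.9", "0.0.0.0"),       # what the host keyword implies
        ("10.0.0.1", "0.0.0.254"),      # constructed: odd hosts in 10.0.0.0/24
    ]
    for row in audit(entries):
        print(row)
    print(wildcard_match("10.0.0.7", "10.0.0.1", "0.0.0.254"))   # odd host
    print(wildcard_match("10.0.0.8", "10.0.0.1", "0.0.0.254"))   # even host
```

The CIDR result is normalized to the network address, so the page's 1.2.3.4/8 is reported as 1.0.0.0/8; both select the same addresses.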
Including Comments in Access Lists
You can include comments (remarks) about entries in any named IP access list using the remark access list configuration command. The remarks make the access list easier for the network administrator to understand and scan. Each remark line is limited to 255 characters.
The remark can go before or after a permit or deny statement. You should be consistent about where you put the remark so it is clear which remark describes which permit or deny statement. For example, it would be confusing to have some remarks before the associated permit or deny statements and some remarks after the associated statements. Remarks can be sequenced.
Remember to apply the access list to an interface or terminal line after the access list is created.
Limitations
- For Cisco NCS 5700 Series platforms and NC57 line cards in native mode, if you configure an IPv4 ACL with an ACE that permits UDP packets on the L2TP reserved port, the UDP packets on the port are implicitly denied despite meeting the permit conditions.
Display Access Lists
Feature Name | Release Information | Description |
---|---|---|
Identify Internal TCAM Entries for Hybrid ACLs | Release 7.10.1 | Introduced in this release on: NCS 5500 modular routers (NCS 5700 line cards [Mode: Compatibility; Native]) (select variants only*). From this release onwards, you'll be able to identify the internal TCAM entries required to create a hybrid ACL before you attach it to an interface. Because you define the ACLs based on the available internal TCAM resources, you are assured that you can successfully attach the hybrid ACLs to an interface and filter traffic based on the ACEs defined. Previously, when you created an ACL and then attached that ACL to an interface, there was no way to assess upfront whether the internal TCAM resources were enough for the ACL to work. In such instances, there was a higher chance of ACLs failing to attach to an interface because of insufficient TCAM resources. A new keyword, resource-check, is introduced in the following commands: * This feature is supported on: |
Display ACL Statistics in Bytes | Release 7.9.1 | We have enabled better visibility of traffic distribution, thus helping you in capacity planning, network optimization, and identifying potential bottlenecks in network planning by displaying ACL statistics in bytes in ingress and egress directions. Previously, the statistics were available only in packet counts. The ACL statistics in bytes, in addition to the packet count, help identify the average packet size in the network and detect whether the packets are truncated. You can view the ACL statistics in bytes for ACL-Based Policing only in Cisco NCS 5700 Series Routers and Cisco NC 57 line cards installed and operating in native and compatibility mode. The following commands are modified in this feature: |
You can display the contents of access lists using the show access-lists command. Use the show access-lists ipv4 command to display the contents of all IPv4 access lists, and use the show access-lists ipv6 command for IPv6 access lists.
In the following example, the contents of all IPv4 access lists are displayed:
Router# show access-lists ipv4
ipv4 access-list test_ipv4
10 permit ipv4 any any
20 deny tcp any eq 2000 any eq 2000
30 permit tcp any eq 3000 any eq 3000
In the following example, the contents of all IPv6 access lists are displayed:
Router# show access-lists ipv6
ipv6 access-list test_ipv6
10 permit ipv6 any any
20 permit tcp any eq 3000 any eq 3000
To display the contents of a specific access list, use the name argument. Use the sequence-number argument to specify the sequence number of the access list.
In the following example, the contents of an access list named Internetfilter are displayed:
Router# show access-lists ipv6 Internetfilter
ipv6 access-list Internetfilter
3 remark Block BGP traffic from a given host
4 deny tcp host 6666:1:2:3::10 eq bgp host 7777:1:2:3::20 range 1300 1404 deny tcp host 171.69.2.88 255.255.0.0 any eq telnet
20 permit ipv6 3333:1:2:3::/64 any
25 permit ipv6 4444:1:2:3::/64 any
30 permit ipv6 5555:1:2:3::/64 any
You can use the hardware, ingress, and location keywords to display the access list hardware contents and counters for all interfaces that use the specified access list in a given direction. To display the contents of a specific access list entry, use the sequence-number keyword and argument. The access group for an interface must be configured using the ipv4/ipv6 access-group command for access list hardware counters to be enabled.
In the following example, the contents of an access list named Test that has ACL-based policing configured are displayed:
Router(config)# show ipv4 access-list Test hardware ingress location 0/1/CPU0
10 permit 192.168.34.0 0.0.0.255 (Accepted: 130 packets, Dropped: 0 packets)
20 permit 172.16.0.0 0.0.255.255 (Accepted: 1005 packets, Dropped: 0 packets)
30 permit 10.0.0.0 0.255.255.255 (Accepted: 10303 packets, Dropped: 7 packets)
In the following example, the contents of an access list named Test that has ACL-based policing configured are displayed:
Router# show ipv6 access-lists Test hardware ingress location 0/1/CPU0
10 permit fec0:0:0:2::/64 any (Accepted: 24303 packets, Dropped: 0 packets)
20 permit any any (Accepted: 13 packets, Dropped: 0 packets)
The following example displays the ACL contents:
Router# show access-lists IPv4-ABF hardware ingress location 0/6/CPU0
Wed Feb 19 13:36:26.663 PST
ipv4 access-list IPv4-ABF
100 permit tcp host 27.0.0.2 any eq 8080 (6854367 matches) (next-hop: addr=21.0.0.2, vrf name=vrf1)
110 permit tcp any eq https any (6858321 matches) (next-hop: addr=200.1.1.2, vrf name=vrf2)
120 permit ipv4 any any (6940396 matches) (next-hop: addr=50.0.0.1, vrf name=default)
In the following example, the details of an IPv4 access list for a hardware interface in the ingress direction are displayed:
Router# show access-lists ipv4 objv4acl hardware ingress detail location 0/0/CPU0
objv4acl Details:
Sequence Number: 10
NPU ID: 0
Number of DPA Entries: 1
ACL ID: 2
ACE Action: PERMIT
ACE Logging: DISABLED
ABF Action: 0(ABF_NONE)
Hit Packet Count: 477 Byte Count: 30528
Source Address: 0.0.0.1 (Mask 255.255.255.254)
Destination Address: 0.0.0.1 (Mask 255.255.255.254)
DPA Entry: 1
Entry Index: 0
DPA Handle: 0x8E08F0A8
DSCP: 0x28 (Mask 0xFC)
Sequence Number: IMPLICIT DENY
NPU ID: 0
Number of DPA Entries: 1
ACL ID: 2
ACE Action: DENY
ACE Logging: DISABLED
ABF Action: 0(ABF_NONE)
Hit Packet Count: 0 Byte Count: 0
Source Address: 0.0.0.2 (Mask 255.255.255.253)
Destination Address: 0.0.0.2 (Mask 255.255.255.253)
DPA Entry: 1
Entry Index: 0
DPA Handle: 0x8E08F390
In the following example, the details of an IPv6 access list for a hardware interface in the ingress direction are displayed:
Router# show access-lists ipv6 v6t1 hardware ingress detail location 0/0/CPU0
v6t1 Details:
Sequence Number: 10
NPU ID: 0
Number of DPA Entries: 1
ACL ID: 1
ACE Action: PERMIT
ACE Logging: DISABLED
ABF Action: 0(ABF_NONE)
Hit Packet Count: 0 Byte Count: 0
Source Address: 0:0:0:0::
Source Address Mask: 0:0:0:0::
Destination Address: 2222:0:0:0::
Destination Address Mask: ffff:ffff:ffff:ffff::
DPA Entry: 1
Entry Index: 0
DPA Handle: 0x8E3000A8
DSCP: 0x28 (Mask 0xFC)
Sequence Number: 20
NPU ID: 0
Number of DPA Entries: 1
ACL ID: 1
ACE Action: PERMIT
ACE Logging: DISABLED
ABF Action: 0(ABF_NONE)
Hit Packet Count: 0 Byte Count: 0
TCP Flags: 0x01 (Mask 0x01)
Protocol: 0x06 (Mask 0xFF)
Source Address: 0:0:0:0::
Source Address Mask: 0:0:0:0::
Destination Address: 2222:0:0:0::
Destination Address Mask: ffff:ffff:ffff:ffff::
DPA Entry: 1
Entry Index: 0
DPA Handle: 0x8E300390
Sequence Number: IMPLICIT NDNA PERMIT
NPU ID: 0
Number of DPA Entries: 1
ACL ID: 1
ACE Action: PERMIT
ACE Logging: DISABLED
ABF Action: 0(ABF_NONE)
Hit Packet Count: 0 Byte Count: 0
Protocol: 0x3A (Mask 0xFF)
Source Address: 0:0:0:0::
Source Address Mask: 0:0:0:0::
Destination Address: 0:0:0:0::
Destination Address Mask: 0:0:0:0::
DPA Entry: 1
Entry Index: 0
DPA Handle: 0x8E300678
Sequence Number: IMPLICIT NDNS PERMIT
NPU ID: 0
Number of DPA Entries: 1
ACL ID: 1
ACE Action: PERMIT
ACE Logging: DISABLED
ABF Action: 0(ABF_NONE)
Hit Packet Count: 0 Byte Count: 0
Protocol: 0x3A (Mask 0xFF)
Source Address: 0:0:0:0::
Source Address Mask: 0:0:0:0::
Destination Address: 0:0:0:0::
Destination Address Mask: 0:0:0:0::
DPA Entry: 1
Entry Index: 0
DPA Handle: 0x8E300960
Sequence Number: IMPLICIT DENY
NPU ID: 0
Number of DPA Entries: 1
ACL ID: 1
ACE Action: DENY
ACE Logging: DISABLED
ABF Action: 0(ABF_NONE)
Hit Packet Count: 0 Byte Count: 0
Source Address: 0:0:0:0::
Source Address Mask: 0:0:0:0::
Destination Address: 0:0:0:0::
Destination Address Mask: 0:0:0:0::
DPA Entry: 1
Entry Index: 0
DPA Handle: 0x8E300C48
Starting with IOS XR Release 7.9.1, the show access-lists ipv4 and show access-lists ipv6 commands are enhanced to include the ACL statistics in bytes. Previously, these commands displayed the statistics in packet counts only.
Note: You can view the ACL statistics for ACL-Based Policing in bytes only in Cisco NCS 5700 Series Routers and Cisco NC 57 line cards installed and operating in native and compatibility mode.
Note: The Layer 2 ACL doesn't display ACL statistics in bytes. You can only view ACL statistics in packet counts for Layer 2 ACL.
Note: The ACL statistics in bytes is an approximate value with about 90%-95% accuracy.
In the following example, the statistics for IPv4 access lists are displayed in bytes and packet counts:
Router:ios# show access-lists ipv4 ac hardware ingress location 0/0/CPU0
ipv4 access-list ac
10 permit ipv4 any 2.2.0.0 0.0.255.255 dscp af11 (477 matches) (30528 byte matches)
20 permit ipv4 any 2.2.0.0 0.0.255.255 police 5 gbps (Accepted: 464 matches, Dropped: 0) (Accepted: 29696 byte matches, Dropped: 0 bytes)
In the following example, the statistics for IPv6 access lists are displayed in bytes and packet counts:
Router# show ipv6 access-lists Test hardware ingress location 0/1/CPU0
ipv6 access-list Test
10 permit fec0:0:0:2::/64 any (24303 matches) (2459695 byte matches)
20 permit any any (13 matches) (246 byte matches)
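The packet and byte counters shown above can be turned into a per-ACE review of average packet size, unused entries and policer drops. The following Python sketch is an added example, not Cisco tooling: it parses the Release 7.9.1 counter format only (the older "packets" format is not handled). The first two ACE lines are the page's own output; ACEs 30 and 40 are constructed, and the function names are hypothetical.

```python
import re

ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\b")
PKT_RE = re.compile(r"\((?:Accepted: )?(\d+) matches(?:, Dropped: (\d+))?\)")
BYTE_RE = re.compile(r"\((?:Accepted: )?(\d+) byte matches(?:, Dropped: (\d+) bytes)?\)")

# Lines 10 and 20 are from the page; 30 and 40 are constructed for illustration.
SAMPLE = """\
ipv4 access-list ac
 10 permit ipv4 any 2.2.0.0 0.0.255.255 dscp af11 (477 matches) (30528 byte matches)
 20 permit ipv4 any 2.2.0.0 0.0.255.255 police 5 gbps (Accepted: 464 matches, Dropped: 0) (Accepted: 29696 byte matches, Dropped: 0 bytes)
 30 deny tcp any any eq telnet (0 matches) (0 byte matches)
 40 permit ipv4 any 3.3.0.0 0.0.255.255 police 5 gbps (Accepted: 100 matches, Dropped: 25) (Accepted: 6400 byte matches, Dropped: 1600 bytes)
"""

def parse_counters(text):
    """Return one dict per ACE line that carries both packet and byte counters."""
    rows = []
    for line in text.splitlines():
        ace = ACE_RE.match(line)
        pkt, byt = PKT_RE.search(line), BYTE_RE.search(line)
        if not (ace and pkt and byt):
            continue    # list header, remarks, or an ACE without byte counters
        packets, nbytes = int(pkt.group(1)), int(byt.group(1))
        rows.append({
            "seq": int(ace.group(1)),
            "action": ace.group(2),
            "packets": packets,
            "bytes": nbytes,
            "dropped_packets": int(pkt.group(2) or 0),
            # Byte counters are approximate per the note above, so this is an estimate.
            "avg_bytes": round(nbytes / packets, 1) if packets else None,
        })
    return rows

def review(rows):
    """Map sequence number to the findings worth a second look."""
    findings = {}
    for r in rows:
        notes = []
        if r["packets"] == 0:
            notes.append("never hit")
        if r["dropped_packets"]:
            notes.append("policer drops")
        if notes:
            findings[r["seq"]] = notes
    return findings

if __name__ == "__main__":
    rows = parse_counters(SAMPLE)
    for r in rows:
        print(r)
    print(review(rows))
```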
Identify Internal TCAM Entries for Hybrid ACLs
From Release 7.10.1 onwards, you can identify the internal TCAM entries required to create a hybrid ACL before attaching the hybrid ACL to an interface for ingress and egress traffic. To identify the internal TCAM entries required for an ACL, use the resource-check option in the show access-list ipv4 | ipv6 acl name hardware ingress|egress resource-check location loc command. For more details on the usage, see the Access List Commands chapter.
Router#show access-lists ipv4 acl_NTP hardware ingress resource-check location 0/6/CPU0
Wed Jan 25 03:33:42.945 UTC
ACL name : acl_NTP
ACL compression level : 3
Internal TCAM Entries required : 8
Router#show access-lists ipv4 acl_NTP hardware egress resource-check location 0/6/CPU0
Wed Jan 25 03:33:42.945 UTC
ACL name : acl_NTP
ACL compression level : 3
Internal TCAM Entries required : 8