IP Access Lists

This chapter describes how to configure IPv4 and IPv6 Access Control Lists (ACL).

IP Access List

How an IP Access List Works

An access list is a sequential list consisting of permit and deny statements that apply to IP addresses and possibly the upper-layer IP protocols. ACLs are used to permit or deny the flow of packets based on matching criteria of access list parameters and information contained in packets. For it to be in effect, an access list must be created and applied to an interface.

An access list can control traffic arriving or leaving the system, but not traffic originating at the system.

IP Access List Process and Rules

There are two paths for interface packet filtering for ACL configuration:

  • Hardware programming path: Hardware programming path is the fast path ACL configuration. The fast path ACL configuration requires Ternary Content Addressable Memory (TCAM) through packet filter Execution Agent.

  • Software programming path: Software programming path is the slow path ACL configuration. The slow path ACL configuration requires adding caps to Interface Manager and NetIO.

Use the following process and rules when configuring an IP access list:

  • The software tests the source or destination address or the protocol of each packet being filtered against the conditions in the access list, one condition (permit or deny statement) at a time.

  • If a packet does not match a statement in the access list, it is tested against the next statement in the list.

  • If a packet matches an access list statement, the remaining statements in the list are skipped, and the packet is permitted or denied as specified in the matched statement.

  • If the access list denies the address or the protocol, the software discards the packet and returns an Internet Control Message Protocol (ICMP) Host Unreachable message. ICMP is configurable in the Cisco IOS XR software.

  • If no conditions match, the software drops the packet because each access list ends with an unwritten or implicit deny statement.

  • The access list should contain at least one permit statement; otherwise, all packets are denied.

  • The software stops testing the conditions after the first match; so, the order of the conditions is critical. The same permit or deny statements specified in a different order could result in a packet being passed under one circumstance and denied in another circumstance.

  • Only one access list per interface, per protocol, per direction is allowed.

  • Inbound access lists process packets arriving at the system. Incoming packets are processed before being routed to an outbound interface. An inbound access list is efficient as it saves the overhead of routing lookups if the packet is to be discarded because it is denied by the filtering tests. If the packet is permitted by the tests, it is then processed for routing. For inbound lists, "permit" means continue to process the packet after receiving it on an inbound interface; "deny" means discard the packet.

  • Outbound access lists process packets before they leave the system. Incoming packets are routed to the outbound interface and then processed through the outbound access list. For outbound lists, "permit" means send it to the output buffer; "deny" means discard the packet.

  • An access list cannot be removed if that access list is being applied by an access group in use. To remove an access list, remove the access group that is referencing the access list and then remove the access list.

  • An access-list must be created first before it can actually be applied on the management interface using access-group command.

  • ACLs apply only on management interfaces and not on any other type of interfaces or controllers.

Statistics collections are also divided into fast path packets and slow path packets. ACLs information is stored as a global data on the route processor.

Support of IP Access list in NCS 1004:

NCS 1004 supports the following:

  • Ingress ACL for both IPv4 and IPv6.

  • Slow packet path for Management Interface.

  • Egress ACL: Self-Originated Packet is not supported by ACL, because this is already controlled by the user. Only forwarded packets or traffic classify under ACL. This rule is applicable for both IPv4 and IPv6 ACL.

Configuring an IP Access List

To configure the ACL, use the following commands at the IPv4 or IPv6 interface:

configure

interface interface-type Rack/Slot/Instance/Port

ipv4 | ipv6 access-group access-list-name {ingress | egress}

commit

Example

interface MgmtEth0/RP0/CPU0/0
ipv4 address 10.1.1.1 255.255.255.0
ipv6 address 1000::1/64
ipv4 access-group IPV4_ICMP_DENY ingress
ipv4 access-group IPV4_ROUTER_FWD_TELNET_TRAFFIC_DENY egress
ipv6 access-group IPV6_SSH_DENY ingress
ipv6 access-group IPV6_ROUTER_FWD_TELNET_TRAFFIC_DENY egress

Sample Configuration for IPv4 Access Lists

ipv4 access-list IPV4_ICMP_DENY
10 deny icmp any any
20 permit ipv4 any any
!
ipv4 access-list IPV4_ROUTER_FWD_TELNET_TRAFFIC_DENY
10 deny tcp any any eq telnet
20 permit ipv4 any any
!

Sample Configuration for IPv6 Access Lists

ipv6 access-list IPV6_SSH_DENY
10 deny tcp any any eq ssh
20 permit ipv6 any any
!
ipv6 access-list IPV6_ROUTER_FWD_TELNET_TRAFFIC_DENY
10 deny tcp any any eq telnet
20 permit ipv6 any any
!

Verifying ACLs

The following examples verify the number of packets filtered by the respective ACLs:

IPv4:

RP/0/RP0/CPU0:ios#show access-lists ipv4
Wed Jan 17 09:52:12.448 IST
ipv4 access-list IPV4_ICMP_DENY
10 deny icmp any any (8 matches)
20 permit ipv4 any any (106 matches)
ipv4 access-list IPV4_ROUTER_FWD_TELNET_TRAFFIC_DENY
10 deny tcp any any eq telnet (3 matches)
20 permit ipv4 any any (6 matches)

IPv6:

RP/0/RP0/CPU0:ios#show access-lists ipv6
Wed Jan 17 09:52:14.591 IST
ipv6 access-list IPV6_ROUTER_FWD_TELNET_TRAFFIC_DENY
10 deny tcp any any eq telnet (3 matches)
20 permit ipv6 any any (5 matches)
ipv6 access-list IPV6_SSH_DENY
10 deny tcp any any eq ssh (9 matches)
20 permit ipv6 any any (100 matches)