The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
An access control list (ACL) consists of one or more access control entries (ACE) that collectively define the network traffic profile. This profile can then be referenced by Cisco IOS XR softwarefeatures such as traffic filtering, route filtering, QoS classification, and access control. Each ACL includes an action element (permit or deny) and a filter element based on criteria such as source address, destination address, protocol, and protocol-specific parameters.
Prefix lists are used in route maps and route filtering operations and can be used as an alternative to access lists in many Border Gateway Protocol (BGP) route filtering commands. A prefix is a portion of an IP address, starting from the far left bit of the far left octet. By specifying exactly how many bits of an address belong to a prefix, you can then use prefixes to aggregate addresses and perform some function on them, such as redistribution (filter routing updates).
This module describes the new and revised tasks required to implement access lists and prefix lists on the Cisco ASR 9000 Series Router
 Note |
For a complete description of the access list and prefix list commands listed in this module, refer to the IP Addresses and Services Command Reference for Cisco ASR 9000 Series Routers. |
|
Release |
Modification |
|---|---|
|
Release 3.7.2 |
This feature was introduced. |
|
Release 4.2.1 |
IPv6 ACL over BVI interface feature was added. |
|
Release 4.2.1 |
ACL in Class map feature was added. |
|
Release 5.3.2 |
Multi-level ACL Chaining feature was added for Cisco ASR 9000 High Density 100GE Ethernet Line Card. |
The following prerequisite applies to implementing access lists and prefix lists:
All command task IDs are listed in individual command references and in the Cisco IOS XR Task ID Reference Guide.If you need assistance with your task group assignment, contact your system administrator.
The following restrictions apply to implementing access lists and prefix lists:
From Release 5.3.2 onward, on Cisco ASR 9000 High Density 100GE Ethernet Line Cards, up to 4095 unique IPv4 and Ethernet Service (ES) ACLs and up to 4095 unique IPv6 ACLs are supported.
IPv4 ACLs are not supported for loopback and interflex interfaces.
IPv4 and IPv6 ACLs are not supported on service application and service infrastructure interfaces.
If the TCAM utilization is high and large ACLs are modified, then an error may occur. During such instances, do the following to edit an ACL:
Note |
Use the show prm server tcam summary all acl all location and show pfilter-ea fea summary location commands to view the TCAM utilization. |
Filtering of MPLS packets through common ACL and interface ACL is not supported.
If the packet comes on an ASR 9000 Ethernet Line Card, and is labeled as part of an MPLS flow, then the ingress ASR 9000 Ethernet Line Card cannot apply ACL. Also, for ASR 9000 Ethernet Line Cards, if the label is popped because it is routed to an attached customer edge (CE), then the egress line card (LC) sees a plain IP. But, it still cannot apply an egress (outbound) ACL on the IP packet. Whereas, an ASR 9000 Enhanced Ethernet Line Card can perform an egress IP ACL on this packet before sending it to the directly attached CE.
Video Monitoring is not supported through ACLs on IPv6 interfaces.
You can configure an ACL name with a maximum of 64 characters.
You can configure an ACL name to comprise of only letters and numbers.
In IPv6 Egress ACLs, TCP flag filtering does not function for IPv6 packets with a fragmentation header. As a result, IPv6 packets with both a fragmentation header and a TCP header (ACK+SYN flags) are not appropriately filtered by the ACL rules.
The following restrictions apply for implementing ACL-based forwarding (ABF):
ABF is not supported for for-us packets (packets destined for the router).
The following nexthop configurations are not supported: attaching ACL having a nexthop option in the egress direction, modifying an ACL attached in the egress direction having nexthop, denying an ACE with a nexthop.
The A9K-SIP-700 LC and ASR 9000 Enhanced Ethernet LC support ABFv4 and ABFv6 in Release 4.2.0. ASR 9000 Ethernet LC does not support ABFv6 in Release 4.2.0, it only supports ABFv4.
ABFv4 is supported on BVI interfaces for ASR 9000 Enhanced Ethernet line card. It is not supported for ASR 9000 Ethernet line card.
Note |
Nexthop egress over A9K-SIP-700 line card, ASR 9000 Ethernet line card, or virtual interfaces like GRE or BVI is supported when ABFv4 is configured for a BVI interface. |
ABFv6 is supported on IRB/BVI interfaces for ASR 9000 Enhanced Ethernet line card. It is not supported for ASR 9000 Ethernet line card.
Note |
There is one exception to this. In case of IP to TAG, the label is imposed by the ingress LC (based on ABF nexthop), and the packet crosses the fabric as a tag packet. These packets are handled by A9K-SIP-700 without any issue. |
Packets punted in the ingress direction from the NPU to the LC CPU are not subjected to ABF treatment due to lack of ABF support in the slow path.
IP packet(s) needing fragmentation are not subjected to ABF. The packet is forwarded in the traditional way. Fragmented packets received are handled by ABF.
Support for ABF is only for IPv4 and Ethernet line cards. IPv6 and other interfaces are not supported.
ABF is an ingress line card feature and the egress line card must be ABF aware.
To implement access lists and prefix lists, you must understand the following concepts:
This section lists the feature highlights for access lists and prefix lists.
Cisco IOS XR software provides the ability to clear counters for an access list or prefix list using a specific sequence number.
Cisco IOS XR software provides the ability to copy the contents of an existing access list or prefix list to another access list or prefix list.
Cisco IOS XR software allows users to apply sequence numbers to permit or deny statements and to resequence, add, or remove such statements from a named access list or prefix list.
Note |
Resequencing is only for IPv4 prefix lists. |
Cisco IOS XR software does not differentiate between standard and extended access lists. Standard access list support is provided for backward compatibility.
To double the TCAM scale value of the extended ACL for IPv4/IPv6 in Cisco ASR 9000 High Density 100GE Ethernet line cards, users must disable ISSU (and reload).
Layer 2 (Ethernet) ACL is supported on Layer 2 interfaces.
Layer 3 (IPv4 and IPv6) ACL over Layer 2 interfaces for the IPOE model is supported in both ingress and egress directions.
Access lists perform packet filtering to control which packets move through the network and where. Such controls help to limit network traffic and restrict the access of users and devices to the network. Access lists have many uses, and therefore many commands accept a reference to an access list in their command syntax. Access lists can be used to do the following:
Filter incoming packets on an interface.
Filter outgoing packets on an interface.
Restrict the contents of routing updates.
Limit debug output based on an address or protocol.
Control vty access.
Identify or classify traffic for advanced features, such as congestion avoidance, congestion management, and priority and custom queueing.
An access list is a sequential list consisting of permit and deny statements that apply to IP addresses and possibly upper-layer IP protocols. The access list has a name by which it is referenced. Many software commands accept an access list as part of their syntax.
An access list can be configured and named, but it is not in effect until the access list is referenced by a command that accepts an access list. Multiple commands can reference the same access list. An access list can control traffic arriving at the router or leaving the router, but not traffic originating at the router. Note that, traffic such as SSH, ICMP and telnet traffic are blocked by ACL, in spite of being originated from the router. This is because, those packets are not injected as high priority packets, and hence get subjected to ACL processing. At the same time, BGP traffic bypasses the ACL applied on the interface, as it is a control packet which is injected as a critical inject packet from RSP or LC. Such packets are handled in the system with high priority and do not get dropped.
Use the following process and rules when configuring an IP access list:
The software tests the source or destination address or the protocol of each packet being filtered against the conditions in the access list, one condition (permit or deny statement) at a time.
If a packet does not match an access list statement, the packet is then tested against the next statement in the list.
If a packet and an access list statement match, the remaining statements in the list are skipped and the packet is permitted or denied as specified in the matched statement. The first entry that the packet matches determines whether the software permits or denies the packet. That is, after the first match, no subsequent entries are considered.
If the access list denies the address or protocol, the software discards the packet and returns an Internet Control Message Protocol (ICMP) Host Unreachable message. ICMP is configurable in the Cisco IOS XR software.
If no conditions match, the software drops the packet because each access list ends with an unwritten or implicit deny statement. That is, if the packet has not been permitted or denied by the time it was tested against each statement, it is denied.
The access list should contain at least one permit statement or else all packets are denied.
Because the software stops testing conditions after the first match, the order of the conditions is critical. The same permit or deny statements specified in a different order could result in a packet being passed under one circumstance and denied in another circumstance.
Only one access list per interface, per protocol, per direction is allowed.
Inbound access lists process packets arriving at the router. Incoming packets are processed before being routed to an outbound interface. An inbound access list is efficient because it saves the overhead of routing lookups if the packet is to be discarded because it is denied by the filtering tests. If the packet is permitted by the tests, it is then processed for routing. For inbound lists, permit means continue to process the packet after receiving it on an inbound interface; deny means discard the packet.
Outbound access lists process packets before they leave the router. Incoming packets are routed to the outbound interface and then processed through the outbound access list. For outbound lists, permit means send it to the output buffer; deny means discard the packet.
An access list can not be removed if that access list is being applied by an access group in use. To remove an access list, remove the access group that is referencing the access list and then remove the access list.
An access list must exist before you can use the ipv4 access group command.
Consider the following when creating an IP access list:
Create the access list before applying it to an interface.
Organize your access list so that more specific references in a network or subnet appear before more general ones.
To make the purpose of individual statements more easily understood at a glance, you can write a helpful remark before or after any statement.
Source address and destination addresses are two of the most typical fields in an IP packet on which to base an access list. Specify source addresses to control packets from certain networking devices or hosts. Specify destination addresses to control packets being sent to certain networking devices or hosts.
Address filtering uses wildcard masking to indicate whether the software checks or ignores corresponding IP address bits when comparing the address bits in an access-list entry to a packet being submitted to the access list. By carefully setting wildcard masks, an administrator can select a single or several IP addresses for permit or deny tests.
Wildcard masking for IP address bits uses the number 1 and the number 0 to specify how the software treats the corresponding IP address bits. A wildcard mask is sometimes referred to as an inverted mask, because a 1 and 0 mean the opposite of what they mean in a subnet (network) mask.
A wildcard mask bit 0 means check the corresponding bit value.
A wildcard mask bit 1 means ignore that corresponding bit value.
You do not have to supply a wildcard mask with a source or destination address in an access list statement. If you use the host keyword, the software assumes a wildcard mask of 0.0.0.0.
From Release 5.2.2, you can supply a wildcard mask with a source or destination address in an access list statement. The wildcard masking feature now supports IPv6 ACL with wildcard masking. This feature is supported in ASR 9000 Enhanced Ethernet Line Card.
Unlike subnet masks, which require contiguous bits indicating network and subnet to be ones, wildcard masks allow noncontiguous bits in the mask. For IPv6 access lists, only contiguous bits are supported.
You can also use CIDR format (/x) in place of wildcard bits. For example, the IPv4 address 1.2.3.4 0.255.255.255 corresponds to 1.2.3.4/8 and for IPv6 address 2001:db8:abcd:0012:0000:0000:0000:0000 corresponds to 2001:db8:abcd:0012::0/64.
You can filter packets on the basis of transport layer information, such as whether the packet is a TCP, UDP, ICMP, or IGMP packet.
The ability to apply sequence numbers to IP access-list entries simplifies access list changes. Prior to this feature, there was no way to specify the position of an entry within an access list. If a user wanted to insert an entry (statement) in the middle of an existing list, all the entries after the desired position had to be removed, then the new entry was added, and then all the removed entries had to be reentered. This method was cumbersome and error prone.
The IP Access List Entry Sequence Numbering feature allows users to add sequence numbers to access-list entries and resequence them. When you add a new entry, you choose the sequence number so that it is in a desired position in the access list. If necessary, entries currently in the access list can be resequenced to create room to insert the new entry.
The following details the sequence numbering behavior:
If entries with no sequence numbers are applied, the first entry is assigned a sequence number of 10, and successive entries are incremented by 10. The maximum configurable sequence number is 2147483643 for IPv4 and IPv6 entries. For other entries, the maximum configurable sequence number is 2147483646. If the generated sequence number exceeds this maximum number, the following message displays:
Exceeded maximum sequence number.
If you provide an entry without a sequence number, it is assigned a sequence number that is 10 greater than the last sequence number in that access list and is placed at the end of the list.
ACL entries can be added without affecting traffic flow and hardware performance.
If a new access list is entered from global configuration mode, then sequence numbers for that access list are generated automatically.
Distributed support is provided so that the sequence numbers of entries in the route processor (RP) and line card (LC) are synchronized at all times.
This feature works with named standard and extended IP access lists. Because the name of an access list can be designated as a number, numbers are acceptable.
Cisco IOS XR software can provide logging messages about packets permitted or denied by a standard IP access list. That is, any packet that matches the access list causes an informational logging message about the packet to be sent to the console. The level of messages logged to the console is controlled by the logging console command in global configuration mode.
Note |
ACL logging isn’t supported for ingress MPLS packets. |
The first packet that triggers the access list causes an immediate logging message, and subsequent packets are collected over 5-minute intervals before they are displayed or logged.
However, you can use the { ipv4 | ipv6 } access-list log-update threshold command to set the number of packets that, when they match an access list (and are permitted or denied), cause the system to generate a log message. You might do this to receive log messages more frequently than at 5-minute intervals.
 Caution |
If you set the update-number argument to 1, a log message is sent right away, rather than caching it; every packet that matches an access list causes a log message. A setting of 1 isn’t recommended because the volume of log messages could overwhelm the system. |
Even if you use the { ipv4 | ipv6} access-list log-update threshold command, the 5-minute timer remains in effect, so each cache is emptied at the end of 5 minutes, regardless of the number of messages in each cache. Regardless of when the log message is sent, the cache is flushed and the count reset to 0 for that message the same way it’s when a threshold isn’t specified.
Note |
The logging facility might drop some logging message packets if there are too many to be handled or if more than one logging message is handled in 1 second. This behavior prevents the router from using excessive CPU cycles because of too many logging packets. Therefore, the logging facility shouldn’t be used as a billing tool or as an accurate source of the number of matches to an access list. |
This section shows you how to enable the ACE of an ACL to log informational messages when it matches incoming packets, using the optional keyword log . The router supports this feature only for IPv4 or IPv6 ingress ACLs. The logging message includes the access list number, whether the packet was permitted or denied, the source IP address of the packet, and the number of packets from that source permitted or denied in the prior 5-minute interval.
Router#configure
Router(config)#ipv4 access-list test
Router(config-ipv4-acl)#10 permit udp 10.85.1.0 255.255.255.0 log
Router(config-ipv4-acl)#exit
Router(config)# interface FortyGigE0/0/0/22
Router(config-if)# ipv4 access-group test ingress
Router(config-if)# commitNote |
Set log-level to informational or higher with the logging console command, so that the router displays the ACL log-messages on the console. For more information on log-levels, see section Syslog Message Severity Levels in the Implementing System Logging chapter of the System Monitoring Configuration Guide. |
The following snippet shows a sample log message:
Router: ipv4_acl_mgr[350]: %ACL-IPV4_ACL-6-IPACCESSLOGP : access-list test (10) permit udp
10.85.1.2(0) -> 10.0.0.1(0), 1 packet In earlier releases, the non-fragmented packets and the initial fragments of a packet were processed by IP extended access lists (if you apply this access list), but non-initial fragments were permitted, by default. However, now, the IP Extended Access Lists with Fragment Control feature allows more granularity of control over non-initial fragments of a packet. Using this feature, you can specify whether the system examines non-initial IP fragments of packets when applying an IP extended access list.
As non-initial fragments contain only Layer 3 information, these access-list entries containing only Layer 3 information, can now be applied to non-initial fragments also. The fragment has all the information the system requires to filter, so the access-list entry is applied to the fragments of a packet.
This feature adds the optional fragments keyword to the following IP access list commands: deny (IPv4), permit (IPv4) , deny (IPv6) , permit (IPv6). By specifying the fragments keyword in an access-list entry, that particular access-list entry applies only to non-initial fragments of packets; the fragment is either permitted or denied accordingly.
The behavior of access-list entries regarding the presence or absence of the fragments keyword can be summarized as follows:
|
If the Access-List Entry has... |
Then... |
||
|---|---|---|---|
|
...no fragments keyword and all of the access-list entry information matches |
For an access-list entry containing only Layer 3 information:
For an access-list entry containing Layer 3 and Layer 4 information:
|
||
|
...the fragments keyword and all of the access-list entry information matches |
The access-list entry is applied only to non-initial fragments.
|
You should not add the fragments keyword to every access-list entry, because the first fragment of the IP packet is considered a non-fragment and is treated independently of the subsequent fragments. Because an initial fragment will not match an access list permit or deny entry that contains the fragments keyword, the packet is compared to the next access list entry until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword, and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent fragments. In the cases where there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access-list entry with the fragments keyword for that host is all that has to be added. Thus all the fragments of a packet are handled in the same manner by the access list.
Packet fragments of IP datagrams are considered individual packets and each fragment counts individually as a packet in access-list accounting and access-list violation counts.
Note |
The fragments keyword cannot solve all cases involving access lists and IP fragments. |
Note |
Within the scope of ACL processing, Layer 3 information refers to fields located within the IPv4 header; for example, source, destination, protocol. Layer 4 information refers to other data contained beyond the IPv4 header; for example, source and destination ports for TCP or UDP, flags for TCP, type and code for ICMP. |
Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list had entries that match on Layer 4 through Layer 7 information. It is possible that noninitial fragments pass the access list and are policy routed, even if the first fragment was not policy routed or the reverse.
By using the fragments keyword in access-list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made and it is more likely policy routing will occur as intended.
You can include comments (remarks) about entries in any named IP access list using the remark access list configuration command. The remarks make the access list easier for the network administrator to understand and scan. Each remark line is limited to 255 characters.
The remark can go before or after a permit or deny statement. You should be consistent about where you put the remark so it is clear which remark describes which permit or deny statement. For example, it would be confusing to have some remarks before the associated permit or deny statements and some remarks after the associated statements. Remarks can be sequenced.
Remember to apply the access list to an interface or terminal line after the access list is created. See the“Applying Access Lists” section for more information.
In Cisco IOS XR software, ACL counters are maintained both in hardware and software. Hardware counters are used for packet filtering applications such as when an access group is applied on an interface. Software counters are used by all the applications mainly involving software packet processing.
Packet filtering makes use of 64-bit hardware counters per ACE. If the same access group is applied on interfaces that are on the same line card in a given direction, the hardware counters for the ACL are shared between two interfaces.
To display the hardware counters for a given access group, use the show access-lists ipv4 [access-list-name hardware {ingress | egress} [interface type interface-path-id] {location node-id}] command in EXEC mode.
To clear the hardware counters, use the clear access-list ipv4 access-list-name [hardware {ingress | egress} [interface type interface-path-id] {location node-id}] command in EXEC mode.
Hardware counting is not enabled by default for IPv4 ACLs because of a small performance penalty. To enable hardware counting, use the ipv4 access-group access-list-name {ingress | egress} [hardware-count] command in interface configuration mode. This command can be used as desired, and counting is enabled only on the specified interface.
Note |
Hardware counters are enabled by default on 100Gigabit ethernet interfaces, Cisco ASR 9000 Ethernet line cards, and Cisco ASR 9000 Enhanced Ethernet line cards. |
Software counters are updated for the packets processed in software, for example, exception packets punted to the LC CPU for processing, or ACL used by routing protocols, and so on. The counters that are maintained are an aggregate of all the software applications using that ACL. To display software-only ACL counters, use the show access-lists ipv4 access-list-name [sequence number] command in EXEC mode.
All the above information is true for IPv6, except that hardware counting is always enabled; there is no hardware-count option in the IPv6 access-group command-line interface (CLI).
Prefix lists can be used as an alternative to access lists in many BGP route filtering commands. The advantages of using prefix lists are as follows:
Significant performance improvement in loading and route lookup of large lists.
Incremental updates are supported.
More user friendly CLI. The CLI for using access lists to filter BGP updates is difficult to understand and use because it uses the packet filtering format.
Greater flexibility.
Before using a prefix list in a command, you must set up a prefix list, and you may want to assign sequence numbers to the entries in the prefix list.
Filtering by prefix list involves matching the prefixes of routes with those listed in the prefix list. When there is a match, the route is used. More specifically, whether a prefix is permitted or denied is based upon the following rules:
An empty prefix list permits all prefixes.
An implicit deny is assumed if a given prefix does not match any entries of a prefix list.
When multiple entries of a prefix list match a given prefix, the longest, most specific match is chosen.
Sequence numbers are generated automatically unless you disable this automatic generation. If you disable the automatic generation of sequence numbers, you must specify the sequence number for each entry using the sequence-number argument of the permit and deny commands in either IPv4 or IPv6 prefix list configuration command. Use the no form of the permit or deny command with the sequence-number argument to remove a prefix-list entry.
The show commands include the sequence numbers in their output.
To implement access lists and prefix lists, you must understand the following concepts:
Converged networks carry voice, video and data. Users may need to route certain traffic through specific paths instead of using the paths computed by routing protocols. This is achieved by specifying the next-hop address in ACL configurations, so that the configured next-hop address from ACL is used for fowarding packet towards its destination instead of routing packet-based destination address lookup. This feature of using next-hop in ACL configurations for forwarding is called ACL Based Forwarding (ABF).
ACL-based forwarding enables you to choose service from multiple providers for broadcast TV over IP, IP telephony, data, and so on, which provides a cafeteria-like access to the Internet. Service providers can divert user traffic to various content providers.
The ABF feature can be configured along with object groups while defining an ACEs (Access Control Entry).
To provide flexibility to the user in selecting the suitable next hop, the ABF functionality is enhanced to interact with object-tracking (OT), which impacts:
Tracking prefix in CEF
Tracking the line-state protocol
IPSLA (IP Service Level Agreement)
The IPv6 ACL based forwarding (ABF) object tracking feature enables ABF to decide which next hop address to use, based on the state of the object being tracked for the next hop. IPv6 SLA echos are used to determine reachability to the next hop address. If the primary route is unreachable, the secondary route is used to forward traffic. IPv6 ABF object tracking is supported on ASR 9000 Enhanced Ethernet line cards only.
For information about the object command which is used to configure an object for tracking, see the System Management Command Reference for Cisco ASR 9000 Series Routers.
The OT-module interacts with the IPSLA-module to get reachability information. With IPSLA, the routers perform periodic measurements
You can configure an access control list to filter packets by the packet length at an ingress or egress interface. Depending on whether a packet matches the packet-length condition in a permit or deny statement, the packet is either processed or dropped respectively at the interface.
The ACL packet length match condition can be configured in simple or scaled ACLs in IPv4 or IPv6 networks.
To learn about the various packet-length options, see the Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Command Reference.
Note |
ACLs with packet length filtering are supported in both IPv4 and IPv6 networks only on Cisco ASR 9000 High Density 100GE Ethernet line cards. The following limitations must be noted:
|
In Cisco IOS XR software, ACL counters are maintained both in hardware and software. Hardware counters are used for packet filtering applications such as when an access group is applied on an interface. Software counters are used by all the applications mainly involving software packet processing.
Packet filtering makes use of 64-bit hardware counters per ACE. If the same access group is applied on interfaces that are on the same line card in a given direction, the hardware counters for the ACL are shared between two interfaces.
To display the hardware counters for a given access group, use the show access-lists ipv4 [access-list-name hardware {ingress | egress} [interface type interface-path-id] {location node-id}] command in EXEC mode.
To clear the hardware counters, use the clear access-list ipv4 access-list-name [hardware {ingress | egress} [interface type interface-path-id] {location node-id}] command in EXEC mode.
Hardware counting is not enabled by default for IPv4 ACLs because of a small performance penalty. To enable hardware counting, use the ipv4 access-group access-list-name {ingress | egress} [hardware-count] command in interface configuration mode. This command can be used as desired, and counting is enabled only on the specified interface.
Note |
Hardware counters are enabled by default on 100Gigabit ethernet interfaces, Cisco ASR 9000 Ethernet line cards, and Cisco ASR 9000 Enhanced Ethernet line cards. |
Software counters are updated for the packets processed in software, for example, exception packets punted to the LC CPU for processing, or ACL used by routing protocols, and so on. The counters that are maintained are an aggregate of all the software applications using that ACL. To display software-only ACL counters, use the show access-lists ipv4 access-list-name [sequence number] command in EXEC mode.
All the above information is true for IPv6, except that hardware counting is always enabled; there is no hardware-count option in the IPv6 access-group command-line interface (CLI).
The ACL statistics counter feature allows you to track the count of packets that a router either permits or denies. A router permits or denies packets based on the ACL rules that you configure on a router interface. By default, the ACL statistics counter allows you to track only the the count of packets denied. By configuring the command, hw-module profile stats acl-permit , you can also track the count of packets that are permitted. Routers use this knowledge of the count of packets for ACL-based traffic mirroring. Support for ACL permit counters also allows you to track the ACE through which a router permits a packet.
ACL-based forwarding (ABF) is not supported on a router after you configure the hw-module profile stats acl-permit command on that router.
After you configure the hw-module profile stats acl-permit command on the router, based on the requirement, you must reload the router or the line cards. Configuring of the command followed by reloading the router or line cards enables the tracking of the permitted packet count on the router or line cards.
To enable the tracking of the permitted packet count based on the ACL rules, use the following steps:
Enter global configuration mode and configure an ACL.
Router# configure
Router(config)# ipv4 access-list TEST
Router(config-ipv4-acl)# 10 permit ipv4 any any
Router(config-ipv4-acl)# 20 deny udp any any
Router(config-ipv4-acl)# commit
Router(config)# exitEnter interface configuration mode and attach the configured ACL on an interface.
Router(config)# interface HundredGigE 0/0/0/0
Router(config-if)# ipv4 access-group TEST ingress
Router(config-if)# commit
Router(config-if)# exitEnable the tracking of the permitted packet count.
Router(config)# hw-module profile stats acl-permit
Router(config)# commitBased on the requirement, reload the router or line cards.
Router# reload location 0/0/CPU0Running Configuration.
Router# show running-configuration
ipv4 access-list TEST
10 permit ipv4 any any
20 deny udp any any
!
interface HundredGigE 0/0/0/0
ipv4 access-group TEST ingress
!
hw-module profile stats acl-permit
endVerification.
Use the show access-lists ipv4 acl-name hardware ingress location node-id command to verify that you have enabled or disabled the tracking of the permitted packet count.
Router# show access-lists ipv4 TEST hardware ingress location 0/0/CPU0
ipv4 access-list test-v4-ttl
10 permit ipv4 any any ttl eq 100
20 deny ipv4 any any ttl eq 200 (44043 matches)
Router# configure
Router(config)# hw-module profile stats acl-permit
In order to activate/deactivate this stats profile, you must manually reload the chassis/all line cards
Router(config)# commit
Router# reload location 0/0/CPU0
Router# show access-lists ipv4 TEST hardware ingress location 0/0/CPU0
ipv4 access-list test-v4-ttl
10 permit ipv4 any any ttl eq 100 (346318 matches)
20 deny ipv4 any any ttl eq 200 (44043 matches)Apart from viewing the access control list counters using commands, you can also get the ACL counter information using SNMP. When the router receives an SNMP request for ACE counters, the router responds by sending the packet count that matches each access control entry along with the byte count to the SNMP server.
You can use the counter counter-name command to aggregate several ACEs into a single counter.
Hardware counters for interface ACLs applied with the interface-statistics command.
Hardware ACL statistics on GigabitEthernet, TenGigabitEthernet, HundredGigabitEthernet, Bundle Ethernet interfaces, and subinterfaces.
ACE label counter statistics.
Software counters.
Counter names cannot be configured on ABF ACLs.
Common ACLs. If an interface has both common ACL and interface ACL, statistics pertaining to ACEs from the common ACL are not returned.
Hardware statistics for subscriber interfaces.
Hardware statistics for ACEs with the same counter name.
Only Cisco ASR 9000 Enhanced Ethernet Line Cards support this feature. We recommend that you do not enable more than 50 unique counters in an ACL.
IPv6 ACL support is available on the Cisco ASR 9000 SIP 700 linecard and the ASR 9000 Ethernet linecards. The relevant scale is:
ACL enabled interfaces - 1000 (500 in each direction); for ASR 9000 Ethernet linecards- 4000
Unique ACLs - 512 (with 5 ACEs each); for ASR 9000 Ethernet linecards- 2000
Maximum ACEs per ACL - 8000 (for ASR 9000 Ethernet lincards, ACEs could be 16000, 8000, 4000- based on the LC model)
IPv6 ACL log will also be supported.
This section contains the following procedures:
This task configures an extended IPv4 or IPv6 access list.
| Command or Action | Purpose | |||||
|---|---|---|---|---|---|---|
|
Step 1 |
configure |
|||||
|
Step 2 |
{ipv4 | ipv6} access-list name Example:or |
Enters either IPv4 or IPv6 access list configuration mode and configures the named access list. |
||||
|
Step 3 |
[ sequence-number ] remark remark Example: |
(Optional) Allows you to comment about a permit or deny statement in a named access list.
|
||||
|
Step 4 |
Do one of the following:
Example:or |
Specifies one or more conditions allowed or denied in IPv4 access list acl_1.
or Specifies one or more conditions allowed or denied in IPv6 access list acl_2.
|
||||
|
Step 5 |
Repeat Step 4 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry. |
Allows you to revise an access list. |
||||
|
Step 6 |
commit |
|||||
|
Step 7 |
show access-lists {ipv4 | ipv6} [access-list-name hardware {ingress | egress} [interface type interface-path-id] {sequence number | location node-id} | summary [access-list-name] | access-list-name [sequence-number] | maximum [detail] [usage {pfilter location node-id}]] Example: |
(Optional) Displays the contents of current IPv4 or IPv6 access lists.
|
After creating an access list, you must apply it to a line or interface. See the Applying Access Lists section for information about how to apply an access list.
ACL commit fails while adding and removing unique Access List Entries (ACE). This happens due to the absence of an assigned manager process. The user has to exit the config-ipv4-acl mode to configuration mode and re-enter the config-ipv4-acl mode before adding the first ACE.
After you create an access list, you must reference the access list to make it work. Access lists can be applied on either outbound or inbound interfaces. This section describes guidelines on how to accomplish this task for both terminal lines and network interfaces.
Set identical restrictions on all the virtual terminal lines, because a user can attempt to connect to any of them.
For inbound access lists, after receiving a packet, Cisco IOS XR software checks the source address of the packet against the access list. If the access list permits the address, the software continues to process the packet. If the access list rejects the address, the software discards the packet and returns an ICMP host unreachable message. The ICMP message is configurable.
For outbound access lists, after receiving and routing a packet to a controlled interface, the software checks the source address of the packet against the access list. If the access list permits the address, the software sends the packet. If the access list rejects the address, the software discards the packet and returns an ICMP host unreachable message.
When you apply an access list that has not yet been defined to an interface, the software acts as if the access list has not been applied to the interface and accepts all packets. Note this behavior if you use undefined access lists as a means of security in your network.
This task applies an access list to an interface to restrict access to that interface.
Access lists can be applied on either outbound or inbound interfaces.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure |
|
|
Step 2 |
interface type interface-path-id Example: |
Configures an interface and enters interface configuration mode.
|
|
Step 3 |
Do one of the following:
Example: |
Controls access to an interface.
This example applies filters on packets inbound and outbound from GigabitEthernet interface 0/2/0/2. |
|
Step 4 |
commit |
This task applies an access list to a line to control access to that line.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure |
|
|
Step 2 |
line {aux | console | default | template template-name} Example: |
Specifies either the auxiliary, console, default, or a user-defined line template and enters line template configuration mode.
|
|
Step 3 |
access-class list-name{ingress | egress} Example: |
Restricts incoming and outgoing connections using an IPv4 or IPv6 access list.
|
|
Step 4 |
commit |
This task configures an IPv4 or IPv6 prefix list.
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
Step 1 |
configure |
|||
|
Step 2 |
{ipv4 | ipv6} prefix-list name Example:or |
Enters either IPv4 or IPv6 prefix list configuration mode and configures the named prefix list.
|
||
|
Step 3 |
[ sequence-number ] remark remark Example: |
(Optional) Allows you to comment about the following permit or deny statement in a named prefix list.
|
||
|
Step 4 |
[ sequence-number] {permit | deny} network/length [ge value] [le value] [eq value] Example: |
Specifies one or more conditions allowed or denied in the named prefix list.
|
||
|
Step 5 |
Repeat Step 4 as necessary. Use the no sequence-number command to delete an entry. |
Allows you to revise a prefix list. |
||
|
Step 6 |
commit |
|||
|
Step 7 |
Do one of the following:
Example:or |
(Optional) Displays the contents of current IPv4 or IPv6 prefix lists.
|
||
|
Step 8 |
clear {ipv4 | ipv6} prefix-list name [sequence-number] Example: |
(Optional) Clears the hit count on an IPv4 or IPv6 prefix list.
|
This task configures a standard IPv4 access list.
Standard access lists use source addresses for matching operations.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure |
|
|
Step 2 |
ipv4 access-list name Example: |
Enters IPv4 access list configuration mode and configures access list acl_1. |
|
Step 3 |
[ sequence-number ] remark remark Example: |
(Optional) Allows you to comment about the following permit or deny statement in a named access list.
|
|
Step 4 |
[ sequence-number ] {permit | deny} source [source-wildcard] [log | log-input] Example:or |
Specifies one or more conditions allowed or denied, which determines whether the packet is passed or dropped.
|
|
Step 5 |
Repeat Step 4 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry. |
Allows you to revise an access list. |
|
Step 6 |
commit |
|
|
Step 7 |
show access-lists [ipv4 | ipv6] [access-list-name hardware {ingress | egress} [interface type interface-path-id] {sequence number | location node-id} | summary [access-list-name] | access-list-name [sequence-number] | maximum [detail] [usage {pfilter location node-id}]] Example: |
(Optional) Displays the contents of the named IPv4 access list.
|
After creating a standard access list, you must apply it to a line or interface. See the Applying Access Lists” section for information about how to apply an access list.
This task copies an IPv4 or IPv6 access list.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
copy access-list {ipv4 | ipv6}source-acl destination-acl Example: |
Creates a copy of an existing IPv4 or IPv6 access list.
|
|
Step 2 |
show access-lists {ipv4 | ipv6}[access-list-name hardware {ingress | egress} [interface type interface-path-id] {sequence number | location node-id} | summary [access-list-name] | access-list-name [sequence-number] | maximum [detail] [usage {pfilter location node-id}]] Example: |
(Optional) Displays the contents of a named IPv4 or IPv6 access list. For example, you can verify the output to see that the destination access list list-2 contains all the information from the source access list list-1. |
This task shows how to assign sequence numbers to entries in a named access list and how to add or delete an entry to or from an access list. It is assumed that a user wants to revise an access list. Resequencing an access list is optional.
Note |
When an ACL is configured under an interface and its resequenced and rolled back, the interface experiences traffic loss for a short period of time. |
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
Step 1 |
resequence access-list {ipv4 | ipv6} name [base [increment]] Example: |
(Optional) Resequences the specified IPv4 or IPv6 access list using the starting sequence number and the increment of sequence numbers.
|
||
|
Step 2 |
configure |
|||
|
Step 3 |
{ipv4 | ipv6} access-list name Example:or |
Enters either IPv4 or IPv6 access list configuration mode and configures the named access list. |
||
|
Step 4 |
Do one of the following:
Example:or |
Specifies one or more conditions allowed or denied in IPv4 access list acl_1.
or Specifies one or more conditions allowed or denied in IPv6 access list acl_2.
|
||
|
Step 5 |
Repeat Step 4 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry. |
Allows you to revise the access list. |
||
|
Step 6 |
commit |
|||
|
Step 7 |
show access-lists [ipv4 | ipv6] [access-list-name hardware {ingress | egress} [interface type interface-path-id] {sequence number | location node-id} | summary [access-list-name] | access-list-name [sequence-number] | maximum [detail] [usage {pfilter location node-id}]] Example: |
(Optional) Displays the contents of a named IPv4 or IPv6 access list.
|
If your access list is not already applied to an interface or line or otherwise referenced, apply the access list. See the “Applying Access Lists” section for information about how to apply an access list.
This task copies an IPv4 or IPv6 prefix list.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
copy prefix-list {ipv4 | ipv6} source-name destination-name Example: |
Creates a copy of an existing IPv4 or IPv6 prefix list.
|
|
Step 2 |
Do one of the following:
Example: |
(Optional) Displays the contents of current IPv4 or IPv6 prefix lists.
|
This task shows how to assign sequence numbers to entries in a named prefix list and how to add or delete an entry to or from a prefix list. It is assumed a user wants to revise a prefix list. Resequencing a prefix list is optional.
Note |
Resequencing IPv6 prefix lists is not supported. |
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
resequence prefix-list ipv4 name [base [increment]] Example: |
(Optional) Resequences the named IPv4 prefix list using the starting sequence number and the increment of sequence numbers.
|
|
Step 2 |
configure |
|
|
Step 3 |
{ipv4 | ipv6} prefix-list name Example: |
Enters either IPv4 or IPv6 prefix list configuration mode and configures the named prefix list. |
|
Step 4 |
[ sequence-number ] {permit | deny} network/length [ge value] [le value] [eq value] Example: |
Specifies one or more conditions allowed or denied in the named prefix list. |
|
Step 5 |
Repeat Step 4 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry. |
Allows you to revise the prefix list. |
|
Step 6 |
commit |
|
|
Step 7 |
Do one of the following:
Example: |
(Optional) Displays the contents of current IPv4 or IPv6 prefix lists.
|
This section contains the following procedures:
Perform this task to configure ACL-based forwarding with security ACL.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure |
|
|
Step 2 |
ipv4 access-list name Example: |
Enters IPv4 access list configuration mode and configures the specified access list. |
|
Step 3 |
[ sequence-number ] permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [[default] nexthop1 [ipv4 ipv4-address1] nexthop2[ipv4 ipv4-address2] nexthop3[ipv4 ipv4-address3]] [dscp dscp] [fragments] [log | log-input] [[track track-name] [ttl ttl [value1 ... value2]] Example: |
Sets the conditions for an IPv4 access list. The configuration example shows how to configure ACL-based forwarding with security ACL.
|
|
Step 4 |
commit |
|
|
Step 5 |
show access-list ipv4 [[access-list-name hardware {ingress | egress} [interface type interface-path-id] {sequence number | location node-id} | summary [access-list-name] | access-list-name [sequence-number] | maximum [detail] [usage {pfilter location node-id}]] Example: |
Displays the information for ACL software. |
In this section, the following procedures are discussed:
Note |
When a large number of IPSLA instances need to be configured, it's more convenient to create a configuration file with all the configurations and then load the configuration file. The configuration statements in the configuration file should be properly indented including the exit statements, otherwise the configuration won't work when loading the configuration file. |
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure Example: |
Enters global configuration mode. |
|
Step 2 |
track track-name Example: |
Enters track configuration mode. |
|
Step 3 |
commit |
There are different mechanisms to track the availability of the next-hop device. The tracking type can be of four types, using:
line protocol
list
route
IPSLA
Line protocol is one of the object types the object tracker component can track. This object type provides an option for tracking state change notification from an interface. Based on the interface state change notification, it decides whether the track state should be UP or DOWN.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure Example: |
Enters global configuration mode. |
|
Step 2 |
track track-name Example: |
Enters track configuration mode. |
|
Step 3 |
type line-protocol state interface type interface-path-id Example: |
Sets the interface which needs to be tracked for state change notifications. |
|
Step 4 |
commit |
List is a boolen object type. Boolean refers to the capability of performing a boolean AND or boolean OR operation on combinations of different object types supported by object tracker.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure Example: |
Enters global configuration mode. |
|
Step 2 |
track track-name Example: |
Enters track configuration mode. |
|
Step 3 |
type list boolean and Example: |
Sets the list of track objects on which boolean AND or boolean OR operations could be performed. |
|
Step 4 |
commit |
Route is a route object type. The object tracker tracks the fib notification to determine the route reachability and the track state.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure Example: |
Enters global configuration mode. |
|
Step 2 |
track track-name Example: |
Enters track configuration mode. |
|
Step 3 |
type route reachability Example: |
Sets the route on which reachability state needs to be learnt dynamically. |
|
Step 4 |
commit |
IPSLA is an ipsla object type. The object tracker tracks the return code of ipsla operation to determine the track state changes.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure Example: |
Enters global configuration mode. |
|
Step 2 |
track track-name Example: |
Enters track configuration mode. |
|
Step 3 |
type rtr ipsla operation id reachability Example: |
Sets the ipsla operation id which needs to be tracked for reachability. |
|
Step 4 |
commit |
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure |
|
|
Step 2 |
{ipv6 } access-list name Example: |
Enters IPv6 access list configuration mode and configures the specified access list. |
|
Step 3 |
[ sequence-number ] permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [dscp dscp] [fragments] [log | log-input]] [ttl ttl value [value1 ... value2]][default] nexthop1 [track track-name-1] [ vrf vrf-name1 ][ipv6 ipv6-address1] [ nexthop2 [track track-name-2] [ vrf vrf-name2 ] [ipv6 ipv6-address2 ] [ nexthop3 [ track track-name-3] [ vrf vrf-name3 ] [ipv6ipv6-address3 ]]] Example: |
Sets the conditions for an IPv6 access list. The configuration example shows how to configure pure ACL-based forwarding for ACL.
|
|
Step 4 |
commit |
ACL-Chaining also known as Multi-ACL enables customers to apply two IPv4 or IPv6 (common and interface) ACLs on an interface for packet filtering at the router. One ACL is common across multiple interfaces on the line card. This provides Ternary Content Addressable Memory(TCAM)/HW scalability. This feature is supported on A9K-SIP-700 Line Card and ASR 9000 Enhanced Ethernet Line Card only.
Currently, the packet filter process (pfilter_ea) supports only one ACL to be applied per direction and per protocol on an interface. This leads to manageability issues if there are common ACL entries needed on most interfaces. Duplicate ACEs are configured for all those interfaces, and any modification to the common ACEs needs to be performed for all ACLs.
A typical ACL on the edge box for an ISP has two sets of ACEs:
common ISP specific ACEs (ISP protected address block)
customer/interface specific ACEs (Customer source address block)
The purpose of these address blocks is to deny access to ISP’s protected infrastructure networks and anti-spoofing protection by allowing only customer source address blocks. This results in configuring unique ACL per interface and most of the ACEs being common across all the ACLs on a box. ACL provisioning and modification is very cumbersome. Any changes to the ACE impacts every customer interface. (This also wastes the HW/TCAM resources as the common ACEs are being replicated in all ACLs).
The ACL chaining feature also known as Multi-ACL allows you to configure more than one ACL that can be applied to a single interface. The goal is to separate various types of ACLs for management, and also allow you to apply both of them on the same interface, in a defined order.
The following restrictions apply while implementing Common ACL:
Common ACL is supported in only ingress direction and for L3 interfaces only.
The interface-statistics option is not available for common ACLs.
The hardware-count option is available for only IPv4 ACLs.
Only one common IPv4 and IPv6 ACL is supported on each line card.
The common ACL option is not available for Ethernet Service (ES) ACLs.
The IPv4 and IPv6 common ACL is limited to 200 Ternary Content Addressable Memory(TCAM) entries for the ASR 9000 Enhanced Ethernet line card and A9K-SIP-700 line card. Although, A9K-SIP-700 line card may support more.
Common ACL is not supported on ASR 9000 Ethernet Line Card and ASR 9000 Enhanced Ethernet-TR Line Card.
You can specify only common ACL or only interface ACL or both common and interface ACL in this command.
The compress option is not supported for common ACLs.
Object-groups are not supported with common ACLs.
The interface-statistics and hardware-count options are not supported for ACLs on the A9K-SIP-700 line card.
Perform this task to configure the interface to accept a common ACL along with the interface specific ACL:
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
Step 1 |
configure |
|||
|
Step 2 |
interface type interface-path-id Example: |
This command configures an interface (in this case a TenGigabitEThernet interface) and enters the interface configuration mode. |
||
|
Step 3 |
{ ipv4 | ipv6 } access-group { common access-list-name { [ access-list-name ingress [ interface-statistics ] ] | ingress } | access-list-name { ingress | egress } [ interface-statistics ] } [ hardware-count ] Example: |
Configures the interface to accept a common ACL along with the interface specific ACL.
|
||
|
Step 4 |
commit |
You can configure an interface on Cisco ASR 9000 High Density 100GE Ethernet line cards (such as A9K-8x100G-LB-SE and A9K-8x100G-LB-TR) to accept up to five IPv4 and/or IPv6 ACLs. This feature extends the ACL chaining from two ACLs to a maximum of five ACLs on Cisco ASR 9000 High Density 100GE Ethernet line cards only.
The following restrictions apply while configuring multiple ACLs on Cisco ASR 9000 High Density 100GE Ethernet line cards:
Multi-level ACL is supported only in the ingress direction and for L3 interfaces only.
The multi-level ACL feature is not available for Ethernet Service (ES) ACLs.
ACLs with obj-groups are not supported.
Compression is not supported.
Access List Based Forwarding (ABF) enabled rules for ACLs are not supported.
An ACL already applied in per-ace mode cannot be applied elsewhere in interface-stats mode.
Accessing the ACL counters using SNMP query is not supported.
Perform this task to configure an interface on Cisco ASR 9000 High Density 100GE Ethernet line cards to accept up to five IPv4 and/or IPv6 ACLs:
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure |
|
|
Step 2 |
interface type interface-path-id Example: |
This command configures an interface (in this case a GigabitEthernet interface) and enters the interface configuration mode. |
|
Step 3 |
[ ipv4 | ipv6 ] access-group common acl-c1 common acl-c2 acl-i2 acl-i4 acl-i5 ingress Example: |
Configures the interface to accept five ACLs in the inbound direction. There can be any combination of common and/or interface ACLs up to a total of five ACLs. In this command:
|
|
Step 4 |
commit |
The Access Control List (ACL) Scale enhancements feature enables you to define ACL rules as a set of several rules (super-set of ACEs (Access Control Entry)). This is achieved with object-groups of prefixes and ports, which are referred by ACE in the same way as single source address or destination address prefix and ports are referred.
Note |
The ACL Scale enhancements feature is not supported on first generation ASR 9000 Ethernet Line Card. |
With the support of object-groups, configuring ACE in the existing way in which one ACE entry uses object groups, while another ACE entry does not use object groups is supported.
Note |
From Release 4.3.1, object group is only supported on ASR 9000 Enhanced Ethernet Line Card. |
ipv4 access-list acl1
10 permit tcp net-group group1 host 10.10.10.1 eq 2200
20 permit tcp 10.10.10.3/32 host 1.1.1.2 eq 2000
!
It is possible that a user configures a host or prefix in an ACE entry, where the same host or prefix is added to an existing source group, eliminating the need to configure a separate ACE entry. However, such an optimization is not automated. A user could intentionally configure a particular prefix in a separate ACE for the purpose of separate counter or accounting for that prefix.
The object-groups can be configured along with ABF while defining an ACEs (Access Control Entry).
Perform this task to configure a network object group and to enter the network object group configuration mode.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure |
|
|
Step 2 |
object-group network { ipv4 | ipv6 } object-group-name Example: |
Configures a network object group and enters the network object group configuration mode. |
|
Step 3 |
description description Example: |
Describes the object group. |
|
Step 4 |
host address Example: |
Configures the host IPv4 address for the object group. |
|
Step 5 |
address { mask | prefix } Example: |
Configures the host address mask or prefix. |
|
Step 6 |
range address address Example: |
Configures the range of host IPv4 address for the object group. |
|
Step 7 |
object-group name Example: |
Specifies the name of the nested object group. |
|
Step 8 |
commit |
Perform this task to configure a port object group and to enter the port object group configuration mode.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure |
|
|
Step 2 |
object-group port object-group-name Example: |
Configures a port object group and enters the port object group configuration mode. |
|
Step 3 |
description description Example: |
Configures the description for the object group. |
|
Step 4 |
{ eq | lt | gt }{ protocol | number } Example: |
Matches packets on ports equal to, less than, or greater than the specified port number or protocol. |
|
Step 5 |
range range range Example: |
Configures the range of host ports for the object group. |
|
Step 6 |
object-group name Example: |
Specifies the name of the nested object group. |
|
Step 7 |
commit |
You must be aware of the following information that apply to object-group ACLs:
You can configure ACLs that contain both conventional and object-group ACEs.
You can modify the objects in an object group dynamically without redefining the object group or the ACE that references the object group.
You can configure an object-group ACL multiple times with a source group, or a destination group, or both source and destination groups.
The command show access-lists access-list-name hardware ingress detail location location displays compressed output for source and destination IP addresses when the detail keyword is used while attaching ACLs to interfaces.
Configuring object-group ACLs involves the following restrictions:
Compression level 0 is the default compression mode for object-group ACLs.
Object-group ACLs can only be configured on an interface. They cannot be used or referenced by applications like SSH, SNMP, NTP.
Compression is not supported on L2 interfaces.
To delete an object-group, you must first delete it from all ACLs.
Compression requires only internal TCAM lookups for both compression mode 0 and compression mode 3.
When object-groups ACLs are edited, it leads to a full replacement of the old ACL with the edited ACL. Therefore, the TCAM should have enough space to support the old ACL and the edited ACL until the edited ACL configuration is committed and the old ACL is deleted.
Compression is supported on Cisco ASR 9000 4th Generation QSFP28 based dense 100GE line cards. You can configure only one compression mode per protocol on a line card.
Compression is supported only on IPv4 and IPv6 protocols.
You cannot configure object-group ACLs along with QoS policies.
Object-group ACLs are not supported in any policy based configuration.
Perform this task to configure ACL with object groups.
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
Step 1 |
configure |
|||
|
Step 2 |
{ ipv4 | ipv6 } access-list name Example: |
Configures the specified access list, and enters IPv4 or IPv6 access list configuration mode. |
||
|
Step 3 |
[ sequence-number ] permit protocol net-group source-net-object-group-name port-group source-port-object-group-name net-group destination-net-object-group-name port-group destination-port-object-group-name [precedence precedence] [[default] nexthop1 [ vrf vrf-name ][ipv4 ipv4-address1] nexthop2[ vrf vrf-name ][ipv4 ipv4-address2] nexthop3[ vrf vrf-name ][ipv4 ipv4-address3]] [dscp range dscp dscp] [fragments] [packet-length operator packet-length value] [log | log-input] [[track track-name] [ttl ttl [value1 ... value2]] Example: |
|
||
|
Step 4 |
exit Example: |
Returns to global configuration mode. |
||
|
Step 5 |
interface type interface-path-id Example: |
Configures an interface and enters interface configuration mode.
|
||
|
Step 6 |
ipv4 access-group access-list-name {ingress | egress } compress level level [hardware-count] [interface-statistics] Example: |
|
||
|
Step 7 |
commit |
Atomic ACL updates involve the insertion, modification, or removal of Access List Entries (ACEs) on an interface that is in operation. Such atomic updates consume up to 50% of TCAM resources. There can be an instance where multiple modifications are required and the available resources are not sufficient. The solution to this problem is to disable atomic ACL updates such that the old ACEs are deleted before the new ACEs are added.
Note |
When you configure the atomic-disable statement in an ACL, any ACE modification detaches the ACL, until the modification is complete. In addition to this, the ACL rules are not applied during the modification process. Hence, it is recommended to configure to either permit or deny all traffic until the modification is complete. |
To disable atomic updates on the hardware, by permitting all packets, use the following configuration.
RP/0/RSP0/CPU0:router# hardware access-list atomic-disable
On disabling atomic ACL updates on the hardware, use the steps in this section to modify ACLs.
Use the following steps to add an ACE.
Locate the ACL you want to modify.
RP/0/RSP0/CPU0:router(config)# do show access-lists
...
!
ipv4 access-list list1
10 permit ipv4 10.1.1.0/24 any
20 permit ipv4 20.1.1.0/24 any
!
Add the ACE to the ACL.
RP/0/RSP0/CPU0:router(config)# ipv4 access-list list1
RP/0/RSP0/CPU0:router(config-ipv4-acl)# 30 permit ipv4 30.1.1.0/24 any
RP/0/RSP0/CPU0:router(config-ipv4-acl)# commit
Verify if your ACE was added successfully.
RP/0/RSP0/CPU0:router(config)# do show access-lists
...
!
ipv4 access-list list1
10 permit ipv4 10.1.1.0/24 any
20 permit ipv4 20.1.1.0/24 any
30 permit ipv4 30.1.1.0/24 any
!
You have successfully added an ACE.
Use the steps in this section to delete an ACE.
Locate the ACL containing the ACE that you want deleted.
RP/0/RSP0/CPU0:router(config)# do show access-lists
...
!
ipv4 access-list list1
10 permit ipv4 10.1.1.0/24 any
20 permit ipv4 20.1.1.0/24 any
30 permit ipv4 30.1.1.0/24 any
!
Delete the ACE.
RP/0/RSP0/CPU0:router(config)# ipv4 access-list list1
RP/0/RSP0/CPU0:router(config-ipv4-acl)# no 30
RP/0/RSP0/CPU0:router(config-ipv4-acl)# commit
Verify if the ACE has been removed from the ACL.
RP/0/RSP0/CPU0:router(config-ipv4-acl)# do show access-lists
...
ipv4 access-list list1
10 permit ipv4 10.1.1.0 0.0.0.255 any
20 permit ipv4 20.1.1.0 0.0.0.255 any
You have successfully deleted an ACE.
Use the steps in this section to replace an ACE.
Locate the ACL you want to modify.
RP/0/RSP0/CPU0:router(config-ipv4-acl)#do show access-lists
...
ipv4 access-list list1
10 permit ipv4 10.1.1.0 0.0.0.255 any
20 permit ipv4 20.1.1.0 0.0.0.255 anyConfigure the new ACE to replace the existing ACE.
RP/0/RSP0/CPU0:router(config)# ipv4 access-list list1
RP/0/RSP0/CPU0:router(config-ipv4-acl)# 10 permit ipv4 11.1.1.0/24 any
RP/0/RSP0/CPU0:router(config-ipv4-acl)# commitVerify if the ACE replacement is successful.
RP/0/RSP0/CPU0:router(config)# do show access-lists
...
ipv4 access-list list1
10 permit ipv4 11.1.1.0 0.0.0.255 any
20 permit ipv4 20.1.1.0 0.0.0.255 anyYou have successfully replaced an ACE.
Use the following steps to delete an ACE and add a new ACE.
Locate the ACL you want to modify.
RP/0/RSP0/CPU0:router(config)# do show access-lists
...
ipv4 access-list list1
10 permit ipv4 11.1.1.0 0.0.0.255 any
20 permit ipv4 20.1.1.0 0.0.0.255 anyDelete the required ACE, and add the new ACE.
RP/0/RSP0/CPU0:router(config)# ipv4 access-list list1
RP/0/RSP0/CPU0:router(config-ipv4-acl)# no 20
RP/0/RSP0/CPU0:router(config-ipv4-acl)# permit ipv4 12.1.1.0/24 any
RP/0/RSP0/CPU0:router(config-ipv4-acl)# commitVerify if the modification is successful.
RP/0/RSP0/CPU0:router(config)# do show access-lists
...
ipv4 access-list list1
10 permit ipv4 11.1.1.0 0.0.0.255 any
20 permit ipv4 12.1.1.0 0.0.0.255 anyYou have successfully deleted an ACE, and added a new ACE.
Similarly, you can combine the addition, removal, and replacement of ACEs.
You can configure ACL counters and access the counters using SNMP query. This section explains how to configure ACL counters for SNMP query.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure |
|
|
Step 2 |
{ipv4 | ipv6} access-list name Example:or |
Enters either IPv4 or IPv6 access list configuration mode and configures the named access list. |
|
Step 3 |
Do one of the following:
Example:or |
Specifies one or more conditions allowed or denied in IPv4 access list acl_1 or IPv6 access list acl_2. The counter counter-name keyword enables ACL counters which you can access using SNMP query. |
|
Step 4 |
Repeat Step 3 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry. |
Allows you to revise an access list. |
|
Step 5 |
commit |
|
|
Step 6 |
show access-lists {ipv4 | ipv6} [access-list-name] Example: |
(Optional) Displays the contents of current IPv4 or IPv6 access lists. |
This section provides the following configuration examples:
The following example shows access-list resequencing. The starting value in the resequenced access list is 10, and increment value is 20. The subsequent entries are ordered based on the increment values that users provide, and the range is from 1 to 2147483646.
When an entry with no sequence number is entered, by default it has a sequence number of 10 more than the last entry in the access list.
ipv4 access-list acl_1
10 permit ip host 10.3.3.3 host 172.16.5.34
20 permit icmp any any
30 permit tcp any host 10.3.3.3
40 permit ip host 10.4.4.4 any
60 permit ip host 172.16.2.2 host 10.3.3.12
70 permit ip host 10.3.3.3 any log
80 permit tcp host 10.3.3.3 host 10.1.2.2
100 permit ip any any
configure
ipv4 access-list acl_1
end
resequence ipv4 access-list acl_1 10 20
show access-lists ipv4 acl_1
10 permit ip host 10.3.3.3 host 172.16.5.34
30 permit icmp any any
50 permit tcp any host 10.3.3.3
70 permit ip host 10.4.4.4 any
90 permit ip host 172.16.2.2 host 10.3.3.12
110 permit ip host 10.3.3.3 any log
130 permit tcp host 10.3.3.3 host 10.1.2.2
150 permit ip any any
ipv4 access-list acl_1
10 permit ip host 10.3.3.3 host 172.16.5.34
20 permit icmp any any
30 permit tcp any host 10.3.3.3
40 permit ip host 10.4.4.4 any
60 permit ip host 172.16.2.2 host 10.3.3.12
70 permit ip host 10.3.3.3 any log
80 permit tcp host 10.3.3.3 host 10.1.2.2
100 permit ip any any
configure
ipv6 access-list acl_1
end
resequence ipv6 access-list acl_1 10 20
ipv4 access-list acl_1
10 permit ip host 10.3.3.3 host 172.16.5.34
30 permit icmp any any
50 permit tcp any host 10.3.3.3
70 permit ip host 10.4.4.4 any
90 Dynamic test permit ip any any
110 permit ip host 172.16.2.2 host 10.3.3.12
130 permit ip host 10.3.3.3 any log
150 permit tcp host 10.3.3.3 host 10.1.2.2
170 permit ip host 10.3.3.3 any
190 permit ip any any
In the following example, an new entry is added to IPv4 access list acl_5.
ipv4 access-list acl_5
2 permit ipv4 host 10.4.4.2 any
5 permit ipv4 host 10.0.0.44 any
10 permit ipv4 host 10.0.0.1 any
20 permit ipv4 host 10.0.0.2 any
configure
ipv4 access-list acl_5
15 permit 10.5.5.5 0.0.0.255
end
ipv4 access-list acl_5
2 permit ipv4 host 10.4.4.2 any
5 permit ipv4 host 10.0.0.44 any
10 permit ipv4 host 10.0.0.1 any
15 permit ipv4 10.5.5.5 0.0.0.255 any
20 permit ipv4 host 10.0.0.2 any
The following example shows how an entry with no specified sequence number is added to the end of an access list. When an entry is added without a sequence number, it is automatically given a sequence number that puts it at the end of the access list. Because the default increment is 10, the entry will have a sequence number 10 higher than the last entry in the existing access list.
configure
ipv4 access-list acl_10
permit 10 .1.1.1 0.0.0.255
permit 10 .2.2.2 0.0.0.255
permit 10 .3.3.3 0.0.0.255
end
ipv4 access-list acl_10
10 permit ip 10 .1.1.0 0.0.0.255 any
20 permit ip 10 .2.2.0 0.0.0.255 any
30 permit ip 10 .3.3.0 0.0.0.255 any
configure
ipv4 access-list acl_10
permit 10 .4.4.4 0.0.0.255
end
ipv4 access-list acl_10
10 permit ip 10 .1.1.0 0.0.0.255 any
20 permit ip 10 .2.2.0 0.0.0.255 any
30 permit ip 10 .3.3.0 0.0.0.255 any
40 permit ip 10 .4.4.0 0.0.0.255 any
Atomic ACL updates involve the insertion, modification, or removal of Access List Entries (ACEs) on an interface that is in operation. Such atomic updates consume up to 50% of TCAM resources. There can be an instance where multiple modifications are required and the available resources are not sufficient. The solution to this problem is to disable atomic ACL updates such that the old ACEs are deleted before the new ACEs are added.
Note |
When you configure the atomic-disable statement in an ACL, any ACE modification detaches the ACL, until the modification is complete. In addition to this, the ACL rules are not applied during the modification process. Hence, it is recommended to configure to either permit or deny all traffic until the modification is complete. |
To disable atomic updates on the hardware, by permitting all packets, use the following configuration.
RP/0/RSP0/CPU0:router# hardware access-list atomic-disable
On disabling atomic ACL updates on the hardware, use the steps in this section to modify ACLs.
Use the following steps to add an ACE.
Locate the ACL you want to modify.
RP/0/RSP0/CPU0:router(config)# do show access-lists
...
!
ipv4 access-list list1
10 permit ipv4 10.1.1.0/24 any
20 permit ipv4 20.1.1.0/24 any
!
Add the ACE to the ACL.
RP/0/RSP0/CPU0:router(config)# ipv4 access-list list1
RP/0/RSP0/CPU0:router(config-ipv4-acl)# 30 permit ipv4 30.1.1.0/24 any
RP/0/RSP0/CPU0:router(config-ipv4-acl)# commit
Verify if your ACE was added successfully.
RP/0/RSP0/CPU0:router(config)# do show access-lists
...
!
ipv4 access-list list1
10 permit ipv4 10.1.1.0/24 any
20 permit ipv4 20.1.1.0/24 any
30 permit ipv4 30.1.1.0/24 any
!
You have successfully added an ACE.
Use the steps in this section to delete an ACE.
Locate the ACL containing the ACE that you want deleted.
RP/0/RSP0/CPU0:router(config)# do show access-lists
...
!
ipv4 access-list list1
10 permit ipv4 10.1.1.0/24 any
20 permit ipv4 20.1.1.0/24 any
30 permit ipv4 30.1.1.0/24 any
!
Delete the ACE.
RP/0/RSP0/CPU0:router(config)# ipv4 access-list list1
RP/0/RSP0/CPU0:router(config-ipv4-acl)# no 30
RP/0/RSP0/CPU0:router(config-ipv4-acl)# commit
Verify if the ACE has been removed from the ACL.
RP/0/RSP0/CPU0:router(config-ipv4-acl)# do show access-lists
...
ipv4 access-list list1
10 permit ipv4 10.1.1.0 0.0.0.255 any
20 permit ipv4 20.1.1.0 0.0.0.255 any
You have successfully deleted an ACE.
Use the steps in this section to replace an ACE.
Locate the ACL you want to modify.
RP/0/RSP0/CPU0:router(config-ipv4-acl)#do show access-lists
...
ipv4 access-list list1
10 permit ipv4 10.1.1.0 0.0.0.255 any
20 permit ipv4 20.1.1.0 0.0.0.255 anyConfigure the new ACE to replace the existing ACE.
RP/0/RSP0/CPU0:router(config)# ipv4 access-list list1
RP/0/RSP0/CPU0:router(config-ipv4-acl)# 10 permit ipv4 11.1.1.0/24 any
RP/0/RSP0/CPU0:router(config-ipv4-acl)# commitVerify if the ACE replacement is successful.
RP/0/RSP0/CPU0:router(config)# do show access-lists
...
ipv4 access-list list1
10 permit ipv4 11.1.1.0 0.0.0.255 any
20 permit ipv4 20.1.1.0 0.0.0.255 anyYou have successfully replaced an ACE.
Use the following steps to delete an ACE and add a new ACE.
Locate the ACL you want to modify.
RP/0/RSP0/CPU0:router(config)# do show access-lists
...
ipv4 access-list list1
10 permit ipv4 11.1.1.0 0.0.0.255 any
20 permit ipv4 20.1.1.0 0.0.0.255 anyDelete the required ACE, and add the new ACE.
RP/0/RSP0/CPU0:router(config)# ipv4 access-list list1
RP/0/RSP0/CPU0:router(config-ipv4-acl)# no 20
RP/0/RSP0/CPU0:router(config-ipv4-acl)# permit ipv4 12.1.1.0/24 any
RP/0/RSP0/CPU0:router(config-ipv4-acl)# commitVerify if the modification is successful.
RP/0/RSP0/CPU0:router(config)# do show access-lists
...
ipv4 access-list list1
10 permit ipv4 11.1.1.0 0.0.0.255 any
20 permit ipv4 12.1.1.0 0.0.0.255 anyYou have successfully deleted an ACE, and added a new ACE.
Similarly, you can combine the addition, removal, and replacement of ACEs.
ASR 9000 Enhanced Ethernet LC:
Support on L2 and L3 interface and sub-interface
Support on bundle L2 and L3 interface and sub-interface
Support for both ingress and egress directions
ICMP code and type for IPv4/IPv6
ASR 9000 Ethernet LC:
Support on only L3 interface and sub-interface
Support on L3 bundle interface and sub-interface
Support for both ingress and egress directions
ICMP code and type for IPv4/IPv6
IPv6-supported match fields:
IPv6 Source Address
IPv6 Destination Address
IPv6 Protocol
Time to live (TTL) or hop limit
Source Port
Destination Port
TCP Flags
IPv6 Flags (Routing Header(RH), Authentication Header(AH) and Destination Option Header(DH))
Class map with IPv6 ACL that also supports:
IPv4 ACL
Discard class
QoS Group
Outer CoS
Inner CoS
Outer VLAN (ASR 9000 Enhanced Ethernet LC only)
Inner VLAN (ASR 9000 Enhanced Ethernet LC only)
match-not option
type of service (TOS) support
Policy-map with IPv6 ACL supports:
hierarchical class-map
This example shows how to configure IPv6 ACL QoS with IPv4 ACL and other fields :
ipv6 access-list aclv6
10 permit ipv6 1111:6666::2/64 1111:7777::2/64 authen
30 permit tcp host 1111:4444::2 eq 100 host 1111:5555::2 ttl eq 10
!
ipv4 access-list aclv4
10 permit ipv4 host 10.6.10.2 host 10.7.10.2
!
class-map match-any c.aclv6
match access-group ipv6 aclv6
match access-group ipv4 aclv4
match cos 1
end-class-map
!
policy-map p.aclv6
class c.aclv6
set precedence 3
!
class class-default
!
end-policy-map
!
show qos-ea km policy p.aclv6 vmr interface tenGigE 0/1/0/6.10 hw
================================================================================
B : type & id E : ether type VO : vlan outer VI : vlan inner
Q : tos/exp/group X : Reserved DC : discard class Fl : flags
F2: L2 flags F4: L4 flags SP/DP: L4 ports
T : IP TTL D : DFS class# L : leaf class#
Pl: Protocol G : QoS Grp M : V6 hdr ext. C : VMR count
--------------------------------------------------------------------------------
policy name p.aclv6 and km format type 4
Total Egress TCAM entries: 5
|B F2 VO VI Q G DC T F4 Pl SP DP M IPv4/6 SA IPv4/6 DA
================================================================================
V|3019 00 0000 0000 00 00 00 00 00 00 0000 0000 80 11116666:00000000:00000000:00000000 11117777:00000000:00000000:00000000
M|0000 FF FFFF FFFF FF FF FF FF FF FF FFFF FFFF 7F 00000000:00000000:FFFFFFFF:FFFFFFFF 00000000:00000000:FFFFFFFF:FFFFFFFF
R| C=0 03080200 000000A6 F06000FF 0000FF00 0002FF00 00FF0000 FF000000 00000000
V|3019 00 0000 0000 00 00 00 0A 01 00 0064 0000 00 11114444:00000000:00000000:00000002 11115555:00000000:00000000:00000002
M|0000 FF FFFF FFFF FF FF FF 00 FE FF 0000 FFFF FF 00000000:00000000:00000000:00000000 00000000:00000000:00000000:00000000
R| C=1 03080200 000000A6 F06000FF 0000FF00 0002FF00 00FF0000 FF000000 00000000
V|3018 00 0000 0000 00 00 00 00 00 00 0000 0000 00 0A060A02 -------- -------- -------- 0A070A02 -------- -------- --------
M|0000 FF FFFF FFFF FF FF FF FF FF FF FFFF FFFF FF 00000000 -------- -------- -------- 00000000 -------- -------- --------
R| C=2 03080200 000000A6 F06000FF 0000FF00 0002FF00 00FF0000 FF000000 00000000
V|3018 00 2000 0000 00 00 00 00 00 00 0000 0000 00 00000000:00000000:00000000:00000000 00000000:00000000:00000000:00000000
M|0003 FF 1FFF FFFF FF FF FF FF FF FF FFFF FFFF FF FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF
R| C=3 03080200 000000A6 F06000FF 0000FF00 0002FF00 00FF0000 FF000000 00000000
V|3018 00 0000 0000 00 00 00 00 00 00 0000 0000 00 00000000:00000000:00000000:00000000 00000000:00000000:00000000:00000000
M|0003 FF FFFF FFFF FF FF FF FF FF FF FFFF FFFF FF FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF
R| C=4 03000200 00010002 FF0000FF 0000FF00 0002FF00 00FF0000 FF000000 00000000
This example shows how to configure hierarchical policy map:
ipv6 access-list aclv6.p
10 permit ipv6 1111:1111::/8 2222:2222::/8
ipv6 access-list aclv6.c
10 permit ipv6 host 1111:1111::2 host 2222:2222::3
class-map match-any c.aclv6.c
match not access-group ipv6 aclv6.c
end-class-map
!
class-map match-any c.aclv6.p
match access-group ipv6 aclv6.p
end-class-map
!
policy-map child
class c.aclv6.c
set precedence 7
!
policy-map parent
class c.aclv6.p
service-policy child
set precedence 1
(config)#do show qos-ea km policy parent vmr interface tenGigE 0/1/0/6 hw
================================================================================
B : type & id E : ether type VO : vlan outer VI : vlan inner
Q : tos/exp/group X : Reserved DC : discard class Fl : flags
F2: L2 flags F4: L4 flags SP/DP: L4 ports
T : IP TTL D : DFS class# L : leaf class#
Pl: Protocol G : QoS Grp M : V6 hdr ext. C : VMR count
================================================================================
policy name parent and format type 4
Total Ingress TCAM entries: 3
|B F2 VO VI Q G DC T F4 Pl SP DP M IPv4/6 SA IPv4/6 DA
================================================================================
V|200D 00 0000 0000 00 00 00 00 00 00 0000 0000 00 11111111:00000000:00000000:00000002 22222222:00000000:00000000:00000003
M|0000 FF FFFF FFFF FF FF FF FF FF FF FFFF FFFF FF 00000000:00000000:00000000:00000000 00000000:00000000:00000000:00000000
R| C=0 11800200 00020000 29000000 80004100 00000000 00000000 00000000 00000000
V|200D 00 0000 0000 00 00 00 00 00 00 0000 0000 00 11000000:00000000:00000000:00000000 22000000:00000000:00000000:00000000
M|0000 FF FFFF FFFF FF FF FF FF FF FF FFFF FFFF FF 00FFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF 00FFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF
R| C=1 11800200 00010000 29000000 80004700 00000000 00000000 00000000 00000000
V|200C 00 0000 0000 00 00 00 00 00 00 0000 0000 00 00000000:00000000:00000000:00000000 00000000:00000000:00000000:00000000
M|0003 FF FFFF FFFF FF FF FF FF FF FF FFFF FFFF FF FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF
R| C=2 11000200 00030000 00000000 00000000 00000000 00000000 00000000 00000000
IPv4 and IPv6 ACLs are supported over BVI from Cisco ASR 9000 Second Generation Line Cards.
On the A9K-SIP-700 line cards and Cisco ASR 9000 First Generation Line Cards, ACLs on BVIs are not supported.
Note |
For Cisco ASR 9000 First Generation Line Cards, ACLs can be applied on the EFP level (IPv4 L3 ACL can be applied on an L2 interface). |
This example shows how to configure IPv4 ACL over a BVI interface:
ipv4 access-list bvi-acl
10 permit ipv4 any any ttl eq 70
20 deny ipv4 any any ttl eq 60
Perform this task to configure ABF (access-list based forwarding) v4/v6 over Integrated Routing and Bridging(IRB) or Bridge-Group Virtual Interface (BVI) interface:
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure |
|
|
Step 2 |
ipv4 access-list access-list-name Example: |
Enters the IPv4 access list configuration mode, and configures the named access list. |
|
Step 3 |
[ sequence-number ] permit protocol source source-wildcard destination destination-wildcard nexthop1 [ vrf vrf-name ][ ipv4 ipv4-address1 ] nexthop2 [ vrf vrf-name ] [ ipv4 ipv4-address2 ] nexthop3 [ vrf vrf-name ] [ ipv4 ipv4-address3 ] Example: |
Configures the permit conditions for an IPv4 access list. |
|
Step 4 |
exit Example: |
Returns to global configuration mode. |
|
Step 5 |
ipv6 access-list access-list-name Example: |
Enters the IPv6 access list configuration mode, and configures the named access list. |
|
Step 6 |
[ sequence-number ] permit protocol source source-wildcard destination destination-wildcard nexthop1 [ vrf vrf-name ][ ipv6 ipv6-address1 ] nexthop2 [ vrf vrf-name ] [ ipv6 ipv6-address2 ] nexthop3 [ vrf vrf-name ] [ ipv6 ipv6-address3 ] Example: |
Configures the permit conditions for an IPv6 access list. |
|
Step 7 |
exit Example: |
Returns to global configuration mode. |
|
Step 8 |
interface type interface-path-id Example: |
Configures an interface and enters interface configuration mode.
|
|
Step 9 |
{ ipv4 | ipv6} address address {network-mask | ipv6-prefix} Example: |
Configures the primary IPv4 address or IPv6 address for an interface.
This ipv6-prefix must be in the form documented in RFC 2373 where the address is specified between colons in hexadecimal using 16-bit values. |
|
Step 10 |
{ ipv4 | ipv6} access-group access-list-name {ingress | egress} Example: |
Controls access to an interface. The ipv6 access-group command is similar to the ipv4 access-group command, except that it is IPv6-specific. Use the access-list-name to specify a particular IPv6 access list. Use the ingress keyword to filter on inbound packets or the egress keyword to filter on outbound packets. |
|
Step 11 |
commit |
interface BVI18
ipv4 address 192.168.18.1 255.255.255.0
ipv4 access-group abfv4 ingress
!
l2vpn
bridge group bg18
bridge-domain bd18
interface GigabitEthernet0/0/1/18
!
routed interface BVI18
!
!
!
ipv4 access-list abfv4
10 permit ipv4 any any nexthop1 ipv4 192.168.1.20 nexthop2 ipv4 192.168.9.2 nexthop3 ipv4 192.168.10.2
!
This example shows how to configure ABFv6 over Integrated Routing and Bridging (IRB) or Bridge-Group Virtual Interface (BVI) interface:
interface BVI18
ipv4 address 192.168.18.1 255.255.255.0
ipv6 address 1801:1801::1/64
ipv4 access-group abfv4 ingress
ipv6 access-group abfv6 ingress
!
l2vpn
bridge group bg18
bridge-domain bd18
interface GigabitEthernet0/0/1/18
!
routed interface BVI18
!
!
!
ipv4 access-list abfv4
10 permit ipv4 any any nexthop1 ipv4 192.168.1.20 nexthop2 ipv4 192.168.9.2 nexthop3 ipv4 192.168.10.2
!
ipv4 access-list ipv4-abf
10 permit ipv4 any any nexthop1 vrf 1 ipv4 45.45.45.2
!
ipv6 access-list ipv6-abf
10 permit ipv6 any any nexthop1 vrf 1 ipv6 2040::2
!
ipv6 access-list ipv6-vrf
10 permit ipv6 2001::1/64 any nexthop1 ipv6 2075::2
!
ipv6 access-list abfv6-bvi
10 permit ipv6 any any nexthop1 ipv6 5001:5001::2 nexthop2 ipv6 9001:9001::2 nexthop3 ipv6 1901:1901::2
!
ipv6 access-list ipv6-thor
10 permit ipv6 any any nexthop1 vrf 4 ipv6 2001::2
!
This section provides configuration examples of common ACL.
Interface Pos0/2/0/0
ipv4 access-group common C_acl ACL1 ingress
commit
replace Interface acl ACL1 by ACL2
Interface Pos0/2/0/0
ipv4 access-group common C_acl ACL2 ingress
commit
Interface Pos0/2/0/0
ipv4 access-group common C_acl1 ACL1 ingress
commit
change the common acl to C_acl2
Interface Pos0/2/0/0
no ipv4 access-group common C_acl1 ACL1 ingress
commit
Interface Pos0/2/0/0
ipv4 access-group common C_acl2 ACL1 ingress
commit
Note |
When reconfiguring common ACL, you must ensure that no other interface on the line card is attached to the common ACL. In other words, atomic replacement of common ACL is not possible. |
Note |
If both common ACL and interface ACL are attached to an interface and only one of the above is reconfigured on the interface, then the other will be removed automatically. |
Interface Pos0/2/0/0
ipv4 access-group common C_acl1 ACL1 ingress
commit
Interface Pos0/2/0/0
ipv4 access-group ACL1 ingress
commit
This removes the common acl.
Interface Pos0/2/0/0
ipv4 access-group common C_acl1 ACL1 ingress
commit
Interface Pos0/2/0/0
ipv4 access-group common C_acl1 ingress
commit
Interface Pos0/2/0/0
ipv4 access-group common C_acl1 ACL1 ingress
commit
Interface Pos0/2/0/0
no ipv4 access-group common acl acl ingress
Commit
The following example shows how to configure IPv4 ACL counters for SNMP query.
configure
ipv4 access-list CounterExample
permit any ?
counter Count matches on this entry
log Log matches against this entry
log-input Log matches against this entry, including input interface
permit any counter ?
WORD Name of counter
permit any counter TestCounter
show configuration
Building configuration...
!! IOS XR Configuration 0.0.0
ipv4 access-list CounterExample
10 permit ipv4 any any counter TestCounter
permit tcp any any counter TestCounter2
show configuration
Building configuration...
!! IOS XR Configuration 0.0.0
ipv4 access-list CounterExample
10 permit ipv4 any any counter TestCounter
20 permit tcp any any counter TestCounter2
commit
show access-lists ipv4 CounterExample
ipv4 access-list CounterExample
10 permit ipv4 any any counter TestCounter
20 permit tcp any any counter TestCounter2
The following example shows how to configure IPv6 ACL counters for SNMP query.
conf igure
ipv6 access-list V6CounterExample
permit tcp any any counter ?
WORD Name of counter
permit tcp any any counter TestCounter6
show configconfiguration
Building configuration...
!! IOS XR Configuration 0.0.0
ipv6 access-list V6CounterExample
10 permit tcp any any counter TestCounter6
commit
show access-lists ipv6 V6CounterExample
ipv6 access-list V6CounterExample
10 permit tcp any any counter TestCounter6
The following sections provide references related to implementing access lists and prefix lists.
|
Related Topic |
Document Title |
|---|---|
|
Access list commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples |
Access List Commands module in IP Addresses and Services Command Reference for Cisco ASR 9000 Series Routers |
|
Prefix list commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples |
Prefix List Commands module in IP Addresses and Services Command Reference for Cisco ASR 9000 Series Routers |
|
Terminal services commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples |
Terminal Services Commands module in System Management Command Reference for Cisco ASR 9000 Series Routers |
|
Standards |
Title |
|---|---|
|
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. |
— |
|
MIBs |
MIBs Link |
|---|---|
| — |
To locate and download MIBs, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: https://mibs.cloudapps.cisco.com/ITDIT/MIBS/servlet/index |
|
RFCs |
Title |
|---|---|
|
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. |
— |
|
Description |
Link |
|---|---|
|
The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. |
Feedback