This chapter describes how to configure IP access control lists (ACLs).
This chapter includes the following sections:
•Verifying IP ACL Configurations
•Displaying and Clearing IP ACL Statistics
•Example Configuration for IP ACLs
An ACL is an ordered set of rules for filtering traffic. When the device determines that an ACL applies to a packet, it tests the packet against the rules. The first matching rule determines whether the packet is permitted or denied. If there is no match, the device applies a default rule. The device processes packets that are permitted and drops packets that are denied. For more information, see the "Implicit Rules" section.
You can use ACLs to protect networks and specific hosts from unnecessary or unwanted traffic. For example, you could use ACLs to disallow HTTP traffic from a high-security network to the Internet. You could also use ACLs to allow HTTP traffic but only to specific sites, using the IP address of the site to identify it in an IP ACL.
This section includes the following topics:
When a port ACL is applied to a trunk port, the ACL filters traffic on all VLANs on the trunk port.
The following types of port ACLs are supported for filtering Layer 2 traffic:
•IP ACLs—The device applies IPv4 ACLs only to IP traffic.
•MAC ACLs—The device applies MAC ACLs only to non-IP traffic.
ACLs are applied in the following order:
1. Incoming Port ACL
2. Outgoing Port ACL
Rules are what you create, modify, and remove when you configure how an ACL filters network traffic. Rules appear in the running configuration. When you apply an ACL to an interface or change a rule within an ACL that is already applied to an interface, the supervisor module creates ACL entries from the rules in the running configuration and sends those ACL entries to the applicable I/O module.
You can create rules in ACLs in access-list configuration mode by using the permit or deny command. The device allows traffic that matches the criteria in a permit rule and blocks traffic that matches the criteria in a deny rule. You have many options for configuring the criteria that traffic must meet in order to match the rule.
This section describes some of the options that you can use when you configure a rule. For information about every option, see the applicable permit and deny commands in the Cisco Nexus 1000V Command Reference, Release 4.0(4)SV1(1).
This section includes the following topics:
In each rule, you specify the source and the destination of the traffic that matches the rule. You can specify both the source and destination as a specific host, a network or group of hosts, or any host. How you specify the source and destination depends on whether you are configuring IP or MAC ACLs. For information about specifying source and destination, see the applicable permit and deny commands in the Cisco Nexus 1000V Command Reference, Release 4.0(4)SV1(1).
IP and MAC ACLs let you identify traffic by protocol. You can specify some protocols by name. For example, in an IP ACL, you can specify ICMP by name.
You can specify any protocol by number. In MAC ACLs, you can specify protocols by the Ethertype number of the protocol, which is a hexadecimal number. For example, you can use 0x0800 to specify IP traffic in a MAC ACL rule.
In IP ACLs, you can specify protocols by the integer that represents the Internet protocol number. For example, you can use 115 to specify Layer 2 Tunneling Protocol (L2TP) traffic.
For a list of the protocols that each type of ACL supports by name, see the applicable permit and deny commands in the Cisco Nexus 1000V Command Reference, Release 4.0(4)SV1(1).
IP and MAC ACLs have implicit rules, which means that although these rules do not appear in the running configuration, the device applies them to traffic when no other rules in an ACL match. When you configure the device to maintain per-rule statistics for an ACL, the device does not maintain statistics for implicit rules.
All IP ACLs include the following implicit rule that denies unmatched IP traffic:
deny ip any any
All MAC ACLs include the following implicit rule:
deny any any
This implicit rule ensures that unmatched traffic is denied, regardless of the protocol specified in the Layer 2 header of the traffic.
You can identify traffic by using additional options. These options differ by ACL type. The following list includes most but not all additional filtering options:
•IP ACLs support the following additional filtering options:
–Layer 4 protocol
–TCP and UDP ports
–ICMP types and codes
–IGMP types
–Precedence level
–Differentiated Services Code Point (DSCP) value
–TCP packets with the ACK, FIN, PSH, RST, SYN, or URG bit set
•MAC ACLs support the following additional filtering options:
–Layer 3 protocol
–VLAN ID
–Class of Service (CoS)
For information about all filtering options available in rules, see the applicable permit and deny commands in the Cisco Nexus 1000V Command Reference, Release 4.0(4)SV1(1).
The device supports sequence numbers for rules. Every rule that you enter receives a sequence number, either assigned by you or assigned automatically by the device. Sequence numbers simplify the following ACL tasks:
•Adding new rules between existing rules—By specifying the sequence number, you specify where in the ACL a new rule should be positioned. For example, if you need to insert a rule between rules numbered 100 and 110, you could assign a sequence number of 105 to the new rule.
•Removing a rule—Without using a sequence number, removing a rule requires that you enter the whole rule, as follows:
n1000v(config-acl)# no permit tcp 10.0.0.0/8 any
However, if the same rule had a sequence number of 101, removing the rule requires only the following command:
n1000v(config-acl)# no 101
•Moving a rule—With sequence numbers, if you need to move a rule to a different position within an ACL, you can add a second instance of the rule using the sequence number that positions it correctly, and then you can remove the original instance of the rule. This action allows you to move the rule without disrupting traffic.
If you enter a rule without a sequence number, the device adds the rule to the end of the ACL and assigns it a sequence number that is 10 greater than the sequence number of the preceding rule. For example, if the last rule in an ACL has a sequence number of 225 and you add a rule without a sequence number, the device assigns the sequence number 235 to the new rule.
In addition, you can reassign sequence numbers to rules in an ACL. Resequencing is useful when an ACL has rules numbered contiguously, such as 100 and 101, and you need to insert one or more rules between those rules.
The device can maintain global statistics for each rule that you configure in IPv4 and MAC ACLs. If an ACL is applied to multiple interfaces, the maintained rule statistics are the sum of packet matches (hits) on all the interfaces on which that ACL is applied.
Note: The device does not support interface-level ACL statistics.
For each ACL that you configure, you can specify whether the device maintains statistics for that ACL, which allows you to turn ACL statistics on or off as needed to monitor traffic filtered by an ACL or to help troubleshoot the configuration of an ACL.
The device does not maintain statistics for implicit rules in an ACL. For example, the device does not maintain a count of packets that match the implicit deny ip any any rule at the end of all IPv4 ACLs. If you want to maintain statistics for implicit rules, you must explicitly configure the ACL with rules that are identical to the implicit rules. For more information, see the "Implicit Rules" section.
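The following added example (written for this page, not Cisco code) models the behavior described in the "Implicit Rules", "Sequence Numbers", and "Statistics" sections in Python: rules are evaluated in sequence order, the first match decides, unmatched IP traffic hits the implicit deny ip any any rule, per-entry counters exist only for explicit rules, rules added without a sequence number get 10 more than the preceding rule, and resequencing renumbers from a start value by an increment. Protocol and address matching are simplified to protocol name and CIDR prefix; the choice of 10 for the first auto-assigned sequence number is an assumption.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    seq: int
    action: str        # "permit" or "deny"
    protocol: str      # "ip" matches any IP protocol; otherwise e.g. "tcp", "udp", "icmp"
    source: str        # CIDR prefix such as "10.0.0.0/8", or "any"
    destination: str
    hits: int = 0      # per-entry statistics (statistics per-entry)


def _addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


class IPAccessList:
    """Constructed model of an IPv4 ACL: ordered rules, first match wins,
    implicit 'deny ip any any' at the end, hit counters only on explicit rules."""

    def __init__(self, name):
        self.name = name
        self.rules = []  # always kept sorted by sequence number

    def add(self, action, protocol, source, destination, seq=None):
        if seq is None:  # no sequence given: append 10 past the last rule (assumed 10 for the first rule)
            seq = (self.rules[-1].seq + 10) if self.rules else 10
        self.rules.append(Rule(seq, action, protocol, source, destination))
        self.rules.sort(key=lambda r: r.seq)
        return seq

    def remove(self, seq):  # equivalent of "no <sequence-number>"
        self.rules = [r for r in self.rules if r.seq != seq]

    def resequence(self, start, increment):  # equivalent of "resequence ip access-list"
        for i, r in enumerate(self.rules):
            r.seq = start + i * increment

    def evaluate(self, protocol, src, dst):
        for r in self.rules:  # first matching rule determines the result
            if r.protocol in ("ip", protocol) and _addr_matches(r.source, src) \
                    and _addr_matches(r.destination, dst):
                r.hits += 1
                return r.action
        return "deny"  # implicit deny ip any any; the device keeps no counter for it

    def stats(self):
        return {r.seq: r.hits for r in self.rules}
```

Adding an explicit deny ip any any at the end of the list is how you would obtain a counter for the otherwise implicit rule, as the section above notes.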
IP ACLs have the following prerequisites:
•You must be familiar with IP addressing and protocols to configure IP ACLs.
•You must be familiar with the interface types that you want to configure with ACLs.
IP ACLs have the following configuration guidelines and limitations:
•In most cases, IP packets are processed against ACLs on the I/O modules. Management interface traffic is always processed on the supervisor module, which is slower.
This section includes the following topics:
•Changing Sequence Numbers in an IP ACL
•Applying an IP ACL as a Port ACL
You can create an IPv4 ACL on the device and add rules to it.
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
1. config t
2. ip access-list name
3. [sequence-number] {permit | deny} protocol source destination
4. statistics per-entry
5. show ip access-lists name
6. copy running-config startup-config
You can add and remove rules in an existing IPv4 ACL. You cannot change existing rules. Instead, to change a rule, you can remove it and recreate it with the desired changes.
If you need to add more rules between existing rules than the current sequence numbering allows, you can use the resequence command to reassign sequence numbers. For more information, see the "Changing Sequence Numbers in an IP ACL" section.
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
1. config t
2. ip access-list name
3. [sequence-number] {permit | deny} protocol source destination
4. no {sequence-number | {permit | deny} protocol source destination}
5. [no] statistics per-entry
6. show ip access-list name
7. copy running-config startup-config
You can remove an IP ACL from the device.
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•Make sure that you know whether the ACL is applied to an interface.
•Removing an ACL does not affect the configuration of the interfaces where it is applied. Instead, the device considers the removed ACL to be empty.
1. config t
2. no ip access-list name
3. show ip access-list name summary
4. copy running-config startup-config
You can change all the sequence numbers assigned to the rules in an IP ACL.
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
1. config t
2. resequence ip access-list name starting-sequence-number increment
3. show ip access-lists name
4. copy running-config startup-config
Use this procedure to configure a port ACL by applying an IPv4 ACL to a Layer 2 physical port interface.
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•You can apply one port ACL to an interface.
•Make sure that the ACL you want to apply exists and that it is configured to filter traffic in the manner that you need for this application. For more information, see the "Creating an IP ACL" section or the "Changing an IP ACL" section.
•An IP ACL can also be configured in a port profile. For more information, see the Cisco Nexus 1000V Port Profile Configuration Guide, Release 4.0(4)SV1(1).
1. config t
2. interface vethernet port
3. ip port access-group access-list [in | out]
4. show running-config aclmgr
5. copy running-config startup-config
To display IP ACL configuration information, use the following commands:
For detailed information about the fields in the output from these commands, see the Cisco Nexus 1000V Command Reference, Release 4.0(4)SV1(1).
To display or clear IP ACL statistics, use one of the following commands:
For detailed information about these commands, see the Cisco Nexus 1000V Command Reference, Release 4.0(4)SV1(1).
The following example shows how to create an IPv4 ACL named acl-01 and apply it as a port ACL to vEthernet interface 40:
ip access-list acl-01
permit ip 192.168.2.0/24 any
interface vethernet 40
ip port access-group acl-01 in
Table 8-1 lists the default settings for IP ACL parameters.

| Parameters | Default |
|---|---|
| IP ACLs | No IP ACLs exist by default |
| ACL rules | Implicit rules apply to all ACLs (see the "Implicit Rules" section) |
For additional information related to implementing IP ACLs, see the following sections:

| Related Topic | Document Title |
|---|---|
| Concepts about MAC ACLs | |
| Port Profiles | Cisco Nexus 1000V Port Profile Configuration Guide, Release 4.0(4)SV1(1) |
| Standards | Title |
|---|---|
| No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | — |
This section provides the IP ACL release history.

| Feature Name | Releases | Feature Information |
|---|---|---|
| IP ACL | 4.0 | This feature was introduced. |