ACL and ABF Commands

This module describes the Cisco IOS XR software commands used to configure the ACL and ABF commands for Broadband Network Gateway (BNG) on the Cisco ASR 9000 Series Router. For details regarding the related configurations, refer to the Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Configuration Guide.

To use commands of this module, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using any command, contact your AAA administrator for assistance.

ipv4 access-group (BNG)

To control access to an interface, use the ipv4 access-group command in an appropriate configuration mode. To remove the specified access group, use the no form of this command.

ipv4 access-group access-list-name {common acl-p { [acl1 ingress [hardware-count] [interface-statistics]] | ingress} | acl1 {ingress | egress} [hardware-count] [interface-statistics]}

Syntax Description

access-list-name

The name of the ipv4 access list as specified by the ipv4 access-list command.

common

The name of the common ACL. A common ACL is supported only in the ingress direction.

ingress

Filters on inbound packets.

egress

Filters on outbound packets.

hardware-count

(Optional) Enables hardware counters for the access group.

interface-statistics

(Optional) Specifies per-interface statistics in the hardware. Not available for common ACL.

Command Default

The interface does not have an IPv4 access list applied to it.

Command Modes

Global Configuration mode

Command History

Release Modification

Release 4.1.1

This command was introduced.

Release 4.2.0

This command was supported in the dynamic template configuration mode for BNG.

Usage Guidelines

Use the ipv4 access-group command to control access to an interface. To remove the specified access group, use the no form of the command. Use the access-list-name argument to specify a particular IPv4 access list. Use the ingress keyword to filter on inbound packets or the egress keyword to filter on outbound packets. Use the hardware-count argument to enable hardware counters for the access group.

Permitted packets are counted only when hardware counters are enabled using the hardware-count argument. Denied packets are counted whether hardware counters are enabled or not.

To enter the dynamic template configuration mode, run the dynamic-template command in the Global Configuration mode (applicable only for BNG).


Note


Under the dynamic template configuration mode, only the egress and ingress keywords are displayed.



Note


For packet filtering applications using the ipv4/ipv6 access-group command, packet counters are maintained in hardware for each direction. If an access group is used on multiple interfaces in the same direction, then packets are counted for each interface that has the hardware-count argument enabled.

If the access list permits the addresses, the software continues to process the packet. If the access list denies the address, the software discards the packet and returns an Internet Control Message Protocol (ICMP) host unreachable message.

If the specified access list does not exist, all packets are passed.

By default, the unique or per-interface ACL statistics are disabled.
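The following Python model is an added example, not Cisco code, that makes the counter and matching rules stated above concrete. It assumes first-match evaluation in sequence order, that permitted packets are counted only when hardware-count is enabled while denied packets are always counted, that a nonexistent access list passes all traffic, and that the implicit deny at the end of the list (a constructed modelling choice here) is counted as a deny. The ACL entries are the acl-common and ssm-acl lines from the show access-lists output in this section; the packet addresses are constructed.

```python
"""Model of IOS XR IPv4 ACL matching and counter semantics (added example,
not Cisco code). Assumptions: first-match evaluation in sequence order;
permits are counted only when hardware-count is enabled, denies always;
a missing access list passes all traffic; the implicit deny at the end of
the list is counted as a deny."""
from dataclasses import dataclass, field
from typing import Optional
import ipaddress

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str          # "permit" or "deny"
    src: tuple           # (network bits, care mask) derived from host/any/wildcard
    dst: tuple


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tokens[i].
    Returns ((network, care_mask), next_index); care_mask has a 1 bit for
    every address bit that must match (the inverse of a Cisco wildcard mask)."""
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), ALL_ONES), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    care = ALL_ONES ^ int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net & care, care), i + 2


def parse_ace(line):
    """Parse one ACE line as printed by 'show access-lists', e.g.
    '10 permit ipv4 host 205.205.205.1 host 200.175.175.1 log-input'.
    The protocol token and trailing log keywords are ignored by this model."""
    tokens = line.split()
    seq, action = int(tokens[0]), tokens[1]
    src, i = _parse_addr(tokens, 3)
    dst, _ = _parse_addr(tokens, i)
    return Ace(seq, action, src, dst)


def _matches(spec, addr):
    network, care = spec
    return (int(ipaddress.IPv4Address(addr)) & care) == network


@dataclass
class AccessGroup:
    """An ACL bound to an interface in one direction. acl=None models a
    name that refers to no configured access list."""
    acl: Optional[list]
    hardware_count: bool = False
    counters: dict = field(default_factory=lambda: {"permit": 0, "deny": 0})

    def filter(self, src, dst):
        if self.acl is None:
            return "permit"                      # nonexistent ACL: all packets pass
        for ace in sorted(self.acl, key=lambda a: a.seq):
            if _matches(ace.src, src) and _matches(ace.dst, dst):
                action = ace.action
                break
        else:
            action = "deny"                      # implicit deny at end of list (modelled)
        if action == "deny" or self.hardware_count:
            self.counters[action] += 1           # permits need hardware-count
        return action


# ACL entries taken from the show access-lists output on this page
ACL_COMMON = [parse_ace(line) for line in (
    "10 permit ipv4 host 205.205.205.1 host 200.175.175.1 log-input",
    "15 deny ipv4 any host 200.175.175.1",
    "20 permit ipv4 host 205.205.205.1 host 201.175.175.1 log-input",
    "25 deny ipv4 any host 201.175.175.1",
    "30 permit ipv4 host 205.205.205.1 host 202.175.175.1 log-input",
    "35 deny ipv4 any host 202.175.175.1",
)]
SSM_ACL = [parse_ace("10 permit ipv4 232.0.0.0 0.255.255.255 any log")]


def demo(hardware_count):
    """Run three constructed packets through acl-common; return (actions, counters)."""
    group = AccessGroup(ACL_COMMON, hardware_count)
    results = [
        group.filter("205.205.205.1", "200.175.175.1"),   # seq 10 permit
        group.filter("192.0.2.7", "200.175.175.1"),       # seq 15 deny
        group.filter("192.0.2.7", "198.51.100.9"),        # no match: implicit deny
    ]
    return results, dict(group.counters)


if __name__ == "__main__":
    print(demo(False))   # only the two denies are counted
    print(demo(True))    # the permit is counted as well
```

Running demo(False) and demo(True) shows the same permit/deny decisions but different counters, which is the point of the guideline: without hardware-count a permit counter of zero does not mean nothing was permitted.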

Task ID

Task ID Operation

acl

read, write

network

read, write

config-services

read, write

Examples

This is an example of the show access-lists command:


RP/0/RSP0/CPU0:router# show access-lists
ipv4 access-list acl-common
 10 permit ipv4 host 205.205.205.1 host 200.175.175.1 log-input
 15 deny ipv4 any host 200.175.175.1
 20 permit ipv4 host 205.205.205.1 host 201.175.175.1 log-input
 25 deny ipv4 any host 201.175.175.1
 30 permit ipv4 host 205.205.205.1 host 202.175.175.1 log-input
 35 deny ipv4 any host 202.175.175.1
ipv4 access-list acl-unique1
 10 permit ipv4 host 205.205.205.1 host 203.175.175.1 log-input
 15 deny ipv4 any host 203.175.175.1
 20 permit ipv4 any any
ipv4 access-list ssm-acl
 10 permit ipv4 232.0.0.0 0.255.255.255 any log

This is an example of a configured IPv4 ACL in the interface configuration mode:

RP/0/RSP0/CPU0:router(config-if)# ipv4 access-group common acl-common acl-unique1 ingress

This is an example of a configured IPv4 ACL in the dynamic template configuration mode:

RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# dynamic-template type ppp p1
RP/0/RSP0/CPU0:router(config-dynamic-template-type)# ipv4 access-group a1 egress

ipv4 access-list (BNG)

To define an IPv4 access list by name, use the ipv4 access-list command in Global Configuration mode. To remove all entries in an IPv4 access list, use the no form of this command.

ipv4 access-list name

Syntax Description

name

Name of the access list. Names cannot contain a space or quotation marks.

Command Default

No IPv4 access list is defined.

Command Modes

Global Configuration mode

Command History

Release

Modification

Release 3.7.2

This command was introduced.

Usage Guidelines

Use the ipv4 access-list command to configure an IPv4 access list. This command places the router in access list configuration mode, in which the denied or permitted access conditions must be defined with the deny or permit command.

Use the resequence access-list ipv4 command if you want to add a permit, deny, or remark statement between consecutive entries in an existing IPv4 access list. Specify the first entry number (the base) and the increment by which to separate the entry numbers of the statements. The software renumbers the existing statements, thereby making room to add new statements with the unused entry numbers.

Use the ipv4 access-group command to apply the access list to an interface.

Task ID

Task ID

Operations

acl

read, write

Examples

The following example shows how to define a standard access list named Internetfilter:


Router(config)# ipv4 access-list Internetfilter
Router(config-ipv4-acl)# 10 permit 192.168.34.0 0.0.0.255
Router(config-ipv4-acl)# 20 permit 172.16.0.0 0.0.255.255
Router(config-ipv4-acl)# 30 permit 10.0.0.0 0.255.255.255
Router(config-ipv4-acl)# 39 remark Block BGP traffic from 172.16 net.
Router(config-ipv4-acl)# 40 deny tcp host 172.16.0.0 eq bgp host 192.168.202.203 range 1300 1400

ipv6 access-group (BNG)

To control access to an interface, use the ipv6 access-group command in interface configuration mode. To remove the specified access group, use the no form of this command.

ipv6 access-group access-list-name {ingress | egress} [interface-statistics]

Syntax Description

access-list-name

Name of an IPv6 access list as specified by an ipv6 access-list command.

ingress

Filters on inbound packets.

egress

Filters on outbound packets.

interface-statistics

(Optional) Specifies per-interface statistics in the hardware.

Command Default

The interface does not have an IPv6 access list applied to it.

Command Modes

Interface configuration

Command History

Release

Modification

Release 3.7.2

This command was introduced.

Usage Guidelines

The ipv6 access-group command is similar to the ipv4 access-group command, except that it is IPv6-specific.

Use the ipv6 access-group command to control access to an interface. To remove the specified access group, use the no form of the command. Use the access-list-name argument to specify a particular IPv6 access list. Use the ingress keyword to filter on inbound packets or the egress keyword to filter on outbound packets.


Note


For packet filtering applications using the ipv6 access-group command, packet counters are maintained in hardware for each direction. If an access group is used on multiple interfaces in the same direction, then packets are counted for each interface.


If the access list permits the addresses, the software continues to process the packet. If the access list denies the address, the software discards the packet and returns a rate-limited Internet Control Message Protocol (ICMP) host unreachable message.

If the specified access list does not exist, all packets are passed.

By default, the unique or per-interface ACL statistics are disabled.

Task ID

Task ID

Operations

acl

read, write

ipv6

read, write

Examples

The following example shows how to apply filters on packets inbound and outbound from GigabitEthernet interface 0/2/0/2:


RP/0/RSP0/CPU0:router(config)# interface gigabitethernet 0/2/0/2
RP/0/RSP0/CPU0:router(config-if)# ipv6 access-group p-in-filter ingress
RP/0/RSP0/CPU0:router(config-if)# ipv6 access-group p-out-filter egress

The following example shows how to apply per-interface statistics in the hardware:


RP/0/RSP0/CPU0:router(config)# interface gigabitethernet 0/2/0/2
RP/0/RSP0/CPU0:router(config-if)# ipv6 access-group p-in-filter ingress interface-statistics

ipv6 access-list (BNG)

To define an IPv6 access list and to place the router in IPv6 access list configuration mode, use the ipv6 access-list command in Global Configuration mode. To remove the access list, use the no form of this command.

ipv6 access-list name

Syntax Description

name

Name of the IPv6 access list. Names cannot contain a space or quotation mark, or begin with a digit.

Command Default

No IPv6 access list is defined.

Command Modes

Global Configuration mode

Command History

Release

Modification

Release 3.7.2

This command was introduced.

Usage Guidelines

The ipv6 access-list command is similar to the ipv4 access-list command, except that it is IPv6-specific.

IPv6 access lists are used for traffic filtering based on source and destination addresses, IPv6 option headers, and, optionally, upper-layer protocol type information for finer granularity of control. IPv6 access lists are defined by using the ipv6 access-list command in global configuration mode, and their permit and deny conditions are set by using the deny and permit commands in IPv6 access list configuration mode. Configuring the ipv6 access-list command places the router in IPv6 access list configuration mode; the router prompt changes to router(config-ipv6-acl)#. From IPv6 access list configuration mode, permit and deny conditions can be set for the defined IPv6 access list.


Note


No more than one IPv6 access list can be applied to an interface per direction.



Note


Every IPv6 access list has an implicit deny ipv6 any any statement as its last match condition. An IPv6 access list must contain at least one entry for the implicit deny ipv6 any any statement to take effect.



Note


IPv6 prefix lists, not access lists, should be used for filtering routing protocol prefixes.


Use the ipv6 access-group interface configuration command with the access-list-name argument to apply an IPv6 access list to an IPv6 interface.


Note


Every IPv6 ACL has implicit permit icmp any any nd-na, permit icmp any any nd-ns, and deny ipv6 any any statements as its last match conditions. (The former two match conditions allow for ICMPv6 neighbor discovery.) An IPv6 ACL must contain at least one entry for the implicit deny ipv6 any any statement to take effect.

 permit icmp any any nd-na
 permit icmp any any nd-ns
 deny ipv6 any any


The IPv6 neighbor discovery process makes use of the IPv6 network layer service; therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, makes use of a separate data link layer protocol; therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.
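The following Python model is an added example, not Cisco code, that shows how the implicit trailing entries described in the notes above interact with explicit entries. It assumes first-match evaluation, that an entry without a protocol restriction (ipv6) matches every protocol, and that a list with no explicit entries is modelled as passing all traffic, following the guideline that the implicit deny takes effect only once the list has at least one entry. The list2 entries come from the example in this section; the packets (including the ND solicitation from a link-local source) are constructed.

```python
"""Model of IOS XR IPv6 ACL evaluation with the implicit trailing entries
(added example, not Cisco code). Assumptions: first-match evaluation; an
ACL with no explicit entries is modelled as passing all traffic, since the
implicit deny takes effect only once the list has at least one entry."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# The implicit entries every IPv6 ACL ends with, in evaluation order
IMPLICIT_TAIL = (
    "permit icmp any any nd-na",
    "permit icmp any any nd-ns",
    "deny ipv6 any any",
)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "icmp", "tcp", "udp", ...
    icmp_type: Optional[str] = None   # e.g. "nd-ns", "nd-na"


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str                                # "ipv6" matches every protocol
    src: Optional[ipaddress.IPv6Network]      # None means "any"
    dst: Optional[ipaddress.IPv6Network]
    icmp_type: Optional[str] = None


def _net(token):
    return None if token == "any" else ipaddress.IPv6Network(token, strict=False)


def parse_ace(text):
    """Parse an ACE such as '10 deny ipv6 fec0:0:0:2::/64 any'. The leading
    sequence number is optional because the implicit entries carry none."""
    tokens = text.split()
    if tokens[0].isdigit():
        tokens = tokens[1:]
    action, proto, src, dst = tokens[0], tokens[1], _net(tokens[2]), _net(tokens[3])
    icmp_type = tokens[4] if len(tokens) > 4 else None
    return Ace(action, proto, src, dst, icmp_type)


def _match(ace, pkt):
    if ace.proto != "ipv6" and ace.proto != pkt.proto:
        return False
    if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
        return False
    if ace.src is not None and ipaddress.IPv6Address(pkt.src) not in ace.src:
        return False
    if ace.dst is not None and ipaddress.IPv6Address(pkt.dst) not in ace.dst:
        return False
    return True


def evaluate(acl_lines, pkt):
    """Return 'permit' or 'deny' for pkt under the explicit entries plus the
    implicit tail; an empty list is modelled as having no effect."""
    if not acl_lines:
        return "permit"
    for line in list(acl_lines) + list(IMPLICIT_TAIL):
        ace = parse_ace(line)
        if _match(ace, pkt):
            return ace.action
    raise AssertionError("unreachable: deny ipv6 any any matches everything")


# Entries from the list2 example on this page
LIST2 = ["10 deny ipv6 fec0:0:0:2::/64 any", "20 permit ipv6 any any"]
ND_SOLICIT = Packet("fe80::1", "ff02::1:ff00:1", "icmp", "nd-ns")   # constructed

if __name__ == "__main__":
    print(evaluate(LIST2, Packet("fec0:0:0:2::1", "2001:db8::1", "tcp")))  # deny
    print(evaluate(LIST2[:1], ND_SOLICIT))                                 # permit
    print(evaluate(LIST2[:1], Packet("fec0:0:0:3::1", "2001:db8::1", "tcp")))  # deny
```

Evaluating list2 without its permit any any line is the useful case: neighbor discovery still works because the implicit nd-ns/nd-na permits sit before the implicit deny, but all other traffic is dropped. An explicit deny that precedes the implicit entries (such as line 10 for a source inside fec0:0:0:2::/64) does block ND from that prefix, which is why an explicit deny ipv6 any any should not be added without first permitting the ND messages.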

Task ID

Task ID

Operations

acl

read, write

ipv6

read, write

Examples

The following example shows how to configure the IPv6 access list named list2 and apply the ACL to outbound traffic on interface GigabitEthernet 0/2/0/2. Specifically, the first ACL entry keeps all packets from the network fec0:0:0:2::/64 (packets that have the site-local prefix fec0:0:0:2 as the first 64 bits of their source IPv6 address) from exiting out of interface GigabitEthernet 0/2/0/2. The second entry in the ACL permits all other traffic to exit out of interface GigabitEthernet 0/2/0/2. The second entry is necessary because an implicit deny all condition is at the end of each IPv6 ACL.


RP/0/RSP0/CPU0:router(config)# ipv6 access-list list2
RP/0/RSP0/CPU0:router(config-ipv6-acl)# 10 deny fec0:0:0:2::/64 any
RP/0/RSP0/CPU0:router(config-ipv6-acl)# 20 permit any any

RP/0/RSP0/CPU0:router# show ipv6 access-lists list2
ipv6 access-list list2
  10 deny ipv6 fec0:0:0:2::/64 any
  20 permit ipv6 any any

RP/0/RSP0/CPU0:router(config)# interface gigabitethernet 0/2/0/2
RP/0/RSP0/CPU0:router(config-if)# ipv6 access-group list2 egress

Note


IPv6 is automatically configured as the protocol type in permit any any and deny any any statements that are translated from global configuration mode to IPv6 access list configuration mode.



Note


An IPv6 router does not forward to another network an IPv6 packet that has a link-local address as either its source or destination address (and the source interface for the packet is different from the destination interface for the packet).