Using
Adding or removing an ACL assignment on an interface
Filtering routed IPv4 traffic
For a given VLAN interface on a switch configured for routing, you can assign an ACL as an RACL to filter inbound IPv4 traffic and another ACL as a RACL to filter outbound IPv4 traffic. You can also assign one ACL for both inbound and outbound RACLs, and for assignment to multiple VLANs. For limits and operating rules, see IPv4 ACL configuration and operating rules.
Syntax
[no] vlan <vid> ip access-group
<identifier>
<in
out>
where: <identifier> =either a ACL name or an ACL ID number.
Assigns an ACL to a VLAN as an RACL to filter routed IPv4 traffic entering or leaving the switch on that VLAN. You can use either the global configuration level or the VLAN context level to assign or remove an RACL.
Note: The switch allows you to assign a nonexistent ACL name or number to a VLAN. In this case, if you subsequently configure an ACL with that name or number, it automatically becomes active on the assigned VLAN. Also, if you delete an assigned ACL from the switch without subsequently using the "no" form of this command to remove the assignment to a VLAN, the ACL assignment remains and automatically activates any new ACL you create with the same identifier (name or number).
Filtering IPv4 traffic inbound on a VLAN
For a given VLAN interface, you can assign an ACL as a VACL to filter any IPv4 traffic entering the switch on that VLAN. You can also use the same ACL for assignment to multiple VLANs. For limits and operating rules, see IPv4 ACL configuration and operating rules.
Syntax
[no] vlan <vid> ip access-group <identifier> vlan
where: <identifier> =either a ACL name or an ACL ID number.
Assigns an ACL as a VACL to a VLAN to filter any IPv4 traffic entering the switch on that VLAN. You can use either the global configuration level or the VLAN context level to assign or remove a VACL.
NOTE: The switch allows for assigning a nonexistent ACL name or number to a VLAN. In this case, if you subsequently configure an ACL with that name or number, it automatically becomes active on the assigned VLAN. Also, if deleting an assigned ACL from the switch without subsequently using the "no" form of this command to remove its assignment to a VLAN, the ACL assignment remains and automatically activates any new ACL created with the same identifier (name or number).
Methods for enabling and disabling VACLs
Filtering inbound IPv4 traffic per port
For a given port, port list, or static port trunk, you can assign an ACL as a static port ACL to filter any IPv4 traffic entering the switch on that interface. You can also use the same ACL for assignment to multiple interfaces. For limits and operating rules, see IPv4 ACL configuration and operating rules.
Syntax
[no] interface
<port-list
|Trkx>
ip access-group <
identifier
> in
where: <identifier> =either a ACL name or an ACL ID number.
Assigns an ACL as a static port ACL to a port, port list, or static trunk to filter any IPv4 traffic entering the switch on that interface. You can use either the global configuration level or the interface context level to assign or remove a static port ACL.
NOTE: The switch allows you to assign a nonexistent ACL name or number to an interface. In this case, if you subsequently configure an ACL with that name or number, it automatically becomes active on the assigned interface. Also, if you delete an assigned ACL from the switch without subsequently using the "no" form of this command to remove the assignment to an interface, the ACL assignment remains and automatically activates any new ACL you create with the same identifier (name or number).
Methods for enabling and disabling ACLs
Classifier-based rate-limiting with RL-PACLs
NOTE: Beginning with software release K.14.01 this feature has been deprecated in favor of a classifier-based rate-limiting feature that does not use ACLs. If it is already configured in a switch running software version K.13.xx, then downloading and booting from release K.14.01 or greater automatically modifies the deprecated configuration to conform to the classifier-based rate-limiting supported in release K.14.01 or greater. For more information on this topic, see "Classifier-Based Software Configuration" in the advanced traffic management guide for your switch. | |
Creating ACLs
Use either the switch CLI or an offline text editor to create an ACL. The CLI method is recommended for creating short ACLs.
Using the CLI to create an ACL
Inserting or adding an ACE to an ACL
These rules apply to all IPv4 ACEs you create or edit using the CLI:
Named IPv4 ACLs:
Add an ACE to the end of a named ACE by using the
ip access-list
command to enter the Named ACL (nacl
) context and entering the ACE without the sequence number.
For example, if you wanted to add a "permit" ACL at the end of a list named "List-1" to allow traffic from the device at 10.10.10.100:
switch(config)# ip access-list standard List-1
switch(config-std-nacl)# permit host 10.10.10.100
Insert an ACE anywhere in a named ACL by specifying a sequence number. For example, if you wanted to insert a new ACE as line 15 between lines 10 and 20 in an existing ACL named "List-2" to deny IPv4 traffic from the device at 10.10.10.77:
switch(config)# ip access-list standard List-2
switch(config-std-nacl)# 15 deny host 10.10.10.77
Numbered IPv4 ACLs
Add an ACE to the end of a numbered ACL by using the access-list
<1 - 99
| [100 - 199>
]command.
For example, if you wanted to add a "permit" ACE at the end of a list identified with the number "11" to allow IPv4 traffic from the device at 10.10.10.100:
switch(config)# access-list 11 permit host 10.10.10.100
To insert an ACE anywhere in a numbered ACL, use the same process as described above for inserting an ACE anywhere in a named ACL. For example, to insert an ACE denying IPv4 traffic from the host at 10.10.10.77 as line 52 in an existing ACL identified (named) with the number 11:
switch(config)# ip access-list standard 99
switch(config-std-nacl)# 52 deny host 10.10.10.77
Duplicate ACEs are not allowed in the same ACL. Attempting to enter a duplicate ACE displays the
Duplicate access control entry
message.
NOTE: After a numbered ACL has been created (using access-list 1-99 | 100-199), it can be managed as either a named or numbered ACL. | |
Deleting an ACE
Deleting an ACE: Enter the ACL context and delete
the sequence number for the unwanted ACE. (To view the sequence numbers
of the ACEs in a list, use show access-list <acl-name-str>
config
.)
Duplicating an ACE
Duplicate ACEs are not allowed in the same ACL.
Attempting to enter a duplicate ACE displays the Duplicate
access control entry
message.
Creating or editing an ACL offline
The section titled Editing an existing ACL describes how to use the CLI to edit an ACL, and is most applicable in cases where the ACL is short or there is only a minor editing task to perform. The offline method provides an alternative to using the CLI for creating or extensively editing a large ACL. This section describes how to:
move an existing ACL to a TFTP server
use a text (.txt) file format to create a new ACL or edit an existing ACL offline
use TFTP to load an offline ACL into the switch’s running-config
For longer ACLs that may be difficult or time-consuming to accurately create or edit in the CLI, you can use the offline method described in this section.
NOTE: Beginning with software release K_12_XX or later, | |
Begin by doing one of the following:
To edit one or more existing ACLs, use
copy
command—outputtftp
to copy the current version of the ACL configuration to a file in your TFTP server. For example, to copy the ACL configuration to a file named acl-02.txt in the TFTP directory on a server at 10.28.227.2:To create a new ACL, just open a text (.txt) file in the appropriate directory on a TFTP server accessible to the switch.
Use a text editor to create or edit the ACLs in the
*.txt
ASCII file format.If you are replacing an ACL on the switch with a new ACL that uses the same number or name syntax, begin the command file with a
no ip access-list
command to remove the earlier version of the ACL from the switch running-config file. Otherwise, the switch appends the new ACEs in the ACL you download to the existing ACL.For example, if you planned to use the
copy
command to replace ACL "List-120", place this command at the beginning of the edited file:Use
copy tftp command-file
to download the file as a list of commands to the switch.
Example
Suppose you want to create an extended ACL for an RACL application to fulfill the following requirements (Assume a subnet mask of 255.255.255.0 and a TFTP server at 10.10.10.1.):
ID: "LIST-20-IN"
Deny Telnet access to a server at 10.10.10.100 on VLAN 10 from these three addresses on VLAN 20 with ACL logging:
10.10.20.17
10.10.20.23
10.10.20.40
Allow any access to the server from all other addresses on VLAN 20:
Permit internet access to these two address on VLAN 20, but deny access to all other addresses on VLAN 20 (without ACL logging).
10.10.20.98
10.10.20.21
Deny all other IPv4 traffic from VLAN 20 to VLAN 10.
Deny all IPv4 traffic from VLAN 30 (10.10.30.0) to the server at 10.10.10.100 on VLAN 10 (without ACL logging), but allow any other IPv4 traffic from VLAN 30 to VLAN 10.
Deny all other inbound IPv4 traffic to VLAN 20. (Hint: The Implicit Deny can achieve this objective.)
Create a
.txt
file with the content shown in the following figure.After copying the above .txt file to a TFTP server the switch can access, execute the following command:
copy tftp command-file 10.10.10.1 LIST-20-IN.txt pc
In this example, the CLI shows the following output to indicate that the ACL was successfully downloaded to the switch:
NOTE: If a transport error occurs, the switch does not execute the command and the ACL is not configured.
In this example, the command to assign the ACL to a VLAN was included in the .txt command file. If this is not done in your applications, the next step is to manually assign the new ACL to the intended VLAN.
vlan <vid> ip access-group <identifier> in
Use the
show run
orshow access-list config
command to inspect the switch configuration to ensure that the ACL was properly downloaded.If the configuration appears satisfactory, save it to the startup-config file:
switch(config)# write memory
Deleting an ACL
Syntax
no ip access-list standard
<name-str
1-99>
no ip access-list extended
name-str
|100-199
no access-list
1-99
|100-199
Removes the specified ACL from the switch running-config file.
NOTE: If an ACL name is assigned to an interface before the ACL itself has actually been created, then the switch creates an "empty" version of the ACL in the running configuration and assigns the empty ACL to the interface. Subsequently populating the empty ACL with explicit ACEs causes the switch to automatically activate the ACEs as they are created and to implement the implicit deny at the end of the ACL.
Deleting an ACL from the running configuration while the ACL is currently assigned on an interface results in an "empty" version of the ACL in the running configuration and on the interface. Subsequently removing the ACL from the interface also removes the empty ACL from the running configuration.
If you need to remove an ACL identifier assignment on an interface, see Adding or removing an ACL assignment on an interface
Inserting an ACE in an existing ACL
This action uses a sequence number to specify where to insert a new ACE into an existing sequence of ACLs.
Syntax
ip access-list
<standard
|extended>
<name-str
|1 - 99
|100 - 199>
<1-2147483647>
permit
|deny
<standard-acl-ip-criteria>
[log
]
<1-2147483647>
permit
|deny
<extented-acl-ip-criteria>
[option
]The first command enters the "Named-ACL" context for the specified ACL. The remaining two commands insert a new ACE in a standard or extended ACL, respectively.
Entering an ACE that would result in an out-of-range sequence number is not allowed. Use the resequence command to free up ACE numbering availability in the ACL. See Resequencing the ACEs in an ACL.
To insert a new ACE between existing ACEs in a list:
Use
ip access-list
to enter the "Named-ACL" (nacl
) context of the ACE. This applies regardless of whether the ACE was originally created as a numbered ACL or a named ACL.Begin the ACE command with a sequence number that identifies the position you want the ACE to occupy. (The sequence number range is 1-2147483647).
Complete the ACE with the command syntax appropriate for thetype of ACL you are editing.
For example, inserting a new ACE between the ACEs numbered 10 and 20 requires a sequence number in the range of 11-19 for the new ACE.
In the following example, the first two ACEs entered become lines 10 and 20 in the list. The third ACE entered is configured with a sequence number of 15 and is inserted between lines 10 and 20.
Deleting an ACE from an existing ACL
This action uses ACL sequence numbers to delete ACEs from an ACL.
Syntax
ip access-list extended
standard
|extended
name-str
|100-199
no <seq-#>
The first command enters the "Named-ACL" context for the specified ACL. The
no
command deletes the ACE corresponding to the sequence number entered.Range: 1 - 2147483647
To find the sequence number of the ACE you want to delete, use show run or show access-list
1-99
|100-199
to view the ACL.
Use
ip access-list
to enter the "Named-ACL" (nacl
) context of the ACE. This applies regardless of whether the ACE was originally created as a numbered ACL or a named ACL.In the "Named-ACL" context, type
no
and enter the sequence number of the ACE you want to delete.
Resequencing the ACEs in an ACL
This action reconfigures the starting sequence number for ACEs in an ACL, and resets the numeric interval between sequence numbers for ACEs configured in the ACL.
Syntax
ip access-list resequence
<name-str
|1 – 99
|100 – 199>
<starting-seq-#> <interval>
Resets the sequence numbers for all ACEs in the ACL.
<starting– seq-#>
Specifies the sequence number for the first ACE in the list. (Default: 10; Range: 1 – 2147483647)
<interval>
Specifies the interval between sequence numbers for the ACEs in the list. (Default: 10; Range: 1 - 2147483647)
To view the current sequence numbering in an ACE, use either command:
show run
show access-list <name-str
1 - 99 100-199>Use the command syntax (above) to change the sequence numbering.
This example resequences the "My-List" ACL at the bottom of figure so that the list begins with line 100 and uses a sequence interval of 100.
Viewing and resequencing an ACL
Attaching a remark to an ACE
A remark is numbered in the same way as an ACE, and uses the same sequence number as the ACE to which it refers. This operation requires that the remark for a given ACE be entered prior to entering the ACE itself.
Syntax
access-list
<1 - 99
|100 - 199> remark
<remark-str>
This syntax appends a remark to the end of a numbered ACL and automatically assigns a sequence number to the remark. The next command entry should be the ACE to which the remark belongs. (The new ACE is automatically numbered with the same sequence number as that used for the preceding remark.)
Syntax
ip access-list
<standard
|extended>
<name-str
|1-99
|100-199>
[ seq-#]remark <remark-str>
no <seq-#> remark
This syntax applies to both named and numbered ACLs. Without an optional sequence number, the remark is appended to the end of the list and automatically assigned a sequence number. When entered with an optional sequence number, the remark is inserted in the list according to the numeric precedence of the sequence number. The
no
form of the command deletes the indicated remark, but does not affect the related ACE.
To associate a remark with a specific ACE, enter the remark first, and then enter the ACE.
Entering a remark without a sequence number and then entering an ACE without a sequence number results in the two entries being automatically paired with the same sequence number and appended to the end of the current ACL.
Entering a remark with a sequence number and then entering an ACE with the same sequence number results in the two entries being paired together and positioned in the list according to the sequence number they share.
NOTE: After a numbered ACL has been created (using access-list 1-99 | 100-199), it can be managed as either a named or numbered ACL. For example, in an existing ACL with a numeric identifier of "115", either of the following command sets adds an ACE denying IPv4 traffic from any source to a host at 10.10.10.100: switch(config)# access-list 115 deny ip host 10.10.10.100switch(config)# ip access-list extended 115switch(config-ext-nacl)# deny ip any 10.10.10.100 | |
Appending remarks and related ACEs to the end of an ACL
To include a remark for an ACE that is appended
to the end of the current ACL, enter the remark first, then enter
the related ACE. This results in the remark and the subsequent ACE
having the same sequence number. For example, to add remarks using
the "Named-ACL" (nacl
) context:
Appending a remark and its related ACE to the end of an ACL
You can also perform the operation illustrated in Appending a remark and its related ACE to the end of an ACL by using the numbered, access-list
<1-99
| 100-199
>
syntax shown at the beginning of this section.
See Operating notes for remarks, for more details.
Inserting remarks and related ACEs within an existing list
To insert an ACE with a remark within an ACL
by specifying a sequence number, insert the numbered remark first,
then, using the same sequence number, insert the ACE. This operation
applies only to ACLs accessed using the "Named-ACL" (nacl
)
context.
Inserting a remark for an ACE that already exists in an ACL
If a sequence number is already assigned to an ACE in a list, you cannot insert a remark by assigning it to the same number. (To configure a remark with the same number as a given ACE, the remark must be configured first.) To assign a remark to the same number as an existing ACE:
Delete the ACE.
Configure the remark with the number you want assigned to the pair.
Re-Enter the deleted ACE with the number used to enter the remark.
Removing a remark from an existing ACE
If you want to remove a remark, but want to retain the ACE, do the following:
Use the Named ACL context to enter the ACL.
Using
show run
orshow access-list <list-name> config
, note the sequence number and content of the ACE having a remark you want to remove.Delete the ACE.
Using the same sequence number, re-enter the ACE.
Enable ACL “Deny” or “Permit” Logging
ACL logging enables the switch to generate a message when IP traffic meets the criteria for a match with an ACE that results in an explicit “deny” or “permit” action. You can use ACL logging to help:
Test your network to ensure that your ACL configuration is detecting and denying or permitting the IPv4 traffic you do not want forwarded.
Receive notification when the switch detects attempts to forward IPv4 traffic you have designed your ACLs to reject (deny) or allow (permit.)
The switch sends ACL messages to and optionally to
the current console, Telnet, or SSH session. You can use logging
<>
to configure up to six server destinations.
Requirements for using ACL Logging
The switch configuration must include an ACL (1) assigned to a port, trunk, or static VLAN interface and (2) containing an ACE configured with the deny or permit action and the log option.
If the RACL application is used, then IPv4 routing must be enabled on the switch.
For ACL logging to a server:
For more information, see Enabling ACL logging on the switch.
ACL Logging Operation
When the switch detects a packet match with an ACE and the ACE includes either the deny or permit action, and the optional log parameter, an ACL log message is sent to the designated debug destination.
The first time a packet matches an ACE with deny or permit and log configured, the message is sent immediately to the destination and the switch starts a wait period of approximately five minutes. (The exact duration of the period depends on how the packets are internally routed.) At the end of the collection period, the switch sends a single-line summary of any additional “deny” or “permit” matches for that ACE (and any other “deny” or “permit” ACEs for which the switch detected a match).
If no further log messages are generated in the wait-period, the switch suspends the timer and resets itself to send a message as soon as a new “deny” or “permit” match occurs. If subsequent packets matching the already logged ACL entries are detected, then a new logged event is generated that summarizes the number of packets that matched each specific entry (with the time period). The data in the message includes the information illustrated in the following figure.
Enabling ACL logging on the switch
If you are using a Syslog server, use the logging <ip-addr> command to configure the Syslog server IPv4 address. Ensure that the switch can access any Syslog server you specify.
Use
logging facility syslog
to enable the logging for Syslog operation.Use the
debug
destination
command to configure one or more log destinations. Destination options includelogging
andsession
. For more information, see the management and configuration guide for your switch.Use
debug acl
ordebug all
to configure the debug operation to include ACL messages.Configure one or more ACLs with the
deny
action and thelog
option.
Example
Suppose you want to configure the following operation:
On VLAN 10 configure an extended ACL with an ACL-ID of "NO-TELNET" and use the RACL
in
option to deny Telnet traffic entering the switch from 10.10.10.3 to any routed destination. Note: This assignment does not filter Telnet traffic from 10.10.10.3 to destinations on VLAN 10 itself.Configure the switch to send an ACL log message to the current console session and to a Syslog server at 10.10.20.3 on VLAN 20 if the switch detects a packet match denying a Telnet attempt from 10.10.10.3.
This example assumes that IPv4 routing is already configured on the switch.
Monitoring static ACL performance
ACL statistics counters provide a means for monitoring ACL performance by using counters to display the current number of matches the switch has detected for each ACE in an ACL assigned to a switch interface. This can help in determining whether a particular traffic type is being filtered by the intended ACE in an assigned list, or if traffic from a particular device or network is being filtered as intended.
NOTE: This section describes the command for monitoring static ACL performance. To monitor RADIUS-assigned ACL performance, use either of the following commands:
| |
Syntax
<show
clear>statistics
Displays the current match (hit ) count per ACE for the specified IPv6 or IPv4 static ACL assignment on a specific interface.
show
Displays the current match (hit) count per ACE for the specified IPv6 or IPv4 static ACL assignment on a specific interface.
clear
Resets ACE hit counters to zero for the specified IPv6 or IPv4 static ACL assignment on a specific interface.
Total
This column lists the running total of the matches the switch has detected for the ACEs in an applied ACL since the ACL's counters were last reset to 0 (zero)
ACE counter operation
For a given ACE in an assigned ACL, the counter increments by 1 each time the switch detects a packet that matches the criteria in that ACE, and maintains a running total of the matches since the last counter reset. For example, in ACL line 10 below, there has been a total of 37 matches on the ACE since the last time the ACL’s counters were reset.
Total ( 37) 10 permit icmp ::/0 fe80::20:2/128 128
NOTE: This ACL monitoring feature does not include hits on the “implicit deny” that is included at the end of all ACLs. | |
Resetting ACE Hit counters to zero
Using the clear statistics command:
Removing an ACL from an interface zeros the ACL’s ACE counters for that interface only.
For a given ACL, either of the following actions clear the ACE counters to zero for all interfaces to which the ACL is assigned.
adding or removing a permit or deny ACE in the ACL
rebooting the switch
Resetting ACE hit counters to Zero
The following example uses the previously shown
counter activity to demonstrate using clear statistics
to
reset the counters to zero.
Using IPv6 counters with multiple interface assignments
Where the same IPv6 ACL is assigned to multiple interfaces, the switch maintains a separate instance of each ACE counter in the ACL. When there is a match with traffic on one of the ACL's assigned interfaces, only the affected ACE counters for that interface are incremented. Other instances of the same ACL applied to other interfaces are not affected.
NOTE: These examples of counters use small values to help illustrate counter operation. The counters in real-time network applications are generally much more active and show higher values. | |
For example, suppose that:
An ACL named "V6-01" is configured as shown in ACL "V6-01" and command for PACL assignment on port B2 to block Telnet access to a workstation at FE80::20:2, which is connected to a port belonging to VLAN 20.
The ACL is assigned as a PACL (port ACL) on port B2, which is also a member of VLAN 20:
Using the topology in Application to filter traffic inbound on port B2, a workstation at FE80::20:117 on port B2 attempting to ping and Telnet to the workstation at FE80::20:2 is filtered through the PACL instance of the "V6-01" ACL assigned to port B2, resulting in the following:
Ping and telnet from FE80::20:117 to FE80::20:2 filtered by the assignment of "V6-01" as a PACL on port B2
NOTE: IPv4 ACE counters assigned as RACLs operate differently than described above. For more information, see Using IPv4 counters with multiple interface assignments . | |
Where the same IPv4 ACL is assigned to multiple interfaces as a VLAN ACL (VACL) or port ACL (PACL), the switch maintains a separate instance of ACE counters for each interface assignment. Thus, when there is a match with traffic on one of the ACL's VACL- or PACL -assigned interfaces, only the ACE counter in the affected instance of the ACL is incremented. However, if an ACL has multiple assignments as an RACL, then a match with an ACE in any RACL instance of the ACL increments that same counter on all RACL-assigned instances of that ACL. (The ACE counters for VACL and PACL instances of an ACL are not affected by counter activity in RACL instances of the same ACL.)
For example, suppose that an IPv4 ACL named "Test-1" is configured to block Telnet access to a server at 10.10.20.12 on VLAN 20, and that the Test-1 ACL is assigned to VLANs as follows:
VLAN 20: VACL
VLAN 50: RACL
VLAN 70: RACL
In the above case:
Matches with ACEs 10 or 20 that originate on VLAN 20 increment only the counters for the instances of these two ACEs in the Test-1 VACL assignment on VLAN 20. The same counters in the instances of ACL Test-1 assigned to VLANs 50 and 70 are not be incremented.
Any Telnet requests to 10.10.20.12 that originate on VLANs 50 or 70 are filtered by instances of Test-1 assigned as RACLs, and increment the counters for ACE 10 on both RACL instances of the Test-1 ACL.
Using the network in Access Granted page, a device at 10.10.20.4 on VLAN 20 attempting to ping and Telnet to 10.10.20.12 is filtered through the VACL instance of the "Test-1" ACL on VLAN 20 and results in the following:
Ping and telnet from 10.10.20.4 to 10.10.20.2 filtered by the assignment of "Test-1" as a VACL on VLAN 20
However, using a device at 10.10.30.11 on VLAN 50 for attempts to ping and Telnet to 10.10.20.12 requires routing, and filters the attempts through the RACL instance of the "Test-1" ACL on VLAN 50.
Ping and telnet from 10.10.30.11 to 10.10.20.2 filtered by the assignment of "Test-1" as a RACL on VLAN 30
This action has an identical effect on the counters in all RACL instances of the "Test-1" ACL configured and assigned to interfaces on the same switch. In this example, it means that the RACL assignments of "Test-1" on VLANs 50 and 70 are incremented by the above action occurring on VLAN 50.
Note that the ACE counters for the VACL assignment of the "Test-1" ACL on VLAN 20 are not affected by ACE hits on the RACL assignments of the same ACL.