Configuring IP ACLs - Cisco - Global Home Page...Cisco Nexus 3000 Series NX-OS Security...

Configuring IP ACLs

This chapter describes how to configure IP access control lists (ACLs) on Cisco NX-OS .

Unless otherwise specified, the term IP ACL refers to IPv4 ACLs.

The Cisco NX-OS release that is running on a managed may not support all documented features orsettings. For the latest feature information and caveats, see the documentation and release notes for yourplatform and software release.

Note

This chapter includes the following sections:

• Information About ACLs, page 1

• Licensing Requirements for IP ACLs, page 8

• Prerequisites for IP ACLs, page 9

• Guidelines and Limitations for IP ACLs, page 9

• Default Settings for IP ACLs, page 10

• Configuring IP ACLs, page 10

• Verifying IP ACL Configurations, page 27

• Monitoring and Clearing IP ACL Statistics, page 28

• Configuration Examples for IP ACLs, page 28

Information About ACLsAn ACL is an ordered set of rules that you can use to filter traffic. Each rule specifies a set of conditions thata packet must satisfy to match the rule. When the device determines that an ACL applies to a packet, it teststhe packet against the conditions of all rules. The first matching rule determines whether the packet is permittedor denied. If there is no match, the device applies the applicable implicit rule. The device continues processingpackets that are permitted and drops packets that are denied.

You can use ACLs to protect networks and specific hosts from unnecessary or unwanted traffic. For example,you could use ACLs to disallow HTTP traffic from a high-security network to the Internet. You could also

Cisco Nexus 3000 Series NX-OS Security Configuration Guide, Release 5.0(3)U2(2) OL-25780-01 1

use ACLs to allow HTTP traffic but only to specific sites, using the IP address of the site to identify it in anIP ACL.

ACL Types and ApplicationsThe device supports the following types of ACLs for security traffic filtering:

The device applies IPv4 ACLs only to IPv4 traffic.IPv4 ACLs

IP ACLs have the following types of applications:

Filters Layer 2 trafficPort ACL

Filters Layer 3 trafficRouter ACL

Filters VLAN trafficVLAN ACL

Filters virtual teletype (VTY) trafficVTY ACL

This table summarizes the applications for security ACLs.

Table 1: Security ACL Applications

Types of ACLs SupportedSupported InterfacesApplication

Port ACL•• Layer 2 interfaces IPv4 ACLs

• Layer 2 Ethernet port-channelinterfaces

When a port ACL is applied to atrunk port, the ACL filters trafficon all VLANs on the trunk port.

Router ACL•• VLAN interfaces IPv4 ACLs

• Physical Layer 3 interfaces

• Layer 3 Ethernetsubinterfaces

• Layer 3 Ethernet port-channelinterfaces

• Layer 3 Ethernet port-channelsubinterfaces

• Management interfaces

You must enable VLANinterfaces globally beforeyou can configure aVLAN interface.

Note

VLAN ACL•• IPv4 ACLsVLANs

Cisco Nexus 3000 Series NX-OS Security Configuration Guide, Release 5.0(3)U2(2)2 OL-25780-01

Configuring IP ACLsACL Types and Applications

Types of ACLs SupportedSupported InterfacesApplication

VTY ACL•• IPv4 ACLsVTYs

Order of ACL ApplicationWhen the device processes a packet, it determines the forwarding path of the packet. The path determineswhich ACLs that the device applies to the traffic. The device applies the ACLs in the following order:

1 Port ACL

2 Ingress VACL

3 Ingress router ACL

4 Ingress VTY ACL

5 Egress VTY ACL

6 Egress router ACL

7 Egress VACL

If the packet is bridged within the ingress VLAN, the device does not apply router ACLs.

The following figure shows the order in which the device applies ACLs.Figure 1: Order of ACL Application

The following figure shows where the device applies ACLs, depending upon the type of ACL. The red pathindicates a packet sent to a destination on a different interface than its source. The blue path indicates a packetthat is bridged within its VLAN.

The device applies only the applicable ACLs. For example, if the ingress port is a Layer 2 port and the trafficis on a VLAN that is a VLAN interface, a port ACL and a router ACL both can apply. In addition, if a VACLis applied to the VLAN, the device applies that ACL too.


Configuring IP ACLsOrder of ACL Application

Figure 2: ACLs and Packet Flow

About RulesRules are what you create, modify, and remove when you configure how an ACL filters network traffic. Rulesappear in the running configuration. When you apply an ACL to an interface or change a rule within an ACL


Configuring IP ACLsAbout Rules

that is already applied to an interface, the supervisor module creates ACL entries from the rules in the runningconfiguration and sends those ACL entries to the applicable I/O module. Depending upon how you configurethe ACL, there may be more ACL entries than rules, especially if you implement policy-based ACLs by usingobject groups when you configure rules.

You can create rules in access-list configuration mode by using the permit or deny command. The deviceallows traffic that matches the criteria in a permit rule and blocks traffic that matches the criteria in a denyrule. You have many options for configuring the criteria that traffic must meet in order to match the rule.

This section describes some of the options that you can use when you configure a rule. For information aboutevery option, see the applicable permit and deny commands in the Cisco Nexus 7000 Series NX-OS SecurityCommand Reference.

ProtocolsIPv4 ACLs allow you to identify traffic by protocol. For your convenience, you can specify some protocolsby name. For example, in an IPv4 ACL, you can specify ICMP by name.

You can specify any protocol by number.

In IPv4, you can specify protocols by the integer that represents the Internet protocol number. For example,you can use 115 to specify Layer 2 Tunneling Protocol (L2TP) traffic.

For a list of the protocols that each type of ACL supports by name, see the applicable permit and denycommands in the Cisco Nexus 3000 Series NX-OS Security Command Reference.

Source and DestinationIn each rule, you specify the source and the destination of the traffic that matches the rule. You can specifyboth the source and destination as a specific host, a network or group of hosts, or any host. How you specifythe source and destination depends on whether you are configuring IPv4 ACLs.

Implicit RulesIP and MAC ACLs have implicit rules, which means that although these rules do not appear in the runningconfiguration, the device applies them to traffic when no other rules in an ACL match. When you configurethe device to maintain per-rule statistics for an ACL, the device does not maintain statistics for implicit rules.

All IPv4 ACLs include the following implicit rule:deny ip any any

This implicit rule ensures that the device denies unmatched IP traffic.

This implicit rule ensures that the device denies the unmatched traffic, regardless of the protocol specified inthe Layer 2 header of the traffic.

Additional Filtering OptionsYou can identify traffic by using additional options. These options differ by ACL type. The following listincludes most but not all additional filtering options:

• IPv4 ACLs support the following additional filtering options:



◦ Layer 4 protocol

◦ Authentication Header Protocol

◦ Enhanced Interior Gateway Routing Protocol (EIGRP)

◦ Open Shortest Path First (OSPF)

◦ Payload Compression Protocol

◦ Protocol-independent multicast (PIM)

◦ TCP and UDP ports

◦ ICMP types and codes

◦ Precedence level

◦ Differentiated Services Code Point (DSCP) value

◦ TCP packets with the ACK, FIN, PSH, RST, SYN, or URG bit set

◦ Established TCP connections

◦ Packet length

Sequence NumbersThe device supports sequence numbers for rules. Every rule that you enter receives a sequence number, eitherassigned by you or assigned automatically by the device. Sequence numbers simplify the following ACLtasks:

By specifying the sequence number, you specify where in the ACL a new ruleshould be positioned. For example, if you need to insert a rule between rules

Adding new rulesbetween existing rules

numbered 100 and 110, you could assign a sequence number of 105 to the newrule.

Without using a sequence number, removing a rule requires that you enter the wholerule, as follows:switch(config-acl)# no permit tcp 10.0.0.0/8 any

Removing a rule

However, if the same rule had a sequence number of 101, removing the rule requiresonly the following command:switch(config-acl)# no 101

With sequence numbers, if you need to move a rule to a different position withinan ACL, you can add a second instance of the rule using the sequence number that

Moving a rule

positions it correctly, and then you can remove the original instance of the rule.This action allows you to move the rule without disrupting traffic.

If you enter a rule without a sequence number, the device adds the rule to the end of the ACL and assigns asequence number that is 10 greater than the sequence number of the preceding rule to the rule. For example,if the last rule in an ACL has a sequence number of 225 and you add a rule without a sequence number, thedevice assigns the sequence number 235 to the new rule.



In addition, Cisco NX-OS allows you to reassign sequence numbers to rules in an ACL. Resequencing isuseful when an ACL has rules numbered contiguously, such as 100 and 101, and you need to insert one ormore rules between those rules.

Logical Operators and Logical Operation UnitsIP ACL rules for TCP and UDP traffic can use logical operators to filter traffic based on port numbers. Thedevice stores operator-operand couples in registers called logical operator units (LOUs).

The LOU usage for each type of operator is as follows:

Is never stored in an LOUeq

Uses 1 LOUgt

Uses 1 LOUlt

Uses 1 LOUneq

Uses 1 LOUrange

Statistics and ACLsThe device can maintain global statistics for each rule that you configure in IPv4, IPv6, and MAC ACLs. Ifan ACL is applied to multiple interfaces, the maintained rule statistics are the sum of packet matches (hits)on all the interfaces on which that ACL is applied.

The device does not support interface-level ACL statistics.Note

For each ACL that you configure, you can specify whether the device maintains statistics for that ACL, whichallows you to turn ACL statistics on or off as needed to monitor traffic filtered by an ACL or to helptroubleshoot the configuration of an ACL.

The device does not maintain statistics for implicit rules in an ACL. For example, the device does not maintaina count of packets that match the implicit deny ip any any rule at the end of all IPv4 ACLs. If you want tomaintain statistics for implicit rules, you must explicitly configure the ACL with rules that are identical to theimplicit rules.

VTY SupportCisco NX-OS does not support applying an ACL directly to a VTY line; however, you can use control planepolicing (CoPP) to filter VTY traffic. To do so, you must define two ACLs for use with filtering VTY traffic:one ACL that permits traffic that you want to allow and another ACL that permits traffic that you want todrop. Then you can configure CoPP to transmit the packets that are permitted by the ACL that matchesdesirable traffic and to drop the packets that are permitted by the ACL that matches undesirable traffic.

In the following example, the ACL copp-system-acl-allow explicitly allows Telnet, SSH, SNMP, NTP,RADIUS, and TACACS+ traffic that is inbound from the 10.30.30.0/24 network and allows any trafficoutbound from the device to the 10.30.30.0/24 network. The copp-system-acl-deny explicitly allows all traffic.


Configuring IP ACLsStatistics and ACLs

The policing policies are configured to transmit the traffic permitted by the copp-system-acl-allow ACL andto drop the traffic permitted by the copp-system-acl-deny ACL.ip access-list copp-system-acl-allow10 remark ### ALLOW TELNET from 10.30.30.0/2420 permit tcp 10.30.30.0/24 any eq telnet30 permit tcp 10.30.30.0/24 any eq 10740 remark ### ALLOW SSH from 10.30.30.0/2450 permit tcp 10.30.30.0/24 any eq 2260 remark ### ALLOW SNMP from 10.30.30.0/2470 permit udp 10.30.30.0/24 any eq snmp80 remark ### ALLOW TACACS from 10.30.30.0/2490 permit tcp 10.30.30.0/24 any eq tacacs100 remark ### ALLOW RADIUS from 10.30.30.0/24110 permit udp 10.30.30.0/24 any eq 1812120 permit udp 10.30.30.0/24 any eq 1813130 permit udp 10.30.30.0/24 any eq 1645140 permit udp 10.30.30.0/24 any eq 1646150 permit udp 10.30.30.0/24 eq 1812 any160 permit udp 10.30.30.0/24 eq 1813 any170 permit udp 10.30.30.0/24 eq 1645 any180 permit udp 10.30.30.0/24 eq 1646 any190 remark ### ALLOW NTP from 10.30.30.0/24200 permit udp 10.30.30.0/24 any eq ntp210 remark ### ALLOW ALL OUTBOUND traffic TO 10.30.30.0/24220 permit ip any 10.30.30.0/24statistics # keep statistics on matches

ip access-list copp-system-acl-deny10 remark ### this is a catch-all to match any other traffic20 permit ip any anystatistics # keep statistics on matches

class-map type control-plane match-any copp-system-class-management-allowmatch access-group name copp-system-acl-allow

class-map type control-plane match-any copp-system-class-management-denymatch access-group name copp-system-acl-deny

policy-map type control-plane copp-system-policyclass copp-system-class-management-allow

police cir 60000 kbps bc 250 ms conform transmit violate dropclass copp-system-class-management-deny

police cir 60000 kbps bc 250 ms conform drop violate dropcontrol-planeservice-policy input copp-system-policy

Session Manager Support for IP ACLsSession Manager supports the configuration of IP and MAC ACLs. This feature allows you to verify ACLconfiguration and confirm that the resources required by the configuration are available prior to committingthem to the running configuration. For more information about Session Manager, see the .

Licensing Requirements for IP ACLsThe following table shows the licensing requirements for this feature:

License RequirementProduct

No license is required to use IP ACLs. However tosupport up to 128K ACL entries using an XL line

Cisco NX-OS

card, you must install the scalable services license.Any feature not included in a license package isbundled with the Cisco NX-OS system images and


Configuring IP ACLsSession Manager Support for IP ACLs

License RequirementProduct

is provided at no extra charge to you. For anexplanation of the Cisco NX-OS licensing scheme,see the Cisco NX-OS Licensing Guide.

Prerequisites for IP ACLsIP ACLs have the following prerequisites:

• You must be familiar with IP addressing and protocols to configure IP ACLs.

• You must be familiar with the interface types that you want to configure with ACLs.

Guidelines and Limitations for IP ACLsIP ACLs have the following configuration guidelines and limitations:

• We recommend that you perform ACL configuration using the Session Manager. This feature allowsyou to verify ACL configuration and confirm that the resources required by the configuration are availableprior to committing them to the running configuration. This is especially useful for ACLs that includemore than about 1000 rules.

• In most cases, ACL processing for IP packets occurs on the I/O modules, which use hardware thataccelerates ACL processing. In some circumstances, processing occurs on the supervisor module, whichcan result in slower ACL processing, especially during processing that involves an ACL with a largenumber of rules. Management interface traffic is always processed on the supervisor module. If IPpackets in any of the following categories are exiting a Layer 3 interface, they are sent to the supervisormodule for processing:

◦ Packets that fail the Layer 3 maximum transmission unit check and therefore require fragmenting.

◦ IPv4 packets that have IP options (additional IP packet header fields following the destinationaddress field).

Rate limiters prevent redirected packets from overwhelming the supervisor module.

Prior to Cisco NX-OS Release 4.2(3), ACL logging does not support ACL processingthat occurs on the supervisor module.

Note

• When you apply an ACL that uses time ranges, the device updates the ACL entries on the affected I/Omodules whenever a time range referenced in an ACL entry starts or ends. Updates that are initiated bytime ranges occur on a best-effort priority. If the device is especially busy when a time range causes anupdate, the device may delay the update by up to a few seconds.

• To apply an IP ACL to a VLAN interface, you must have enabled VLAN interfaces globally.

• The maximum number of supported IP ACL entries is 64K for devices without an XL line card and128K for devices with an XL line card.


Configuring IP ACLsPrerequisites for IP ACLs

• If you try to apply too many ACL entries to a non-XL line card, the configuration is rejected.

• Each forwarding engine on an F1 Series module supports 1K ingress ACL entries, with 984 entriesavailable for user configuration. The total number of IP ACL entries for the F1 Series modules is from1K to 16K, depending on which forwarding engines the policies are applied.

• F1 Series modules do not support router ACLs.

• F1 Series modules do not support ACL logging.

• F1 Series modules do not support bank chaining.

• Each port ACL can support up to four different Layer 4 operations for F1 Series modules.

• Each of the 16 forwarding engines in an F1 Series module supports up to 250 IPv6 addresses acrossmultiple ACLs.

• The VTYACL feature restricts all traffic for all VTY lines. You cannot specify different traffic restrictionsfor different VTY lines.

• Any router ACL can be configured as a VTY ACL.

• ACL policies are not supported on the Fabric Extender fabric port channel.

Default Settings for IP ACLsThis table lists the default settings for IP ACL parameters.

Table 2: Default IP ACL Parameters

DefaultParameters

No IP ACLs exist by defaultIP ACLs

Implicit rules apply to all ACLsACL rules

No object groups exist by defaultObject groups

No time ranges exist by defaultTime ranges

Configuring IP ACLs

Creating an IP ACLYou can create an IPv4 ACL ACL on the device and add rules to it.

Before You Begin

We recommend that you perform ACL configuration using the Session Manager. This feature allows you toverify ACL configuration and confirm that the resources required by the configuration are available prior to


Configuring IP ACLsDefault Settings for IP ACLs

committing them to the running configuration. This is especially useful for ACLs that includemore than about1000 rules.

SUMMARY STEPS

1. configure terminal2. Enter one of the following commands:

• ip access-list name

3. (Optional) fragments {permit-all | deny-all}4. [sequence-number] {permit | deny} protocol source destination5. (Optional) statistics per-entry6. (Optional) Enter one of the following commands:

• show ip access-lists name

7. (Optional) copy running-config startup-config

DETAILED STEPS

PurposeCommand or Action

Enters global configuration mode.configure terminal

Example:switch# configure terminalswitch(config)#

Step 1

Creates the IP ACL and enters IP ACL configuration mode.The name argument can be up to 64 characters.

Enter one of the following commands:Step 2


Example:switch(config)# ip access-list acl-01switch(config-acl)#

(Optional)Optimizes fragment handling for noninitial fragments. Whena device applies to traffic an ACL that contains the fragments

fragments {permit-all | deny-all}

Example:switch(config-acl)# fragments permit-all

Step 3

command, the fragments command only matches noninitialfragments that do not match any explicit permit or denycommands in the ACL.

Creates a rule in the IP ACL. You can create many rules. Thesequence-number argument can be a whole number between1 and 4294967295.

[sequence-number] {permit | deny} protocol sourcedestination

Example:switch(config-acl)# permit ip 192.168.2.0/24any

Step 4

The permit and deny commands support many ways ofidentifying traffic.


Configuring IP ACLsCreating an IP ACL


(Optional)Specifies that the device maintains global statistics for packetsthat match the rules in the ACL.

statistics per-entry

Example:switch(config-acl)# statistics per-entry

Step 5

(Optional)Displays the IP ACL configuration.



Example:switch(config-acl)# show ip access-listsacl-01

(Optional)Copies the running configuration to the startup configuration.

copy running-config startup-config

Example:switch(config-acl)# copy running-configstartup-config

Step 7

Changing an IP ACLYou can add and remove rules in an existing IPv4 ACL. You cannot change existing rules. Instead, to changea rule, you can remove it and recreate it with the desired changes.

If you need to add more rules between existing rules than the current sequence numbering allows, you canuse the resequence command to reassign sequence numbers.

Before You Begin

We recommend that you perform ACL configuration using the Session Manager. This feature allows you toverify ACL configuration and confirm that the resources required by the configuration are available prior tocommitting them to the running configuration. This is especially useful for ACLs that includemore than about1000 rules.


Configuring IP ACLsChanging an IP ACL

SUMMARY STEPS



3. (Optional) [sequence-number] {permit | deny} protocol source destination4. (Optional) [no] fragments {permit-all | deny-all}5. (Optional) no {sequence-number | {permit | deny} protocol source destination}6. (Optional) [no] statistics per-entry7. (Optional) Enter one of the following commands:



DETAILED STEPS




Step 1

Enters IP ACL configuration mode for the ACL that you specifyby name.



Example:switch(config)# ip access-list acl-01switch(config-acl)#

(Optional)Creates a rule in the IP ACL. Using a sequence number allowsyou to specify a position for the rule in the ACL. Without a

[sequence-number] {permit | deny} protocol sourcedestination

Example:switch(config-acl)# 100 permit ip192.168.2.0/24 any

Step 3

sequence number, the rule is added to the end of the rules. Thesequence-number argument can be a whole number between 1and 4294967295.

The permit and deny commands support manyways of identifyingtraffic.

(Optional)Optimizes fragment handling for noninitial fragments. When adevice applies to traffic an ACL that contains the fragments

[no] fragments {permit-all | deny-all}

Example:switch(config-acl)# fragments permit-all

Step 4

command, the fragments command only matches noninitialfragments that do not match any explicit permit or denycommands in the ACL.


Configuring IP ACLsChanging an IP ACL


The no option removes fragment-handling optimization.

(Optional)Removes the rule that you specified from the IP ACL.

no {sequence-number | {permit | deny} protocolsource destination}

Step 5

Example:switch(config-acl)# no 80

The permit and deny commands support manyways of identifyingtraffic.

(Optional)Specifies that the device maintains global statistics for packetsthat match the rules in the ACL.

[no] statistics per-entry

Example:switch(config-acl)# statistics per-entry

Step 6

The no option stops the device from maintaining global statisticsfor the ACL.




Example:switch(config-acl)# show ip access-listsacl-01



Example:switch(config-acl)# copy running-configstartup-config

Step 8

Creating a VTY ACLYou can configure a VTY ACL to control access to all IPv4 or IPv6 traffic over all VTY lines in the ingressor egress direction.

Before You Begin

Set identical restrictions on all the virtual terminal lines because a user can connect to any of them.

Ensure that you are in the correct VDC (or use the switchto vdc command).

We recommend that you perform ACL configuration using the Session Manager. This feature allows you toverify ACL configuration and confirm that the resources required by the configuration are available prior tocommitting them to the running configuration, which is especially useful for ACLs that include more thanabout 1000 rules. For more information about Session Manager, see the .


Configuring IP ACLsCreating a VTY ACL

SUMMARY STEPS

1. configure terminal2. {ip | ipv6} access-list name3. {permit | deny} protocol source destination [log] [time-range time]4. exit5. line vty6. {ip | ipv6} access-class name {in | out}7. (Optional) show {ip | ipv6} access-lists8. (Optional) copy running-config startup-config

DETAILED STEPS




Step 1

Creates an ACL and enters IP access list configurationmode for that ACL. The maximum length for the nameargument is 64 characters.

{ip | ipv6} access-list name

Example:switch(config)# ip access-list vtyacl

Step 2

Creates an ACL rule that permits TCP traffic from and tothe specified sources.

{permit | deny} protocol source destination [log][time-range time]

Example:switch(config-ip-acl)# permit tcp any any

Step 3

Exits IP access list configuration mode.exit

Example:switch(config-ip-acl)# exitswitch(config)#

Step 4

Specifies the virtual terminal and enters line configurationmode.

line vty

Example:switch(config)# line vtyswitch(config-line)#

Step 5

Restricts incoming or outgoing connections to and from allVTY lines using the specified ACL. The maximum lengthfor the name argument is 64 characters.

{ip | ipv6} access-class name {in | out}

Example:switch(config-line)# ip access-class vtyacl out

Step 6


Configuring IP ACLsCreating a VTY ACL


(Optional)Displays the configured ACLs, including any VTY ACLs.

show {ip | ipv6} access-lists

Example:switch# show ip access-lists

Step 7

(Optional)Copies the running configuration to the startupconfiguration.


Example:switch# copy running-config startup-config

Step 8

Changing Sequence Numbers in an IP ACLYou can change all the sequence numbers assigned to the rules in an IP ACL.

Before You Begin

We recommend that you perform ACL configuration using the Session Manager. This feature allows you toverify ACL configuration and confirm that the resources required by the configuration are available prior tocommitting them to the running configuration. This is especially useful for ACLs that includemore than about1000 rules.

SUMMARY STEPS

1. configure terminal2. (Optional) show ip access-lists name3. (Optional) copy running-config startup-config

DETAILED STEPS




Step 1


show ip access-lists name

Example:switch(config)# show ip access-lists acl-01

Step 2



Example:switch(config)# copy running-config startup-config

Step 3


Configuring IP ACLsChanging Sequence Numbers in an IP ACL

Removing an IP ACLYou can remove an IP ACL from the device.

Before You Begin

Ensure that you know whether the ACL is applied to an interface. The device allows you to remove ACLsthat are currently applied. Removing an ACL does not affect the configuration of interfaces where you haveapplied the ACL. Instead, the device considers the removed ACL to be empty. Use the show ip access-listscommand command with the summary keyword to find the interfaces that an IP ACL is configured on.

SUMMARY STEPS


• no ip access-list name

3. (Optional) Enter one of the following commands:

• show ip access-lists name summary


DETAILED STEPS




Step 1

Removes the IP ACL that you specified by name fromthe running configuration.


• no ip access-list name

Example:switch(config)# no ip access-list acl-01

(Optional)Displays the IP ACL configuration. If the ACL remainsapplied to an interface, the command lists theinterfaces.


• show ip access-lists name summary

Example:switch(config)# show ip access-lists acl-01 summary


Configuring IP ACLsRemoving an IP ACL




Example:switch(config)# copy running-config startup-config

Step 4

Applying an IP ACL as a Router ACLYou can apply an IPv4 ACL to any of the following types of interfaces:

• Physical Layer 3 interfaces and subinterfaces

• Layer 3 Ethernet port-channel interfaces and subinterfaces

• VLAN interfaces

• Tunnels

• Management interfaces

ACLs applied to these interface types are considered router ACLs.

Logical operation units (LOUs) are not available for router ACLs applied in the "out" direction. If an IPv4ACL is applied as a router ACL in the "out" direction, ACEs containing logical operators for TCP/UDPport numbers are expanded internally to multiple ACEs and may require more TCAM entries whencompared to the same ACL applied in the "in" direction.

Note

Before You Begin

Ensure that the ACL you want to apply exists and that it is configured to filter traffic in the manner that youneed for this application.


Configuring IP ACLsApplying an IP ACL as a Router ACL

SUMMARY STEPS


• interface ethernet slot/port[. number]

• interface port-channel channel-number[. number]

• interface tunnel tunnel-number

• interface vlan vlan-ID

• interface mgmt port

3. Enter one of the following commands:

• ip access-group access-list {in | out}

4. (Optional) show running-config aclmgr5. (Optional) copy running-config startup-config

DETAILED STEPS




Step 1

Enters configuration mode for the interface typethat you specified.


• interface ethernet slot/port[. number]

• interface port-channel channel-number[. number]

• interface tunnel tunnel-number

• interface vlan vlan-ID

• interface mgmt port

Example:switch(config)# interface tunnel 13switch(config-if)#

Applies an IPv4 ACL to the Layer 3 interface fortraffic flowing in the direction specified. You canapply one router ACL per direction.


• ip access-group access-list {in | out}

Example:switch(config-if)# ip access-group acl-120 out


Configuring IP ACLsApplying an IP ACL as a Router ACL


(Optional)Displays the ACL configuration.

show running-config aclmgr

Example:switch(config-if)# show running-config aclmgr

Step 4



Example:switch(config-if)# copy running-config startup-config

Step 5

Applying an IP ACL as a Port ACLYou can apply an IPv4 ACL to a Layer 2 interface, which can be a physical port or a port channel. ACLsapplied to these interface types are considered port ACLs.

Before You Begin

Ensure that the ACL you want to apply exists and that it is configured to filter traffic in the manner that youneed for this application.

If the interface is configured with themac packet-classify command, you cannot apply an IP port ACLto the interface until you remove themac packet-classify command from the interface configuration.

Note

SUMMARY STEPS


• interface ethernet slot/port

• interface port-channel channel-number

3. Enter one of the following commands:

• ip port access-group access-list in

4. (Optional) show running-config aclmgr5. (Optional) copy running-config startup-config


Configuring IP ACLsApplying an IP ACL as a Port ACL

DETAILED STEPS




Step 1

Enters configuration mode for the interface type thatyou specified.


• interface ethernet slot/port

• interface port-channel channel-number

Example:switch(config)# interface ethernet 2/3switch(config-if)#

Applies an IPv4 ACL to the interface or port channel.Only inbound filtering is supported with port ACLs.You can apply one port ACL to an interface.


• ip port access-group access-list in

Example:switch(config-if)# ip port access-groupacl-l2-marketing-group in

(Optional)Displays the ACL configuration.



Step 4



Example:switch(config-if)# copy running-config startup-config

Step 5

Applying an IP ACL as a VACLYou can apply an IP ACL as a VACL.

Enabling or Disabling ACL CaptureBeginning with Cisco NX-OS Release 5.2, you can enable or disable ACL capture in the default VDC.

Before You Begin

Ensure that you are in the default VDC.


Configuring IP ACLsApplying an IP ACL as a VACL

SUMMARY STEPS

1. configure terminal2. [no] hardware access-list capture3. (Optional) show hardware access-list status module slot4. (Optional) copy running-config startup-config

DETAILED STEPS




Step 1

Enables or disables ACL capture on all VDCs.[no] hardware access-list captureStep 2

Example:switch(config)# hardware access-list capture

When you enable ACL capture, a warningmessageappears to inform you that ACL logging is beingdisabled for all VDCs. When you disable ACLcapture, ACL logging is enabled.

Note

(Optional)Displays the ACL capture configuration.

show hardware access-list status module slot

Example:switch(config)# show hardware access-list statusmodule 2

Step 3



Example:switch(config)# copy running-configstartup-config

Step 4

Configuring an ACL Capture SessionBeginning with Cisco NX-OS Release 5.2, you can configure an ACL capture session.

Before You Begin



Configuring IP ACLsConfiguring an ACL Capture Session

SUMMARY STEPS

1. configure terminal2. monitor session session type acl-capture3. destination interface interface slot/port4. no shut5. exit6. (Optional) show ip access-lists capture session session7. (Optional) copy running-config startup-config

DETAILED STEPS




Step 1

Configures an ACL capture session. The range for the sessionargument is from 1 to 48.

monitor session session type acl-capture

Example:switch(config)# monitor session 2 typeacl-captureswitch(config-acl-capture)#

Step 2

Configures a destination for ACL capture packets.destination interface interface slot/portStep 3

Example:switch(config-acl-capture)# destinationinterface ethernet 2/2switch#

Only the physical interface can be used for thedestination. Port-channel interfaces and supervisorin-band ports are not supported.

Note

You can enter this command multiple times to addmultiple destinations.

Note

Brings the ACL capture session administratively up.no shutStep 4

Example:switch(config-acl-capture)# no shut

The session becomes operationally up only after themonitor confirms that the ACL capture has beenenabled in the default VDC.

Note

Updates the monitor configuration and exits the ACL captureconfiguration mode.

exit

Example:switch(config-acl-capture)# exitswitch(config)#

Step 5

(Optional)Displays the ACL capture session configuration.

show ip access-lists capture session session

Example:switch(config)# show ip access-lists capturesession 2

Step 6


Configuring IP ACLsConfiguring an ACL Capture Session




Example:switch# copy running-config startup-config

Step 7

Applying an ACL with Capture Session ACEs to an InterfaceYou can enable a capture session for an ACL's access control entries (ACEs) and then apply the ACL to aninterface.

Before You Begin


SUMMARY STEPS

1. configure terminal2. ip access-list name3. permit protocol source destination capture session session4. exit5. interface interface slot/port6. ip access-group name in7. no shut8. (Optional) show running-config aclmgr9. (Optional) copy running-config startup-config

DETAILED STEPS




Step 1

Creates an access list.ip access-list name

Example:switch(config)# ip access-list acl1switch(config-acl)#

Step 2

Enables a capture session for the ACL's ACEs. Therange for the session argument is from 1 to 16.

permit protocol source destination capture session session

Example:switch(config-acl)# permit tcp any any capturesession 2

Step 3


Configuring IP ACLsApplying an ACL with Capture Session ACEs to an Interface


Exits the access list configuration mode.exit

Example:switch(config-acl)# exitswitch(config)#

Step 4

Specifies a port and enters interface configurationmode.

interface interface slot/port


Step 5

Applies an ACL with capture session ACEs to theinterface.

ip access-group name in

Example:switch(config-if)# ip access-group acl1 in

Step 6

Brings the interface administratively up.no shut

Example:switch(config-if)# no shut

Step 7

(Optional)Displays the ACL configuration and the interfaces towhich ACLs are applied.



Step 8



Example:switch(config-if)# copy running-configstartup-config

Step 9

Applying a Whole ACL Capture Session to an InterfaceYou can enable a capture session for the whole ACL and then apply the ACL to an interface.

Before You Begin



Configuring IP ACLsApplying a Whole ACL Capture Session to an Interface

SUMMARY STEPS

1. configure terminal2. ip access-list name3. capture session session4. exit5. interface interface slot/port6. ip access-group name in7. no shut8. (Optional) show running-config aclmgr9. (Optional) copy running-config startup-config

DETAILED STEPS




Step 1

Creates an access list.ip access-list name

Example:switch(config)# ip access-list acl1switch(config-acl)#

Step 2

Enables a capture session for the whole ACL. Therange for the session argument is from 1 to 16.

capture session session

Example:switch(config-acl)# capture session 2

Step 3

Exits the access list configuration mode.exit

Example:switch(config-acl)# exitswitch(config)#

Step 4

Specifies a port and enters interface configurationmode.

interface interface slot/port


Step 5

Applies an ACLwith the capture session configurationto the interface.

ip access-group name in

Example:switch(config-if)# ip access-group acl1 in

Step 6


Configuring IP ACLsApplying a Whole ACL Capture Session to an Interface


Brings the interface administratively up.no shut

Example:switch(config-if)# no shut

Step 7

(Optional)Displays the ACL configuration and the interfaces towhich ACLs are applied.



Step 8



Example:switch(config-if)# copy running-configstartup-config

Step 9

Verifying IP ACL ConfigurationsTo display IP ACL configuration information, perform one of the following tasks.

PurposeCommand

Displays the ACL runningconfiguration, including the IP

show running-config aclmgr [all]

ACL configuration and theinterfaces to which IP ACLs areapplied.

Beginning with CiscoNX-OS Release 5.2, thiscommand displays theuser-configured ACLs inthe running configuration.The all option displaysboth the default(CoPP-configured) anduser-configured ACLs inthe running configuration.

Note

Displays the ACL startupconfiguration.

show startup-config aclmgr [all]


Configuring IP ACLsVerifying IP ACL Configurations

PurposeCommand

Beginning with CiscoNX-OS Release 5.2, thiscommand displays theuser-configured ACLs inthe startup configuration.The all option displaysboth the default(CoPP-configured) anduser-configured ACLs inthe startup configuration.

Note

Monitoring and Clearing IP ACL StatisticsTo monitor or clear IP ACL statistics, use one of the commands in this table.

PurposeCommand

Displays IPv4 ACL configuration. If the IPv4 ACLincludes the statistics per-entry command, then the

show ip access-lists

show ip access-lists command output includes thenumber of packets that have matched each rule.

Clears statistics for all IPv4 ACLs or for a specificIPv4 ACL.

clear ip access-list counters

Configuration Examples for IP ACLsThe following example shows how to create an IPv4 ACL named acl-01 and apply it as a port ACL to Ethernetinterface 2/1, which is a Layer 2 interface:ip access-list acl-01permit ip 192.168.2.0/24 any

interface ethernet 2/1ip port access-group acl-01 in

The following example shows how to create an IPv6 ACL named acl-120 and apply it as a router ACL toEthernet interface 2/3, which is a Layer 3 interface:ipv6 access-list acl-120permit tcp 2001:0db8:85a3::/48 2001:0db8:be03:2112::/64permit udp 2001:0db8:85a3::/48 2001:0db8:be03:2112::/64permit tcp 2001:0db8:69f2::/48 2001:0db8:be03:2112::/64permit udp 2001:0db8:69f2::/48 2001:0db8:be03:2112::/64

interface ethernet 2/3ipv6 traffic-filter acl-120 in

The following example shows how to create a VTY ACL named single-source and apply it on input IP trafficover the VTY line. This ACL allows all TCP traffic through and drops all other IP traffic:ip access-list single-sourcepermit tcp 192.168.7.5/24 any


Configuring IP ACLsMonitoring and Clearing IP ACL Statistics

exitline vtyip access-class single-source inshow ip access-lists


Configuring IP ACLsConfiguration Examples for IP ACLs


Configuring IP ACLsConfiguration Examples for IP ACLs

Configuring IP ACLs - Cisco - Global Home Page...Cisco Nexus 3000 Series NX-OS Security...

Documents

Transcript of Configuring IP ACLs - Cisco - Global Home Page...Cisco Nexus 3000 Series NX-OS Security...