Configuring ACL
Overview of ACL
ACLs implement packet filtering by configuring matching rules together with the processing action applied to matching packets. An ACL can prevent unauthorized users from accessing the network, and can also control traffic and conserve network resources. The packet matching rules defined by an ACL can also be referenced by other functions that need to differentiate traffic, such as the traffic classification rules in QoS.
An ACL classifies packets through a series of matching conditions, such as SMAC, DMAC, SIP, DIP, etc. According to the matching conditions, ACLs are divided into the following types:
Standard IP-based ACL: rules are based only on the source IP address of the packet.
Extended IP-based ACL: rules are based on the source IP address, destination IP address, ETYPE, and protocol of the packet.
MAC-based ACL: rules are based on the source MAC address and destination MAC address of the packet.
IPv6-based ACL: rules are based on the source IPv6 address, destination IPv6 address, protocol, etc. of the packet.
Configuring
Configure IP Standard ACL
- Configure IP-based Standard ACL Rules
SWITCH(config)# ip-access-list {<1-99> | <1300-1999>} {permit | deny} {host SIPADDR | SIPADDR SIPADDRMASK | any}
SWITCH(config)# no ip-access-list {<1-99> | <1300-1999>}
Create/delete standard IP-based ACL rules
SWITCH(config)# ip-access-list standard {<1-99> | <1300-1999> | NAME}
SWITCH(config)# no ip-access-list standard {<1-99> | <1300-1999> | NAME}
Create/delete standard IP ACL and switch to IP standard ACL mode
SWITCH(config-std-acl)# [SN] {permit | deny} {host SIPADDR | SIPADDR SIPADDRMASK | any}
SWITCH(config-std-acl)# no {permit | deny} {host SIPADDR | SIPADDR SIPADDRMASK | any}
SWITCH(config-std-acl)# no SN
Create/delete a standard IP ACL rule
SN: Serial number of each rule (1-2147483647)
Configure IP Extended ACL
- Configure IP-based Extended ACL Rules
SWITCH(config)# ip-access-list {<100-199> | <2000-2699>} {permit | deny} PROTOCOL {host SIPADDR | SIPADDR SIPADDRMASK | any} [eq SPORT] {host DIPADDR | DIPADDR DIPADDRMASK | any} [eq DPORT]
SWITCH(config)# no ip-access-list {<100-199> | <2000-2699>}
Create/delete IP-based extended ACL rules
PROTOCOL list:
<0-255>: Specify the protocol ID
any: any protocol
gre: GRE packets
icmp: ICMP packets
igmp: IGMP packets
ip: IPv4 packets (0x4)
ipcomp: IPComp packets
ospf: OSPF packets
pim: PIM packets
rsvp: RSVP packets
tcp: TCP packets
udp: UDP packets
vrrp: VRRP packets
The eq option is only available for TCP and UDP. A port can be specified either by number or by one of the following names:
TCP port list: <0-65535> Specify port number; bgp (179), ftp (21), ftp-data (20), login (513), pop2 (109), pop3 (110), smtp (25), telnet (23), www (80)
UDP port list: <0-65535> Specify port number; bootpc (68), boots (67), domain (53), echo (7), rip (520), snmp (161), syslog (514), tftp (69)
SWITCH(config)# ip-access-list extended {<100-199> | <2000-2699> | NAME}
SWITCH(config)# no ip-access-list extended {<100-199> | <2000-2699> | NAME}
Create/delete extended IP ACL and switch to IP extended ACL mode
SWITCH(config-ext-acl)# [SN] {permit | deny} PROTOCOL {host SIPADDR | SIPADDR SIPADDRMASK | any} [eq SPORT] {host DIPADDR | DIPADDR DIPADDRMASK | any} [eq DPORT]
SWITCH(config-ext-acl)# no {permit | deny} PROTOCOL {host SIPADDR | SIPADDR SIPADDRMASK | any} [eq SPORT] {host DIPADDR | DIPADDR DIPADDRMASK | any} [eq DPORT]
SWITCH(config-ext-acl)# no SN
Create/delete an extended IP ACL rule
SN: Serial number of each rule (1-2147483647)
PROTOCOL list:
<0-255>: Specify the protocol ID
any: any protocol
gre: GRE packets
icmp: ICMP packets
igmp: IGMP packets
ip: IPv4 packets (0x4)
ipcomp: IPComp packets
ospf: OSPF packets
pim: PIM packets
rsvp: RSVP packets
tcp: TCP packets
udp: UDP packets
vrrp: VRRP packets
eq (TCP and UDP only): a port can be specified either by number or by one of the following names:
TCP port list: <0-65535> Specify port number; bgp (179), ftp (21), ftp-data (20), login (513), pop2 (109), pop3 (110), smtp (25), telnet (23), www (80)
UDP port list: <0-65535> Specify port number; bootpc (68), boots (67), domain (53), echo (7), rip (520), snmp (161), syslog (514), tftp (69)
Configure MAC ACL
- Configure MAC-based ACL Rules
SWITCH(config)# mac-access-list <200-699> {permit | deny} {host SMAC | SMAC SMACMASK | any} {host DMAC | DMAC DMACMASK | any} [ethertype ETYPE] [cos VALUE]
SWITCH(config)# no mac-access-list <200-699>
Create/delete MAC-based ACL rules
ethertype: Ethernet protocol type (0x05DD-0xFFFF)
cos: priority value of the packet (0-7)
SWITCH(config)# mac-access-list {<200-699> | NAME}
SWITCH(config)# no mac-access-list {<200-699> | NAME}
Create/delete standard MAC ACL and switch to MAC ACL mode
SWITCH(config-mac-acl)# [SN] {permit | deny} {host SMAC | SMAC SMACMASK | any} {host DMAC | DMAC DMACMASK | any} [ethertype ETYPE] [cos VALUE]
SWITCH(config-mac-acl)# no {permit | deny} {host SMAC | SMAC SMACMASK | any} {host DMAC | DMAC DMACMASK | any} [ethertype ETYPE] [cos VALUE]
SWITCH(config-mac-acl)# no SN
Create/delete a MAC ACL rule
SN: Serial number of each rule (1-2147483647)
ethertype: Ethernet protocol type (0x05DD-0xFFFF)
cos: priority value of the packet (0-7)
Configure IPv6 ACL
SWITCH(config)# ipv6-access-list {NAME}
SWITCH(config)# no ipv6-access-list {NAME}
Create/delete IPV6 ACL and switch to IPV6 ACL mode
SWITCH(config-ipv6-acl)# [SN] {permit | deny} [PROTOCOL] {SOURCE-IPV6-PREFIX/PREFIX-LENGTH | any | host SOURCE-IPV6-ADDRESS} [eq SPORT] {DESTINATION-IPV6-PREFIX/PREFIX-LENGTH | any | host DESTINATION-IPV6-ADDRESS} [eq DPORT]
SWITCH(config-ipv6-acl)# no {permit | deny} [PROTOCOL] {SOURCE-IPV6-PREFIX/PREFIX-LENGTH | any | host SOURCE-IPV6-ADDRESS} [eq SPORT] {DESTINATION-IPV6-PREFIX/PREFIX-LENGTH | any | host DESTINATION-IPV6-ADDRESS} [eq DPORT]
SWITCH(config-ipv6-acl)# no SN
Create/delete an IPv6 ACL rule
SN: Serial number of each rule (1-2147483647)
PROTOCOL list:
<0-255>: Specify the protocol ID
any: any protocol
icmp: ICMP packets
tcp: TCP packets
udp: UDP packets
eq (TCP and UDP only): a port can be specified either by number or by one of the following names:
TCP port list: <0-65535> Specify port number; bgp (179), ftp (21), ftp-data (20), login (513), pop2 (109), pop3 (110), smtp (25), telnet (23), www (80)
UDP port list: <0-65535> Specify port number; biff (512), bootpc (68), boots (67), discard (9), dnsix (195), domain (53), echo (7), isakmp (500), ntp (123), pim-auto-rp (496), rip (520), snmp (161), snmptrap (162), tftp (69)
Note
✦ Up to 128 rules can be configured under a single ACL-ID;
✦ The mask is inverted (a wildcard mask): to match IP addresses in the 192.168.1.0/24 range, configure 192.168.1.0 0.0.0.255;
✦ An ACL can be given a name; the first character of the name cannot be a digit;
✦ MAC ACLs do not take effect on IPv6 packets;
✦ Every ACL ends with an implicit default entry of deny any;
Other Configuration Items
- Configure ACL Counters
To count the packets matched by an access list, enable the counter in the corresponding ACL mode.
SWITCH(config-std-acl)# counter enable
SWITCH(config-std-acl)# no counter enable
Enable/disable the ACL counter (available in all ACL modes)
SWITCH# clear access-list counter NAME
Clear the ACL count value
- Configure ACL Description
SWITCH(config-std-acl)# description TEXT
SWITCH(config-std-acl)# no description
Configure/delete the ACL description
TEXT: description (up to 64 characters)
Configurable in all ACL modes
- Trigger ACL Sequence Number Reordering
SN is the sequence number of a rule entry; its value range is [1,2147483647]. The sequence number determines the priority of the rule within the access list: the smaller the sequence number, the higher the priority, and a packet is compared against higher-priority rules first. If no sequence number is specified when a rule is configured, the system assigns one automatically, starting at 10 and incrementing by 10.
SWITCH(config-std-acl)# resequence START STEP
SWITCH(config-std-acl)# no resequence
Reorder serial numbers
START: starting position (default value: 10, range <1-2147483647>)
STEP: step size (default value: 10, range <1-2147483647>)
Configurable in all ACL modes
Note
✦ Serial numbers are unique within an ACL;
✦ When an ACL entry is configured without a sequence number, it is assigned the current maximum sequence number plus the step (the rule cannot be added if the result exceeds the allowed range);
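The rule-ordering behaviour described above (lower SN wins, automatic SN assignment from 10 in steps of 10, unique SNs, the 128-rule limit, resequence START STEP) together with the wildcard-mask and implicit deny any notes from the earlier Note section, modelled for a standard IP ACL. This is an added example, not the switch vendor's code; the class and method names are invented and it only models the standard IP ACL rule syntax shown on this page.

```python
import ipaddress
from dataclasses import dataclass, field

MAX_SN = 2147483647      # SN range on the page: 1-2147483647
MAX_RULES = 128          # rules per ACL-ID on the page

@dataclass
class Rule:
    sn: int
    action: str          # "permit" or "deny"
    addr: int            # source IPv4 address as an integer
    wildcard: int        # inverted mask: 1 bits are "don't care"

@dataclass
class StandardAcl:       # hypothetical model, not the vendor's implementation
    rules: list = field(default_factory=list)

    def add(self, spec):
        """Parse '[SN] {permit | deny} {host A | A WILDCARD | any}' and return the SN used."""
        parts = spec.split()
        sn = int(parts.pop(0)) if parts[0].isdigit() else None
        if sn is None:   # no SN given: current maximum plus a step of 10 (first rule gets 10)
            sn = max((r.sn for r in self.rules), default=0) + 10
        if sn > MAX_SN or sn in {r.sn for r in self.rules} or len(self.rules) >= MAX_RULES:
            raise ValueError(f"cannot add rule with SN {sn}")
        action, src = parts[0], parts[1:]
        if src[0] == "any":
            addr, wc = 0, 0xFFFFFFFF
        elif src[0] == "host":
            addr, wc = int(ipaddress.IPv4Address(src[1])), 0
        else:            # 'A WILDCARD' form, e.g. 192.168.1.0 0.0.0.255 for the /24
            addr, wc = (int(ipaddress.IPv4Address(x)) for x in src[:2])
        self.rules.append(Rule(sn, action, addr, wc))
        self.rules.sort(key=lambda r: r.sn)   # lower SN = higher priority
        return sn

    def lookup(self, sip):
        """Return (action, sn) of the first matching rule; no match hits the implicit deny any."""
        ip = int(ipaddress.IPv4Address(sip))
        for r in self.rules:
            care = 0xFFFFFFFF ^ r.wildcard      # bits the rule actually compares
            if (ip & care) == (r.addr & care):
                return r.action, r.sn
        return "deny", None

    def resequence(self, start=10, step=10):
        """Renumber rules in their current order, as 'resequence START STEP' does."""
        for i, r in enumerate(self.rules):
            r.sn = start + i * step
        return [r.sn for r in self.rules]
```

Adding a rule with a lower SN in front of an existing deny changes the outcome for the same source address, which is why a rule added to an already applied ACL has to be reviewed against the ordering, not just its own content.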
- Applying ACL to an Interface
SWITCH(config-if)# access-group ACLNAME {in | out}
SWITCH(config-if)# no access-group ACLNAME {in | out}
Apply/remove an ACL on the port
Note
✦ When an ACL has already been applied to a port or configured as a QoS flow matching rule, you must first remove it from the interface or the QoS flow matching rule before adding or deleting a rule;
✦ Aggregation ports do not support ACLs in the out direction, and member ports of an aggregation port do not support ACLs at all;
✦ VLAN interfaces do not support ACLs;
Examples
Case 1: Filter the incoming packets of port gigabitEthernet0/1: permit packets with SIP in 192.168.1.0/24 and discard all other packets.
- Configure ACL rules:
SWITCH(config)#ip-access-list 1 permit 192.168.1.0 0.0.0.255
or
SWITCH(config)#ip-access-list standard 1
SWITCH(config-std-acl)#permit 192.168.1.0 0.0.0.255
SWITCH(config)#interface gigabitEthernet0/1
SWITCH(config-if)#access-group 1 in
Case 2: Filter the incoming packets of port gigabitEthernet0/1: deny TCP packets sent by host IP 192.168.1.2 with source port 40, and permit all other packets.
SWITCH(config)#ip-access-list 100 deny tcp host 192.168.1.2 eq 40 any
SWITCH(config)#ip-access-list 100 permit any any any
or
SWITCH(config)#ip-access-list extended 100
SWITCH(config-ext-acl)#deny tcp host 192.168.1.2 eq 40 any
SWITCH(config-ext-acl)#permit any any any
SWITCH(config)#interface gigabitEthernet0/1
SWITCH(config-if)#access-group 100 in
Case 3: Filter the outgoing packets of port gigabitEthernet0/1: deny packets with Ethernet type 0x804 sent by the host with MAC 0000.0047.5124, and permit all other packets.
SWITCH(config)# mac-access-list 200 deny host 0000.0047.5124 any ethertype 0x804
SWITCH(config)# mac-access-list 200 permit any any
or
SWITCH(config)#mac-access-list 200
SWITCH(config-mac-acl)#deny host 0000.0047.5124 any ethertype 0x804
SWITCH(config-mac-acl)#permit any any
SWITCH(config)#interface gigabitEthernet0/1
SWITCH(config-if)#access-group 200 out
Case 4: Filter the incoming packets of port gigabitEthernet0/1: permit packets whose destination host IPv6 address is ::D0F8:1900:9F51:0000 and discard all other packets.
SWITCH(config)#ipv6-access-list ip6-acl
SWITCH(config-ipv6-acl)#permit any any host ::D0F8:1900:9F51:0000
SWITCH(config)#interface gigabitEthernet0/1
SWITCH(config-if)#access-group ip6-acl in
Case 5: Filter the incoming packets of port gigabitEthernet0/1: permit packets with SIP 192.168.2.1, discard all other packets, and enable the counter to view packet statistics.
SWITCH(config)#ip-access-list standard 1
SWITCH(config-std-acl)#permit host 192.168.2.1
SWITCH(config-std-acl)#counter enable
SWITCH(config)#interface gigabitEthernet0/1
SWITCH(config-if)#access-group 1 in
SWITCH#show access-list 1
ip-access-list standard 1
 10 permit host 192.168.2.1 (10 match)
 deny any (10 match)
Display Information
- Display ACL Information
SWITCH#show access-list 1
ip-access-list standard 1
 10 permit host 1.1.1.1
 deny any
SWITCH#show access-list 200
mac-access-list 200
 10 permit host 0001.0002.0003 any
 deny any
SWITCH#show access-list ip6-acl
ipv6-access-list ip6-acl
 10 permit tcp host a::1 eq bgp any
 deny any

