Important: You do not require a license to configure ACLs; however, the number of ACLs configured might impact performance significantly.
Important: Not all commands and keywords/variables may be available. This is dependent on the platform type.
Important: Refer to the ACL Configuration Mode Commands chapter of the Command Line Interface Reference for the full command syntax.
Important: An ACL that is configured with no rules implies a “deny any” rule; this is the default behavior for an empty ACL. The deny action and the any criterion are discussed later in this section.
• Permit: The packet is accepted and processed.
• Deny: The packet is rejected.
• Redirect: The packet is forwarded to the specified next-hop address through a specific system interface or to the specified context for processing.

Important: Redirect rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context, or APN for UMTS subscribers.
• Any: Filters all packets
• Host: Filters packets based on the source host IP address
• ICMP: Filters Internet Control Message Protocol (ICMP) packets
• IP: Filters Internet Protocol (IP) packets
• Source IP Address: Filter packets based on one or more source IP addresses
• TCP: Filters Transport Control Protocol (TCP) packets
• UDP: Filters User Datagram Protocol (UDP) packets

Important: The following sections contain basic ACL rule syntax information. Refer to the ACL Configuration Mode Commands chapter of the Command Line Interface Reference for the full command syntax.
• Any: The rule applies to all packets.
• Host: The rule applies to a specific host as determined by its IP address.
• ICMP: The rule applies to specific Internet Control Message Protocol (ICMP) packets, Types, or Codes.
• IP: The rule applies to specific Internet Protocol (IP) packets or fragments.
• IP Packet Size Identification Algorithm: The rule applies to specific Internet Protocol (IP) packets identification for fragmentation during forwarding.
• Source IP Address: The rule applies to specific packets originating from a specific source address or a group of source addresses.
• TCP: The rule applies to any Transport Control Protocol (TCP) traffic and could be filtered on any combination of source/destination IP addresses, a specific port number, or a group of port numbers.
• UDP: The rule applies to any User Datagram Protocol (UDP) traffic and could be filtered on any combination of source/destination IP addresses, a specific port number, or a group of port numbers.
Important: This section provides the minimum instruction set for configuring an access control list on the system. For more information on commands that configure additional parameters and options, refer to the ACL Configuration Mode Commands chapter in the Command Line Interface Reference.
Step 1
Step 2
Step 3 Optional. The system provides an “undefined” ACL that acts as a default filter for all packets entering the context. Its default action is “permit all”. To change this default, apply the example configuration in the Configuring an Undefined ACL section.
Step 4
Step 5 Save your configuration as described in the Verifying and Saving Your Configuration chapter.

To create the ACL:

  context <acl_ctxt_name> [ -noconfirm ]
    ip access-list <acl_list_name>

To configure the action and criteria of the rules that comprise the ACL:

  context <acl_ctxt_name> -noconfirm
    ip access-list <acl_list_name>
      deny { <ip_address> | any | host | icmp | ip | log | tcp | udp }
      permit { <ip_address> | any | host | icmp | ip | log | tcp | udp }
• Use the information provided in the Actions and Criteria sections of this chapter to configure the rules that comprise the ACL. For more information, refer ACL Configuration Mode Commands in Command Line Interface Reference.
• The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. For more information, refer to Engineering Rules in the System Administration Guide.

Caution: Unless configured to do otherwise, the system implicitly adds a “deny any” rule to the end of the ACL, so a packet that matches no configured rule is dropped. This behavior can be changed by adding a “permit any” rule as the last rule in the ACL.
context <acl_ctxt_name> -noconfirm
• Context name is the name of the context containing the “undefined” ACL to be modified. For more information, refer to Context Configuration Mode Commands in the Command Line Interface Reference.

The following is a sample output of this command. In this example, an ACL named acl_1 was configured.

  ip access list acl_1
    deny host 1.2.3.4
    deny ip any host 1.2.3.4
    permit any 1.2.4.4
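The first-match evaluation described in this chapter (the permit and deny actions, the any/host/ip/icmp/tcp/udp criteria, the implicit “deny any” at the end of every ACL, the “deny any” that an empty ACL implies, and the “permit any” override) is shown below as an added example. It is not code from the Cisco documentation or from the StarOS product: the rule grammar is a simplified approximation of the syntax listed above, prefixes are written in CIDR form, the `eq PORT` form for ports is an assumption, and the `log` keyword is not modeled. The sample ACL and packets are constructed for the example.

```python
"""Added example (not Cisco code): first-match evaluation of a StarOS-style ACL.

Assumptions (not from the page): rule grammar is
  {permit|deny} any
  {permit|deny} host A.B.C.D | A.B.C.D/len          (source-address criterion)
  {permit|deny} {ip|tcp|udp|icmp} <src> <dst> [eq PORT]
where <src>/<dst> is 'any', 'host A.B.C.D' or 'A.B.C.D/len'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPNet = Optional[ipaddress.IPv4Network]   # None stands for the "any" keyword


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str                # "permit" or "deny"
    crit: str                  # "any", "ip", "tcp", "udp" or "icmp"
    src: IPNet
    dst: IPNet
    dport: Optional[int]
    text: str


def _addr(tokens: List[str], i: int) -> Tuple[IPNet, int]:
    """Consume an address spec at tokens[i]; return (network or None for any, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tokens[i], strict=False), i + 1


def parse_rule(line: str) -> Rule:
    tokens = line.split()
    action, crit = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in rule {line!r}")
    if crit == "any":                          # matches every packet
        return Rule(action, "any", None, None, None, line)
    if crit in ("ip", "tcp", "udp", "icmp"):    # <proto> <src> <dst> [eq PORT]
        src, i = _addr(tokens, 2)
        dst, i = _addr(tokens, i)
        dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        return Rule(action, crit, src, dst, dport, line)
    src, _ = _addr(tokens, 1)                   # "host A" or a bare prefix: source criterion
    return Rule(action, "ip", src, None, None, line)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.crit == "any":
        return True
    if rule.crit != "ip" and rule.crit != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; with no match the implicit 'deny any' applies,
    so an empty list denies everything, as the chapter states."""
    for rule in map(parse_rule, acl):
        if matches(rule, pkt):
            return rule.action, rule.text
    return "deny", "(implicit deny any)"


def _covers(a: IPNet, b: IPNet) -> bool:
    """True if address spec a matches everything that b matches."""
    return a is None or (b is not None and b.subnet_of(a))


def shadowed_rules(acl: List[str]) -> List[str]:
    """Rules that can never fire because an earlier rule already covers them.
    Ordering mistakes like this are the usual way a 'permit' silently turns into a deny."""
    rules = [parse_rule(line) for line in acl]
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier.crit in ("any", "ip") or earlier.crit == later.crit) \
                    and _covers(earlier.src, later.src) and _covers(earlier.dst, later.dst) \
                    and (earlier.dport is None or earlier.dport == later.dport):
                out.append(later.text)
                break
    return out


# Constructed sample ACL; the "permit tcp" line is unreachable because the broader deny above it matches first.
SAMPLE_ACL = [
    "deny host 10.1.1.7",
    "deny ip any host 10.0.0.5",
    "permit tcp any host 10.0.0.5 eq 443",
    "permit udp any any eq 53",
]

if __name__ == "__main__":
    web = Packet("192.0.2.10", "10.0.0.5", "tcp", 443)
    other = Packet("192.0.2.10", "203.0.113.1", "tcp", 80)
    print(evaluate(SAMPLE_ACL, web))                      # denied by 'deny ip any host 10.0.0.5'
    print(evaluate(SAMPLE_ACL, other))                    # no rule matches: implicit deny
    print(evaluate([], web))                              # empty ACL: implicit deny
    print(evaluate(SAMPLE_ACL + ["permit any"], other))   # trailing 'permit any' flips the default
    print(shadowed_rules(SAMPLE_ACL))                     # the unreachable HTTPS permit
```

Run `shadowed_rules` over any ACL before applying it: a rule it reports is one the system will never evaluate, which is exactly the situation the Caution about the implicit “deny any” makes costly.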
• Applying an ACL to All Traffic Within a Context (known as a policy ACL)
• Applying a Single ACL to Multiple Subscribers via APNs (for 3GPP subscribers only)

Important: ACLs must be configured in the same context as the subscribers and/or interfaces to which they are to be applied. Similarly, ACLs to be applied to a context must be configured in that context.
Important: It is recommended that all ACLs be configured and verified according to the instructions in the Configuring ACLs on the System section of this chapter prior to beginning this procedure.
Important: This section provides the minimum instruction set for applying the ACL list to an interface on the system. For more information on commands that configure additional parameters and options, refer Ethernet Interface Configuration Mode Commands chapter in Command Line Interface Reference.
Step 1
Step 2
Step 3 Save your configuration as described in the Verifying and Saving Your Configuration chapter.

  context <acl_ctxt_name> -noconfirm
    interface <interface_name>

To verify the configuration, enter the following command:

  show configuration context context_name

context_name is the name of the context containing the interface to which the ACL(s) was/were applied. The output is similar to the following:

  context context_name
    ip access-list acl_name
      deny host ip_address
      deny ip any host ip_address
    ip access-group access_group_name
    interface interface_name
      ip address ip_address/mask

Important: It is recommended that all ACLs be configured and verified according to the instructions in the Configuring ACLs on the System section of this chapter prior to beginning this procedure.
Important: This section provides the minimum instruction set for applying the ACL list to all traffic within a context. For more information on commands that configure additional parameters and options, refer Context Configuration Mode Commands chapter in Command Line Interface Reference.
Step 1
Step 2
Step 3 Save your configuration as described in the Verifying and Saving Your Configuration chapter.

  context <acl_ctxt_name> [ -noconfirm ]
• Context-level ACLs are applied only to outgoing packets. The in and out keywords are deprecated and are present only for backward compatibility.
Step 1 Enter the following command:

  show configuration context context_name

context_name is the name of the context to which the ACL(s) was/were applied. The output is similar to the following:

  context context_name
    ip access-list acl_name
      deny host ip_address
      deny ip any host ip_address
    ip access-group access_group_name
    interface interface_name
      ip address ip_address/mask

To apply an ACL to a RADIUS-based subscriber, use the Filter-Id attribute. Refer to the AAA Interface Administration and Reference for more detail on this attribute.

Important: It is recommended that all ACLs be configured and verified according to the instructions in the Configuring ACLs on the System section of this chapter prior to beginning this procedure. Additionally, it is assumed that the subscribers have been previously configured.
Important: This section provides the minimum instruction set for applying an ACL to an individual subscriber. For more information on commands that configure additional parameters and options, refer to the Subscriber Configuration Mode Commands chapter in the Command Line Interface Reference.
Step 1
Step 2
Step 3 Save your configuration as described in the Verifying and Saving Your Configuration chapter.

  context <acl_ctxt_name> -noconfirm
    subscriber name <subs_name>
      ip access-group <acl_list_name> [ in | out ]
• If neither the in nor the out keyword is specified, the ACL will be applied to all packets in and out.
Step 1 Enter the following command:

  show configuration context context_name

context_name is the name of the context containing the subscriber subs1 to which the ACL(s) was/were applied. The output is similar to the following:

  context context_name
    ip access-list acl_name
      deny host ip_address
      deny ip any host ip_address
    ip access-group access_group_name
    interface interface
      ip address ip_address/mask
    subscriber name subscriber_name
      ip access-group access_group_name in
      ip access-group access_group_name out
    content-filtering server-group cfsg_name
      response-timeout response_timeout
      connection retry-timeout retry_timeout
NOTE: The profile for the subscriber named default is not used to provide missing information for subscribers configured locally.

default subscriber Command

This section provides information and instructions for applying an ACL to the subscriber named default.

Important: It is recommended that all ACLs be configured and verified according to the instructions in the Configuring ACLs on the System section of this chapter prior to beginning this procedure.
Important: This section provides the minimum instruction set for applying an ACL to the subscriber named default. For more information on commands that configure additional parameters and options, refer to the Subscriber Configuration Mode Commands chapter in the Command Line Interface Reference.
Step 1
Step 2
Step 3 Save your configuration as described in the Verifying and Saving Your Configuration chapter.

  context <acl_ctxt_name> [ -noconfirm ]
    subscriber name <subs_name>
      ip access-group <acl_list_name> [ in | out ]
• If neither the in nor the out keyword is specified, the ACL will be applied to all packets in and out.
Step 1 Enter the following command:

  show configuration context context_name

context_name is the name of the context containing the subscriber default to which the ACL(s) was/were applied. The output is similar to the following:

  context context_name
    ip access-list acl_name
      deny host ip_address
      deny ip any host ip_address
    ip access-group access_group_name
    interface interface
      ip address ip_address/mask
    ip access-group access_group_name in
    ip access-group access_group_name out
    content-filtering server-group cfsg_name
      response-timeout response_timeout
      connection retry-timeout retry_timeout

Important: It is recommended that all ACLs be configured and verified according to the instructions in the Configuring ACLs on the System section of this chapter prior to beginning this procedure. Additionally, it is assumed that the services and subscribers have been previously configured.
Important: This section provides the minimum instruction set for applying an ACL to the default subscriber of a service. For more information on commands that configure additional parameters and options, refer to the Subscriber Configuration Mode Commands chapter in the Command Line Interface Reference.
Step 1
Step 2
Step 3 Save your configuration as described in the Verifying and Saving Your Configuration chapter.

  context <acl_ctxt_name> -noconfirm
    { pdsn-service | fa-service | ha-service } <service_name>
      default subscriber <svc_default_subs_name>
    subscriber name <svc_default_subs_name>
      ip access-group <acl_list_name> [ in | out ]
• If neither the in nor the out keyword is specified, the ACL will be applied to all packets in and out.
Step 1 Enter the following command:

  show configuration context context_name

context_name is the name of the context containing the service pdsn1 whose default subscriber the ACL(s) was/were applied to. The output is similar to the following:

  context context_name
    ip access-list acl_name
      deny host ip_address
      deny ip any host ip_address
    ip access-group access_group_name
    interface interface
      ip address ip_address/mask
    subscriber name subscriber_name
      ip access-group access_group_name in
      ip access-group access_group_name out
    pdsn-service service_name
      default subscriber subscriber_name

Important: It is recommended that all ACLs be configured and verified according to the instructions in the Configuring ACLs on the System section of this chapter prior to beginning this procedure.
Important: This section provides the minimum instruction set for applying a single ACL to all subscribers using a specific APN. For more information on commands that configure additional parameters and options, refer to the APN Configuration Mode Commands chapter in the Command Line Interface Reference.
Step 1
Step 2
Step 3 Save your configuration as described in the Verifying and Saving Your Configuration chapter.

  context <dest_context_name> -noconfirm
    apn <apn_name>
      ip access-group <acl_list_name> [ in | out ]
• If either the in or out keyword is not specified, the command is added to the config file twice, once with in and once with out, and the ACL will be applied to all packets inbound and outbound.
Step 1 Enter the following command:

  show configuration context context_name

context_name is the name of the context containing the APN apn1 to which the ACL(s) was/were applied. The output is similar to the following:

  context context_name
    ip access-list acl_name
      deny host ip_address
      deny ip any host ip_address
    ip access-group access_group_name
    interface interface_name
      ip address ip_address/mask
    apn apn_name
      ip access-group access_group_name in
      ip access-group access_group_name out
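The verification steps above each end with reading a show configuration context listing by eye. The following added example (not code from the Cisco documentation or the StarOS product) audits such a listing offline for the pitfalls this chapter calls out: an ip access-group that names an ACL not configured in the same context, an ACL with no rules (an implicit deny-all), a subscriber or APN binding with no in/out keyword (applied in both directions), and a deprecated in/out keyword on a context-level policy ACL. The input is a constructed, simplified form of the sample outputs shown above with a fixed two-space indent; it is not a parser for the real listing, and the sample configuration, names and addresses are made up for the example.

```python
"""Added example (not Cisco code): audit a simplified 'show configuration context'
listing for the ACL binding pitfalls described in this chapter.

Layout assumption (not from the page): 'context' at column 0; ip access-list,
interface, subscriber name and apn blocks at indent 2; their commands deeper.
"""
from typing import Dict, List, Optional, Tuple

Binding = Tuple[str, str, str, Optional[str]]   # (context, scope, acl, direction)

# Constructed sample listing. It contains one of each problem on purpose:
# a deprecated 'in' on the policy ACL, a misspelled ACL name, a subscriber
# binding with no direction, an empty ACL bound to an APN, and an interface
# in another context that names an ACL defined only in 'ingress'.
SAMPLE_CONFIG = """\
context ingress
  ip access-list acl_block
    deny host 10.1.1.7
    deny ip any host 10.0.0.5
    permit any
  ip access-list acl_empty
  ip access-group acl_block in
  interface uplink1
    ip address 192.0.2.1/24
    ip access-group acl_block in
    ip access-group acl_blcok out
  subscriber name subs1
    ip access-group acl_block
  apn internet.example
    ip access-group acl_empty in
context egress
  interface downlink1
    ip address 198.51.100.1/24
    ip access-group acl_block out
"""


def parse_config(config_text: str) -> Tuple[Dict[str, Dict[str, int]], List[Binding]]:
    """Return {context: {acl_name: rule_count}} and every ip access-group binding."""
    acls: Dict[str, Dict[str, int]] = {}
    bindings: List[Binding] = []
    context = ""
    scope: object = "context"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tok = line.split()
        indent = len(raw) - len(raw.lstrip())
        if tok[0] == "context":
            context, scope = tok[1], "context"
            acls.setdefault(context, {})
            continue
        if indent <= 2:                          # direct child of the context block
            if tok[:2] == ["ip", "access-list"]:
                scope = ("acl", tok[2])
                acls[context][tok[2]] = 0
                continue
            if tok[0] in ("interface", "apn"):
                scope = f"{tok[0]} {tok[1]}"
                continue
            if tok[:2] == ["subscriber", "name"]:
                scope = f"subscriber {tok[2]}"
                continue
            scope = "context"                    # a context-level command
        if tok[:2] == ["ip", "access-group"]:
            direction = tok[3] if len(tok) > 3 else None
            bindings.append((context, str(scope), tok[2], direction))
        elif isinstance(scope, tuple) and tok[0] in ("permit", "deny"):
            acls[context][scope[1]] += 1         # count rules inside an ACL block
    return acls, bindings


def audit(config_text: str) -> List[str]:
    """One finding string per problem, in configuration order."""
    acls, bindings = parse_config(config_text)
    findings: List[str] = []
    for ctx, scope, acl, direction in bindings:
        where = f"{ctx}/{scope}"
        if acl not in acls.get(ctx, {}):
            findings.append(f"UNDEFINED {where}: ACL {acl} is not configured in context {ctx}")
            continue
        if acls[ctx][acl] == 0:
            findings.append(f"EMPTY {where}: ACL {acl} has no rules and therefore denies everything")
        if scope == "context" and direction is not None:
            findings.append(f"DEPRECATED {where}: '{direction}' is deprecated; policy ACL {acl} "
                            f"applies to outgoing packets only")
        if scope.startswith(("subscriber ", "apn ")) and direction is None:
            findings.append(f"BOTH-WAYS {where}: ACL {acl} bound without in/out, so it applies "
                            f"to inbound and outbound packets")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed the audit the captured output of show configuration context for each context before saving; an UNDEFINED finding is the cross-context mistake the Important note in this chapter warns about, and an EMPTY finding means traffic on that binding is being dropped by the implicit “deny any” rather than by a rule anyone wrote.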
Cisco Systems Inc. Tel: 408-526-4000 Fax: 408-527-0883