Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Command Reference, Release 4.2.x
ACL and ABF Commands

This module describes the Cisco IOS XR software commands used to configure access control lists (ACLs) and ACL-based forwarding (ABF) for Broadband Network Gateway (BNG) on the Cisco ASR 9000 Series Router. For details regarding the related configurations, refer to the Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Configuration Guide.

ipv4 access-group (BNG)

To control access to an interface, use the ipv4 access-group command in an appropriate configuration mode. To remove the specified access group, use the no form of this command.

ipv4 access-group access-list-name { common acl-p { [ acl1 ingress [hardware-count] [interface-statistics] ] | ingress } | acl1 { ingress | egress } [hardware-count] [interface-statistics] }

no ipv4 access-group access-list-name { common acl-p { [ acl1 ingress [hardware-count] [interface-statistics] ] | ingress } | acl1 { ingress | egress } [hardware-count] [interface-statistics] }

Syntax Description

access-list-name

The name of the ipv4 access list as specified by the ipv4 access-list command.

common acl-p

Applies a common ACL; acl-p is the name of the common access list. A common ACL is supported only in the ingress direction.

ingress

Filters on inbound packets.

egress

Filters on outbound packets.

hardware-count

(Optional) Enables hardware counters for the access group.

interface-statistics

(Optional) Specifies per-interface statistics in the hardware. Not available for common ACL.

Command Default

The interface does not have an IPv4 access list applied to it.

Command Modes

Dynamic template configuration

Command History

Release Modification

Release 4.1.1

This command was introduced.

Release 4.2.0

This command was supported in the dynamic template configuration mode for BNG.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the ipv4 access-group command to control access to an interface. To remove the specified access group, use the no form of the command. Use the access-list-name argument to specify a particular IPv4 access list. Use the ingress keyword to filter on inbound packets or the egress keyword to filter on outbound packets. Use the hardware-count argument to enable hardware counters for the access group.

Permitted packets are counted only when hardware counters are enabled using the hardware-count argument. Denied packets are counted whether hardware counters are enabled or not.

To enter the dynamic template configuration mode, run dynamic-template command in the global configuration mode.

Note
Under the dynamic template configuration mode, only the egress and ingress keywords are displayed.

Note
For packet filtering applications using the ipv4/ipv6 access-group command, packet counters are maintained in hardware for each direction. If an access group is used on multiple interfaces in the same direction, then packets are counted for each interface that has the hardware-count argument enabled.

If the access list permits the addresses, the software continues to process the packet. If the access list denies the address, the software discards the packet and returns an Internet Control Message Protocol (ICMP) host unreachable message.

If the specified access list does not exist, all packets are passed. This is fail-open behavior: an access-group that names a misspelled or not-yet-defined access list applies no filtering at all, so verify the name against the output of the show access-lists command after applying it.

By default, the unique or per-interface ACL statistics are disabled.

Task ID

Task ID Operation

acl

read, write

network

read, write

config-services

read, write

Examples

This is an example of the show access-lists command:

RP/0/RSP0/CPU0:router# show access-lists
ipv4 access-list acl-common
 10 permit ipv4 host 205.205.205.1 host 200.175.175.1 log-input
 15 deny ipv4 any host 200.175.175.1
 20 permit ipv4 host 205.205.205.1 host 201.175.175.1 log-input
 25 deny ipv4 any host 201.175.175.1
 30 permit ipv4 host 205.205.205.1 host 202.175.175.1 log-input
 35 deny ipv4 any host 202.175.175.1
ipv4 access-list acl-unique1
 10 permit ipv4 host 205.205.205.1 host 203.175.175.1 log-input
 15 deny ipv4 any host 203.175.175.1
 20 permit ipv4 any any
ipv4 access-list ssm-acl
 10 permit ipv4 232.0.0.0 0.255.255.255 any log

This example applies an IPv4 ACL in the egress direction from the dynamic template configuration mode:

RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# dynamic-template type ppp p1
RP/0/RSP0/CPU0:router(config-dynamic-template-type)# ipv4 access-group a1 egress

ipv4 access-list (BNG)

To define an IPv4 access list by name, use the ipv4 access-list command in global configuration mode. To remove all entries in an IPv4 access list, use the no form of this command.

ipv4 access-list name

no ipv4 access-list name

Syntax Description

name

Name of the access list. Names cannot contain a space or quotation marks.

Command Default

No IPv4 access list is defined.

Command Modes

Global configuration

Command History

Release Modification

Release 3.7.2

This command was introduced.

Release 4.3.0

This command was supported in BNG.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the ipv4 access-list command to configure an IPv4 access list. This command places the router in access list configuration mode, in which the denied or permitted access conditions must be defined with the deny or permit command.

Use the resequence access-list ipv4 command if you want to add a permit, deny, or remark statement between consecutive entries in an existing IPv4 access list. Specify the first entry number (the base) and the increment by which to separate the entry numbers of the statements. The software renumbers the existing statements, thereby making room to add new statements with the unused entry numbers.

Use the ipv4 access-group command to apply the access list to an interface.
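The two behaviors worth checking offline are the resequencing described above (base plus increment renumbering) and the fail-open rule under ipv4 access-group, where an access-group naming an undefined ACL passes all packets. The following Python is an added illustration, not Cisco code: it parses a constructed running-config style text (the ACL and dynamic-template names, and the misspelled "Internetfiler", are made up for the example), renumbers an ACL the way resequence access-list ipv4 does, and flags access-group references to ACLs that are not defined. The default base and increment of 10 are assumed.

```python
"""Offline sanity checks for IOS XR IPv4 ACL configuration text.

Added illustration, not Cisco code. It parses running-config style text
(ipv4 access-list blocks and ipv4 access-group lines under a
dynamic-template), renumbers an ACL the way `resequence access-list ipv4`
does, and flags access-group references to ACLs that are not defined,
which the router treats as "pass all packets".
"""
import re
from collections import OrderedDict

# Constructed sample configuration (not captured from a real router).
# "Internetfiler" is a deliberate typo of "Internetfilter".
SAMPLE_CONFIG = """\
ipv4 access-list Internetfilter
 10 permit 192.168.34.0 0.0.0.255
 20 permit 172.16.0.0 0.0.255.255
 30 permit 10.0.0.0 0.255.255.255
 39 remark Block BGP traffic from 172.16 net.
 40 deny tcp host 172.16.0.0 eq bgp host 192.168.202.203 range 1300 1400
!
ipv4 access-list acl-common
 10 permit ipv4 host 205.205.205.1 host 200.175.175.1 log-input
 15 deny ipv4 any host 200.175.175.1
!
dynamic-template
 type ppp p1
  ipv4 access-group Internetfilter egress
  ipv4 access-group common acl-common ingress
 !
 type ipsubscriber ipsub1
  ipv4 access-group Internetfiler ingress
 !
!
"""

ACL_HEADER = re.compile(r"^ipv4 access-list (\S+)\s*$")
ACE_LINE = re.compile(r"^\s+(\d+) (.+)$")
# ipv4 access-group [common ACL-P] [ACL1] {ingress|egress} [...]
ACCESS_GROUP = re.compile(
    r"^\s*ipv4 access-group (?:common (\S+) )?(?:(\S+) )?(ingress|egress)\b"
)


def parse_acls(config):
    """Return {acl_name: [(seq, ace_text), ...]} in configuration order."""
    acls = OrderedDict()
    current = None
    for line in config.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        if current is None:
            continue
        m = ACE_LINE.match(line)
        if m:
            acls[current].append((int(m.group(1)), m.group(2)))
        else:
            current = None  # '!' or any non-ACE line closes the ACL block
    return acls


def resequence(entries, base=10, increment=10):
    """Renumber ACEs like `resequence access-list ipv4 NAME base increment`.

    Relative order is preserved and remarks are renumbered with the rest,
    which is what opens gaps for new entries between existing ones.
    """
    if base < 1 or increment < 1:
        raise ValueError("base and increment must be positive")
    return [(base + i * increment, text) for i, (_, text) in enumerate(entries)]


def find_access_groups(config):
    """Return [(acl_name, direction, is_common)], one tuple per ACL named
    on each ipv4 access-group line (a line may name both a common ACL and
    an interface ACL)."""
    refs = []
    for line in config.splitlines():
        m = ACCESS_GROUP.match(line)
        if not m:
            continue
        common, plain, direction = m.groups()
        if common:
            refs.append((common, direction, True))
        if plain:
            refs.append((plain, direction, False))
    return refs


def dangling_access_groups(config):
    """ACL names applied with ipv4 access-group but never defined.

    IOS XR passes all packets when the named ACL does not exist, so a typo
    here means no filtering at all (fail-open).
    """
    defined = set(parse_acls(config))
    return sorted({name for name, _, _ in find_access_groups(config)
                   if name not in defined})


def common_acl_on_egress(config):
    """Common ACLs are ingress-only; report any applied in the egress direction."""
    return [name for name, direction, is_common in find_access_groups(config)
            if is_common and direction == "egress"]


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    for seq, text in resequence(acls["Internetfilter"], base=100, increment=5):
        print(seq, text)
    print("dangling access-group references:", dangling_access_groups(SAMPLE_CONFIG))
```

Run against the sample text it renumbers Internetfilter as 100, 105, 110, 115, 120 and reports "Internetfiler" as a dangling reference; on a real router the same check is the comparison between show running-config dynamic-template and show access-lists.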

Task ID

Task ID Operation

acl

read, write

Examples

This example shows how to define an IPv4 access list named Internetfilter:

RP/0/RSP0/CPU0:router(config)# ipv4 access-list Internetfilter
RP/0/RSP0/CPU0:router(config-ipv4-acl)# 10 permit 192.168.34.0 0.0.0.255
RP/0/RSP0/CPU0:router(config-ipv4-acl)# 20 permit 172.16.0.0 0.0.255.255
RP/0/RSP0/CPU0:router(config-ipv4-acl)# 30 permit 10.0.0.0 0.255.255.255
RP/0/RSP0/CPU0:router(config-ipv4-acl)# 39 remark Block BGP traffic from 172.16 net.
RP/0/RSP0/CPU0:router(config-ipv4-acl)# 40 deny tcp host 172.16.0.0 eq bgp host 192.168.202.203 range 1300 1400