Layer 3 Switching Software and Feature Configuration Guide, 12.1(10)EY
Configuring Access Control Lists

Table of Contents

Configuring Access Control
About Access Control
Configuring IP Access Lists
Configuring IPX Packets
Verifying Access Lists
Monitoring IP and IPX Access Lists

Configuring Access Control


This chapter describes how to configure and maintain access control lists, which are used to permit or deny incoming or outgoing packets on an interface of the switch router.


Note   For more detailed information on the commands used in this chapter, refer to the Cisco IOS AppleTalk and Novell IPX Command Reference and the Cisco IOS IP and IP Routing Command Reference.

This chapter includes the following sections:

About Access Control

Access control lists (ACLs), sometimes called filters, provide a tool for network control and security. They allow you to filter packet flow into or out of switch router interfaces. You can use ACLs to limit network traffic, and to restrict network use by certain users or devices. Access lists must be created on a per-protocol, per-interface basis.

To create access lists, first define the criteria for each packet processed by the switch router. The switch router then decides whether to forward or block a packet based on whether the packet matches the criteria defined in the access list. Packets that do not match any criteria on the list are automatically blocked by the implicit "deny all traffic" criteria statement at the end of every access list.

The specific instructions for creating access lists and applying them to interfaces vary from protocol to protocol. The methods used to configure Layer 3 switch access lists are identical to the configuration methods currently used on Cisco routers.

With the exception of the 8-port Gigabit Ethernet interface module, all interface modules and port adapters support access control. Fast EtherChannels (FECs), Gigabit EtherChannels (GECs), and bridge-group virtual interfaces (BVIs) also support access control. The Gigabit Ethernet interfaces on the enhanced Gigabit Ethernet interface module, the Packet-over-SONET uplink interface module, and the ATM uplink interface module have built-in ACL functionality.

The following ACL features are supported on the Catalyst 8500:

  • Standard IP access lists
  • Extended IP access lists
    • TCP ACL based on TCP-precedence, TCP port number, TCP ToS, and TCP flags
    • UDP ACL based on UDP port number
    • ICMP ACL
  • Standard IPX access lists without source node
  • Inbound and outbound access lists
  • Named access lists

Note   The 8-port Gigabit Ethernet interface module does not support the ACL daughter card. The Catalyst 8500 does not support dynamic and reflexive ACL, extended IPX access lists, or ACL logging. User Datagram Protocol (UDP) turbo flooding is disabled when there is an ACL daughter card installed on any interface module.

Configuring IP Access Lists

An IP access list is a sequential collection of permit and deny conditions that apply to IP addresses. The software supports the following styles of access lists for IP:

  • Standard access list—Restricts traffic based on the source network number. You can further restrict traffic by specifying a destination address and a source and destination address mask. Standard IP access lists use numbers from 1—99 and 1201—1999.
  • Extended access list—Restricts traffic based on the IP protocol type. You can further restrict traffic by specifying source and destination addresses and address masks, and source and destination sockets. Extended IP access lists use numbers from 100—199 and 2000—2699.

The procedure for configuring access lists is as follows:


Step 1   Create an access list by specifying an access list number or name, and the access conditions.

Step 2   Apply the access list to the appropriate interfaces.

Note   Catalyst 8500 software tests the incoming and outgoing packets against ACL criteria. The first criteria match determines whether the software accepts or rejects the address. Because the software stops testing access list criteria after the first match, the order of the criteria is critical. If none of the criteria match, the software rejects the address.
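The note above is the rule that decides every filtering outcome on this platform: entries are tested in order, the first match wins, and anything that matches nothing is dropped by the implicit deny. The following Python program is an added example, not code from the Catalyst 8500 guide; it models that evaluation for numbered standard and extended IP lists using the command syntax this chapter documents, and it also reports entries that an earlier entry shadows, which is the usual consequence of getting the order wrong. The access-list text it parses is a constructed sample; the standard list mirrors the three-entry shape of the verification output later in this chapter.

```python
"""First-match evaluation of numbered IP access lists (added example, not
from the guide). Entries are tested in order, the first match decides, and a
packet matching nothing falls to the implicit deny at the end of the list."""
import ipaddress
from dataclasses import dataclass

ALL = 0xFFFFFFFF  # wildcard meaning "don't care about any bit" (any)


@dataclass
class Entry:
    action: str     # "permit" or "deny"
    protocol: str   # "ip" matches every IP protocol; standard lists are treated as "ip"
    src: int
    src_wild: int   # wildcard mask: 1 bits are ignored, 0 bits must match
    dst: int
    dst_wild: int
    text: str       # original command line, kept for reporting


def _addr(s):
    return int(ipaddress.IPv4Address(s))


def _target(tokens, i):
    """Parse 'any' | 'host A' | 'A W' | 'A' at tokens[i]; return (addr, wildcard, next).
    A bare address gets wildcard 0.0.0.0, as the guide says happens when the mask is omitted."""
    tok = tokens[i]
    if tok == "any":
        return 0, ALL, i + 1
    if tok == "host":
        return _addr(tokens[i + 1]), 0, i + 2
    addr = _addr(tok)
    if i + 1 < len(tokens):
        try:
            return addr, _addr(tokens[i + 1]), i + 2
        except ValueError:  # next token is a keyword such as "precedence"
            pass
    return addr, 0, i + 1


def parse_acl(lines):
    """Parse 'access-list N {permit|deny} ...' lines; remark lines are skipped.
    Numbers 1-99 and 1201-1999 are standard lists (source only); the rest are
    extended lists (protocol, source, destination), per the ranges in this chapter."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        number, action = int(t[1]), t[2]
        if 1 <= number <= 99 or 1201 <= number <= 1999:
            src, sw, _ = _target(t, 3)
            entries.append(Entry(action, "ip", src, sw, 0, ALL, line))
        else:
            src, sw, i = _target(t, 4)
            dst, dw, _ = _target(t, i)
            entries.append(Entry(action, t[3], src, sw, dst, dw, line))
    return entries


def _match(entry, proto, src, dst):
    if entry.protocol != "ip" and entry.protocol != proto:
        return False
    # Compare only the bits the wildcard does not mask out.
    return ((src ^ entry.src) & ~entry.src_wild & ALL) == 0 and \
           ((dst ^ entry.dst) & ~entry.dst_wild & ALL) == 0


def evaluate(entries, proto, src, dst):
    """Return (action, matched entry text). First match wins; no match is an implicit deny."""
    s, d = _addr(src), _addr(dst)
    for e in entries:
        if _match(e, proto, s, d):
            return e.action, e.text
    return "deny", "implicit deny (end of list)"


def _covers(a, b):
    """True if every packet entry b could match is already decided by entry a."""
    if a.protocol != "ip" and a.protocol != b.protocol:
        return False
    return (b.src_wild & ~a.src_wild & ALL) == 0 and ((a.src ^ b.src) & ~a.src_wild & ALL) == 0 and \
           (b.dst_wild & ~a.dst_wild & ALL) == 0 and ((a.dst ^ b.dst) & ~a.dst_wild & ALL) == 0


def shadowed(entries):
    """Entries that can never be reached because an earlier entry covers them."""
    return [e.text for i, e in enumerate(entries) if any(_covers(p, e) for p in entries[:i])]


# Constructed samples (not from the guide).
SAMPLE_EXTENDED = [
    "access-list 101 remark constructed sample",
    "access-list 101 permit tcp 10.1.0.0 0.0.255.255 host 192.0.2.10",
    "access-list 101 deny ip 10.1.0.0 0.0.255.255 any",
    "access-list 101 permit ip any any",
    "access-list 101 permit udp 10.1.2.0 0.0.0.255 any",  # never reached: the deny above covers it
]
SAMPLE_STANDARD = [
    "access-list 25 permit 1.1.1.1",
    "access-list 25 deny 2.0.0.1 0.0.0.0",
    "access-list 25 permit 4.1.0.0 0.0.255.255",
]

if __name__ == "__main__":
    ext = parse_acl(SAMPLE_EXTENDED)
    print(evaluate(ext, "tcp", "10.1.5.5", "192.0.2.10"))  # permit, first entry
    print(evaluate(ext, "udp", "10.1.5.5", "192.0.2.10"))  # deny, second entry
    print("shadowed:", shadowed(ext))
    print(evaluate(parse_acl(SAMPLE_STANDARD), "ip", "9.9.9.9", "0.0.0.0"))  # implicit deny
```

Running the sample shows the two failure modes the note warns about: the UDP packet from 10.1.5.5 is dropped by the second entry even though a later permit names its subnet, and shadowed() lists that unreachable entry so it can be moved above the deny before the list is applied.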

Creating Standard and Extended IP Access Lists Using Numbers

To create standard IP access lists using numbers, enter the following commands in global configuration mode. To remove the access lists, use the no form of these commands.

Command Purpose
Step 1 

Router(config)# access-list access-list-number remark remark

Indicates the purpose of the deny or permit statement.[1]

Step 2 

Router(config)# access-list access-list-number {deny | permit} source [source-wildcard]

Defines a standard IP access list using a source address and wildcard.

Router(config)# access-list access-list-number {deny | permit} any

Defines a standard IP access list using the following abbreviation for the source and source mask: 0.0.0.0 255.255.255.255.

Step 3 

Router(config)# exit

Exits global configuration mode.

[1] The remark can be configured before or after the deny or permit statement.

Configuring Standard IP Access Lists

The following example shows how to create a standard IP access list:

Router(config)# access-list 2 remark use on pos interface
Router(config)# access-list 2 deny 36.48.0.0 0.0.255.255
Router(config)# access-list 2 deny any
Router(config)# exit

To create an extended IP access list using numbers, enter the following commands:

Command Purpose
Step 1 

Router(config)# access-list access-list-number remark remark

Indicates the purpose of the deny or permit statement.[1]

Step 2 

Router(config)# access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established]
or

Defines an extended IP access list number and the access conditions.

Router(config)# access-list access-list-number {deny | permit} protocol any any
or

Defines an extended IP access list using 0.0.0.0 255.255.255.255 as an abbreviation for a source and source wildcard, and 0.0.0.0 255.255.255.255 as an abbreviation for a destination and destination wildcard.

Router(config)# access-list access-list-number {deny | permit} protocol host source host destination

Defines an extended IP access list using 0.0.0.0 as an abbreviation for a source and source wildcard, and 0.0.0.0 as an abbreviation for a destination and destination wildcard.

Step 3 

Router(config)# exit

Exits global configuration mode.

[1] The remark can be configured before or after the deny or permit statement.

Configuring Extended Access Lists

The following example shows an extended access list configuration (the established keyword applies only to TCP, so the entry names that protocol):

Router(config)# access-list 101 deny tcp any any precedence 5 established
Router(config)# exit

For more detailed information on the commands used to configure numbered IP access lists, refer to the Cisco IOS IP and IP Routing Command Reference.

After an access list is created, any subsequent additions (entered from the terminal, for example) are placed at the end of the list. In other words, you cannot selectively add or remove access list command lines from an access list.


Note   By default, the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end. Further, with standard access lists, if you omit the mask from an associated IP host-address access-list specification, 0.0.0.0 is assumed to be the mask.

After creating an access list, you must apply it to an interface or channel, as shown in the "Applying IP Access Lists to Interfaces" section.

Creating Standard and Extended IP Access Lists Using Names

You can identify IP access lists with an alphanumeric string (a "name") rather than a number. Using named access lists permits you to configure a larger number of IP access lists on a router than can be configured when using numbered access lists.


Note   If you identify your access list(s) with a name rather than a number, the mode and command syntax are slightly different. The tables in this section provide the necessary mode and syntax information.

ACL names can be up to 31 characters in length and are case sensitive. In addition to alphanumeric characters, they can include the dash (-), the underscore (_), and the period (.). ACL names must start with an alphabetic character and must be unique among all ACLs of all types on the switch router. You cannot use keywords from any command as an ACL name.

Consider the following before configuring named access lists:

  • Not all access lists that accept a number will accept a name. Access lists for packet filters and route filters on interfaces can use a name.
  • A standard access list and an extended access list cannot have the same name.
  • Numbered access lists are also available, as described in the "Creating Standard and Extended IP Access Lists Using Numbers" section.

To create a standard IP access list using names, enter the following commands from global configuration mode:

Command Purpose
Step 1 

Router(config)# ip access-list standard name

Defines a standard IP access list using a name.

Step 2 

Router(config-standard-nacl)# {permit | deny} source [source wildcard]

Sets conditions for a named IP access list.

Step 3 

Router(config-standard-nacl)# exit

Exits access-list configuration mode.

Configuring Named Access Lists

The following example shows a named IP access list configuration:

Switch(config)# ip access-list standard Market_group
Switch(config-std-nacl)# permit host 1.1.1.1
Switch(config-std-nacl)# deny 2.0.0.1 0.0.0.0
Switch(config-std-nacl)# permit 4.1.0.0 0.0.255.255
Switch(config-std-nacl)# exit

To create an extended IP access list using names, enter the following commands from global configuration mode:

Command Purpose
Step 1 

Router(config)# ip access-list extended name

Defines an extended IP access list using a name.

Step 2 

Router(config-ext-nacl)# {permit | deny} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos]

or

Specifies one or more conditions as allowed or denied. This determines whether the packet is passed or dropped.

Router(config-ext-nacl)# {deny | permit} protocol any any

or

Defines an extended IP access list using 0.0.0.0 255.255.255.255 as an abbreviation for a source and source wildcard and 0.0.0.0 255.255.255.255 as an abbreviation for a destination and destination wildcard.

Router(config-ext-nacl)# {deny | permit} protocol host source host destination

Defines an extended IP access list using an abbreviation for a source and source wildcard of source 0.0.0.0, and an abbreviation for a destination and destination wildcard of destination 0.0.0.0.

Step 3 

Router(config-ext-nacl)# exit

Exits configuration mode.

Configuring Extended Named Access Lists

The following example shows an extended named IP access list configuration:

Router(config)# ip access-list extended market_group
Router(config-ext-nacl)# permit ip 172.83.5.17 0.0.255.255 any precedence 5 tos min-delay
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit

For more information on the commands used to configure named IP access lists, refer to the Cisco IOS IP and IP Routing Command Reference.

After an access list is created, any subsequent additions (entered from the terminal, for example) are placed at the end of the list. You cannot insert access list command lines at a chosen position within a list. Use the no permit and no deny commands to remove entries from a named access list.


Note   When creating standard and extended access lists, remember that as the default the end of the access list contains an implicit deny statement, which is applicable for all unmatched data. In addition, when creating standard access lists, if you omit the mask from an associated IP host-address access-list specification, the default, 0.0.0.0, is assigned as the mask.

Applying IP Access Lists to Interfaces

After you create an access list, you can apply it to one or more interfaces. Access lists can be applied on either outbound or inbound interfaces. When controlling access to an interface, you can use a named access list or numbered access list.

Use the following commands in interface configuration mode to apply an IP access list to an interface:

Command Purpose
Step 1 

Router(config)# interface type card/subcard/port

Enters interface configuration mode.

Step 2 

Router(config-if)# ip access-group {access-list-number | name} {in | out}

Controls access to an interface.

Step 3 

Router(config-if)# exit

Exits interface configuration mode.

Applying Access Lists to Interfaces

The following example shows how to apply an access list to an interface:

Router(config)# interface pos9/0/0
Router(config-if)# ip access-group market_group in
Router(config-if)# exit

For more information on configuring IP access lists, refer to the "Configuring IP Services" section of the Cisco IOS IP and IP Routing Configuration Guide.

Configuring IPX Packets

The software supports standard access lists for IPX. Standard access lists restrict traffic based on the source network number. You can further restrict traffic by specifying a destination address and a source and destination address mask.

Standard IPX access lists use numbers from 800-899 for both inbound and outbound traffic.

The software supports the following types of access lists for IPX:

  • Numbered IPX simple ACL without source node
  • Named IPX simple ACL without source node

The procedure involved in configuring access lists is as follows:


Step 1   Create an access list by specifying an access list number or name, and the access conditions.

Step 2   Apply the access list to the appropriate interfaces.

Note   Catalyst 8500 software tests incoming and outgoing packets against access list criteria. The first criteria match determines whether the software accepts or rejects the address. Because the software stops testing access list criteria after the first match, the order of the criteria is critical. If none of the criteria match, the software rejects the address.

Creating IPX Access Lists Using Numbers

To create standard IPX access lists using numbers, use one of the following commands in global configuration mode:

Command Purpose

Router(config)# access-list access-list-number {deny | permit} source-network[.source-node[source-node-mask]] [destination-network[.destination-node[destination-node-mask]]]
or

Defines a standard IPX access list number and the access conditions.

Router(config)# access-list access-list-number {deny | permit} -1[.source-node[source-node-mask]] -1[.destination-node[destination-node-mask]]
or

Defines a standard IPX access list using 0.0.0.0 255.255.255.255 as an abbreviation for a source and source wildcard, and 0.0.0.0 255.255.255.255 as an abbreviation for a destination and destination wildcard.

Router(config)# access-list access-list-number {deny | permit} 0[.source-node[source-node-mask]] 0[.destination-node[destination-node-mask]]

Defines a standard IPX access list using 0.0.0.0 255.255.255.255 as an abbreviation for a local network source and a source wildcard, and 0.0.0.0 255.255.255.255 as an abbreviation for a local network destination and destination wildcard.

Configuring IPX Access Lists

The following example shows how to configure an IPX numbered access list:

Router(config)# access-list 800 deny -1 -1
Router(config)# exit

For more information on the commands used to configure numbered IPX access lists, refer to the Cisco IOS AppleTalk and Novell IPX Command Reference.

Creating Named IPX Access Lists

To create standard IPX access lists using names, use the following commands in global configuration mode:

Command Purpose
Step 1 

Router(config)# ipx access-list standard name

Defines a standard IPX access list using a name. (Generic, routing, and broadcast filters use this type of access list.)

Step 2 

Router(config-ipx-std-nacl)# {deny | permit} source-network [.source-node [source-node-mask]] [destination-network [.destination-node [destination-node-mask]]]
or

Specifies one or more conditions as allowed or denied. This determines whether the packet is passed or dropped.

 

Router(config-ipx-std-nacl)# {deny | permit} -1[.source-node[source-node-mask]] -1[.destination-node[destination-node-mask]]
or

Defines a standard IPX access list using an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255, and an abbreviation for a destination and destination wildcard of 0.0.0.0 255.255.255.255.

Router(config-ipx-std-nacl)# {deny | permit} 0[.source-node[source-node-mask]] 0[.destination-node[destination-node-mask]]

Defines a standard IPX access list using 0.0.0.0 255.255.255.255 as an abbreviation for a local network source and source wildcard, and 0.0.0.0 255.255.255.255 as an abbreviation for a local network destination and destination wildcard.

Step 3 

Router(config-ipx-std-nacl)# exit

Exits access-list configuration mode.

Configuring Named IPX Access Lists

The following example shows how to configure a named IPX access list:

Router(config)# ipx access-list standard eng_group
Router(config-ipx-std-nacl)# deny 0 -1
Router(config-ipx-std-nacl)# exit

For more information on the commands used to configure named IPX access lists, refer to the Cisco IOS AppleTalk and Novell IPX Command Reference.

Applying IPX Access Lists to an Interface

IPX access lists can be applied on either outbound or inbound interfaces. The following table shows how to accomplish this task for network interfaces. When controlling access to an interface, you can use a name or number.

Use the following command in interface configuration mode.

Command Purpose

Router(config-if)# ipx access-group {access-list-number | name} [in | out]

Controls access to the interface.

Applying an IPX Access List to an Interface

The following example shows how to apply an IPX access list to an interface:

Router(config)# interface port-channel 1
Router(config-if)# ipx access-group eng_group out
Router(config-if)# exit

For more information on configuring IPX access lists, refer to the "Configuring Novell IPX" section of the Cisco IOS AppleTalk and Novell IPX Configuration Guide.

Verifying Access Lists

To verify the IP access list configuration, use the following commands:

Command Purpose

Router# show {ip | ipx} access-lists

Verifies access list configurations.

Router# show running-config interface type card/subcard/port

Verifies interface configurations.

Displaying Interface Configurations

The following example shows output from the show running-config interface command:

Router# show running-config interface g9/0/0
Building configuration...
Current configuration:
!
interface GigabitEthernet9/0/0
no ip address
ip access-group 25 in
no ip directed-broadcast
shutdown
no cdp enable
end

Displaying Access List Configurations

The following example shows output from the show access-lists command:

Router# show access-lists 25
Standard IP access list 25
permit 1.1.1.1
deny 2.0.0.1
permit 4.1.0.0, wildcard bits 0.0.255.255
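The two show commands above are the raw material for a configuration check that is easy to automate: confirm that every ip access-group statement on an interface names a list that actually exists, and look for lists that are defined but applied nowhere or that contain no permit entry (such a list, like the access-list 2 example earlier in this chapter, drops everything that reaches it because of the implicit deny). The following Python program is an added example, not code from the guide; it parses text in the format of the show running-config interface and show access-lists output shown above. The captures it works on are constructed samples in that format, and the interface names and list numbers in them are made up.

```python
"""Audit ACL bindings against ACL definitions taken from show output.
Added example, not from the guide; the captures below are constructed."""
import re

# Constructed capture in the format of 'show running-config interface'.
RUNNING_CONFIG = """\
interface GigabitEthernet9/0/0
 no ip address
 ip access-group 25 in
 shutdown
!
interface GigabitEthernet9/0/1
 ip address 192.0.2.1 255.255.255.0
 ip access-group market_group out
!
interface POS10/0/0
 ip access-group 150 in
!
"""

# Constructed capture in the format of 'show access-lists'.
SHOW_ACCESS_LISTS = """\
Standard IP access list 2
    deny   36.48.0.0, wildcard bits 0.0.255.255
    deny   any
Standard IP access list 25
    permit 1.1.1.1
    deny   2.0.0.1
    permit 4.1.0.0, wildcard bits 0.0.255.255
Extended IP access list market_group
    permit ip 172.83.0.0 0.0.255.255 any precedence 5 tos min-delay
    permit ip any any
"""

_IFACE = re.compile(r"^interface\s+(\S+)")
_GROUP = re.compile(r"^\s*ip access-group\s+(\S+)\s+(in|out)\b")
_LIST = re.compile(r"^(Standard|Extended) IP access list (\S+)")
_ENTRY = re.compile(r"^\s+(permit|deny)\b")


def parse_interface_bindings(text):
    """Map interface name -> [(acl, direction), ...] from running-config text."""
    bindings, current = {}, None
    for line in text.splitlines():
        m = _IFACE.match(line)
        if m:
            current = m.group(1)
            bindings.setdefault(current, [])
            continue
        m = _GROUP.match(line)
        if m and current:
            bindings[current].append((m.group(1), m.group(2)))
    return bindings


def parse_access_lists(text):
    """Map list name or number -> [action, ...] (one per entry) from show access-lists text."""
    acls, current = {}, None
    for line in text.splitlines():
        m = _LIST.match(line)
        if m:
            current = m.group(2)
            acls[current] = []
            continue
        m = _ENTRY.match(line)
        if m and current:
            acls[current].append(m.group(1))
    return acls


def audit(bindings, acls):
    """Report references to undefined lists, lists applied nowhere, and lists with no permit."""
    applied, undefined = set(), []
    for iface, groups in bindings.items():
        for acl, direction in groups:
            applied.add(acl)
            if acl not in acls:
                undefined.append((iface, acl, direction))
    unused = sorted(a for a in acls if a not in applied)
    deny_only = sorted(a for a, actions in acls.items() if "permit" not in actions)
    return {"undefined": undefined, "unused": unused, "deny_only": deny_only}


if __name__ == "__main__":
    report = audit(parse_interface_bindings(RUNNING_CONFIG),
                   parse_access_lists(SHOW_ACCESS_LISTS))
    for kind, items in report.items():
        print(kind, items)
```

On the constructed captures the audit reports POS10/0/0 as referencing list 150, which is not defined, and list 2 as both unused and deny-only; each of those is worth confirming against the intended policy before the interface carries traffic.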

Monitoring IP and IPX Access Lists

Once access control is configured, you can monitor and troubleshoot its operation. You can monitor individual interfaces, or incoming or outgoing packets. Use the following commands to monitor access control:

Command Purpose

show access-lists

Displays all access lists configured on the switch router.

show epc acl tcam2acl interface interface {in | out}

Displays the ACL entries programmed in the TCAM for a particular interface.

show epc acl lookup {in | out} [interface | protocol | source-address | destination-address]

Displays whether the ACL permitted or denied a given IP packet on a particular interface.

Displaying ACL Entries for an Interface

The following shows output from the show epc if-entry interface command, which includes the ACL index and flags for the interface:

Router# show epc if-entry interface g9/0/0 entry g9/0/0
Mac(hex) - 00:90:21:50:D8:47
isMyInteface :True isSubInterface :False
Status Down Broute VC - 407 Bcast VC - 0
Netmask:32
MTU:1500 bytes
FEC disabled
Trunking Disabled
State :Not-Applicable/Listening/Blocking
Bridge-Group disabled
IP routing off bridging off
IPX routing off bridging off
Appletalk routing off
In Encapsulation:
ICMP Redirect disabled Unreachable disabled
IP Multicast disabled:ttl-threshold:0
ACL Indexs:
Input ACL:30 Output ACL:0
ACL Flags:
Input IP:ON Output IP:OFF
Input IPX:OFF Output IPX:OFF

Displaying ACL Configurations

The following shows output from the show epc acl lookup command:

Router# show epc acl lookup in gigabitEthernet 9/0/0 ip 1.1.1.1 2.2.2.2
Input IP ACL lookup on GigabitEthernet9/0/0:Label:1 Index:30
DestIP:2.2.2.2 IP:1.1.1.2 DestPort:0 SrcPort:0
Proto:256 Precedence:0x0 TOS:0x0 TCPFLAGS:0x0
ICMP type:0 code:0 IGMP type:0
Lookup Key:
00000000 00000100 00000101 01020202 02020000 333A3139 45000000 20536174 00000000 001E0001
TCAM Result:89000000 00427B40
Lookup got hit at
[V:0xC1C07B40 M:0xC2C07B40][0 IP] deny ip any any
Packet will be denied

For more information on the commands, refer to the Cisco IOS AppleTalk and Novell IPX Command Reference and the Cisco IOS IP and IP Routing Command Reference.