The ability to filter packets in a modular and scalable way is important for both network security and network management. Access Control Lists (ACLs) provide the capability to filter packets at a fine granularity. In Metro Ethernet networks, ACLs are directly applied on Ethernet virtual circuits (EVCs).
Previously, Layer 3 ACLs were supported only on routed ports (physical ports or BDIs). Support for Layer 3 ACLs on EVCs makes it possible to filter Layer 3 packets on Layer 2 bridges that carry Ethernet services.
An ACL is a set of rules (or permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number. ACLs are essentially used for packet filtering. A packet filter drops packets that match a deny rule and permits packets that match a permit rule. ACLs are also widely used by many modules, for example, QoS and IP routing, for traffic identification.
Packets are filtered by comparing the source or destination address or the protocol against the conditions (ACEs) in the access list.
An incoming packet is compared to the ACL entries in the order in which the entries appear in the list.
If a packet does not match an ACE, it is compared against the next ACE in the list.
If a packet matches an access list statement, the remaining statements in the list are skipped.
If a packet matches no ACE, it is dropped.
IPv4 ACLs on EVCs support matching on the same fields as other IP ACLs: bitwise matching on the IP source and destination fields, DSCP, upper-layer protocol values, TCP and UDP port numbers, and TCP flags.
IPv4 ACLs can be applied to EVCs in the ingress direction.
Both IOS numbered and named IP ACL syntax are supported.
IPv4 ACLs apply only to IPv4 packets.
An Ethernet virtual circuit (EVC) as defined by the Metro Ethernet Forum is a port-level point-to-point or multipoint-to-multipoint Layer 2 circuit. It is an end-to-end representation of a single instance of a Layer 2 service being offered by a provider to a customer. An EVC contains the different parameters on which the service is being offered. A service instance is the instantiation of an EVC on a specified port.
Service instances are configured under a port channel. The traffic carried by the service instance is load balanced across member links. Service instances under a port channel are grouped and each group is associated with one member link. Ingress traffic for a single EVC can arrive on any member of the bundle. All egress traffic for a service instance uses only one of the member links. Load balancing is achieved by grouping service instances and assigning them to a member link.
Ethernet virtual connection services (EVCS) use EVCs and service instances to provide Layer 2 switched Ethernet services. A customer edge (CE) device can use the EVC status either to find an alternative path into the service provider network or, in some cases, to fall back to a backup path over Ethernet or over another service such as ATM.
This section provides additional information about how ACLs behave.
Logging is the mechanism by which matched ACL entries are recorded. Packets that hit ACL entries with logging enabled are sent to a logging queue, which then passes them to the logging buffer. The ACL counters depend on the number of packets that hit the hardware queue, not on the number of packets sent.
The first packet that triggers the ACL produces a logging message; subsequent packets are counted over 5-minute intervals before they are logged. The logging message includes the access list number, whether the packet was permitted or denied, the source IP address of the packet, and the number of packets from that source permitted or denied in the prior 5-minute interval.
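As an added example (not part of this guide, and not Cisco code), the following Python parses the ACCESSLOGP logging messages described above and totals packets per source, which is the form in which the first-hit message and the later 5-minute summaries reach a syslog collector. The single message quoted from this guide's configuration example is used as the first sample line; the remaining log lines, the regular expression, the `summarize` and `noisy_sources` helpers and the review threshold are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Message format as it appears in this guide's configuration example, e.g.
#   %IPV4_ACL-6-ACCESSLOGP: list ipv4_acl/10 permitted udp 20::4(10) -> 30::2(30), 1 packet
# The timestamp prefix is not part of the pattern, so lines relayed through a syslog collector match too.
ACCESSLOGP_RE = re.compile(
    r"%(?P<family>IPV4|IPV6)_ACL-6-ACCESSLOGP: "
    r"list (?P<acl>[^/\s]+)/(?P<seq>\d+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\S+?)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\S+?)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse_accesslog(line: str) -> Optional[Dict]:
    """Return the fields of one ACCESSLOGP message, or None for any other log line."""
    m = ACCESSLOGP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("seq", "sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines: Iterable[str]) -> Dict[Tuple[str, int, str, str], int]:
    """Total packets per (ACL, ACE sequence, action, source address).
    The first hit is logged with a count of 1 and later hits arrive as 5-minute summaries,
    so summing the count field reproduces the per-source volume across interval boundaries."""
    totals: Dict[Tuple[str, int, str, str], int] = defaultdict(int)
    for line in lines:
        rec = parse_accesslog(line)
        if rec is not None:
            totals[(rec["acl"], rec["seq"], rec["action"], rec["src"])] += rec["count"]
    return dict(totals)

def noisy_sources(totals: Dict, threshold: int) -> List[Tuple[str, int]]:
    """Sources whose denied packet total reaches the threshold, largest first (a review list, not an alert)."""
    hits = [(key[3], n) for key, n in totals.items() if key[2] == "denied" and n >= threshold]
    return sorted(hits, key=lambda item: item[1], reverse=True)

# Constructed sample: the first line is quoted from this guide, the rest are made up to show
# a 5-minute summary, an unrelated syslog line, and denied traffic from a second source.
SAMPLE_LOG = """\
Oct 19 12:49:26.330 IST: %IPV4_ACL-6-ACCESSLOGP: list ipv4_acl/10 permitted udp 20::4(10) -> 30::2(30), 1 packet
Oct 19 12:54:26.330 IST: %IPV4_ACL-6-ACCESSLOGP: list ipv4_acl/10 permitted udp 20::4(10) -> 30::2(30), 5704 packets
Oct 19 12:54:26.331 IST: %SYS-5-CONFIG_I: Configured from console by console
Oct 19 12:55:01.010 IST: %IPV4_ACL-6-ACCESSLOGP: list ip_acl_25/20 denied tcp 192.0.2.7(40001) -> 20.0.0.1(22), 1 packet
Oct 19 13:00:01.010 IST: %IPV4_ACL-6-ACCESSLOGP: list ip_acl_25/20 denied tcp 192.0.2.7(40002) -> 20.0.0.1(22), 311 packets
"""

if __name__ == "__main__":
    totals = summarize(SAMPLE_LOG.splitlines())
    for key, n in sorted(totals.items()):
        print(key, n)
    print("review:", noisy_sources(totals, 100))
```

Because the summary message reports packets since the previous message rather than a running total, the parser keys on the source address and not on the source port, so the two denied lines from 192.0.2.7 with different ephemeral ports are counted as one source.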
Fragmentation of IP datagrams causes problems for IP access lists that match on Layer 4 fields, because only the first fragment of a datagram carries the Layer 4 header. Hence only the first fragment can be matched against the Layer 4 information in an ACE. For ACEs that match on Layer 4 fields and permit packets, this is handled by programming two entries for the single ACE: one that matches the first fragment on the Layer 4 fields, and one that matches non-first fragments on the Layer 3 fields of the ACE only. ACEs that match on Layer 4 fields and drop packets are programmed to match only the first fragment, with the Layer 4 fields.
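The matching order described earlier (first match wins, with everything unmatched dropped by the implicit deny) and the two-entry fragment expansion described in this paragraph can be simulated with a small evaluator. This is an added example, not code from this guide or from the platform: the `Packet`, `Ace` and `Entry` types, the sample lists and the handling of the `fragments` keyword (IOS semantics, where such an ACE matches only non-initial fragments and carries no Layer 4 fields) are assumptions made for the example, and only a destination port is modelled as the Layer 4 field.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None  # None when the packet carries no Layer 4 header
    frag_offset: int = 0         # > 0 means a non-initial fragment (no Layer 4 header)

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str = "ip"            # "ip" matches any IP protocol
    src: str = "0.0.0.0"
    src_wild: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"
    dport: Optional[int] = None  # 'eq' destination port: the only Layer 4 field modelled here
    fragments: bool = False      # IOS 'fragments' keyword (assumed semantics): non-initial fragments only
    log: bool = False

@dataclass(frozen=True)
class Entry:
    """One programmed match entry derived from an ACE (the granularity the hardware sees)."""
    ace: Ace
    frag: str                    # "any", "initial" or "noninitial"
    use_l4: bool                 # whether the Layer 4 field takes part in the match

def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """Cisco wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wild))
    return (a & ~w) == (b & ~w)

def expand(ace: Ace) -> List[Entry]:
    """Programming rule from the fragments paragraph: an ACE without Layer 4 fields becomes one
    entry; a permit ACE with Layer 4 fields becomes two (initial fragment with L4, non-initial
    fragment on Layer 3 only); a deny ACE with Layer 4 fields only the initial-fragment entry."""
    if ace.fragments:
        return [Entry(ace, "noninitial", False)]
    if ace.dport is None:
        return [Entry(ace, "any", False)]
    entries = [Entry(ace, "initial", True)]
    if ace.action == "permit":
        entries.append(Entry(ace, "noninitial", False))
    return entries

def entry_matches(e: Entry, p: Packet) -> bool:
    ace = e.ace
    if ace.proto != "ip" and ace.proto != p.proto:
        return False
    if not (wildcard_match(p.src, ace.src, ace.src_wild) and wildcard_match(p.dst, ace.dst, ace.dst_wild)):
        return False
    if e.frag == "initial" and p.frag_offset != 0:
        return False
    if e.frag == "noninitial" and p.frag_offset == 0:
        return False
    return not e.use_l4 or p.dport == ace.dport

def evaluate(acl: List[Ace], p: Packet) -> Tuple[str, Optional[int]]:
    """First match wins: returns (action, index of the matching ACE); a packet that matches
    no ACE is dropped by the implicit deny, reported here as ("deny", None)."""
    for idx, ace in enumerate(acl):
        if any(entry_matches(e, p) for e in expand(ace)):
            return ace.action, idx
    return "deny", None

# Constructed example list: block TCP/22 from one subnet to a host, permit the subnet's other IP traffic.
DEMO_ACL = [
    Ace("deny", "tcp", "10.1.0.0", "0.0.255.255", "20.0.0.1", "0.0.0.0", dport=22, log=True),
    Ace("permit", "ip", "10.1.0.0", "0.0.255.255"),
]
# Same list with a leading 'fragments' ACE so that non-initial fragments from the subnet are dropped.
STRICT_ACL = [Ace("deny", "ip", "10.1.0.0", "0.0.255.255", fragments=True)] + DEMO_ACL

if __name__ == "__main__":
    first = Packet("10.1.2.3", "20.0.0.1", "tcp", dport=22)
    rest = Packet("10.1.2.3", "20.0.0.1", "tcp", dport=None, frag_offset=1480)
    print("initial fragment :", evaluate(DEMO_ACL, first))    # ('deny', 0)
    print("non-initial frag :", evaluate(DEMO_ACL, rest))     # ('permit', 1): deny entry needs the L4 header
    print("with 'fragments' :", evaluate(STRICT_ACL, rest))   # ('deny', 0)
    print("unknown source   :", evaluate(DEMO_ACL, Packet("192.0.2.1", "20.0.0.1", "udp", dport=53)))  # ('deny', None)
```

The second case is the one to check when reviewing a list: a deny ACE with Layer 4 fields is programmed against the initial fragment only, so the non-initial fragments of that flow fall through to whatever follows, here a broad permit. Placing an explicit `fragments` ACE ahead of it, as in `STRICT_ACL`, closes that gap for the subnet.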
Layer 3 ACL on EVC is not supported in the egress direction.
Layer 3 ACL is not supported on a trunk EFP.
IPv4 ACL and IPv6 ACL are not supported on the same EVC.
Layer 2 ACL and Layer 3 ACL are not supported on the same EVC.
QoS and ACL are not supported on the same EVC.
Layer 3 ACL on an EVC of a port channel whose member links are on different ASICs is not supported.
The maximum number of ACE entries supported is 512.
When a Layer 3 ACL is configured on both an EVC and the corresponding BDI, the ACL configured on the BDI takes priority.
Layer 3 ACL on EVC is not supported when a QoS policy is attached to the interface.
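One way to check a running configuration against the restrictions above before an ACL is applied: an added example (not code from this guide or from the platform) that parses the running-config layout shown in this guide's configuration examples and reports unsupported combinations. The sample configuration is constructed; the `mac access-group` form for a Layer 2 ACL on an EVC, the `service instance trunk ... ethernet` form for a trunk EFP, and reading the 512-ACE maximum as a per-ACL limit are assumptions. The numbered ACL ranges it checks (1 to 99 and 1300 to 1999 for standard, 100 to 199 and 2000 to 2699 for extended) are the ones stated later in this guide.

```python
from collections import defaultdict
NUMBERED_RANGES = {"standard": ((1, 99), (1300, 1999)), "extended": ((100, 199), (2000, 2699))}
MAX_ACES = 512  # supported maximum, read here as a per-ACL limit (assumption)

def parse_config(text):
    """Minimal parser for the running-config layout shown in this guide (ACLs, interfaces, EFP sub-blocks)."""
    interfaces, acls, ctx = {}, defaultdict(list), None  # ctx: ("acl", name) | ("iface", name) | ("efp", iface, id)
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip().startswith("!"):
            continue
        indent, w = len(line) - len(line.lstrip()), line.split()
        if indent == 0:
            ctx = None
            if w[0] == "interface":
                interfaces[w[1]] = {"cmds": [], "efps": {}}
                ctx = ("iface", w[1])
            elif w[:2] in (["ip", "access-list"], ["ipv6", "access-list"]):
                ctx = ("acl", w[-1])
            elif w[0] == "access-list":  # numbered ACL: one ACE per line
                acls[w[1]].append(" ".join(w[2:]))
        elif ctx is None:
            continue
        elif ctx[0] == "acl":  # 'permit ...', '10 permit ...' or 'sequence 10 permit ...'
            if any(t in ("permit", "deny") for t in w[:3]):
                acls[ctx[1]].append(line.strip())
        elif indent == 1:  # interface-level command, or the start of a new EFP
            iname = ctx[1]
            if w[:2] == ["service", "instance"]:
                trunk = w[2] == "trunk"  # assumed form: service instance trunk <id> ethernet
                eid = w[3] if trunk else w[2]
                interfaces[iname]["efps"][eid] = {"trunk": trunk, "cmds": []}
                ctx = ("efp", iname, eid)
            else:
                interfaces[iname]["cmds"].append(line.strip())
                ctx = ("iface", iname)
        elif ctx[0] == "efp":  # command inside the current EFP
            interfaces[ctx[1]]["efps"][ctx[2]]["cmds"].append(line.strip())
    return {"interfaces": interfaces, "acls": dict(acls)}

def lint(cfg):
    """Report combinations that the restrictions listed above say are unsupported."""
    findings = []
    for name, aces in cfg["acls"].items():
        if len(aces) > MAX_ACES:
            findings.append(f"ACL {name}: {len(aces)} ACEs exceeds the supported maximum of {MAX_ACES}")
        if name.isdigit() and not any(lo <= int(name) <= hi for lo, hi in NUMBERED_RANGES["standard"] + NUMBERED_RANGES["extended"]):
            findings.append(f"ACL {name}: number is outside the standard and extended numbered ACL ranges")
    for iname, iface in cfg["interfaces"].items():
        iface_qos = any(c.startswith("service-policy") for c in iface["cmds"])
        for eid, efp in iface["efps"].items():
            where, cmds = f"{iname} service instance {eid}", efp["cmds"]
            v4 = [c for c in cmds if c.startswith("ip access-group")]
            v6 = [c for c in cmds if c.startswith("ipv6 traffic-filter")]
            l2 = [c for c in cmds if c.startswith("mac access-group")]  # assumed Layer 2 ACL form
            qos = [c for c in cmds if c.startswith("service-policy")]
            l3 = v4 + v6
            for c in l3:
                if c.split()[-1] != "in":
                    findings.append(f"{where}: '{c}': Layer 3 ACL on EVC is supported only in the ingress direction")
                if c.split()[2] not in cfg["acls"]:
                    findings.append(f"{where}: '{c}' references an ACL that is not defined")
            checks = [
                (l3 and efp["trunk"], "Layer 3 ACL is not supported on a trunk EFP"),
                (v4 and v6, "IPv4 and IPv6 ACLs are not supported on the same EVC"),
                (l3 and l2, "Layer 2 and Layer 3 ACLs are not supported on the same EVC"),
                (l3 and qos, "QoS and ACL are not supported on the same EVC"),
                (l3 and iface_qos, f"Layer 3 ACL is not supported when a QoS policy is attached to {iname}"),
            ]
            findings += [f"{where}: {msg}" for cond, msg in checks if cond]
    return findings

# Constructed sample, modelled on the running-config extracts shown in this guide.
SAMPLE_CONFIG = """\
ip access-list extended ipv4_acl
 10 permit udp host 20.0.0.4 eq 10 any eq 30 log
 20 deny ip any any log
ipv6 access-list ipv6_acl
 sequence 10 permit udp host 20::4 eq 10 any eq 30 log
access-list 250 deny ip any any
!
interface GigabitEthernet0/0/4
 service instance 1 ethernet
  encapsulation dot1q 1
  ip access-group ipv4_acl in
  bridge-domain 1
 service instance 2 ethernet
  ip access-group ipv4_acl in
  ipv6 traffic-filter ipv6_acl in
!
interface GigabitEthernet0/0/5
 service-policy input POLICE_IN
 service instance trunk 1 ethernet
  encapsulation dot1q 10-20
  ip access-group ipv4_acl in
  bridge-domain from-encapsulation
"""
if __name__ == "__main__":
    for finding in lint(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against a `show running-config` capture, the checks that matter most operationally are the direction and the two per-EVC exclusivity rules (IPv4 with IPv6, ACL with QoS), since those are the combinations that reject at apply time rather than silently not filtering; the port-channel ASIC restriction cannot be decided from the configuration text alone and is left out.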
1. enable
2. configure terminal
3. ip access-list standard name
4. permit / deny {source [source-wildcard] | any} [log]
5. access-list access-list-number permit / deny {source [source-wildcard] | any} [log]
6. ip access-list extended name
7. permit / deny protocol source [source-wildcard] destination [destination-wildcard] [option option-name] [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]
8. access-list access-list-number permit protocol {source [source-wildcard] | any} {destination [destination-wildcard] | any} [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]
1. enable
2. configure terminal
3. interface <interface-number>
4. service instance id ethernet
5. ip access-group {access-list-number | access-list-name} in
6. end
Step | Command or Action | Purpose
---|---|---
Step 1 | enable | 
Step 2 | configure terminal | Enters global configuration mode.
Step 3 | interface <interface-number> | Enters the interface configuration mode for the interface connected to the service-provider network. You can enter a physical interface or an EtherChannel port channel.
Step 4 | service instance id ethernet | 
Step 5 | ip access-group {access-list-number \| access-list-name} in | 
Step 6 | end | Returns to privileged EXEC mode.
If you want to filter on source address only, a standard access list is simple and sufficient. There are two alternative types of standard access list: named and numbered. Named access lists allow you to identify your access lists with a more intuitive name rather than a number, and they also support more features than numbered access lists.
Use a standard, named access list if you need to filter on source address only. This task illustrates one permit statement and one deny statement, but the actual statements you use and their order depend on what you want to filter or allow. Define your permit and deny statements in the order that achieves your filtering goals.
1. enable
2. configure terminal
3. ip access-list standard name
4. remark remark
5. deny {source [source-wildcard] | any} [log]
6. remark remark
7. permit {source [source-wildcard] | any} [log]
8. Repeat some combination of Steps 4 through 7 until you have specified the sources on which you want to base your access list.
9. end
10. show ip access-list
Step | Command or Action | Purpose
---|---|---
Step 1 | enable | 
Step 2 | configure terminal | Enters global configuration mode.
Step 3 | ip access-list standard name | Defines a standard IP access list using a name and enters standard named access list configuration mode.
Step 4 | remark remark | 
Step 5 | deny {source [source-wildcard] \| any} [log] | 
Step 6 | remark remark | 
Step 7 | permit {source [source-wildcard] \| any} [log] | 
Step 8 | Repeat some combination of Steps 4 through 7 until you have specified the sources on which you want to base your access list. | Remember that all sources not specifically permitted are denied by an implicit deny statement at the end of the access list.
Step 9 | end | Returns to privileged EXEC mode.
Step 10 | show ip access-list | (Optional) Displays the contents of all current IP access lists.
Configure a standard, numbered access list if you need to filter on source address only and you prefer not to use a named access list.
IP standard access lists are numbered 1 to 99 or 1300 to 1999. This task illustrates one permit statement and one deny statement, but the actual statements you use and their order depend on what you want to filter or allow. Define your permit and deny statements in the order that achieves your filtering goals.
1. enable
2. configure terminal
3. access-list access-list-number permit {source [source-wildcard] | any} [log]
4. access-list access-list-number deny {source [source-wildcard] | any} [log]
5. Repeat some combination of Steps 3 through 6 until you have specified the sources on which you want to base your access list.
6. end
7. show ip access-list
Step | Command or Action | Purpose
---|---|---
Step 1 | enable | 
Step 2 | configure terminal | Enters global configuration mode.
Step 3 | access-list access-list-number permit {source [source-wildcard] \| any} [log] | 
Step 4 | access-list access-list-number deny {source [source-wildcard] \| any} [log] | 
Step 5 | Repeat some combination of Steps 3 through 6 until you have specified the sources on which you want to base your access list. | Remember that all sources not specifically permitted are denied by an implicit deny statement at the end of the access list.
Step 6 | end | Exits global configuration mode and enters privileged EXEC mode.
Step 7 | show ip access-list | (Optional) Displays the contents of all current IP access lists.
1. enable
2. configure terminal
3. ip access-list standard name
4. ip access-list standard number
5. ip access-list extended name
6. access-list name
Step | Command or Action | Purpose
---|---|---
Step 1 | enable | 
Step 2 | configure terminal | Enters global configuration mode.
Step 3 | ip access-list standard name | Defines a standard IP access list using a name and enters standard named access list configuration mode.
Step 4 | ip access-list standard number | Applies the specified access list to the inbound interface.
Step 5 | ip access-list extended name | Defines an extended IP access list using a name and enters extended named access list configuration mode.
Step 6 | access-list name | Applies the specified access list to the inbound interface.
If you want to filter on anything other than source address, you need to create an extended access list. There are two alternative types of extended access list: named and numbered. Named access lists allow you to identify your access lists with a more intuitive name rather than a number, and they also support more features.
For details on how to filter something other than source or destination address, see the syntax descriptions in the command reference documentation.
Create a named extended access list if you want to filter on source and destination address, or a combination of addresses and other IP fields.
1. enable
2. configure terminal
3. ip access-list extended name
4. remark remark
5. deny protocol source [source-wildcard] destination [destination-wildcard] [option option-name] [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]
6. remark remark
7. permit protocol source [source-wildcard] destination [destination-wildcard] [option option-name] [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]
8. Repeat some combination of Steps 4 through 7 until you have specified the fields and values on which you want to base your access list.
9. end
10. show ip access-list
Step | Command or Action | Purpose
---|---|---
Step 1 | enable | 
Step 2 | configure terminal | Enters global configuration mode.
Step 3 | ip access-list extended name | Defines an extended IP access list using a name and enters extended named access list configuration mode.
Step 4 | remark remark | 
Step 5 | deny protocol source [source-wildcard] destination [destination-wildcard] [option option-name] [precedence precedence] [tos tos] [established] [log \| log-input] [time-range time-range-name] [fragments] | 
Step 6 | remark remark | 
Step 7 | permit protocol source [source-wildcard] destination [destination-wildcard] [option option-name] [precedence precedence] [tos tos] [established] [log \| log-input] [time-range time-range-name] [fragments] | 
Step 8 | Repeat some combination of Steps 4 through 7 until you have specified the fields and values on which you want to base your access list. | Remember that all sources not specifically permitted are denied by an implicit deny statement at the end of the access list.
Step 9 | end | Exits global configuration mode and enters privileged EXEC mode.
Step 10 | show ip access-list | (Optional) Displays the contents of all current IP access lists.
Create a numbered extended access list if you want to filter on source and destination address, or a combination of addresses and other IP fields, and you prefer not to use a name. Extended IP access lists are numbered 100 to 199 or 2000 to 2699.
1. enable
2. configure terminal
3. access-list access-list-number remark remark
4. access-list access-list-number permit protocol {source [source-wildcard] | any} {destination [destination-wildcard] | any} [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]
5. access-list access-list-number remark remark
6. access-list access-list-number deny protocol {source [source-wildcard] | any} {destination [destination-wildcard] | any} [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]
7. Repeat some combination of Steps 3 through 6 until you have specified the fields and values on which you want to base your access list.
8. end
9. show ip access-list
Step | Command or Action | Purpose
---|---|---
Step 1 | enable | 
Step 2 | configure terminal | Enters global configuration mode.
Step 3 | access-list access-list-number remark remark | 
Step 4 | access-list access-list-number permit protocol {source [source-wildcard] \| any} {destination [destination-wildcard] \| any} [precedence precedence] [tos tos] [established] [log \| log-input] [time-range time-range-name] [fragments] | 
Step 5 | access-list access-list-number remark remark | 
Step 6 | access-list access-list-number deny protocol {source [source-wildcard] \| any} {destination [destination-wildcard] \| any} [precedence precedence] [tos tos] [established] [log \| log-input] [time-range time-range-name] [fragments] | 
Step 7 | Repeat some combination of Steps 3 through 6 until you have specified the fields and values on which you want to base your access list. | Remember that all sources not specifically permitted are denied by an implicit deny statement at the end of the access list.
Step 8 | end | Exits global configuration mode and enters privileged EXEC mode.
Step 9 | show ip access-list | (Optional) Displays the contents of all current IP access lists.
1. enable
2. configure terminal
3. ipv6 access-list access-list-name
4. deny | permit protocol {source-ipv6-prefix | prefix-length | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix | prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [fragments] [log] [log-input] [sequence value] [time-range name]
Step | Command or Action | Purpose
---|---|---
Step 1 | enable | 
Step 2 | configure terminal | Enters global configuration mode.
Step 3 | ipv6 access-list access-list-name | 
Step 4 | deny \| permit protocol {source-ipv6-prefix \| prefix-length \| host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix \| prefix-length \| any \| host destination-ipv6-address} [operator [port-number]] [dscp value] [fragments] [log] [log-input] [sequence value] [time-range name] | 
1. enable
2. configure terminal
3. interface <interface-number>
4. service instance id ethernet
5. ipv6 traffic-filter access-list-name in
Step | Command or Action | Purpose
---|---|---
Step 1 | enable | 
Step 2 | configure terminal | Enters global configuration mode.
Step 3 | interface <interface-number> | Enters the interface configuration mode for the interface connected to the service-provider network. You can enter a physical interface or an EtherChannel port channel.
Step 4 | service instance id ethernet | 
Step 5 | ipv6 traffic-filter access-list-name in | Defines an IPv6 ACL, and enters IPv6 access list configuration mode.
Building configuration...
Current configuration : 207 bytes
!
interface GigabitEthernet0/0/4
 no ip address
 media-type auto-select
 negotiation auto
 service instance 1 ethernet
  encapsulation dot1q 1
  rewrite ingress tag pop 1 symmetric
  bridge-domain 1
 !
end
Building configuration...
Current configuration : 111 bytes
!
interface BDI1
 ip address 20.0.0.1 255.255.255.0
end
Node1#sh ip access
Node1#sh ip access-list
IPv4 access list ipv4_acl
    permit udp host 20::4 eq 10 any eq 30 log sequence 10
Node1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Node1(config)#int g 0/0/4
Node1(config-if)#int BDI 1
Node1(config-if)#ip access-group ipv4_acl in
Node1(config-if-srv)#end
Node1#sh access-l
Oct 19 12:48:41.580 IST: %SYS-5-CONFIG_I: Configured from console by consolei
Node1#sh access-lists
Extended IP access list ip_acl_25
    10 permit udp host 20.0.0.4 eq 10 any eq 30 log
IPv4 access list ipv4_acl
    permit udp host 20::4 eq 10 any eq 30 log sequence 10
Node1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Node1(config)#int g 0/0/4
Node1(config-if)#int BDI 1
Node1(config-if)#ip access-group ipv4_acl in
Node1(config-if)#
Oct 19 12:49:26.330 IST: %IPV4_ACL-6-ACCESSLOGP: list ipv4_acl/10 permitted udp 20::4(10) -> 30::2(30), 1 packet
Node1(config-if)#
Node1(config-if)#do sh access-li
Extended IP access list ip_acl_25
    10 permit udp host 20.0.0.4 eq 10 any eq 30 log
IPv4 access list ipv4_acl
    permit udp host 20::4 eq 10 any eq 30 log (5705 matches) sequence 10
Node1(config-if)#
Building configuration...
Current configuration : 207 bytes
!
interface GigabitEthernet0/0/4
 no ip address
 media-type auto-select
 negotiation auto
 service instance 1 ethernet
  encapsulation dot1q 1
  rewrite ingress tag pop 1 symmetric
  bridge-domain 1
 !
end
Building configuration...
Current configuration : 111 bytes
!
interface BDI1
 ip address 20.0.0.1 255.255.255.0
 ip ospf 1 area 0
 ipv6 address 20::1/64
 ipv6 enable
end
Node1#sh ipv6 access
Node1#sh ipv6 access-list
IPv6 access list ipv6_acl
    permit udp host 20::4 eq 10 any eq 30 log sequence 10
Node1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Node1(config)#int ser
Node1(config)#int g 0/0/4
Node1(config-if)#ser in 1 eth
Node1(config-if-srv)#ipv6 traff
Node1(config-if-srv)#ipv6 traffic-filter ipv6_acl in
Node1(config-if-srv)#end
Node1#sh access-l
Oct 19 12:48:41.580 IST: %SYS-5-CONFIG_I: Configured from console by consolei
Node1#sh access-lists
Extended IP access list ip_acl_25
    10 permit udp host 20.0.0.4 eq 10 any eq 30 log
IPv6 access list ipv6_acl
    permit udp host 20::4 eq 10 any eq 30 log sequence 10
Node1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Node1(config)#int g 0/0/4
Node1(config-if)#int BDI 1
Node1(config-if)#ipv6 tra
Node1(config-if)#ipv6 traffic-filter ipv6_acl in
Node1(config-if)#
Oct 19 12:49:26.330 IST: %IPV6_ACL-6-ACCESSLOGP: list ipv6_acl/10 permitted udp 20::4(10) -> 30::2(30), 1 packet
Node1(config-if)#
Node1(config-if)#do sh access-li
Extended IP access list ip_acl_25
    10 permit udp host 20.0.0.4 eq 10 any eq 30 log
IPv6 access list ipv6_acl
    permit udp host 20::4 eq 10 any eq 30 log (5705 matches) sequence 10
Node1(config-if)#
Node2#sh run int g 0/0/4
Building configuration...
Current configuration : 237 bytes
!
interface GigabitEthernet0/0/4
 no ip address
 media-type auto-select
 negotiation auto
 service instance 1 ethernet
  encapsulation dot1q 1
  rewrite ingress tag pop 1 symmetric
  ip access-group ipv4_acl in
  bridge-domain 1
 !
end
Execute the following commands to check TCAM entries:
show platform hardware pp active tcam utilization acl detail <asic-id>
show platform hardware pp active tcam utilization ipv6-acl detail <asic-id>