Configuring Access Control Lists
This chapter contains the following sections:
- Information About ACLs
- Configuring IP ACLs
- Information About VLAN ACLs
- Configuring VACLs
- Configuration Examples for VACL
- Configuring ACL TCAM Region Sizes
- Configuring ACLs on Virtual Terminal Lines
Information About ACLs
An access control list (ACL) is an ordered set of rules that you can use to filter traffic. Each rule specifies a set of conditions that a packet must satisfy to match the rule. When the switch determines that an ACL applies to a packet, it tests the packet against the conditions of all rules. The first match determines whether the packet is permitted or denied. If there is no match, the switch applies the applicable default rule. The switch continues processing packets that are permitted and drops packets that are denied.
You can use ACLs to protect networks and specific hosts from unnecessary or unwanted traffic. For example, you could use ACLs to disallow HTTP traffic from a high-security network to the Internet. You could also use ACLs to allow HTTP traffic but only to specific sites, using the IP address of the site to identify it in an IP ACL.
- IP ACL Types and Applications
- Rules
- ACL TCAM Regions
- Licensing Requirements for ACLs
- Prerequisites for ACLs
- Guidelines and Limitations for ACLs
- Default ACL Settings
IP ACL Types and Applications
The Cisco Nexus device supports IPv4 for security traffic filtering. The switch allows you to use IP access control lists (ACLs) as port ACLs, VLAN ACLs, and Router ACLs as shown in the following table.
Application Order
Rules
You can create rules in access-list configuration mode by using the permit or deny command. The switch allows traffic that matches the criteria in a permit rule and blocks traffic that matches the criteria in a deny rule. You have many options for configuring the criteria that traffic must meet in order to match the rule.
- Source and Destination
- Protocols
- Implicit Rules
- Additional Filtering Options
- Sequence Numbers
- Logical Operators and Logical Operation Units
Source and Destination
In each rule, you specify the source and the destination of the traffic that matches the rule. You can specify both the source and destination as a specific host, a network or group of hosts, or any host.
Protocols
IPv4 and MAC ACLs allow you to identify traffic by protocol. For your convenience, you can specify some protocols by name. For example, in an IPv4 ACL, you can specify ICMP by name.
You can specify any protocol by the integer that represents the Internet protocol number.
Implicit Rules
IP and MAC ACLs have implicit rules, which means that although these rules do not appear in the running configuration, the switch applies them to traffic when no other rules in an ACL match.
All IPv4 ACLs include the following implicit rule:
deny ip any any
This implicit rule ensures that the switch denies unmatched IP traffic.
permit icmp any any nd-na
permit icmp any any nd-ns
permit icmp any any router-advertisement
permit icmp any any router-solicitation
All MAC ACLs include the following implicit rule:
deny any any protocol
This implicit rule ensures that the device denies the unmatched traffic, regardless of the protocol specified in the Layer 2 header of the traffic.
Additional Filtering Options
You can identify traffic by using additional options. IPv4 ACLs support the following additional filtering options:
Sequence Numbers
The Cisco Nexus device supports sequence numbers for rules. Every rule that you enter receives a sequence number, either assigned by you or assigned automatically by the device. Sequence numbers simplify the following ACL tasks:
- Adding new rules between existing rules—By specifying the sequence number, you specify where in the ACL a new rule should be positioned. For example, if you need to insert a rule between rules numbered 100 and 110, you could assign a sequence number of 105 to the new rule.
- Removing a rule—Without using a sequence number, removing a rule requires that you enter the whole rule, as follows:
  switch(config-acl)# no permit tcp 10.0.0.0/8 any
  However, if the same rule had a sequence number of 101, removing the rule requires only the following command:
  switch(config-acl)# no 101
- Moving a rule—With sequence numbers, if you need to move a rule to a different position within an ACL, you can add a second instance of the rule using the sequence number that positions it correctly, and then you can remove the original instance of the rule. This action allows you to move the rule without disrupting traffic.
If you enter a rule without a sequence number, the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule to the rule. For example, if the last rule in an ACL has a sequence number of 225 and you add a rule without a sequence number, the device assigns the sequence number 235 to the new rule.
In addition, the device allows you to reassign sequence numbers to rules in an ACL. Resequencing is useful when an ACL has rules numbered contiguously, such as 100 and 101, and you need to insert one or more rules between those rules.
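The following Python model is an added example, not Cisco code or NX-OS behaviour verified against a switch: it reproduces the sequence-number rules described above (auto-assignment at last + 10, removal by number, moving a rule by add-then-remove, and resequencing) so that the effect of each operation on rule order can be checked offline. The class and method names are the example's own.

```python
"""Model of NX-OS ACL sequence numbering (added example, not Cisco code)."""
from __future__ import annotations


class IpAcl:
    """Ordered rule list keyed by sequence number, mimicking access-list config mode."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.rules: dict[int, str] = {}  # sequence number -> rule text

    def add(self, rule: str, seq: int | None = None) -> int:
        """Add a rule. Without a sequence number it goes at the end of the ACL
        with a number 10 greater than the last rule (10 for an empty ACL)."""
        if seq is None:
            seq = max(self.rules, default=0) + 10
        if seq in self.rules:
            raise ValueError(f"sequence number {seq} is already in use")
        self.rules[seq] = rule
        return seq

    def remove(self, seq: int) -> None:
        """'no <seq>' removes a rule by number without retyping the whole rule."""
        del self.rules[seq]

    def move(self, seq: int, new_seq: int) -> None:
        """Move a rule: add a second instance at the new position first, then
        remove the original, so traffic is never left without the rule."""
        self.add(self.rules[seq], new_seq)
        self.remove(seq)

    def resequence(self, start: int = 10, step: int = 10) -> None:
        """Renumber all rules in their current order, opening gaps between
        contiguously numbered rules such as 100 and 101."""
        ordered = [self.rules[s] for s in sorted(self.rules)]
        self.rules = {start + i * step: r for i, r in enumerate(ordered)}

    def sequences(self) -> list[int]:
        return sorted(self.rules)

    def show(self) -> list[str]:
        """Rules as they would appear in the running configuration."""
        return [f"{s} {self.rules[s]}" for s in sorted(self.rules)]


if __name__ == "__main__":
    acl = IpAcl("acl-01")
    acl.add("permit tcp 10.0.0.0/8 any", seq=100)
    acl.add("permit udp 10.0.0.0/8 any", seq=101)
    acl.add("deny ip any any", seq=225)
    acl.add("permit icmp any any")  # auto-assigned 235
    acl.resequence(100, 10)         # now 100, 110, 120, 130
    acl.add("permit ip 192.168.2.0/24 any", seq=105)
    print("\n".join(acl.show()))
```

Running the module shows the rule that could not fit between 100 and 101 slotting in at 105 once the ACL has been resequenced.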
Logical Operators and Logical Operation Units
IP ACL rules for TCP and UDP traffic can use logical operators to filter traffic based on port numbers.
The Cisco Nexus device stores operator-operand couples in registers called logical operation units (LOUs) to perform operations (greater than, less than, not equal to, and range) on the TCP and UDP ports specified in an IP ACL.
Note: The range operator is inclusive of boundary values.
These LOUs minimize the number of ternary content addressable memory (TCAM) entries needed to perform these operations. A maximum of two LOUs are allowed for each feature on an interface. For example, an ingress RACL can use two LOUs, and a QoS feature can use two LOUs. If an ACL feature requires more than two arithmetic operations, the first two operations use LOUs, and the remaining access control entries get expanded.
The following guidelines determine when the device stores operator-operand couples in LOUs:
- If the operator or operand differs from other operator-operand couples that are used in other rules, the couple is stored in an LOU. For example, the operator-operand couples "gt 10" and "gt 11" would be stored separately in half an LOU each. The couples "gt 10" and "lt 10" would also be stored separately.
- Whether the operator-operand couple is applied to a source port or a destination port in the rule affects LOU usage. Identical couples are stored separately when one of the identical couples is applied to a source port and the other couple is applied to a destination port. For example, if a rule applies the operator-operand couple "gt 10" to a source port and another rule applies a "gt 10" couple to a destination port, both couples would also be stored in half an LOU, resulting in the use of one whole LOU. Any additional rules using a "gt 10" couple would not result in further LOU usage.
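The following Python function is an added example (not Cisco code) that applies the two LOU guidelines above to a list of rules: every distinct operator-operand couple, keyed additionally by whether it applies to a source or a destination port, takes half an LOU; identical couples on the same side are free; "eq" needs no arithmetic and no LOU; and once the feature's two LOUs (four halves) are full, further rules with arithmetic operators are reported as expanded. First-come allocation order and the half-LOU accounting are modelled from the text, not from hardware documentation.

```python
"""Model of logical operation unit (LOU) allocation (added example, not Cisco code)."""
from collections import OrderedDict
from typing import List, Tuple

LOU_OPERATORS = {"gt", "lt", "neq", "range"}  # operators that need arithmetic
MAX_LOUS_PER_FEATURE = 2
HALVES_PER_LOU = 2


def lou_usage(rules: List[Tuple[str, str, str, object]],
              max_lous: int = MAX_LOUS_PER_FEATURE):
    """Return (lous_used, couples_stored, expanded_rule_names).

    rules: (rule_name, side, operator, operand) with side 'src' or 'dst';
    operand is a port number, or a (low, high) tuple for 'range'.
    """
    slots = OrderedDict()  # (side, operator, operand) -> half-LOU index
    expanded = []
    capacity = max_lous * HALVES_PER_LOU
    for name, side, op, operand in rules:
        if op not in LOU_OPERATORS:
            continue  # 'eq' is a plain TCAM match, no LOU needed
        key = (side, op, operand)
        if key in slots:
            continue  # identical couple on the same side reuses its half-LOU
        if len(slots) < capacity:
            slots[key] = len(slots)
        else:
            expanded.append(name)  # no LOU left: the ACE is expanded instead
    halves = len(slots)
    lous = -(-halves // HALVES_PER_LOU)  # ceiling division
    return lous, list(slots), expanded


if __name__ == "__main__":
    # Constructed rule set mirroring the examples in the text.
    demo = [
        ("r10", "src", "gt", 10),
        ("r20", "dst", "gt", 10),   # same couple, other side: second half-LOU
        ("r30", "src", "gt", 10),   # identical to r10: no further LOU usage
        ("r40", "src", "gt", 11),   # different operand: stored separately
        ("r50", "dst", "lt", 10),   # different operator: stored separately
        ("r60", "src", "range", (1024, 65535)),  # both LOUs full: expanded
        ("r70", "dst", "eq", 22),   # eq never consumes an LOU
    ]
    print(lou_usage(demo))
```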
ACL TCAM Regions
You can change the size of the ACL ternary content addressable memory (TCAM) regions in the hardware.
The IPv4 TCAMs are single wide.
- To revert to the default ACL TCAM size, use the no hardware profile tcam region command. You no longer need to use the write erase command and reload the switch.
- Depending on the Cisco Nexus device, each TCAM region might have a different minimum/maximum/aggregate size restriction.
- The default size of the ARPACL TCAM is zero. Before you use ARP ACLs in a Control Plane Policing (CoPP) policy, you must set the size of this TCAM to a non-zero size.
- You must set the VACL and egress VLAN ACL (E-VACL) size to the same value.
- The total TCAM depth is 2000 for ingress and 1000 for egress, which can be carved in 256 entries blocks.
- After TCAM carving, you must reload the switch.
- Not all existing TCAM regions can be set to size 0 (see the minimum sizes in the table below).
- By default, all IPv6 TCAMs are disabled (the TCAM size is set to 0).
| TCAM ACL Region | Default Size | Minimum Size | Incremental Size | Maximum Size |
|---|---|---|---|---|
| SUP (ingress) | 128 x 2 | 128 x 2 | N/A | 128 x 2 |
| PACL (ingress) | 384 | ARPACL disabled = 128; ARPACL enabled = 256 | 256 | 1664 (combined) |
| VACL (ingress) | 512 | 0 | 256 | |
| RACL (ingress) | 512 | 256 | 256 | |
| QOS (ingress) | 256 | 256 | 256 | |
| E-VACL (egress) | 512 | 0 | 256 | 1024 (combined) |
| E-RACL (egress) | 512 | 0 | 256 | |
| NAT | 256 | 256 | 16 | |
Licensing Requirements for ACLs
The following table shows the licensing requirements for this feature:
| Product | License Requirement |
|---|---|
| Cisco NX-OS | No license is required to use ACLs. |
Prerequisites for ACLs
IP ACLs have the following prerequisites:
- You must be familiar with IP addressing and protocols to configure IP ACLs.
- You must be familiar with the interface types that you want to configure with ACLs.
VACLs have the following prerequisite:
Guidelines and Limitations for ACLs
IP ACLs have the following configuration guidelines and limitations:
- We recommend that you perform ACL configuration using the Session Manager. This feature allows you to verify ACL configuration and confirm that the resources required by the configuration are available prior to committing them to the running configuration. This is especially useful for ACLs that include more than about 1000 rules.
- Packets that fail the Layer 3 maximum transmission unit check and therefore require fragmenting.
- IPv4 packets that have IP options (additional IP packet header fields following the destination address field).
- When you apply an ACL that uses time ranges, the device updates the ACL entries whenever a time range referenced in an ACL entry starts or ends. Updates that are initiated by time ranges occur on a best-effort priority. If the device is especially busy when a time range causes an update, the device may delay the update by up to a few seconds.
- To apply an IP ACL to a VLAN interface, you must have enabled VLAN interfaces globally.
- To use the match-local-traffic option for all inbound and outbound traffic, you must first enable the ACL in the software.
VACLs have the following configuration guidelines and limitations:
- We recommend that you perform ACL configurations using the Session Manager. This feature allows you to verify ACL configuration and confirm that the resources required by the configuration are available prior to committing them to the running configuration.
- ACL statistics are not supported if the DHCP snooping feature is enabled.
- If an IPv4 ACL, applied as a VLAN ACL, contains one or more ACEs with logical operators for TCP/UDP port numbers, the port numbers are matched in the ingress direction but ignored in the egress direction.
- One VLAN access map can match only one IP ACL.
- An IP ACL can have multiple permit/deny ACEs.
- One VLAN can have only one access map applied.
- Egress RACLs and VACLs cannot be applied in warp mode.
- Egress ACLs cannot be applied to multicast traffic.
- Ingress RACLs cannot distinguish multicast routed versus bridged traffic.
- Link Local (ARP, HSRP, VRRP, OSPF, IGMP, and so on) and IP-option packets cannot be matched in an interface policy, RACL, VACL, or PACL.
Default ACL Settings
The following table lists the default settings for IP ACL parameters.
| Parameters | Default |
|---|---|
| IP ACLs | No IP ACLs exist by default. |
| ACL rules | Implicit rules apply to all ACLs. |
The following table lists the default settings for VACL parameters.
| Parameters | Default |
|---|---|
| VACLs | No IP ACLs exist by default. |
| ACL rules | Implicit rules apply to all ACLs. |
Configuring IP ACLs
Creating an IP ACL
You can create an IPv4 ACL on the switch and add rules to it.
The following example shows how to create an IPv4 ACL:
switch# configure terminal
switch(config)# ip access-list acl-01
switch(config-acl)# permit ip 192.168.2.0/24 any
switch(config-acl)# statistics
Changing an IP ACL
You can add and remove rules in an existing IPv4 ACL. You cannot change existing rules. Instead, to change a rule, you can remove it and recreate it with the desired changes.
If you need to add more rules between existing rules than the current sequence numbering allows, you can use the resequence command to reassign sequence numbers.
Removing an IP ACL
You can remove an IP ACL from the switch.
Before you remove an IP ACL from the switch, be sure that you know whether the ACL is applied to an interface. The switch allows you to remove ACLs that are currently applied. Removing an ACL does not affect the configuration of interfaces where you have applied the ACL. Instead, the switch considers the removed ACL to be empty.
Changing Sequence Numbers in an IP ACL
You can change all the sequence numbers assigned to the rules in an IP ACL.
Applying an IP ACL to mgmt0
You can apply an IPv4 ACL to the management interface (mgmt0).
Ensure that the ACL that you want to apply exists and that it is configured to filter traffic in the manner that you need for this application.
Applying an IP ACL as a Port ACL
You can apply an IPv4 ACL to a physical Ethernet interface or a PortChannel. ACLs applied to these interface types are considered port ACLs.
Note: Some configuration parameters, when applied to a PortChannel, are not reflected in the configuration of the member ports.
Applying an IP ACL as a Router ACL
You can apply an IPv4 ACL to any of the following types of interfaces:
- Physical Layer 3 interfaces and subinterfaces
- Layer 3 Ethernet port-channel interfaces and subinterfaces
- VLAN interfaces
- Tunnels
- Management interfaces
ACLs applied to these interface types are considered router ACLs.
Note: Logical operation units (LOUs) are not available for router ACLs applied in the out direction. If an IPv4 ACL is applied as a router ACL in the out direction, access control entries (ACEs) that contain logical operators for TCP/UDP port numbers are expanded internally to multiple ACEs and might require more TCAM entries when compared to the same ACL applied in the in direction.
Ensure that the ACL you want to apply exists and that it is configured to filter traffic in the manner that you need for this application.
Verifying IP ACL Configurations
To display IP ACL configuration information, perform one of the following tasks:
switch# show running-config
Displays ACL configuration, including IP ACL configuration and interfaces that IP ACLs are applied to.
switch# show running-config interface
Displays the configuration of an interface to which you have applied an ACL.
For detailed information about the fields in the output from these commands, refer to the Command Reference for your Cisco Nexus device.
Monitoring and Clearing IP ACL Statistics
Use the show ip access-lists command to display statistics about an IP ACL, including the number of packets that have matched each rule. For detailed information about the fields in the output from this command, see the Command Reference for your Cisco Nexus device.
Note: The mac access-list is applicable to non-IPv4 traffic only.
switch# show ip access-lists name
Displays IP ACL configuration. If the IP ACL includes the statistics command, then the show ip access-lists command output includes the number of packets that have matched each rule.
switch# clear ip access-list counters [access-list-name]
Clears statistics for all IP ACLs or for a specific IP ACL.
Information About VLAN ACLs
A VLAN ACL (VACL) is one application of an IP ACL. You can configure VACLs to apply to all packets that are bridged within a VLAN. VACLs are used strictly for security packet filtering. VACLs are not defined by direction (ingress or egress).
VACLs and Access Maps
VACLs use access maps to link an IP ACL to an action. The switch takes the configured action on packets permitted by the VACL.
VACLs and Actions
In access map configuration mode, you use the action command to specify one of the following actions:
Statistics
The Cisco Nexus device can maintain global statistics for each rule in a VACL. If a VACL is applied to multiple VLANs, the maintained rule statistics are the sum of packet matches (hits) on all the interfaces on which that VACL is applied.
Note: The Cisco Nexus device does not support interface-level VACL statistics.
For each VLAN access map that you configure, you can specify whether the switch maintains statistics for that VACL. This allows you to turn VACL statistics on or off as needed to monitor traffic filtered by a VACL or to help troubleshoot VLAN access-map configuration.
Configuring VACLs
Creating or Changing a VACL
You can create or change a VACL. Creating a VACL includes creating an access map that associates an IP ACL with an action to be applied to the matching traffic.
To create or change a VACL, perform this task:
Removing a VACL
You can remove a VACL, which means that you will delete the VLAN access map.
Be sure that you know whether the VACL is applied to a VLAN. The switch allows you to remove VACLs that are currently applied. Removing a VACL does not affect the configuration of VLANs where you have applied the VACL. Instead, the switch considers the removed VACL to be empty.
Applying a VACL to a VLAN
You can apply a VACL to a VLAN.
Verifying VACL Configuration
To display VACL configuration information, perform one of the following tasks:
switch# show running-config aclmgr
Displays ACL configuration, including VACL-related configuration.
switch# show vlan filter
Displays information about VACLs that are applied to a VLAN.
switch# show vlan access-map
Displays information about VLAN access maps.
Displaying and Clearing VACL Statistics
To display or clear VACL statistics, perform one of the following tasks:
switch# show vlan access-list
Displays VACL configuration. If the VLAN access-map includes the statistics command, then the show vlan access-list command output includes the number of packets that have matched each rule.
switch# clear vlan access-list counters
Clears statistics for all VACLs or for a specific VACL.
Configuration Examples for VACL
The following example shows how to configure a VACL to forward traffic permitted by an IP ACL named acl-ip-01 and how to apply the VACL to VLANs 50 through 82:
switch# configure terminal
switch(config)# vlan access-map acl-ip-map
switch(config-access-map)# match ip address acl-ip-01
switch(config-access-map)# action forward
switch(config-access-map)# exit
switch(config)# vlan filter acl-ip-map vlan-list 50-82
Configuring ACL TCAM Region Sizes
You can change the size of the ACL ternary content addressable memory (TCAM) regions in the hardware.
The following example shows how to change the size of the RACL TCAM region:
switch(config)# hardware profile tcam region racl 256
[SUCCESS] New tcam size will be applicable only at boot time.
You need to 'copy run start' and 'reload'
switch(config)# copy running-config startup-config
switch(config)# reload
WARNING: This command will reboot the system
Do you want to continue? (y/n) [n] y
The following example shows the error message you see when you set the ARP ACL TCAM value to a value other than 0 or 128, and then shows how to change the size of the ARP ACL TCAM region:
switch(config)# hardware profile tcam region arpacl 200
ARPACL size can be either 0 or 128
switch(config)# hardware profile tcam region arpacl 128
To start using ARPACL tcam, IFACL tcam size needs to be changed.
Changing IFACL tcam size to 256
[SUCCESS] New tcam size will be applicable only at boot time.
You need to 'copy run start' and 'reload'
The following example shows how to configure the TCAM VLAN ACLs on a switch:
switch# configure sync
Enter configuration commands, one per line. End with CNTL/Z.
switch(config-sync)# switch-profile s5010
Switch-Profile started, Profile ID is 1
switch(config-sync-sp)# hardware profile tcam region vacl 512
switch(config-sync-sp)# hardware profile tcam region e-vacl 512
switch(config-sync-sp)#
This example shows how to display the TCAM region sizes to verify your changes:
switch(config)# show hardware profile tcam region
sup size = 16
vacl size = 640
ifacl size = 496
qos size = 256
rbacl size = 0
span size = 0
racl size = 1536
e-racl size = 256
e-vacl size = 640
qoslbl size = 0
ipsg size = 0
arpacl size = 0
ipv6-racl size = 0
ipv6-e-racl size = 0
ipv6-sup size = 0
ipv6-qos size = 0
nat size = 256
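The following Python script is an added example, not Cisco code: it parses the show hardware profile tcam region output above (embedded as a constructed copy), checks the two carving constraints this chapter states explicitly (the VACL and E-VACL regions must have the same size, and the ARPACL region accepts only 0 or 128, as the error message in the ARP ACL example shows), and lists the hardware profile tcam region, copy running-config startup-config and reload commands a proposed change would need. The function names are the example's own; the aggregate-depth limits are not checked because the table and the sample output come from different platforms.

```python
"""Parse 'show hardware profile tcam region' output and check the carving
rules stated in this chapter (added example, not Cisco code)."""
import re
from typing import Dict, List

# Constructed copy of the sample output shown in the chapter.
SHOW_OUTPUT = """\
sup size = 16
vacl size = 640
ifacl size = 496
qos size = 256
rbacl size = 0
span size = 0
racl size = 1536
e-racl size = 256
e-vacl size = 640
qoslbl size = 0
ipsg size = 0
arpacl size = 0
ipv6-racl size = 0
ipv6-e-racl size = 0
ipv6-sup size = 0
ipv6-qos size = 0
nat size = 256
"""

LINE_RE = re.compile(r"^\s*([a-z0-9-]+)\s+size\s*=\s*(\d+)\s*$")


def parse_tcam_regions(text: str) -> Dict[str, int]:
    """Map each region name to its configured size."""
    regions: Dict[str, int] = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            regions[match.group(1)] = int(match.group(2))
    return regions


def check_tcam_regions(regions: Dict[str, int]) -> List[str]:
    """Return a list of constraint violations (empty means the carving is consistent)."""
    problems = []
    if regions.get("vacl") != regions.get("e-vacl"):
        problems.append(
            f"vacl ({regions.get('vacl')}) must equal e-vacl ({regions.get('e-vacl')})")
    if regions.get("arpacl", 0) not in (0, 128):
        problems.append(f"arpacl size can be either 0 or 128, not {regions['arpacl']}")
    return problems


def arp_acl_ready(regions: Dict[str, int]) -> bool:
    """ARP ACLs in a CoPP policy need a non-zero ARPACL region."""
    return regions.get("arpacl", 0) > 0


def carve_commands(current: Dict[str, int], desired: Dict[str, int]) -> List[str]:
    """CLI steps to move from the current sizes to the desired ones.

    The merged result is validated first, so a VACL change without the matching
    E-VACL change is rejected before any command is produced. New sizes apply
    only at boot, so the list ends with the save and reload the switch asks for.
    """
    target = dict(current)
    target.update(desired)
    problems = check_tcam_regions(target)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = [f"hardware profile tcam region {name} {size}"
            for name, size in desired.items() if current.get(name) != size]
    if cmds:
        cmds += ["copy running-config startup-config", "reload"]
    return cmds


if __name__ == "__main__":
    regions = parse_tcam_regions(SHOW_OUTPUT)
    print("violations:", check_tcam_regions(regions))
    print("ARP ACL usable in CoPP:", arp_acl_ready(regions))
    print("\n".join(carve_commands(regions, {"vacl": 512, "e-vacl": 512})))
```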
Reverting to the Default TCAM Region Sizes
| Step | Command or Action | Purpose |
|---|---|---|
| Step 1 | configure terminal Example: switch# configure terminal switch(config)# | Enters global configuration mode. |
| Step 2 | switch(config)# no hardware profile tcam region {arpacl \| e-racl \| ifacl \| ipsg \| nat \| qos \| qoslbl \| racl \| vacl} tcam_size | Reverts the configuration to the default ACL TCAM size. |
| Step 3 | copy running-config startup-config Example: switch(config)# copy running-config startup-config | (Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration. |
| Step 4 | switch(config)# reload | Reloads the switch. |
The following example shows how to revert the RACL TCAM region to its default size:
switch(config)# no hardware profile tcam region racl 256
[SUCCESS] New tcam size will be applicable only at boot time.
You need to 'copy run start' and 'reload'
switch(config)# copy running-config startup-config
switch(config)# reload
WARNING: This command will reboot the system
Do you want to continue? (y/n) [n] y
Configuring ACLs on Virtual Terminal Lines
To restrict incoming and outgoing connections for IPv4 between a Virtual Terminal (VTY) line and the addresses in an access list, use the access-class command in line configuration mode. To remove access restrictions, use the no form of this command.
Follow these guidelines when configuring ACLs on VTY lines:
Be sure that the ACL that you want to apply exists and is configured to filter traffic for this application.
| Step | Command or Action | Purpose |
|---|---|---|
| Step 1 | switch# configure terminal | Enters global configuration mode. |
| Step 2 | switch(config)# line vty Example: switch(config)# line vty switch(config-line)# | Enters line configuration mode. |
| Step 3 | switch(config-line)# access-class access-list-number {in \| out} Example: switch(config-line)# access-class ozi2 in switch(config-line)# access-class ozi3 out switch(config-line)# | Specifies inbound or outbound access restrictions. |
| Step 4 | switch(config-line)# no access-class access-list-number {in \| out} Example: switch(config-line)# no access-class ozi2 in switch(config-line)# no access-class ozi3 out switch(config-line)# | (Optional) Removes inbound or outbound access restrictions. |
| Step 5 | switch(config-line)# exit Example: switch(config-line)# exit switch# | Exits line configuration mode. |
| Step 6 | switch# show running-config aclmgr Example: switch# show running-config aclmgr | (Optional) Displays the running configuration of the ACLs on the switch. |
| Step 7 | switch# copy running-config startup-config Example: switch# copy running-config startup-config | (Optional) Copies the running configuration to the startup configuration. |
The following example shows how to apply the access-class ozi2 command to the in-direction of the vty line.
switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# line vty
switch(config-line)# access-class ozi2 in
switch(config-line)# exit
switch#
Verifying ACLs on VTY Lines
To display the ACL configurations on VTY lines, perform one of the following tasks:
| Command | Purpose |
|---|---|
| show running-config aclmgr | Displays the running configuration of the ACLs configured on the switch. |
| show users | Displays the users that are connected. |
| show access-lists access-list-name | Displays the statistics per entry. |
Configuration Examples for ACLs on VTY Lines
The following example shows the connected users on the console line (ttyS0) and the VTY lines (pts/0 and pts/1).
switch# show users
NAME     LINE     TIME          IDLE   PID    COMMENT
admin    ttyS0    Aug 27 20:45  .      14425  *
admin    pts/0    Aug 27 20:06  00:46  14176  (172.18.217.82) session=ssh
admin    pts/1    Aug 27 20:52  .      14584  (10.55.144.118)
The following example shows how to allow vty connections to all IPv4 hosts except 172.18.217.82 and how to deny vty connections to any IPv4 host except 10.55.144.118, 172.18.217.79, 172.18.217.82, 172.18.217.92:
switch# show running-config aclmgr
!Time: Fri Aug 27 22:01:09 2010
version 5.0(2)N1(1)
ip access-list ozi
  10 deny ip 172.18.217.82/32 any
  20 permit ip any any
ip access-list ozi2
  10 permit ip 10.55.144.118/32 any
  20 permit ip 172.18.217.79/32 any
  30 permit ip 172.18.217.82/32 any
  40 permit ip 172.18.217.92/32 any
line vty
  access-class ozi in
  access-class ozi2 out
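The following Python script is an added example, not Cisco code: it serves both the first-match evaluation and implicit "deny ip any any" described under Information About ACLs and Implicit Rules, and the VTY example just shown. It parses a constructed copy of the show running-config aclmgr output above into rule lists, reads which ACL the line vty block applies in each direction, and walks the rules in sequence order, returning the first match or the implicit deny when nothing matches. Which address is tested as the source follows how the entries are written (the remote host in the source field); the function and type names are the example's own.

```python
"""First-match ACL evaluation with the implicit 'deny ip any any'
(added example, not Cisco code)."""
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed copy of the 'show running-config aclmgr' output shown above.
RUNNING_CONFIG = """\
!Time: Fri Aug 27 22:01:09 2010
version 5.0(2)N1(1)
ip access-list ozi
  10 deny ip 172.18.217.82/32 any
  20 permit ip any any
ip access-list ozi2
  10 permit ip 10.55.144.118/32 any
  20 permit ip 172.18.217.79/32 any
  30 permit ip 172.18.217.82/32 any
  40 permit ip 172.18.217.92/32 any
line vty
  access-class ozi in
  access-class ozi2 out
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


class Rule(NamedTuple):
    seq: int
    action: str     # 'permit' or 'deny'
    proto: str      # 'ip' matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D/len' starting at tokens[i]."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ANY, i + 1
    return ipaddress.ip_network(tokens[i], strict=False), i + 1


def parse_config(config: str) -> Tuple[Dict[str, List[Rule]], Dict[str, str]]:
    """Return ({acl_name: rules}, {'in'|'out': acl_name}) from aclmgr output."""
    acls: Dict[str, List[Rule]] = {}
    vty: Dict[str, str] = {}
    mode: Optional[str] = None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        if tokens[:2] == ["ip", "access-list"]:
            mode = tokens[2]
            acls[mode] = []
        elif tokens[:2] == ["line", "vty"]:
            mode = "line vty"
        elif mode == "line vty" and tokens[0] == "access-class":
            vty[tokens[2]] = tokens[1]          # direction -> ACL name
        elif mode in acls and tokens[0].isdigit() and tokens[1] in ("permit", "deny"):
            src, i = _take_addr(tokens, 3)
            dst, _ = _take_addr(tokens, i)
            acls[mode].append(Rule(int(tokens[0]), tokens[1], tokens[2], src, dst))
        else:
            mode = None                          # e.g. the 'version' line
    return acls, vty


def evaluate(rules: List[Rule], proto: str, src_ip: str, dst_ip: str):
    """(action, seq) of the first matching rule in sequence order;
    (deny, None) stands for the implicit 'deny ip any any'."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.proto not in ("ip", proto):
            continue
        if src in rule.src and dst in rule.dst:
            return rule.action, rule.seq
    return "deny", None


def vty_decision(config: str, direction: str, remote_ip: str, proto: str = "tcp") -> str:
    """Apply the ACL bound to the VTY line in 'in' or 'out' to a remote host."""
    acls, vty = parse_config(config)
    if direction not in vty:
        return "permit"                          # no access-class: unrestricted
    return evaluate(acls[vty[direction]], proto, remote_ip, "0.0.0.0")[0]


if __name__ == "__main__":
    for host in ("172.18.217.82", "172.18.217.83", "10.55.144.118"):
        print(host, "in:", vty_decision(RUNNING_CONFIG, "in", host),
              "out:", vty_decision(RUNNING_CONFIG, "out", host))
```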
The following example shows how to configure the IP access list by enabling per-entry statistics for the ACL:
switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# ip access-list ozi2
switch(config-acl)# statistics per-entry
switch(config-acl)# deny tcp 172.18.217.83/32 any
switch(config-acl)# exit
switch(config)# ip access-list ozi
switch(config-acl)# statistics per-entry
switch(config-acl)# permit ip 172.18.217.20/24 any
switch(config-acl)# exit
switch#
The following example shows how to apply the ACLs on VTY in and out directions:
switch(config)# line vty
switch(config-line)# ip access-class ozi in
switch(config-line)# access-class ozi2 out
switch(config-line)# exit
switch#
The following example shows how to remove the access restrictions on the VTY line:
switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# line vty
switch(config-line)# no access-class ozi2 in
switch(config-line)# no ip access-class ozi2 in
switch(config-line)# exit
switch#