IP Access List

The Soodar router ships with a rich set of IP access list tools. It supports standard and extended ACLs, both in named form.
An access list uses a first-match approach: the first entry that matches is selected as the result and the evaluation stops there.

Define an ACL

To define an IPv4 access list, issue the following command:

ip access-list ACL4

ACL4 is the access list name.

Example :

soodar(config)# ip access-list ACL_TEST
soodar(config-nacl)#

For an IPv6 access list, the command uses the ipv6 keyword:

ipv6 access-list ACL6

Delete an ACL

Use the no form of the command to delete an ACL:

no ip access-list ACL4
no ipv6 access-list ACL6

Define an entry

Rules (or entries) can be defined in two ways:

  1. Along with the access list name and without a sequence number

  2. In access-list configuration mode

Since access lists use a first-match approach, entries have priorities. By default the priority is sequential (the first entry has the highest priority); this behaviour can be changed with sequence numbers.

Define an entry in one-line mode

ip access-list ACL4 <deny|permit> <any|A.B.C.D/M> <any|A.B.C.D/M> [exact-match]

Create a simple IPv4 entry; it matches packets of any IP protocol. If exact-match is given, the prefix lengths are also compared and must be the same (192.168.1.1/24 is not a match for 192.168.1.1/16).
ACL4 is the access list name. The next input is the action taken when the entry matches. Then come the source and destination prefixes; instead of either, the user can enter any to match every address.

Example :

n1(config)# ip access-list TEST_ACL1 deny any 10.1.16.68/32
n1(config)# ip access-list TEST_ACL1 permit any any

Note

It is best practice to add a permit any rule as the last entry, because by default a packet that matches none of the entries is dropped.

ipv6 access-list ACL6 <deny|permit> <any|X:X::X:X/M> <any|X:X::X:X/M> [exact-match]

Example :

n1(config)# ipv6 access-list TEST_ACLV6 deny any 2001::1:2:1/64 exact-match
n1(config)# ipv6 access-list TEST_ACLV6 permit any any

Create a simple IPv6 entry; it matches packets of any IP protocol. If exact-match is given, the prefix lengths are also compared and must be the same.
ACL6 is the access list name. The next input is the action taken when the entry matches. Then come the source and destination prefixes; instead of either, the user can enter any to match every address.

ip access-list ACL4 <deny|permit> PROTOSERVICE <any|A.B.C.D/M> <any|A.B.C.D/M> [exact-match]

Create an IP entry based on a service or protocol name.

Example :

n1(config)# ip access-list SSH_DENY deny ssh any any
n1(config)# ip access-list SSH_DENY permit any any

Deny any SSH connection. In fact this entry creates two entries: the first denies TCP connections with source port 22, the second does the same for destination port 22:

   ip access-list SSH_DENY deny tcp any eq 22 any le 65535
   ip access-list SSH_DENY deny tcp any le 65535 any eq 22

ipv6 access-list ACL6 <deny|permit> PROTOSERVICE <any|X:X::X:X/M> <any|X:X::X:X/M> [exact-match]

The IPv6 form of the service or protocol entry.

ip access-list ACL4 <deny|permit> tcp <any|A.B.C.D/M> SRC_PORT <any|A.B.C.D/M> DST_PORT [tcp-flag-mask (0-255)] [tcp-flag-value (0-255)] [exact-match]
ipv6 access-list ACL6 <deny|permit> tcp <any|X:X::X:X/M> SRC_PORT <any|X:X::X:X/M> DST_PORT [tcp-flag-mask (0-255)] [tcp-flag-value (0-255)] [exact-match]

A TCP connection entry. It filters on address prefix and port number and, if specified, on TCP flags.
Port numbers are specified with operators or ranges.
An operator consists of an operator name and an integer in [0-65535]. The operator names are eq (equal), le (lower or equal), ge (greater or equal), lt (lower than) and gt (greater than).
A range is specified by two integers in [0-65535].
Instead of a port number, the name of a well-known TCP service can be used.
The TCP flag mask selects the flags to examine, and the TCP flag value is compared against the masked flags (whether they are set or not).

Example :

n1(config)# ip access-list PERMIT_TRUSTED permit tcp 10.0.0.0/8 lt 1000 any
n1(config)# ip access-list DENY_FROM_HTTP_TO_HTTPS deny tcp 10.0.0.0/8 range 80 443 any
n1(config)# ip access-list DENY_FROM_HTTP_TO_HTTPS permit any any

In fact, DENY_FROM_HTTP_TO_HTTPS could be rewritten with service names like this:

n1(config)# ip access-list DENY_FROM_HTTP_TO_HTTPS deny tcp 10.0.0.0/8 range http https any
n1(config)# ip access-list DENY_FROM_HTTP_TO_HTTPS permit any any
ip access-list ACL4 <deny|permit> udp <any|A.B.C.D/M> SRC_PORT <any|A.B.C.D/M> DST_PORT [exact-match]
ipv6 access-list ACL6 <deny|permit> udp <any|X:X::X:X/M> SRC_PORT <any|X:X::X:X/M> DST_PORT

A UDP entry. It filters on address prefix and port number, with ports specified as for TCP.

Example :

n1(config)# ip access-list DENY_DNS deny udp any eq domain any

Deny any DNS service.

ip access-list ACL4 <deny|permit> icmp <any|A.B.C.D/M> ICMP_TYPE_OPERATOR <any|A.B.C.D/M> ICMP_CODE_OPERATOR [exact-match]
ipv6 access-list ACL6 <deny|permit> icmp <any|X:X::X:X/M> ICMP_TYPE_OPERATOR <any|X:X::X:X/M> ICMP_CODE_OPERATOR [exact-match]

An ICMP entry. ICMP type and code are specified with operators or ranges.
An operator consists of an operator name and an integer in [0-65535]. The operator names are eq (equal), le (lower or equal), ge (greater or equal), lt (lower than) and gt (greater than).
A range is specified by two integers in [0-65535].

Define an entry in config mode

To enter ACL config mode, it is enough to enter the ACL's name:

soodar(config)# ip access-list ACL_TEST
soodar(config-nacl)# permit any

Entries are defined as in one-line mode; here they are prefixed with sequence numbers:

soodar(config)# ip access-list ACL_TEST
soodar(config-nacl)# 100 permit any
soodar(config-nacl)# 10 deny tcp 10.0.0.0/8 eq www 64.233.185.113/32
soodar(config-nacl)# 20 deny udp any 8.8.8.8 eq 53
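The first-match evaluation, exact-match prefix check, port operators and PROTOSERVICE expansion from the one-line sections, applied to the sequence-numbered ACL_TEST above, as an added Python model that is not Soodar's own code. The entry and packet dictionaries, www = 80, domain = 53, and reading "20 deny udp any 8.8.8.8 eq 53" as destination 8.8.8.8 port 53 are assumptions.

```python
from ipaddress import ip_network
# Port operators named on the page: eq, le, ge, lt, gt; "range" is handled in port_matches.
OPS = {"eq": lambda p, n: p == n, "le": lambda p, n: p <= n, "ge": lambda p, n: p >= n,
       "lt": lambda p, n: p < n, "gt": lambda p, n: p > n}

def port_matches(spec, port):
    """spec: None (any port), ("range", lo, hi) or (operator, n)."""
    if spec is None:
        return True
    if spec[0] == "range":
        return spec[1] <= port <= spec[2]
    return OPS[spec[0]](port, spec[1])

def prefix_matches(spec, prefix, exact):
    """spec: "any" or A.B.C.D/M; prefix: the matched address (a host is /32).
    With exact-match the prefix lengths must be equal too: a /24 is not a /16."""
    if spec == "any":
        return True
    want, got = ip_network(spec, strict=False), ip_network(prefix, strict=False)
    if exact and want.prefixlen != got.prefixlen:
        return False
    return got.subnet_of(want)

def entry(seq, action, proto="ip", src="any", sport=None, dst="any", dport=None,
          exact=False, mask=0, value=0):
    return dict(seq=seq, action=action, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, exact=exact, mask=mask, value=value)

def service_entries(seq, action, port):
    """PROTOSERVICE expansion: 'deny ssh any any' -> one TCP entry per port direction."""
    return [entry(seq, action, "tcp", "any", ("eq", port), "any", ("le", 65535)),
            entry(seq + 1, action, "tcp", "any", ("le", 65535), "any", ("eq", port))]

def evaluate(entries, pkt):
    """First match in ascending sequence order; (deny, None) is the implicit drop."""
    for e in sorted(entries, key=lambda e: e["seq"]):
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        ok = (prefix_matches(e["src"], pkt["src"], e["exact"])
              and prefix_matches(e["dst"], pkt["dst"], e["exact"]))
        if e["proto"] in ("tcp", "udp"):  # port operators apply to these only
            ok = ok and port_matches(e["sport"], pkt["sport"]) and port_matches(e["dport"], pkt["dport"])
        if e["proto"] == "tcp":  # (flags & mask) must equal value; mask 0 matches all
            ok = ok and (pkt.get("flags", 0) & e["mask"]) == e["value"]
        if ok:
            return e["action"], e["seq"]
    return "deny", None

ACL_TEST = [entry(100, "permit"),  # ACL_TEST from config mode; www=80, domain=53 assumed
            entry(10, "deny", "tcp", "10.0.0.0/8", ("eq", 80), "64.233.185.113/32"),
            entry(20, "deny", "udp", "any", None, "8.8.8.8/32", ("eq", 53))]
```

Dropping the final permit any (ACL_TEST[1:]) shows the implicit drop the Note above warns about: an unmatched packet returns ("deny", None).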

Negate an entry

Just use the no form of the command.

Example in config mode:

soodar(config)# ip access-list ACL_TEST
soodar(config-nacl)# no 100
soodar(config-nacl)# no 10 deny tcp 10.0.0.0/8 eq www 64.233.185.113/32
soodar(config-nacl)# no deny udp any 8.8.8.8 eq 53

You can negate an entry by its sequence number, by its definition, or by both.

All above commands can be entered in one-line mode:

soodar(config)# no ip access-list ACL_TEST permit any
soodar(config)# no ip access-list ACL_TEST deny tcp 10.0.0.0/8 eq www 64.233.185.113/32
soodar(config)# no ip access-list ACL_TEST deny udp any 8.8.8.8 eq 53

ACL Resequencing

By default, ACL sequence numbers start at 10 and increase in steps of 10. To change this behaviour, use the following command:

ip access-list resequence ACL4 (1-2147483647) (1-32765)

Resequence all access list entries. The first number is the starting sequence number and the second is the step.

Apply ACL

An ACL is applied to the ingress or egress traffic of an interface.

ip access-group ACL4 in
ipv6 access-group ACL6 in

Apply an IPv4 or IPv6 ACL to the interface's input traffic.

Example :

n1(config)# interface ge3
n1(config-if)# ip access-group IN_ACL in

ip access-group ACL4 out
ipv6 access-group ACL6 out

Apply an IPv4 or IPv6 ACL to the interface's output traffic.

ip access-group ACL4 in out
ipv6 access-group ACL6 in out

Apply an ACL to both directions of traffic.

no ip access-group ACL4 in
no ipv6 access-group ACL6 in

Detach an IPv4 or IPv6 ACL from the interface's input traffic.

no ip access-group ACL4 out
no ipv6 access-group ACL6 out

Detach an IPv4 or IPv6 ACL from the interface's output traffic.

no ip access-group ACL4 in out
no ipv6 access-group ACL6 in out

Detach an ACL from both directions of traffic.

Debug

show <ip|ipv6> access-list [NAME]

Display the entries of all access lists, or only of the named one.

Example :

n1# show ip access-list
IP access list TESTACL1
   10 permit tcp 1.1.1.10/32 eq 200 2.1.1.0/24 ge 5060 tcp-flag-mask 0 tcp-flag-value 0