IP Access List

The Soodar router ships with a rich set of IP access list tools. It supports standard ACLs and extended ACLs, both defined by name.
An access list uses a first-match approach: the first entry that matches is selected as the result, and evaluation stops there.

Define an ACL

To define an IPv4 access list, issue the following command:

ip access-list ACL4

ACL4 is the access list name.

Example :

soodar(config)# ip access-list ACL_TEST
soodar(config-nacl)#

Delete an ACL

Use the no form of the command to delete an ACL

no ip access-list ACL4

Remark

You can include a comment or remark about the IP access list

remark LINE ..

Adds a remark for the access list. The remark indicates the purpose of the access list.

Define an entry

Rules (or entries) are defined in access-list configuration mode.

Since access lists use a first-match approach, entries have priorities. By default the order is sequential (the first entry has the highest priority); this behaviour can be changed by using sequence numbers.

To enter ACL configuration mode, just enter the ACL’s name.

soodar(config)# ip access-list ACL_TEST
soodar(config-nacl)# permit any

An access list can contain both the standard and extended ACL rules.

(1-4294967295) <deny|permit> <any|A.B.C.D/M>

Standard ACL entry rule. It is limited to controlling traffic based only on the source IP address.

(1-4294967295) <deny|permit> <any|A.B.C.D/M> <any|A.B.C.D/M> [exact-match]

Create a simple IPv4 entry. It matches against all IP packets. If exact-match is entered, the prefix lengths are also checked and must be the same (192.168.1.1/24 does not match 192.168.1.1/16).
The first input is the entry sequence number. The next input is the action taken when the entry is matched. Then come the source and destination prefixes. Instead of specifying an address, the user can enter any to match every address.

Example :

n1(config)# ip access-list TEST_ACL1
n1(config-nacl)# deny any 10.1.16.68/32
n1(config-nacl)# permit any any

Note

It is best practice to add a permit any rule as the last entry, because by default a packet that matches none of the entries is dropped.

(1-4294967295) <deny|permit> PROTOSERVICE <any|A.B.C.D/M> <any|A.B.C.D/M> [exact-match]

Create an IP entry based on service or protocol.

Example :

n1(config)# ip access-list SSH_DENY deny ssh any any
n1(config)# ip access-list SSH_DENY permit any any

Deny any ``SSH`` connection. This entry creates a rule which denies *TCP* connections to port *22* from the source, equivalent to the following tcp-form entry:

ip access-list TEST_ACL1 deny tcp any le 65535 any eq 22

(1-4294967295) <deny|permit> tcp <any|A.B.C.D/M> SRC_PORT <any|A.B.C.D/M> DST_PORT [tcp-flag-mask (0-255)] [TCP FLAGS] [exact-match]

Create a TCP entry matched on source and destination ports; TCP flags can optionally be matched through tcp-flag-mask.

(1-4294967295) <deny|permit> udp <any|A.B.C.D/M> SRC_PORT <any|A.B.C.D/M> DST_PORT [exact-match]

Create a UDP entry matched on source and destination ports.

Example :

n1(config)# ip access-list DENY_DNS
n1(config-nacl)# deny udp any eq domain any

Deny any DNS service

(1-4294967295) <deny|permit> icmp <any|A.B.C.D/M> <any|A.B.C.D/M> ICMP_TYPE_CODES [exact-match]

ICMP_TYPE_CODES is a well-known ICMP message type and code to match.
They can be given by name (like echo-reply) or by their type and code values.

Negate an entry

Just use the no form of the command

Example in config mode:

soodar(config)# ip access-list ACL_TEST
soodar(config-nacl)# no 100
soodar(config-nacl)# no 10 deny tcp 10.0.0.0/8 eq www 64.233.185.113/32
soodar(config-nacl)# no deny udp any 8.8.8.8 eq 53

You can negate an entry by using its sequence number, its definition, or both.

ACL Resequencing

By default, ACL sequence numbers start at 10 and increase in steps of 10. To change this behaviour use the following command

access-list resequence ACL4 (1-2147483647) (1-32765)

Resequence all access list entries. The first number is the starting sequence number, and the second is the step.
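The evaluation rules described above (first match in sequence order, exact-match prefix comparison, the implicit drop when no entry matches, negation by sequence number and resequencing) as a small Python model. This is an added example, not Soodar code; the rule that an entry added without a sequence number gets the highest existing number plus the step is an assumption.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Entry:
    seq: int
    action: str          # "permit" or "deny"
    src: str             # "any" or "A.B.C.D/M"
    dst: str             # "any" or "A.B.C.D/M"; a standard entry uses "any"
    exact: bool = False  # exact-match: prefix length must be equal as well

def _match(spec, prefix, exact):
    """Without exact-match a prefix argument matches anything inside it;
    with exact-match the address and the length must both be equal."""
    if spec == "any":
        return True
    want = ipaddress.ip_network(spec, strict=False)
    have = ipaddress.ip_network(prefix, strict=False)
    return want == have if exact else have.subnet_of(want)

class AccessList:
    def __init__(self, name, start=10, step=10):
        self.name, self.entries = name, []
        self.start, self.step = start, step  # default numbering: 10, 20, 30 ...

    def add(self, action, src, dst="any", exact=False, seq=None):
        # Assumption: without an explicit sequence number the entry gets the
        # highest existing number plus the step (first entry gets the start).
        if seq is None:
            seq = self.entries[-1].seq + self.step if self.entries else self.start
        self.entries.append(Entry(seq, action, src, dst, exact))
        self.entries.sort(key=lambda e: e.seq)  # lower sequence = higher priority

    def remove(self, seq):
        """The 'no SEQ' form: drop the entry with that sequence number."""
        self.entries = [e for e in self.entries if e.seq != seq]

    def resequence(self, start, step):
        """access-list resequence NAME start step: renumber in evaluation order."""
        for i, e in enumerate(self.entries):
            e.seq = start + i * step
        return [e.seq for e in self.entries]

    def evaluate(self, src, dst):
        """First match wins; a packet (given as host prefixes) that matches
        no entry is dropped by the implicit deny."""
        for e in self.entries:
            if _match(e.src, src, e.exact) and _match(e.dst, dst, e.exact):
                return e.action, e.seq
        return "deny", None
```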

Apply ACL

An ACL is applied to the ingress or egress traffic of an interface.

ip access-group ACL4 in

Apply an IPv4 ACL to the interface’s input traffic

Example :

n1(config)# interface ge3
n1(config-if)# ip access-group IN_ACL in

ipv6 access-group ACL6 in

Apply an IPv6 ACL to the interface’s input traffic

ip access-group ACL4 out

Apply an IPv4 ACL to the interface’s output traffic

ipv6 access-group ACL6 out

Apply an IPv6 ACL to the interface’s output traffic

ip access-group ACL4 in out

Apply an IPv4 ACL to both directions of traffic

ipv6 access-group ACL6 in out

Apply an IPv6 ACL to both directions of traffic

no ip access-group ACL4 in

Detach an IPv4 ACL from the interface’s input traffic

no ipv6 access-group ACL6 in

Detach an IPv6 ACL from the interface’s input traffic

no ip access-group ACL4 out

Detach an IPv4 ACL from the interface’s output traffic

no ipv6 access-group ACL6 out

Detach an IPv6 ACL from the interface’s output traffic

no ip access-group ACL4 in out

Detach an IPv4 ACL from both directions of traffic

no ipv6 access-group ACL6 in out

Detach an IPv6 ACL from both directions of traffic

Debug

show ip access-list [NAME]

Show the configured IP access lists and their entries, or only the access list NAME if given.

Example :

n1# show ip access-list
IP access list TESTACL1
   10 permit tcp 1.1.1.10/32 eq 200 2.1.1.0/24 ge 5060 tcp-flag-mask 0 tcp-flag-value 0

Debugging logs can be enabled when needed.

[no] debug acl event

Log data plane installation processes and their results.