IP Access List

The Soodar router ships with a rich set of IP access list tools. It supports standard and extended ACLs, both defined by name.
An access list uses a first-match approach: the first entry that matches is selected as the result, and evaluation stops there.

Define an ACL

To define an ipv4 access list, issue the following command:

ip access-list ACL4

ACL4 is the access list name.

Example :

soodar(config)# ip access-list ACL_TEST
soodar(config-nacl)#

For an IPv6 access list, the command uses the ipv6 keyword:

ipv6 access-list ACL6

Example :

soodar(config)# ipv6 access-list ACL6_TEST
soodar(config-ipv6-acl)#

Delete an ACL

Use the no form of the command to delete an ACL:

no ip access-list ACL4
no ipv6 access-list ACL6

Remark

You can include a comment or remark about the IP access list:

remark LINE ..

Adds a remark to the access list. The remark indicates the purpose of the access list.

Define an entry

Rules (or entries) are defined in access-list configuration mode.

Since access lists use a first-match approach, entries have priorities. By default the order is sequential (the first entry has the highest priority); this can be changed with sequence numbers.

To enter ACL configuration mode, just enter the ACL's name:

soodar(config)# ip access-list ACL_TEST
soodar(config-nacl)# permit any

An access list can contain both standard and extended ACL rules.

(1-4294967295) <deny|permit> <any|A.B.C.D/M>

Standard ACL entry rule. It controls traffic based on the source IP address only.

(1-4294967295) <deny|permit> <any|A.B.C.D/M> <any|A.B.C.D/M> [exact-match]

Create a simple IPv4 entry. It matches all IP packets. If exact-match is entered, the prefix lengths are also checked and must be the same (192.168.1.1/24 does not match 192.168.1.1/16).
The first input is the entry sequence number. The next is the action taken when the entry matches. Then come the source and destination prefixes. Instead of specifying an address, the user can enter any to match every address.

Example :

soodar(config)# ip access-list TEST_ACL1
soodar(config-nacl)# deny any 10.1.16.68/32
soodar(config-nacl)# permit any any

Note

It is best practice to add a permit any rule as the last entry, because by default a packet that matches none of the entries is dropped.

(1-4294967295) <deny|permit> <any|X:X::X:X/M>

Standard ACL entry rule. It controls traffic based on the source IPv6 address only.

(1-4294967295) <deny|permit> <any|X:X::X:X/M> <any|X:X::X:X/M> [exact-match]

Create a simple IPv6 entry. It matches all IP packets. If exact-match is entered, the prefix lengths are also checked and must be the same (fd00:12::1/64 does not match fd00:12::1/96).
The first input is the entry sequence number. The next is the action taken when the entry matches. Then come the source and destination prefixes. Instead of specifying an address, the user can enter any to match every address.

Example :

soodar(config)# ipv6 access-list TEST_ACLV6
soodar(config-ipv6-acl)# deny any 2001::1:2:1/64 exact-match
soodar(config-ipv6-acl)# permit any any

(1-4294967295) <deny|permit> PROTOSERVICE <any|A.B.C.D/M> <any|A.B.C.D/M> [exact-match]
(1-4294967295) <deny|permit> PROTOSERVICE <any|X:X::X:X/M> <any|X:X::X:X/M> [exact-match]

Create an IP entry based on a service or protocol.

Example :

soodar(config)# ip access-list SSH_DENY
soodar(config-nacl)# deny ssh any any
soodar(config-nacl)# permit any
soodar(config-nacl)# ipv6 access-list SSH6_DENY
soodar(config-ipv6-acl)# deny ssh any any
soodar(config-ipv6-acl)# permit any

Deny any SSH connection. This entry creates a rule which denies TCP connections to port 22 from the source. It is equivalent to:

ip access-list TEST_ACL1 deny tcp any le 65535 any eq 22

(1-4294967295) <deny|permit> tcp <any|A.B.C.D/M> SRC_PORT <any|A.B.C.D/M> DST_PORT [TCP FLAGS] [exact-match]
(1-4294967295) <deny|permit> tcp <any|X:X::X:X/M> SRC_PORT <any|X:X::X:X/M> DST_PORT [TCP FLAGS] [exact-match]

A TCP connection entry. It filters based on address prefix and port number and, if specified, on TCP flags.
Port numbers are specified with operators or ranges.
An operator consists of an operator name and an integer in [0-65535]. Operator names are eq (equal), lt (lower than), gt (greater than), and range.
A range is defined by two integers in [0-65535].
Instead of entering a port number, one can use the name of a well-known TCP service.
Supported TCP flags are fin, syn, rst, psh, ack, and urg. These flags act as a match-all filter (all named flags must be set in a packet for the entry to match).

Example :

soodar(config)# ip access-list PERMIT_TRUSTED
soodar(config-nacl)# permit tcp 10.0.0.0/8 lt 1000 any
soodar(config)# ip access-list DENY_FROM_HTTP_TO_HTTPS
soodar(config-nacl)# deny tcp 10.0.0.0/8 range 80 443 any
soodar(config-nacl)# permit any any

soodar(config)# ipv6 access-list PERMIT_TRUSTED6
soodar(config-ipv6-acl)# permit tcp fc00::/8 lt 1000 any
soodar(config)# ipv6 access-list DENY_FROM_HTTP_TO_HTTPS6
soodar(config-ipv6-acl)# deny tcp fc00::/8 range 80 443 any
soodar(config-ipv6-acl)# permit any any

In fact, DENY_FROM_HTTP_TO_HTTPS could be rewritten using service names like this:

soodar(config-nacl)# deny tcp 10.0.0.0/8 range http https any
soodar(config-nacl)# permit any any
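As an added illustration of the evaluation rules described on this page (first match in sequence-number order, the implicit deny when no entry matches, the eq/lt/gt/range port operators and match-all TCP flags), here is a small Python model of an ACL. It is example code, not Soodar's implementation, and it does not model exact-match or service names; the sample ACL and packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Entry:
    seq: int
    action: str                       # "permit" or "deny"
    proto: Optional[str] = None       # None = any IP packet, else "tcp", "udp", ...
    src: Optional[str] = None         # source prefix; None = any
    dst: Optional[str] = None         # destination prefix; None = any
    src_port: Optional[Tuple] = None  # ("eq", 22), ("lt", 1000), ("gt", 1023), ("range", 80, 443)
    dst_port: Optional[Tuple] = None  # None = port not specified, matches any port
    flags: frozenset = frozenset()    # TCP flags that must ALL be set (match-all)

def port_ok(op: Optional[Tuple], port: int) -> bool:
    """Apply one of the page's port operators: eq, lt, gt or range LOW HIGH."""
    if op is None:
        return True
    name, *args = op
    return {"eq": port == args[0], "lt": port < args[0], "gt": port > args[0],
            "range": args[0] <= port <= args[-1]}[name]

def prefix_ok(prefix: Optional[str], addr: str) -> bool:
    """'any' (None) matches everything; otherwise the address must lie in the prefix."""
    return prefix is None or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)

def evaluate(acl, pkt) -> Tuple[str, Optional[int]]:
    """First match wins, in sequence-number order. A packet matching no entry is
    dropped: the implicit deny the page warns about. Returns (action, seq)."""
    for e in sorted(acl, key=lambda e: e.seq):
        if e.proto is not None and e.proto != pkt["proto"]:
            continue
        if not (prefix_ok(e.src, pkt["src"]) and prefix_ok(e.dst, pkt["dst"])):
            continue
        if not (port_ok(e.src_port, pkt.get("sport", 0)) and port_ok(e.dst_port, pkt.get("dport", 0))):
            continue
        if not e.flags <= pkt.get("flags", frozenset()):
            continue
        return e.action, e.seq
    return "deny", None

# Constructed ACL: the page's DENY_FROM_HTTP_TO_HTTPS list plus its SSH deny (stated to deny
# TCP to port 22), numbered with the default start 10 / step 10, ending in "permit any any".
ACL = [
    Entry(10, "deny", "tcp", "10.0.0.0/8", None, ("range", 80, 443)),
    Entry(20, "deny", "tcp", None, None, None, ("eq", 22)),
    Entry(30, "permit"),
]
```

Dropping the final entry (ACL[:2]) shows the implicit deny: a UDP packet then matches nothing and is denied with no sequence number.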

(1-4294967295) <deny|permit> udp <any|A.B.C.D/M> SRC_PORT <any|A.B.C.D/M> DST_PORT [exact-match]
(1-4294967295) <deny|permit> udp <any|X:X::X:X/M> SRC_PORT <any|X:X::X:X/M> DST_PORT [exact-match]

A UDP entry. It filters based on address prefix and port number.

Example :

soodar(config)# ip access-list DENY_DNS
soodar(config-nacl)# deny udp any eq domain any

Deny any DNS service.

(1-4294967295) <deny|permit> icmp <any|A.B.C.D/M> <any|A.B.C.D/M> ICMP_TYPE_CODES [exact-match]
(1-4294967295) <deny|permit> icmp <any|X:X::X:X/M> <any|X:X::X:X/M> ICMPV6_TYPE_CODES [exact-match]

ICMP_TYPE_CODES is the well-known ICMP message type and code to match.
ICMPV6_TYPE_CODES is the well-known ICMPv6 message type and code to match.
They can be given by name (like echo-reply) or by their type and code values.

Negate an entry

Just use the no form of the command.

Example in config mode:

soodar(config)# ip access-list ACL_TEST
soodar(config-nacl)# no 100
soodar(config-nacl)# no 10 deny tcp 10.0.0.0/8 eq www 64.233.185.113/32
soodar(config-nacl)# no deny udp any 8.8.8.8 eq 53

You can negate an entry by using its sequence number, its definition, or both.

ACL Resequencing

By default, ACL sequence numbers start at 10 and increase in steps of 10. To change this behavior, use the following command:

ip access-list resequence ACL4 (1-2147483647) (1-2147483647)
ipv6 access-list resequence ACL6 (1-2147483647) (1-2147483647)

Resequence all access list entries. The first number is the starting sequence number, and the second is the step.

Apply ACL

An ACL is applied to the ingress or egress traffic of an interface.

ip access-group ACL4 in
ipv6 traffic-group ACL6 in

Apply an IPv4/IPv6 ACL to the interface’s input traffic.

The negating form detaches an ACL from the interface's input.

Example :

soodar(config)# interface ge3
soodar(config-if)# ip access-group IN_ACL in
soodar(config-if)# ipv6 traffic-group IN_ACL6 in

ip access-group ACL4 out
ipv6 traffic-group ACL6 out

Apply an IPv4/IPv6 ACL to the interface's output traffic.

The negating form detaches an ACL from the interface's output.

ip access-group ACL4 in out
ipv6 traffic-group ACL6 in out

Apply the ACL to both directions of traffic. The negating form detaches the ACL from the interface.

Debug

show ip access-list [NAME] [json]
show ipv6 access-list [NAME] [json]

Example :

n1# show ip access-list
IP access list TESTACL1
   10 permit tcp 1.1.1.10/32 eq 200 2.1.1.0/24 ge 5060 tcp-flag-mask 0 tcp-flag-value 0

show ip access-list interfaces

Show interfaces’ access-lists and their direction.

Debugging logs can be enabled when needed:

[no] debug acl event

Log data plane installation processes and results.