IP Access List

An IP access-list, also known as an access control list (ACL), is a list of rules that filters network traffic by specifying which types of traffic are allowed or denied. It is used to control the flow of traffic through a network device, such as a router or firewall, by permitting or denying traffic based on criteria such as source and destination IP addresses, protocol, port number, and other packet attributes.

IP access-lists can be configured in two formats: standard and extended. Standard access-lists only match based on the source IP address, whereas extended access-lists can match based on a variety of packet attributes. ACLs can be applied to inbound or outbound traffic on an interface and can be used for a variety of purposes such as network security, traffic shaping, and routing.

When configuring an IP access-list, it is important to carefully consider the traffic that needs to be allowed or denied and to test the ACL thoroughly to ensure that it is working as intended.

The Soodar router ships with a rich set of IP access-list tools. It supports standard and extended ACLs, both defined by name.
An access list uses a first-match approach: the first entry that matches the packet is selected as the result, and evaluation stops there.

Define an ACL

To define or modify an IPv4 access list, issue the following command:

ip access-list ACL4

The ACL4 argument in this command is the name of the access list being created or modified.

Example:

soodar(config)# ip access-list ACL_TEST
soodar(config-nacl)#

For an IPv6 access list, the command uses the ipv6 keyword.

ipv6 access-list ACL6

Example:

soodar(config)# ipv6 access-list ACL6_TEST
soodar(config-ipv6-acl)#

Delete an ACL

Use the no form of the command to remove an existing IP access-list:

no ip access-list ACL4
no ipv6 access-list ACL6

Remark

remark LINE ..

The remark command is used within an IP access-list to insert a comment that describes the purpose of a particular access-list rule or section. It is a way to document the access-list for future reference and is particularly useful when managing complex access-lists.

Define an entry

An access-list entry is a line in an access-list that specifies a set of criteria to match against an incoming or outgoing packet, and an action to take if the criteria are met. The criteria can include a source IP address, destination IP address, protocol, port numbers, and other packet attributes. The action can be either to permit the packet to pass through the router or to deny it. Access-list entries are evaluated in order, from top to bottom, and the first entry that matches the packet’s characteristics determines the action taken. If no match is found, the packet is denied by default.

Rules (or entries) are defined in access-list configuration mode.

Since access lists use a first-match approach, entries have priorities. By default the priority is sequential (the first entry has the highest priority); this can be changed by using sequence numbers.

To enter the ACL configuration mode, it is only necessary to enter the ACL's name:

soodar(config)# ip access-list ACL_TEST
soodar(config-nacl)# permit any

An access list can contain both standard and extended ACL rules.

(1-4294967295) <deny|permit> <any|A.B.C.D/M>

Standard ACL entry. It controls traffic based only on the source IP address.

  • (1-4294967295): specifies the sequence number of the access-list entry. It can be any value between 1 and 4294967295.

  • <deny|permit>: specifies whether the traffic should be denied or permitted.

  • <any|A.B.C.D/M>: specifies the source IP address or range of addresses that the access-list entry applies to. any means any source IP address, while A.B.C.D/M represents a specific network prefix.

For example, the following commands create an access-list entry with a sequence number of 20 that permits traffic from any source IP address and an access-list entry with a sequence number of 10 that denies traffic from the IP address 192.168.1.1. Because sequence 10 is evaluated before 20, the deny takes effect even though it was entered second:

soodar(config)# ip access-list ACL_TEST
soodar(config-nacl)# 20 permit any
soodar(config-nacl)# 10 deny 192.168.1.1/32

(1-4294967295) <deny|permit> <any|A.B.C.D/M> <any|A.B.C.D/M> [reflect] [exact-match]

The command is used to create an access-list entry that specifies whether traffic is allowed or denied based on the source and destination IP addresses.

  • (1-4294967295): specifies the sequence number of the access-list entry. It can be any value between 1 and 4294967295.

  • <deny|permit>: This specifies whether the traffic matching the access-list entry should be allowed or denied.

  • <any|A.B.C.D/M>: This specifies the source IP address or network for the traffic. any can be used to match any source IP address. Alternatively, A.B.C.D/M represents a specific network prefix.

  • <any|A.B.C.D/M>: This specifies the destination IP address or network for the traffic. any can be used to match any destination IP address. Alternatively, a specific network prefix can be specified using the A.B.C.D/M format.

  • reflect: The reflect option makes this entry stateful. When using this option, the router keeps track of the outgoing connection(s) and automatically adds the return entry to the access-list.

  • exact-match: When it is entered, the prefix lengths are also checked and must be the same (192.168.1.1/24 does not match 192.168.1.1/16). This is useful for applications such as BGP route filtering, where a specific match is required rather than a range of addresses.

Note

The dynamic reflexive entry is added to the same ACL, so for the ACL to be completely useful, it should be applied on both directions on the interface.

Note

The exact-match option is used in route-maps and has no effect in normal packet filtering.

For example, to create an access-list entry that allows traffic from any source to the destination network 192.168.1.0/24, the command would be:

soodar(config)# ip access-list TEST_ACL1
soodar(config-nacl)# 10 permit any 192.168.1.0/24

(1-4294967295) <deny|permit> <any|X:X::X:X/M>

The command is used to create IPv6 ACL entries that can be used to filter traffic based on source IPv6 addresses.

  • (1-4294967295): specifies the sequence number of the access-list entry. It can be any value between 1 and 4294967295.

  • <deny|permit>: This specifies whether the traffic matching the access-list entry should be allowed or denied.

  • <any|X:X::X:X/M>: The any keyword can be used to match any source IPv6 address. Alternatively, a specific IPv6 address or subnet can be specified using the X:X::X:X/M notation, where M is the prefix length.

(1-4294967295) <deny|permit> <any|X:X::X:X/M> <any|X:X::X:X/M> [reflect] [exact-match]

This command can be used to filter IPv6 traffic based on specific source and/or destination addresses.

  • (1-4294967295): specifies the sequence number of the access-list entry. It can be any value between 1 and 4294967295.

  • <deny|permit>: This specifies whether the traffic matching the access-list entry should be allowed or denied.

  • <any|X:X::X:X/M>: The any keyword can be used to match any source IPv6 address. Alternatively, a specific IPv6 address or subnet can be specified using the X:X::X:X/M notation, where M is the prefix length.

  • <any|X:X::X:X/M>: The any keyword can be used to match any destination IPv6 address. Alternatively, a specific IPv6 address or subnet can be specified using the X:X::X:X/M notation, where M is the prefix length.

  • reflect: The reflect option makes this entry stateful. When using this option, the router keeps track of the outgoing connection(s) and automatically adds the return entry to the access-list.

  • exact-match: When it is entered, the prefixes are also checked and should be the same. This is useful for applications such as BGP route filtering, where a specific match is required rather than a range of addresses.

In this example, the access-list is named TEST_ACLV6 and it permits traffic from the source IPv6 address 2001:db8:1234::1/64 to any destination, while denying all other traffic through the implicit deny at the end of the list.

soodar(config)# ipv6 access-list TEST_ACLV6
soodar(config-ipv6-acl)# permit ipv6 2001:db8:1234::1/64 any

(1-4294967295) <deny|permit> PROTOSERVICE <any|A.B.C.D/M> <any|A.B.C.D/M> [reflect] [exact-match]
(1-4294967295) <deny|permit> PROTOSERVICE <any|X:X::X:X/M> <any|X:X::X:X/M> [reflect] [exact-match]

The command is used to create an access-list entry to control traffic based on protocol type and service.

  • (1-4294967295): specifies the sequence number of the access-list entry. It can be any value between 1 and 4294967295.

  • <deny|permit>: This specifies whether the traffic matching the access-list entry should be allowed or denied.

  • PROTOSERVICE: Specifies the protocol or service to which the access list applies. The protocol is specified as either a name or a number (e.g. pim, sctp, eigrp), and the service (e.g. ssh, http) is specified as a name.

  • <any|A.B.C.D/M>: This specifies the source IP address or network for the traffic. any can be used to match any source IP address. Alternatively, A.B.C.D/M represents a specific network prefix.

  • <any|A.B.C.D/M>: This specifies the destination IP address or network for the traffic. any can be used to match any destination IP address. Alternatively, a specific network prefix can be specified using the A.B.C.D/M format.

  • reflect: The reflect option makes this entry stateful. When using this option, the router keeps track of the outgoing connection(s) and automatically adds the return entry to the access-list.

  • exact-match: When it is entered, the prefixes are also checked and should be the same. This is useful for applications such as BGP route filtering, where a specific match is required rather than a range of addresses.

Example:

soodar(config)# ip access-list SSH_DENY
soodar(config-nacl)# deny ssh any any
soodar(config-nacl)# permit any
soodar(config-nacl)# ipv6 access-list SSH6_DENY
soodar(config-ipv6-acl)# deny ssh any any
soodar(config-ipv6-acl)# permit any

Deny any SSH connection. This entry creates a rule which denies TCP connections to port 22 from any source.

ip access-list TEST_ACL1 deny tcp any le 65535 any eq 22

(1-4294967295) <deny|permit> tcp <any|A.B.C.D/M> SRC_PORT <any|A.B.C.D/M> DST_PORT [TCP FLAGS] [reflect] [exact-match]
(1-4294967295) <deny|permit> tcp <any|X:X::X:X/M> SRC_PORT <any|X:X::X:X/M> DST_PORT [TCP FLAGS] [reflect] [exact-match]

The command is used to create an access list that matches TCP traffic based on the source IP address, destination IP address, source port, destination port, and TCP flag values.

  • (1-4294967295): specifies the sequence number of the access-list entry. It can be any value between 1 and 4294967295.

  • <deny|permit>: This specifies whether the traffic matching the access-list entry should be allowed or denied.

  • tcp: This indicates that the access list entry is for TCP traffic.

  • <any|A.B.C.D/M>: This specifies the source IP address or network for the traffic. any can be used to match any source IP address. Alternatively, A.B.C.D/M represents a specific network prefix.

  • SRC_PORT: Specifies the source port(s) that the traffic must match using an operator keyword and a source port. A source port can be a number or a service name. The port number or named service can range from 0 to 65535. Examples of named services include “ftp-data”, “http”, “telnet”, “ssh”, and many others. The operator keywords are defined below:
    • gt PORT: means “greater than”, and will match any TCP traffic with a source or destination port number greater than the specified number or service.

    • lt PORT: means “less than”, and will match any TCP traffic with a source or destination port number less than the specified number or service.

    • eq PORT: means “equal to”, and will match any TCP traffic with a source or destination port number equal to the specified number or service.

    • range LOWER_PORT UPPER_PORT: Specifies a range of ports and will match any TCP traffic with a source or destination port number between the lower and upper ports.

  • <any|A.B.C.D/M>: This specifies the destination IP address or network for the traffic. any can be used to match any destination IP address. Alternatively, a specific network prefix can be specified using the A.B.C.D/M format.

  • DST_PORT: like SRC_PORT, but applies for destination port.

  • TCP FLAGS: This specifies the TCP flag values to be matched. It can include any combination of the following flags: FIN, SYN, RST, PSH, ACK, and URG.

  • reflect: The reflect option makes this entry stateful. When using this option, the router keeps track of the outgoing connection(s) and automatically adds the return entry to the access-list.

  • exact-match: When it is entered, the prefixes are also checked and should be the same. This is useful for applications such as BGP route filtering, where a specific match is required rather than a range of addresses.

For example, the following commands create an IP access list named “PERMIT_TRUSTED” that permits TCP traffic from any source IP address in the 10.0.0.0/8 network with a source port number less than 1000 to any destination IP address and any destination port number.

soodar(config)# ip access-list PERMIT_TRUSTED
soodar(config-nacl)# permit tcp 10.0.0.0/8 lt 1000 any

Or consider this example:

soodar(config)# ip access-list DENY_FROM_HTTP_TO_HTTPS
soodar(config-nacl)# deny tcp 10.0.0.0/8 any range 80 443
soodar(config-nacl)# permit any any

In the above example, the first command denies TCP traffic from source IP addresses in the 10.0.0.0/8 subnet to any destination IP address with a destination port between 80 and 443 (inclusive). This effectively blocks web traffic (and other TCP services that use a port between 80 and 443) from hosts in the 10.0.0.0/8 subnet to any destination. The position of the port specification matters: placed directly after the source prefix it would match source ports instead.

The second command permits all other traffic to any destination, effectively allowing all traffic that is not blocked by the first command.
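As an added example (not the router's own code), the following Python models the evaluation semantics this page describes: entries ordered by sequence number, first match wins, implicit deny when nothing matches, and tcp/udp port operators in the SRC_PORT / DST_PORT positions of the syntax above. The service-name table and all sample ACLs and addresses are constructed for the example.

```python
"""Model of Soodar-style named ACL evaluation (an added example, not the router's
own code). It parses the entry forms shown on this page: optional sequence number,
deny/permit, optional tcp/udp, source, SRC_PORT, destination, DST_PORT (port spec
= gt/lt/eq PORT or range LO HI) and evaluates packets first-match by ascending
sequence number with an implicit deny when no entry matches."""
import ipaddress

# Constructed subset of the router's service-name table.
SERVICES = {"http": 80, "www": 80, "https": 443, "ssh": 22, "domain": 53}

def _port(tok): return SERVICES[tok] if tok in SERVICES else int(tok)

def _net(tok): return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

def _ports(toks):
    """Consume an optional port operator; return (matcher, remaining tokens)."""
    if toks and toks[0] in ("gt", "lt", "eq"):
        op, p = toks[0], _port(toks[1])
        return {"gt": lambda x: x > p, "lt": lambda x: x < p,
                "eq": lambda x: x == p}[op], toks[2:]
    if toks and toks[0] == "range":
        lo, hi = _port(toks[1]), _port(toks[2])        # inclusive on both ends
        return (lambda x: lo <= x <= hi), toks[3:]
    return (lambda x: True), toks                        # no operator: any port

class Entry:
    """One access-list rule parsed from its CLI line."""
    def __init__(self, line, default_seq):
        toks = line.split()
        self.seq = int(toks.pop(0)) if toks[0].isdigit() else default_seq
        self.action = toks.pop(0)
        if self.action not in ("permit", "deny"):
            raise ValueError("bad action: " + self.action)
        self.proto = toks.pop(0) if toks[0] in ("tcp", "udp") else None
        self.src = _net(toks.pop(0))
        self.sport, toks = _ports(toks)
        self.dst = _net(toks.pop(0)) if toks else None   # standard entry: any dst
        self.dport, toks = _ports(toks)
        if toks:
            raise ValueError("unparsed tokens: " + " ".join(toks))

    def matches(self, s, d, proto, sport, dport):
        return ((self.proto is None or self.proto == proto)
                and (self.src is None or s in self.src)
                and (self.dst is None or d in self.dst)
                and self.sport(sport) and self.dport(dport))

class AccessList:
    def __init__(self, name):
        self.name, self.entries = name, []

    def add(self, line):
        """Entries without a sequence number get the next multiple of 10, so
        typing order is priority order unless a number is given explicitly."""
        nxt = (max((e.seq for e in self.entries), default=0) // 10 + 1) * 10
        e = Entry(line, nxt)
        self.entries = sorted([x for x in self.entries if x.seq != e.seq] + [e],
                              key=lambda x: x.seq)

    def evaluate(self, src, dst, proto=None, sport=0, dport=0):
        """First match wins; a packet matching no entry is denied."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for e in self.entries:
            if e.matches(s, d, proto, sport, dport):
                return e.action, e.seq
        return "deny", None

def demo():
    acl = AccessList("ACL_TEST")                 # constructed, mirrors the page
    acl.add("20 permit any")
    acl.add("10 deny 192.168.1.1/32")            # typed second, evaluated first
    web = AccessList("DENY_FROM_HTTP_TO_HTTPS")
    web.add("deny tcp 10.0.0.0/8 any range http https")   # destination ports
    web.add("permit any any")
    ssh_only = AccessList("SSH_ONLY")
    ssh_only.add("permit tcp any any eq ssh")    # relies on the implicit deny
    return {
        "host_denied": acl.evaluate("192.168.1.1", "10.0.0.1"),
        "other_permitted": acl.evaluate("192.168.1.2", "10.0.0.1"),
        "lan_to_https": web.evaluate("10.1.2.3", "198.51.100.7", "tcp", 51000, 443),
        "lan_to_ssh": web.evaluate("10.1.2.3", "198.51.100.7", "tcp", 51000, 22),
        "implicit_deny": ssh_only.evaluate("203.0.113.5", "10.0.0.1", "tcp", 40000, 80),
    }
```

Each result carries the sequence number of the entry that decided it, which is what a practitioner checks when an ACL does not behave as intended.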

The IPv6 equivalent of the above access-lists is:

soodar(config)# ipv6 access-list PERMIT_TRUSTED6
soodar(config-ipv6-acl)# permit tcp fc00::/8 lt 1000 any
soodar(config)# ipv6 access-list DENY_FROM_HTTP_TO_HTTPS6
soodar(config-ipv6-acl)# deny tcp fc00::/8 any range 80 443
soodar(config-ipv6-acl)# permit any any

Also, DENY_FROM_HTTP_TO_HTTPS could be rewritten using service names:

soodar(config)# ip access-list DENY_FROM_HTTP_TO_HTTPS
soodar(config-nacl)# deny tcp 10.0.0.0/8 any range http https
soodar(config-nacl)# permit any any

(1-4294967295) <deny|permit> udp <any|A.B.C.D/M> SRC_PORT <any|A.B.C.D/M> DST_PORT [reflect] [exact-match]
(1-4294967295) <deny|permit> udp <any|X:X::X:X/M> SRC_PORT <any|X:X::X:X/M> DST_PORT [reflect] [exact-match]

The command is used to create an access list that matches UDP traffic based on the source IP address, destination IP address, source port, and destination port.

  • (1-4294967295): specifies the sequence number of the access-list entry. It can be any value between 1 and 4294967295.

  • <deny|permit>: This specifies whether the traffic matching the access-list entry should be allowed or denied.

  • udp: This indicates that the access list entry is for UDP traffic.

  • <any|A.B.C.D/M>: This specifies the source IP address or network for the traffic. any can be used to match any source IP address. Alternatively, A.B.C.D/M represents a specific network prefix.

  • SRC_PORT: Specifies the source port(s) that the traffic must match using an operator keyword and a source port. A source port can be a number or a service name. The port number or named service can range from 0 to 65535. Examples of named services include “ftp-data”, “http”, “telnet”, “ssh”, and many others. The operator keywords are defined below:
    • gt PORT: means “greater than”, and will match any UDP traffic with a source or destination port number greater than the specified number or service.

    • lt PORT: means “less than”, and will match any UDP traffic with a source or destination port number less than the specified number or service.

    • eq PORT: means “equal to”, and will match any UDP traffic with a source or destination port number equal to the specified number or service.

    • range LOWER_PORT UPPER_PORT: Specifies a range of ports and will match any UDP traffic with a source or destination port number between the lower and upper ports.

  • <any|A.B.C.D/M>: This specifies the destination IP address or network for the traffic. any can be used to match any destination IP address. Alternatively, a specific network prefix can be specified using the A.B.C.D/M format.

  • DST_PORT: like SRC_PORT, but applies for destination port.

  • reflect: The reflect option makes this entry stateful. When using this option, the router keeps track of the outgoing connection(s) and automatically adds the return entry to the access-list.

  • exact-match: When it is entered, the prefixes are also checked and should be the same. This is useful for applications such as BGP route filtering, where a specific match is required rather than a range of addresses.

soodar(config)# ip access-list DENY_DNS
soodar(config-nacl)# deny udp any eq domain any

The purpose of this ACL is to deny all DNS traffic (UDP port 53) from any source to any destination. This can be used to block DNS traffic from leaving a network or to prevent external DNS servers from being used by devices on the network.

(1-4294967295) <deny|permit> icmp <any|A.B.C.D/M> <any|A.B.C.D/M> ICMP_TYPE_CODES [reflect] [exact-match]
(1-4294967295) <deny|permit> icmp <any|X:X::X:X/M> <any|X:X::X:X/M> ICMPV6_TYPE_CODES [reflect] [exact-match]

This command is used to create an access control list (ACL) rule that either permits or denies Internet Control Message Protocol (ICMP) traffic between two IP addresses or subnets. The command consists of the following parameters:

  • (1-4294967295): specifies the sequence number of the access-list entry. It can be any value between 1 and 4294967295.

  • <deny|permit>: This specifies whether the traffic matching the access-list entry should be allowed or denied.

  • icmp: This indicates that the access list entry is for ICMP traffic.

  • <any|A.B.C.D/M>: This specifies the source IP address or network for the traffic. any can be used to match any source IP address. Alternatively, A.B.C.D/M represents a specific network prefix.

  • <any|A.B.C.D/M>: This specifies the destination IP address or network for the traffic. any can be used to match any destination IP address. Alternatively, a specific network prefix can be specified using the A.B.C.D/M format.

  • ICMP_TYPE_CODES: Specifies the type and code of the ICMP traffic being matched. It can be a name (for example, “echo-request” (type 8, code 0) or “echo-reply” (type 0, code 0)) or two numbers indicating the type and code.

  • reflect: The reflect option makes this entry stateful. When using this option, the router keeps track of the outgoing connection(s) and automatically adds the return entry to the access-list.

  • exact-match: When it is entered, the prefixes are also checked and should be the same. This is useful for applications such as BGP route filtering, where a specific match is required rather than a range of addresses.

Negate an entry

Use the no form of the command.

Example in config mode:

soodar(config)# ip access-list ACL_TEST
soodar(config-nacl)# no 100
soodar(config-nacl)# no 10 deny tcp 10.0.0.0/8 eq www 64.233.185.113/32
soodar(config-nacl)# no deny udp any 8.8.8.8 eq 53

You can negate an entry by using its sequence number, its definition, or both of them.

ACL Resequencing

ACL resequencing is a process of changing the sequence numbers of access control list (ACL) entries. ACLs are applied to network devices to filter traffic based on specific rules. When there is a need to modify an existing ACL, it may be necessary to add or delete an entry in the middle of the list. In such cases, resequencing is performed to maintain the logical order of ACL entries and to ensure that traffic is processed correctly.

For example, suppose an ACL has ten entries, and a new entry needs to be added between entries five and six. To insert the new entry, the administrator needs to change the sequence numbers of entries six through ten. The new entry will be added with a sequence number of six, and the existing entries will be shifted down accordingly. This ensures that traffic is processed in the correct order and that the new entry is evaluated before the subsequent entries. Another solution is to resequence all entries in such a way that there is at least one free value between each pair of entries (an increment of 2).

ip access-list resequence ACL4 (1-2147483647)$start-seq-num (1-2147483647)$increment
ipv6 access-list resequence ACL6 (1-2147483647)$start-seq-num (1-2147483647)$increment

The ip access-list resequence command is used to resequence an existing access control list (ACL). The command is used to change the sequence numbers of the ACL entries, allowing you to insert or delete rules in the ACL without having to completely recreate it.

  • ACL: Specifies the name of the ACL you want to resequence.

  • start-seq-num: Specifies the starting sequence number for the resequenced ACL.

  • increment: Specifies the increment value to use for the new sequence numbers.

For example, if you have an ACL named ACL_TEST and you want to start the sequence numbers at 1 with an increment of 2, you would use the following command:

soodar(config)# ip access-list resequence ACL_TEST 1 2

This will change the sequence numbers for the ACL entries to start at 1 and increment by 2 for each subsequent rule.

Apply ACL

Applying an Access Control List (ACL) to an interface on a network device allows the network administrator to control the traffic that flows through that interface. The ACL is used to permit or deny traffic based on criteria such as source/destination IP address, protocol, and port number. The ACL is created and then applied to the inbound or outbound direction of the interface. The rules in the ACL are then processed in order from top to bottom until a match is found, and the corresponding action (permit or deny) is taken. This can help secure a network by preventing unwanted traffic from entering or leaving a particular interface.

ip access-group ACL4 in

The command is used to apply an IPv4 access control list (ACL) to an inbound interface. This command specifies that packets entering the interface should be checked against the ACL. If a packet matches a permit statement in the ACL, it is forwarded. If it matches a deny statement, it is dropped. This command is commonly used to filter incoming traffic from untrusted networks and restrict access to resources in a network.

  • ACL4: Specifies the name of the ACL you want to apply.

  • in: Indicates the ACL is applied to incoming traffic.

ipv6 traffic-group ACL6 in

The command is used to apply an IPv6 Access Control List (ACL) to an ingress interface of a device. It directs the device to evaluate incoming IPv6 packets against the specified ACL before forwarding them to their destination.

When the device receives a packet on the ingress interface, it checks the packet against the ACL rules specified in ACL6. If the packet matches a permit rule in the ACL, the device forwards the packet to the next hop. If the packet matches a deny rule in the ACL, the device drops the packet.

  • ACL6: Refers to the name of the IPv6 ACL that has been configured on the device.

  • in: specifies that the ACL is being applied to the ingress traffic of the interface.

The negating form detaches the ACL from the interface's input.

For example, the following commands apply the IPv4 ACL named “IN_ACL” and the IPv6 ACL named “IN_ACL6” to the inbound traffic of interface ge3:

soodar(config)# interface ge3
soodar(config-if)# ip access-group IN_ACL in
soodar(config-if)# ipv6 traffic-group IN_ACL6 in

ip access-group ACL4 out

The command is used to apply an IPv4 access control list (ACL) to an interface for traffic leaving the interface.

  • ACL4: Specifies the name of the ACL you want to apply.

  • out: Indicates the ACL is applied to leaving traffic.

ipv6 traffic-group ACL6 out

When this command is configured on an interface, it causes the specified IPv6 access list to be applied to all traffic that leaves the interface.

  • ACL6: Refers to the name of the IPv6 ACL that has been configured on the device.

  • out: specifies the direction of traffic flow to which the access list should be applied.

The negating form detaches the ACL from the interface's output.

ip access-group ACL4 in out
ipv6 traffic-group ACL6 in out

Apply the ACL to both directions of traffic. The negating form detaches the ACL from the interface.

Debug

show ip access-list [NAME] [json]
show ipv6 access-list [NAME] [json]

The command is used to display the details of an access control list (ACL).

When executed without any options, the command displays a list of all configured ACLs on the router along with their type (standard or extended) and their current line count. When a specific ACL is specified with the NAME parameter, the command will display the details of that particular ACL, including each line of the ACL and whether each line permits or denies traffic.

  • NAME (Optional): Specifies the name of the access list to display.

  • json (Optional): Displays the output in JSON format.

soodar# show ip access-list
IP access list TEST
    seq 10 permit tcp 1.1.1.10/32 eq 200 2.1.1.0/24 gt 5060
    seq 20 deny   1.2.1.0/24 3.1.1.0/24
soodar# show ip access-list json
{
  "ZEBRA":{
    "TEST":{
      "type":"Zebra",
      "addressFamily":"IPv4",
      "remark":"",
      "rules":[
        {
          "sequenceNumber":10,
          "filterType":"permit",
          "protocol":6,
          "prefix":"1.1.1.10\/32",
          "prefix-dest":"2.1.1.0\/24",
          "src-port-first":200,
          "src-port-last":65535,
          "src-port-operator":"equal",
          "dest-port-first":5060,
          "dest-port-last":65535,
          "dest-port-operator":"greater-than",
          "tcp-flags":"",
          "exact-match":false
        },
        {
          "sequenceNumber":20,
          "filterType":"deny",
          "protocol":0,
          "prefix":"1.2.1.0\/24",
          "prefix-dest":"3.1.1.0\/24",
          "src-port-first":0,
          "src-port-last":65535,
          "src-port-operator":"range",
          "dest-port-first":0,
          "dest-port-last":65535,
          "dest-port-operator":"range",
          "tcp-flags":"",
          "exact-match":false
        }
      ]
    }
  }
}

show ip access-list interfaces

The command is used to display information about all interfaces where an access list is applied or where an access list is not applied. This command is useful to verify which interfaces are being affected by an access list, and it can be helpful when troubleshooting access list-related issues.

The output of the command includes the following information for each interface:

  • Interface Name

  • Egress ACLs

  • Ingress ACLs

Debug logging can be enabled when needed.

[no] debug acl event

Logs data-plane installation processes and results.