Configuring IP ACLs ThischapterdescribeshowtoconfigureIPaccesscontrollists(ACLs)onCiscoNX-OSdevices. Unlessotherwisespecified,thetermIPACLreferstoIPv4andIPv6ACLs. Note TheCiscoNX-OSreleasethatisrunningonamanageddevicemaynotsupportalldocumentedfeaturesor settings.Forthelatestfeatureinformationandcaveats,seethedocumentationandreleasenotesforyour platformandsoftwarerelease. Thischapterincludesthefollowingsections: •FindingFeatureInformation,onpage1 •InformationAboutACLs,onpage2 •PrerequisitesforIPACLs,onpage16 •GuidelinesandLimitationsforIPACLs,onpage17 •DefaultSettingsforIPACLs,onpage21 •ConfiguringIPACLs,onpage22 •ConfiguringScaleACL,onpage37 •ConfigurationExamplesforScaleACL,onpage38 •VerifyingtheIPACLConfiguration,onpage40 •MonitoringandClearingIPACLStatistics,onpage42 •ConfigurationExamplesforIPACLs,onpage42 •ConfiguringObjectGroups,onpage43 •VerifyingtheObject-GroupConfiguration,onpage48 •ConfiguringTimeRanges,onpage49 •VerifyingtheTime-RangeConfiguration,onpage54 •AdditionalReferencesforIPACLs,onpage54 •FeatureHistoryforIPACLs,onpage55 Finding Feature Information Yoursoftwarereleasemightnotsupportallthefeaturesdocumentedinthismodule.Forthelatestcaveats andfeatureinformation,seetheBugSearchToolathttps://tools.cisco.com/bugsearch/andthereleasenotes foryoursoftwarerelease.Tofindinformationaboutthefeaturesdocumentedinthismodule,andtoseealist ConfiguringIPACLs 1 ConfiguringIPACLs InformationAboutACLs ofthereleasesinwhicheachfeatureissupported,seethe"NewandChangedInformation"chapterorthe FeatureHistorytableinthischapter. Information About ACLs AnACLisanorderedsetofrulesthatyoucanusetofiltertraffic.Eachrulespecifiesasetofconditionsthat apacketmustsatisfytomatchtherule.WhenthedevicedeterminesthatanACLappliestoapacket,ittests thepacketagainsttheconditionsofallrules.Thefirstmatchingruledetermineswhetherthepacketispermitted ordenied.Ifthereisnomatch,thedeviceappliestheapplicableimplicitrule.Thedevicecontinuesprocessing packetsthatarepermittedanddropspacketsthataredenied. YoucanuseACLstoprotectnetworksandspecifichostsfromunnecessaryorunwantedtraffic.Forexample, youcoulduseACLstodisallowHTTPtrafficfromahigh-securitynetworktotheInternet.Youcouldalso useACLstoallowHTTPtrafficbutonlytospecificsites,usingtheIPaddressofthesitetoidentifyitinan IPACL. ACL Types and Applications ThedevicesupportsthefollowingtypesofACLsforsecuritytrafficfiltering: FCoEACLs ThedeviceappliesFibreChanneloverEthernet(FCoE)ACLsonlytoFibreChanneltraffic.Formore informationonFCoE,seetheCiscoNX-OSFCoEConfigurationGuideforCiscoNexus7000andCisco MDS9500. IPv4ACLs ThedeviceappliesIPv4ACLsonlytoIPv4traffic. IPv6ACLs ThedeviceappliesIPv6ACLsonlytoIPv6traffic. MACACLs ThedeviceappliesMACACLsonlytonon-IPtrafficbydefault;however,youcanconfigureLayer2 interfacestoapplyMACACLstoalltraffic. Security-groupACLs(SGACLs) ThedeviceappliesSGACLstotraffictaggedbyCiscoTrustSec. IPandMACACLshavethefollowingtypesofapplications: PortACL FiltersLayer2traffic RouterACL FiltersLayer3traffic VLANACL FiltersVLANtraffic VTYACL Filtersvirtualteletype(VTY)traffic ConfiguringIPACLs 2 ConfiguringIPACLs OrderofACLApplication ThistablesummarizestheapplicationsforsecurityACLs. Table1:SecurityACLApplications Application SupportedInterfaces TypesofACLsSupported PortACL •Layer2interfaces •IPv4ACLs •Layer2Ethernetport-channelinterfaces •IPv6ACLs •MACACLs WhenaportACLisappliedtoatrunkport,theACL filterstrafficonallVLANsonthetrunkport. Router •VLANinterfaces •IPv4ACLs ACL •PhysicalLayer3interfaces •IPv6ACLs •Layer3Ethernetsubinterfaces Note MACACLsaresupported •Layer3Ethernetport-channelinterfaces onLayer3interfacesonly ifyouenableMACpacket •Layer3Ethernetport-channelsubinterfaces classification. •Tunnels •Managementinterfaces Note YoumustenableVLANinterfacesglobally beforeyoucanconfigureaVLANinterface. Formoreinformation,seetheCiscoNexus 7000SeriesNX-OSInterfacesConfiguration Guide. VLAN •VLANs •IPv4ACLs ACL •IPv6ACLs •MACACLs VTYACL •VTYs •IPv4ACLs •IPv6ACLs RelatedTopics MACPacketClassification InformationAboutMACACLs InformationAboutVLANACLs SGACLsandSGTs Order of ACL Application Whenthedeviceprocessesapacket,itdeterminestheforwardingpathofthepacket.Thepathdetermines whichACLsthatthedeviceappliestothetraffic.ThedeviceappliestheACLsinthefollowingorder: ConfiguringIPACLs 3 ConfiguringIPACLs OrderofACLApplication 1. PortACL 2. IngressVACL 3. IngressrouterACL 4. IngressVTYACL 5. SGACL 6. EgressVTYACL 7. EgressrouterACL 8. EgressVACL IfthepacketisbridgedwithintheingressVLAN,thedevicedoesnotapplyrouterACLs. Figure1:OrderofACLApplication Thefollowingfigureshowstheorderinwhichthedeviceapplies ACLs. Figure2:ACLsandPacketFlow ThefollowingfigureshowswherethedeviceappliesACLs,dependinguponthetypeofACL.Theredpath indicatesapacketsenttoadestinationonadifferentinterfacethanitssource.Thebluepathindicatesapacket thatisbridgedwithinitsVLAN. ThedeviceappliesonlytheapplicableACLs.Forexample,iftheingressportisaLayer2portandthetraffic isonaVLANthatisaVLANinterface,aportACLandarouterACLbothcanapply.Inaddition,ifaVACL isappliedtotheVLAN,thedeviceappliesthatACLtoo. ConfiguringIPACLs 4 ConfiguringIPACLs AboutRules RelatedTopics SGACLsandSGTs About Rules Rulesarewhatyoucreate,modify,andremovewhenyouconfigurehowanACLfiltersnetworktraffic.Rules appearintherunningconfiguration.WhenyouapplyanACLtoaninterfaceorchangearulewithinanACL thatisalreadyappliedtoaninterface,thesupervisormodulecreatesACLentriesfromtherulesintherunning configurationandsendsthoseACLentriestotheapplicableI/Omodule.Dependinguponhowyouconfigure theACL,theremaybemoreACLentriesthanrules,especiallyifyouimplementpolicy-basedACLsbyusing objectgroupswhenyouconfigurerules. Youcancreaterulesinaccess-listconfigurationmodebyusingthepermitordenycommand.Thedevice allowstrafficthatmatchesthecriteriainapermitruleandblockstrafficthatmatchesthecriteriainadeny rule.Youhavemanyoptionsforconfiguringthecriteriathattrafficmustmeetinordertomatchtherule. Thissectiondescribessomeoftheoptionsthatyoucanusewhenyouconfigurearule.Forinformationabout everyoption,seetheapplicablepermitanddenycommandsintheCiscoNexus7000SeriesNX-OSSecurity CommandReference. Protocols for IP ACLs IPv4,IPv6,andMACACLsallowyoutoidentifytrafficbyprotocol.Foryourconvenience,youcanspecify someprotocolsbyname.Forexample,inanIPv4orIPv6ACL,youcanspecifyICMPbyname. Youcanspecifyanyprotocolbynumber.InMACACLs,youcanspecifyprotocolsbytheEtherTypenumber oftheprotocol,whichisahexadecimalnumber.Forexample,youcanuse0x0800tospecifyIPtrafficina MACACLrule. InIPv4andIPv6ACLs,youcanspecifyprotocolsbytheintegerthatrepresentstheInternetprotocolnumber. Forexample,youcanuse115tospecifyLayer2TunnelingProtocol(L2TP)traffic. ConfiguringIPACLs 5 ConfiguringIPACLs SourceandDestination ForalistoftheprotocolsthateachtypeofACLsupportsbyname,seetheapplicablepermitanddeny commandsintheCiscoNexus7000SeriesNX-OSSecurityCommandReference. Source and Destination Ineachrule,youspecifythesourceandthedestinationofthetrafficthatmatchestherule.Youcanspecify boththesourceanddestinationasaspecifichost,anetworkorgroupofhosts,oranyhost.Howyouspecify thesourceanddestinationdependsonwhetheryouareconfiguringIPv4,IPv6,orMACACLs.Forinformation aboutspecifyingthesourceanddestination,seetheapplicablepermitanddenycommandsintheCiscoNexus 7000SeriesNX-OSSecurityCommandReference. Implicit Rules for IP and MAC ACLs IPandMACACLshaveimplicitrules,whichmeansthatalthoughtheserulesdonotappearintherunning configuration,thedeviceappliesthemtotrafficwhennootherrulesinanACLmatch.Whenyouconfigure thedevicetomaintainper-rulestatisticsforanACL,thedevicedoesnotmaintainstatisticsforimplicitrules. AllIPv4ACLsincludethefollowingimplicitrule: deny ip any any ThisimplicitruleensuresthatthedevicedeniesunmatchedIPtraffic. AllIPv6ACLsincludethefollowingimplicitrules: permit icmp any any nd-na permit icmp any any nd-ns permit icmp any any router-advertisement permit icmp any any router-solicitation deny ipv6 any any UnlessyouconfigureanIPv6ACLwitharulethatdeniesICMPv6neighbordiscoverymessages,thefirst fourrulesensurethatthedevicepermitsneighbordiscoveryadvertisementandsolicitationmessages.The fifthruleensuresthatthedevicedeniesunmatchedIPv6traffic. Note IfyouexplicitlyconfigureanIPv6ACLwithadenyipv6anyanyrule,theimplicitpermitrulescannever permittraffic.Ifyouexplicitlyconfigureadenyipv6anyanyrulebutwanttopermitICMPv6neighbor discoverymessages,explicitlyconfigurearuleforallfiveimplicitIPv6ACLrules. AllMACACLsincludethefollowingimplicitrule: deny any any protocol Thisimplicitruleensuresthatthedevicedeniestheunmatchedtraffic,regardlessoftheprotocolspecifiedin theLayer2headerofthetraffic. Additional Filtering Options Youcanidentifytrafficbyusingadditionaloptions.TheseoptionsdifferbyACLtype.Thefollowinglist includesmostbutnotalladditionalfilteringoptions: •IPv4ACLssupportthefollowingadditionalfilteringoptions: ConfiguringIPACLs 6 ConfiguringIPACLs AdditionalFilteringOptions •Layer4protocol •AuthenticationHeaderProtocol •EnhancedInteriorGatewayRoutingProtocol(EIGRP) •EncapsulatingSecurityPayload •GeneralRoutingEncapsulation(GRE) •KA9QNOS-compatibleIP-over-IPtunneling •OpenShortestPathFirst(OSPF) •PayloadCompressionProtocol •Protocol-independentmulticast(PIM) •TCPandUDPports •ICMPtypesandcodes •IGMPtypes •Precedencelevel •DifferentiatedServicesCodePoint(DSCP)value •TCPpacketswiththeACK,FIN,PSH,RST,SYN,orURGbitset •EstablishedTCPconnections •Packetlength •IPv6ACLssupportthefollowingadditionalfilteringoptions: •Layer4protocol •AuthenticationHeaderProtocol •EncapsulatingSecurityPayload •PayloadCompressionProtocol •StreamControlTransmissionProtocol(SCTP) •SCTP,TCP,andUDPports •ICMPtypesandcodes •IGMPtypes •Flowlabel •DSCPvalue •TCPpacketswiththeACK,FIN,PSH,RST,SYN,orURGbitset •EstablishedTCPconnections •Packetlength ConfiguringIPACLs 7 ConfiguringIPACLs SequenceNumbers •MACACLssupportthefollowingadditionalfilteringoptions: •Layer3protocol •VLANID •ClassofService(CoS) Forinformationaboutallfilteringoptionsavailableinrules,seetheapplicablepermitanddenycommands intheCiscoNexus7000SeriesNX-OSSecurityCommandReference. Sequence Numbers Thedevicesupportssequencenumbersforrules.Everyrulethatyouenterreceivesasequencenumber,either assignedbyyouorassignedautomaticallybythedevice.SequencenumberssimplifythefollowingACL tasks: Addingnewrulesbetweenexistingrules Byspecifyingthesequencenumber,youspecifywhereintheACLanewruleshouldbepositioned.For example,ifyouneedtoinsertarulebetweenrulesnumbered100and110,youcouldassignasequence numberof105tothenewrule. Removingarule Withoutusingasequencenumber,removingarulerequiresthatyouenterthewholerule,asfollows: switch(config-acl)# no permit tcp 10.0.0.0/8 any However,ifthesamerulehadasequencenumberof101,removingtherulerequiresonlythefollowing command: switch(config-acl)# no 101 Movingarule Withsequencenumbers,ifyouneedtomovearuletoadifferentpositionwithinanACL,youcanadd asecondinstanceoftheruleusingthesequencenumberthatpositionsitcorrectly,andthenyoucan removetheoriginalinstanceoftherule.Thisactionallowsyoutomovetherulewithoutdisrupting traffic. Ifyouenterarulewithoutasequencenumber,thedeviceaddstheruletotheendoftheACLandassignsa sequencenumberthatis10greaterthanthesequencenumberoftheprecedingruletotherule.Forexample, ifthelastruleinanACLhasasequencenumberof225andyouaddarulewithoutasequencenumber,the deviceassignsthesequencenumber235tothenewrule. Inaddition,CiscoNX-OSallowsyoutoreassignsequencenumberstorulesinanACL.Resequencingis usefulwhenanACLhasrulesnumberedcontiguously,suchas100and101,andyouneedtoinsertoneor morerulesbetweenthoserules. Logical Operators and Logical Operation Units IPACLrulesforTCPandUDPtrafficcanuselogicaloperatorstofiltertrafficbasedonportnumbers.The devicestoresoperator-operandcouplesinregisterscalledlogicaloperatorunits(LOUs).CiscoNexus7000 Seriesdevicessupport104LOUs. TheLOUusageforeachtypeofoperatorisasfollows: ConfiguringIPACLs 8 ConfiguringIPACLs Logging eq IsneverstoredinanLOU gt Uses1/2LOU lt Uses1/2LOU neq Uses1/2LOU range Uses1LOU Thefollowingguidelinesdeterminewhenthedevicesstoreoperator-operandcouplesinLOUs: •Iftheoperatororoperanddiffersfromotheroperator-operandcouplesthatareusedinotherrules,the coupleisstoredinanLOU. Forexample,theoperator-operandcouples"gt10"and"gt11"wouldbestoredseparatelyinhalfan LOUeach.Thecouples"gt10"and"lt10"wouldalsobestoredseparately. •Whethertheoperator-operandcoupleisappliedtoasourceportoradestinationportintheruleaffects LOUusage.Identicalcouplesarestoredseparatelywhenoneoftheidenticalcouplesisappliedtoa sourceportandtheothercoupleisappliedtoadestinationport. Forexample,ifaruleappliestheoperator-operandcouple"gt10"toasourceportandanotherruleapplies a"gt10"coupletoadestinationport,bothcoupleswouldalsobestoredinhalfanLOU,resultinginthe useofonewholeLOU.Anyadditionalrulesusinga"gt10"couplewouldnotresultinfurtherLOU usage. Logging Youcanenablethedevicetocreateaninformationallogmessageforpacketsthatmatcharule.Thelog messagecontainsthefollowinginformationaboutthepacket: •Protocol •StatusofwhetherthepacketisaTCP,UDP,orICMPpacket,orifthepacketisonlyanumberedpacket. •Sourceanddestinationaddress •Sourceanddestinationportnumbers,ifapplicable Access Lists with Fragment Control Asnon-initialfragmentscontainonlyLayer3information,theseaccess-listentriescontainingonlyLayer3 information,cannowbeappliedtonon-initialfragmentsalso.Thefragmenthasalltheinformationthesystem requirestofilter,sotheaccess-listentryisappliedtothefragmentsofapacket. ThisfeatureaddstheoptionalfragmentskeywordtothefollowingIPaccesslistcommands:deny(IPv4), permit(IPv4),deny(IPv6),permit(IPv6).Byspecifyingthefragmentskeywordinanaccess-listentry, thatparticularaccess-listentryappliesonlytonon-initialfragmentsofpackets;thefragmentiseitherpermitted ordeniedaccordingly. Thebehaviorofaccess-listentriesregardingthepresenceorabsenceofthefragmentskeywordcanbe summarizedasfollows: ConfiguringIPACLs 9 ConfiguringIPACLs AccessListswithFragmentControl IftheAccess-ListEntryhas... Then... ...nofragmentskeywordandalloftheaccess-list Foranaccess-listentrycontainingonlyLayer3 entryinformationmatches information: •Theentryisappliedtonon-fragmentedpackets, initialfragments,andnon-initialfragments. Foranaccess-listentrycontainingLayer3andLayer 4information: •Theentryisappliedtonon-fragmentedpackets andinitialfragments. •Iftheentrymatchesandisapermit statement,thepacketorfragmentis permitted. •Iftheentrymatchesandisadenystatement, thepacketorfragmentisdenied. •Theentryisalsoappliedtonon-initialfragments inthefollowingmanner.Becausenon-initial fragmentscontainonlyLayer3information,only theLayer3portionofanaccess-listentrycanbe applied.IftheLayer3portionoftheaccess-list entrymatches,and •Iftheentryisapermitstatement,the non-initialfragmentispermitted. •Iftheentryisadenystatement,thenext access-listentryisprocessed. Note Thedenystatementsarehandled differentlyfornon-initialfragments versusnon-fragmentedorinitial fragments. ...thefragmentskeywordandalloftheaccess-list Theaccess-listentryisappliedonlytonon-initial entryinformationmatches fragments. Note Thefragmentskeywordcannotbe configuredforanaccess-listentrythat containsanyLayer4information. Youshouldnotaddthefragmentskeywordtoeveryaccess-listentry,becausethefirstfragmentoftheIP packetisconsideredanon-fragmentandistreatedindependentlyofthesubsequentfragments.Becausean initialfragmentwillnotmatchanaccesslistpermitordenyentrythatcontainsthefragmentskeyword,the packetiscomparedtothenextaccesslistentryuntilitiseitherpermittedordeniedbyanaccesslistentrythat doesnotcontainthefragmentskeyword.Therefore,youmayneedtwoaccesslistentriesforeverydeny entry.Thefirstdenyentryofthepairwillnotincludethefragmentskeyword,andappliestotheinitial fragment.Theseconddenyentryofthepairwillincludethefragmentskeywordandappliestothesubsequent ConfiguringIPACLs 10