Configuring IP ACLs

This chapter describes how to configure IP access control lists (ACLs) on Cisco NX-OS devices.

Unless otherwise specified, the term IP ACL refers to IPv4 and IPv6 ACLs.

This chapter includes the following sections:
• About ACLs, on page 1
• Licensing Requirements for IP ACLs, on page 14
• Prerequisites for IP ACLs, on page 14
• Guidelines and Limitations for IP ACLs, on page 15
• Default Settings for IP ACLs, on page 17
• Configuring IP ACLs, on page 17
• Verifying the IP ACL Configuration, on page 41
• Monitoring and Clearing IP ACL Statistics, on page 43
• Configuration Examples for IP ACLs, on page 43
• Configuring Object Groups, on page 44
• Verifying the Object-Group Configuration, on page 49
• Configuring Time-Ranges, on page 49
• Verifying the Time-Range Configuration, on page 54

About ACLs

An ACL is an ordered set of rules that you can use to filter traffic. Each rule specifies a set of conditions that a packet must satisfy to match the rule. When the device determines that an ACL applies to a packet, it tests the packet against the conditions of all rules. The first matching rule determines whether the packet is permitted or denied. If there is no match, the device applies the applicable implicit rule. The device continues processing packets that are permitted and drops packets that are denied.

You can use ACLs to protect networks and specific hosts from unnecessary or unwanted traffic. For example, you could use ACLs to disallow HTTP traffic from a high-security network to the Internet. You could also use ACLs to allow HTTP traffic but only to specific sites, using the IP address of the site to identify it in an IP ACL.

ACL Types and Applications

The device supports the following types of ACLs for security traffic filtering:

IPv4 ACLs
    The device applies IPv4 ACLs only to IPv4 traffic.
IPv6 ACLs
    The device applies IPv6 ACLs only to IPv6 traffic.
MAC ACLs
    The device applies MAC ACLs only to non-IP traffic.

IP and MAC ACLs have the following types of applications:

Port ACL
    Filters Layer 2 traffic
Router ACL
    Filters Layer 3 traffic
VLAN ACL
    Filters VLAN traffic
VTY ACL
    Filters virtual teletype (VTY) traffic

This table summarizes the applications for security ACLs.
Table 1: Security ACL Applications

Port ACL
    Supported interfaces:
    • Layer 2 interfaces
    • Layer 2 Ethernet port-channel interfaces
    Types of ACLs supported:
    • IPv4 ACLs
    • IPv6 ACLs
    • MAC ACLs
    When a port ACL is applied to a trunk port, the ACL filters traffic on all VLANs on the trunk port.

Router ACL
    Supported interfaces:
    • VLAN interfaces
    • Physical Layer 3 interfaces
    • Layer 3 Ethernet subinterfaces
    • Layer 3 Ethernet port-channel interfaces
    • Management interfaces
    Note: You must enable VLAN interfaces globally before you can configure a VLAN interface.
    Types of ACLs supported:
    • IPv4 ACLs
    • IPv6 ACLs
    Note: MAC ACLs are supported on Layer 3 interfaces only if you enable MAC packet classification.
    Note: Egress router ACLs are not supported on subinterfaces and on Cisco Nexus 9300 Series switch uplink ports.

VLAN ACL
    Supported interfaces:
    • VLANs
    Types of ACLs supported:
    • IPv4 ACLs
    • IPv6 ACLs
    • MAC ACLs

VTY ACL
    Supported interfaces:
    • VTYs
    Types of ACLs supported:
    • IPv4 ACLs
    • IPv6 ACLs

Related Topics
About VLAN ACLs
About MAC ACLs

Order of ACL Application

When the device processes a packet, it determines the forwarding path of the packet. The path determines which ACLs the device applies to the traffic. The device applies the ACLs in the following order:
1. Port ACL
2. Ingress VACL
3. Ingress router ACL
4. Ingress VTY ACL
5. Egress VTY ACL
6. Egress router ACL
7. Egress VACL

If the packet is bridged within the ingress VLAN, the device does not apply router ACLs.

Figure 1: Order of ACL Application
The following figure shows the order in which the device applies ACLs.

Figure 2: ACLs and Packet Flow
The following figure shows where the device applies ACLs, depending upon the type of ACL. The red path indicates a packet sent to a destination on a different interface than its source. The blue path indicates a packet that is bridged within its VLAN.

The device applies only the applicable ACLs. For example, if the ingress port is a Layer 2 port and the traffic is on a VLAN that is a VLAN interface, a port ACL and a router ACL both can apply. In addition, if a VACL is applied to the VLAN, the device applies that ACL too.
About Rules

Rules are what you create, modify, and remove when you configure how an ACL filters network traffic. Rules appear in the running configuration. When you apply an ACL to an interface or change a rule within an ACL that is already applied to an interface, the supervisor module creates ACL entries from the rules in the running configuration and sends those ACL entries to the applicable I/O module. Depending upon how you configure the ACL, there may be more ACL entries than rules, especially if you implement policy-based ACLs by using object groups when you configure rules.

You can create rules in access-list configuration mode by using the permit or deny command. The device allows traffic that matches the criteria in a permit rule and blocks traffic that matches the criteria in a deny rule. You have many options for configuring the criteria that traffic must meet in order to match the rule.

This section describes some of the options that you can use when you configure a rule.

Protocols for IP ACLs and MAC ACLs

IPv4, IPv6, and MAC ACLs allow you to identify traffic by protocol. For your convenience, you can specify some protocols by name. For example, in an IPv4 or IPv6 ACL, you can specify ICMP by name.

You can specify any protocol by number. In MAC ACLs, you can specify protocols by the EtherType number of the protocol, which is a hexadecimal number. For example, you can use 0x0800 to specify IP traffic in a MAC ACL rule.

In IPv4 and IPv6 ACLs, you can specify protocols by the integer that represents the Internet protocol number.

Source and Destination

In each rule, you specify the source and the destination of the traffic that matches the rule. You can specify both the source and destination as a specific host, a network or group of hosts, or any host. How you specify the source and destination depends on whether you are configuring IPv4 ACLs, IPv6 ACLs, or MAC ACLs.

Implicit Rules for IP and MAC ACLs

IP and MAC ACLs have implicit rules, which means that although these rules do not appear in the running configuration, the device applies them to traffic when no other rules in an ACL match. When you configure the device to maintain per-rule statistics for an ACL, the device does not maintain statistics for implicit rules.
All IPv4 ACLs include the following implicit rule:

deny ip any any

This implicit rule ensures that the device denies unmatched IP traffic.

All IPv6 ACLs include the following implicit rule:

deny ipv6 any any

This implicit rule ensures that the device denies unmatched IPv6 traffic.

Note: IPv6 nd-na, nd-ns, router-advertisement, and router-solicitation packets are not permitted by any implicit permit rule in an IPv6 ACL. You must add the following rules explicitly to allow them:
• permit icmp any any nd-na
• permit icmp any any nd-ns
• permit icmp any any router-advertisement
• permit icmp any any router-solicitation

All MAC ACLs include the following implicit rule:

deny any any protocol

This implicit rule ensures that the device denies the unmatched traffic, regardless of the protocol specified in the Layer 2 header of the traffic.

Additional Filtering Options

You can identify traffic by using additional options. These options differ by ACL type. The following list includes most but not all additional filtering options:

• IPv4 ACLs support the following additional filtering options:
    • Layer 4 protocol
    • TCP and UDP ports
    • ICMP types and codes
    • IGMP types
    • Precedence level
    • Differentiated Services Code Point (DSCP) value
    • TCP packets with the ACK, FIN, PSH, RST, SYN, or URG bit set
    • Established TCP connections
    • Packet length
• IPv6 ACLs support the following additional filtering options:
    • Layer 4 protocol
    • Encapsulating Security Payload
    • Payload Compression Protocol
    • Stream Control Transmission Protocol (SCTP)
    • SCTP, TCP, and UDP ports
    • ICMP types and codes
    • DSCP value
    • TCP packets with the ACK, FIN, PSH, RST, SYN, or URG bit set
    • Established TCP connections
    • Packet length
• MAC ACLs support the following additional filtering options:
    • Layer 3 protocol (Ethertype)
    • VLAN ID
    • Class of Service (CoS)

Sequence Numbers

The device supports sequence numbers for rules. Every rule that you enter receives a sequence number, either assigned by you or assigned automatically by the device. Sequence numbers simplify the following ACL tasks:

Adding new rules between existing rules
    By specifying the sequence number, you specify where in the ACL a new rule should be positioned. For example, if you need to insert a rule between rules numbered 100 and 110, you could assign a sequence number of 105 to the new rule.

Removing a rule
    Without using a sequence number, removing a rule requires that you enter the whole rule, as follows:

    switch(config-acl)# no permit tcp 10.0.0.0/8 any

    However, if the same rule had a sequence number of 101, removing the rule requires only the following command:

    switch(config-acl)# no 101

Moving a rule
    With sequence numbers, if you need to move a rule to a different position within an ACL, you can add a second instance of the rule using the sequence number that positions it correctly, and then you can remove the original instance of the rule. This action allows you to move the rule without disrupting traffic.

If you enter a rule without a sequence number, the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule to the rule. For example, if the last rule in an ACL has a sequence number of 225 and you add a rule without a sequence number, the device assigns the sequence number 235 to the new rule.

In addition, Cisco NX-OS allows you to reassign sequence numbers to rules in an ACL. Resequencing is useful when an ACL has rules numbered contiguously, such as 100 and 101, and you need to insert one or more rules between those rules.

Logical Operators and Logical Operation Units

IP ACL rules for TCP and UDP traffic can use logical operators to filter traffic based on port numbers. Cisco NX-OS supports logical operators in only the ingress direction.

The device stores operator-operand couples in registers called logical operator units (LOUs). The LOU usage for each type of operator is as follows:

eq
    Is never stored in an LOU
gt
    Uses 1 LOU
lt
    Uses 1 LOU
neq
    Uses 1 LOU
range
    Uses 1 LOU

IPv4 ACL Logging

The IPv4 ACL logging feature monitors IPv4 ACL flows and logs statistics.
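The first-match evaluation, implicit deny, and sequence-number operations described in the About ACLs and Sequence Numbers sections above, modelled in Python as an added example (this is not Cisco code; the Rule and IpAcl class names, and the reduction of matching to protocol plus source/destination prefixes, are inventions of this example):

```python
"""Added example, not from the Cisco guide: a minimal model of an NX-OS IP ACL
with sequence numbers, first-match evaluation and the implicit 'deny ip any any'.
Matching is reduced to protocol and source/destination prefixes; the class and
method names are inventions of this example."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches any IP protocol; otherwise "tcp", "udp", ...
    src: str      # prefix such as "10.0.0.0/8", or "any"
    dst: str

    def matches(self, proto, src_ip, dst_ip):
        def in_prefix(prefix, ip):
            return prefix == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)
        return (self.proto in ("ip", proto)
                and in_prefix(self.src, src_ip) and in_prefix(self.dst, dst_ip))


class IpAcl:
    STEP = 10  # an auto-assigned sequence number is 10 above the last rule

    def __init__(self):
        self.rules = {}  # sequence number -> Rule, kept sorted by sequence

    def add(self, rule, seq=None):
        """Add a rule; with an explicit seq it lands between existing rules."""
        if seq is None:
            seq = max(self.rules) + self.STEP if self.rules else self.STEP
        self.rules[seq] = rule
        self.rules = dict(sorted(self.rules.items()))
        return seq

    def remove(self, seq):
        """The equivalent of 'no <seq>': remove a rule without retyping it."""
        del self.rules[seq]

    def move(self, seq, new_seq):
        """Move a rule by adding a second instance first, then removing the original."""
        self.add(self.rules[seq], new_seq)
        self.remove(seq)

    def resequence(self, start=10, step=10):
        """Renumber contiguous rules (e.g. 100, 101) to make room for inserts."""
        self.rules = {start + i * step: r for i, r in enumerate(self.rules.values())}

    def evaluate(self, proto, src_ip, dst_ip):
        """First matching rule wins; unmatched traffic hits the implicit deny."""
        for seq, rule in self.rules.items():
            if rule.matches(proto, src_ip, dst_ip):
                return rule.action, seq
        return "deny", None  # implicit 'deny ip any any', not in the running config
```

Moving the narrower deny rule ahead of the broad permit changes the verdict for the same packet, which is why rule order (and therefore sequence numbering) matters.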
A flow is defined by the source interface, protocol, source IP address, source port, destination IP address, and destination port values. The statistics maintained for a flow include the number of forwarded packets (for each flow that matches the permit conditions of the ACL entry) and dropped packets (for each flow that matches the deny conditions of the ACL entry).

Time Ranges

You can use time ranges to control when an ACL rule is in effect. For example, if the device determines that a particular ACL applies to traffic arriving on an interface, and a rule in the ACL uses a time range that is not in effect, the device does not compare the traffic to that rule. The device evaluates time ranges based on its clock.

When you apply an ACL that uses time ranges, the device updates the affected I/O module whenever a time range referenced in the ACL starts or ends. Updates that are initiated by time ranges occur on a best-effort priority. If the device is especially busy when a time range causes an update, the device may delay the update by up to a few seconds.

IPv4, IPv6, and MAC ACLs support time ranges. When the device applies an ACL to traffic, the rules in effect are as follows:
• All rules without a time range specified
• Rules with a time range that includes the second when the device applies the ACL to traffic

The device supports named, reusable time ranges, which allows you to configure a time range once and specify it by name when you configure many ACL rules. Time range names have a maximum length of 64 alphanumeric characters.

A time range contains one or more rules. The two types of rules are as follows:

Absolute
    A rule with a specific start date and time, specific end date and time, both, or neither. The following items describe how the presence or absence of a start or end date and time affects whether an absolute time range rule is active:
    • Start and end date and time both specified—The time range rule is active when the current time is later than the start date and time and earlier than the end date and time.
    • Start date and time specified with no end date and time—The time range rule is active when the current time is later than the start date and time.
    • No start date and time with end date and time specified—The time range rule is active when the current time is earlier than the end date and time.
    • No start or end date and time specified—The time range rule is always active.

    For example, you could prepare your network to allow access to a new subnet by specifying a time range that allows access beginning at midnight of the day that you plan to place the subnet online. You can use that time range in ACL rules that apply to the subnet. After the start time and date have passed, the device automatically begins applying the rules that use this time range when it applies the ACLs that contain the rules.

Periodic
    A rule that is active one or more times per week. For example, you could use a periodic time range to allow access to a lab subnet only during work hours on weekdays. The device automatically applies ACL rules that use this time range only when the range is active and when it applies the ACLs that contain the rules.

Note: The order of rules in a time range does not affect how a device evaluates whether a time range is active. Cisco NX-OS includes sequence numbers in time ranges to make editing the time range easier.

Time ranges also allow you to include remarks, which you can use to insert comments into a time range. Remarks have a maximum length of 100 alphanumeric characters.

The device determines whether a time range is active as follows:
• The time range contains one or more absolute rules—The time range is active if the current time is within one or more absolute rules.
• The time range contains one or more periodic rules—The time range is active if the current time is within one or more periodic rules.
• The time range contains both absolute and periodic rules—The time range is active if the current time is within one or more absolute rules and within one or more periodic rules.

When a time range contains both absolute and periodic rules, the periodic rules can only be active when at least one absolute rule is active.

Policy-Based ACLs

The device supports policy-based ACLs (PBACLs), which allow you to apply access control policies across object groups. An object group is a group of IP addresses or a group of TCP or UDP ports. When you create a rule, you specify the object groups rather than specifying IP addresses or ports.
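The time-range activation logic from the Time Ranges section above (absolute rules with optional bounds, periodic rules, and the rule that a range with both kinds is active only when an absolute and a periodic rule are both active), as an added Python example rather than anything from the Cisco guide; the Absolute and Periodic class names and the go-live date are made up for the illustration:

```python
"""Added example, not from the Cisco guide: deciding whether a named time range is
active, following the Time Ranges section above.  Absolute rules may omit start
and/or end; periodic rules name weekdays and a daily window; when both kinds are
present, the range is active only if at least one absolute AND at least one
periodic rule is active.  Class names and sample dates are made up here."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass
class Absolute:
    start: Optional[datetime] = None  # None: no start bound
    end: Optional[datetime] = None    # None: no end bound

    def active(self, now):
        # "later than the start" and "earlier than the end"; a missing bound is no limit
        return (self.start is None or now > self.start) and (self.end is None or now < self.end)


@dataclass
class Periodic:
    weekdays: set   # 0 = Monday ... 6 = Sunday
    start: time
    end: time

    def active(self, now):
        return now.weekday() in self.weekdays and self.start <= now.time() < self.end


def time_range_active(rules, now):
    """Rule order is irrelevant; only which kinds of rules are present matters."""
    absolutes = [r for r in rules if isinstance(r, Absolute)]
    periodics = [r for r in rules if isinstance(r, Periodic)]
    abs_ok = any(r.active(now) for r in absolutes)
    per_ok = any(r.active(now) for r in periodics)
    if absolutes and periodics:
        return abs_ok and per_ok  # periodic rules count only while an absolute rule is active
    return abs_ok or per_ok


# Constructed sample: lab subnet reachable during weekday work hours, but only
# once the subnet goes online at midnight on 2024-03-01 (a made-up date).
LAB_HOURS = [
    Absolute(start=datetime(2024, 3, 1, 0, 0)),
    Periodic(weekdays={0, 1, 2, 3, 4}, start=time(8, 0), end=time(18, 0)),
]
```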
Using object groups when you configure IPv4 or IPv6 ACLs can help reduce the complexity of updating ACLs when you need to add or remove addresses or ports from the source or destination of rules. For example, if three rules reference the same IP address group object, you can add an IP address to the object instead of changing all three rules.

PBACLs do not reduce the resources required by an ACL when you apply it to an interface. When you apply a PBACL or update a PBACL that is already applied, the device expands each rule that refers to object groups into one ACL entry per object within the group. If a rule specifies the source and destination both with object groups, the number of ACL entries created on the I/O module when you apply the PBACL is equal to the number of objects in the source group multiplied by the number of objects in the destination group.

The following object group types apply to port, router, policy-based routing (PBR), and VLAN ACLs:

IPv4 Address Object Groups
    Can be used with IPv4 ACL rules to specify source or destination addresses. When you use the permit or deny command to configure a rule, the addrgroup keyword allows you to specify an object group for the source or destination.
IPv6 Address Object Groups
    Can be used with IPv6 ACL rules to specify source or destination addresses. When you use the permit or deny command to configure a rule, the addrgroup keyword allows you to specify an object group for the source or destination.
Protocol Port Object Groups
    Can be used with IPv4 and IPv6 TCP and UDP rules to specify source or destination ports. When you use the permit or deny command to configure a rule, the portgroup keyword allows you to specify an object group for the source or destination.

Note: Policy-based routing (PBR) ACLs do not support deny access control entries (ACEs) or deny commands to configure a rule.

Statistics and ACLs

The device can maintain global statistics for each rule that you configure in IPv4, IPv6, and MAC ACLs. If an ACL is applied to multiple interfaces, the maintained rule statistics are the sum of packet matches (hits) on all the interfaces on which that ACL is applied.

Note: The device does not support interface-level ACL statistics.
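The PBACL expansion (one ACL entry per source object times destination object) and the per-rule, interface-independent statistics described in the Policy-Based ACLs and Statistics and ACLs sections above, as an added Python example that is not Cisco code; the object groups, rule contents, interface names and traffic are constructed for the illustration:

```python
"""Added example, not from the Cisco guide: how a policy-based ACL (PBACL) rule that
names addrgroup objects expands into one ACL entry per source/destination object
pair, and how per-rule statistics sum the hits of all those entries over every
interface the ACL is applied to, with nothing counted for the implicit deny.
Object groups, rules, interface names and traffic are constructed for this example."""
import ipaddress
from itertools import product


def expand_pbacl_rule(rule, addr_groups):
    """Return the flat entries the I/O module holds for one rule.
    A literal prefix or 'any' is left alone; a group name is replaced by its objects,
    so the entry count is len(source objects) * len(destination objects)."""
    srcs = addr_groups.get(rule["src"], [rule["src"]])
    dsts = addr_groups.get(rule["dst"], [rule["dst"]])
    return [dict(rule, src=s, dst=d) for s, d in product(srcs, dsts)]


def entry_matches(entry, pkt):
    def in_prefix(prefix, ip):
        return prefix == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)
    return (entry["proto"] in ("ip", pkt["proto"])
            and in_prefix(entry["src"], pkt["src"]) and in_prefix(entry["dst"], pkt["dst"])
            and entry.get("dport") in (None, pkt.get("dport")))


def acl_statistics(rules, addr_groups, traffic):
    """traffic is a list of (interface, packet) pairs.  Returns {seq: hits}; the
    interface is deliberately ignored because statistics are global per rule."""
    expanded = [e for r in rules for e in expand_pbacl_rule(r, addr_groups)]
    stats = {r["seq"]: 0 for r in rules}
    for _iface, pkt in traffic:
        for entry in expanded:  # entries stay in rule order, so first match wins
            if entry_matches(entry, pkt):
                stats[entry["seq"]] += 1
                break
        # no match: implicit 'deny ip any any', for which no counter exists
    return stats


# Constructed object groups and a two-rule PBACL (addresses are made up).
ADDR_GROUPS = {
    "web-clients": ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"],
    "web-servers": ["192.0.2.10/32", "192.0.2.11/32"],
}
PBACL = [
    {"seq": 10, "action": "permit", "proto": "tcp", "src": "web-clients", "dst": "web-servers", "dport": 443},
    {"seq": 20, "action": "deny", "proto": "ip", "src": "web-clients", "dst": "any"},
]
```

The first rule alone becomes 3 x 2 = 6 hardware entries, which is why a PBACL saves configuration effort but not TCAM.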
For each ACL that you configure, you can specify whether the device maintains statistics for that ACL, which allows you to turn ACL statistics on or off as needed to monitor traffic filtered by an ACL or to help troubleshoot the configuration of an ACL.

The device does not maintain statistics for implicit rules in an ACL. For example, the device does not maintain a count of packets that match the implicit deny ip any any rule at the end of all IPv4 ACLs. If you want to maintain statistics for implicit rules, you must explicitly configure the ACL with rules that are identical to the implicit rules.

Related Topics
Monitoring and Clearing IP ACL Statistics, on page 43
Implicit Rules for IP and MAC ACLs, on page 4

Atomic ACL Updates

By default, when a supervisor module of a Cisco Nexus 9000 Series device updates an I/O module with changes to an ACL, it performs an atomic ACL update. An atomic update does not disrupt traffic that the updated ACL applies to; however, an atomic update requires that an I/O module that receives an ACL update has enough available resources to store each updated ACL entry in addition to all pre-existing entries in the affected ACL. After the update occurs, the additional resources used for the update are freed. If the I/O module lacks the required resources, the device generates an error message and the ACL update to the I/O module fails.

If an I/O module lacks the resources required for an atomic update, you can disable atomic updates by using the no hardware access-list update atomic command; however, during the brief time required for the device to remove the preexisting ACL and implement the updated ACL, traffic that the ACL applies to is dropped by default.

If you want to permit all traffic that an ACL applies to while it receives a nonatomic update, use the hardware access-list update default-result permit command.
This example shows how to disable atomic updates to ACLs:

switch# config t
switch(config)# no hardware access-list update atomic

This example shows how to permit affected traffic during a nonatomic ACL update:

switch# config t
switch(config)# hardware access-list update default-result permit

This example shows how to revert to the atomic update method:

switch# config t
switch(config)# no hardware access-list update default-result permit
switch(config)# hardware access-list update atomic

Session Manager Support for IP ACLs

Session Manager supports the configuration of IP and MAC ACLs. This feature allows you to verify ACL configuration and confirm that the resources required by the configuration are available prior to committing them to the running configuration.

ACL TCAM Regions

You can change the size of the ACL ternary content addressable memory (TCAM) regions in the hardware.