Configuring IP ACLs

Cisco Nexus 3000 Series NX-OS Security Configuration Guide, Release 5.0(3)U2(2), OL-25780-01

This chapter describes how to configure IP access control lists (ACLs) on Cisco NX-OS. Unless otherwise specified, the term IP ACL refers to IPv4 ACLs.

Note: The Cisco NX-OS release that is running on a managed device may not support all documented features or settings. For the latest feature information and caveats, see the documentation and release notes for your platform and software release.

This chapter includes the following sections:

• Information About ACLs
• Licensing Requirements for IP ACLs
• Prerequisites for IP ACLs
• Guidelines and Limitations for IP ACLs
• Default Settings for IP ACLs
• Configuring IP ACLs
• Verifying IP ACL Configurations
• Monitoring and Clearing IP ACL Statistics
• Configuration Examples for IP ACLs

Information About ACLs

An ACL is an ordered set of rules that you can use to filter traffic. Each rule specifies a set of conditions that a packet must satisfy to match the rule. When the device determines that an ACL applies to a packet, it tests the packet against the conditions of the rules in order. The first matching rule determines whether the packet is permitted or denied; later rules are not consulted. If there is no match, the device applies the applicable implicit rule. The device continues processing packets that are permitted and drops packets that are denied.

You can use ACLs to protect networks and specific hosts from unnecessary or unwanted traffic. For example, you could use ACLs to disallow HTTP traffic from a high-security network to the Internet. You could also use ACLs to allow HTTP traffic but only to specific sites, using the IP address of the site to identify it in an IP ACL.

ACL Types and Applications

The device supports the following types of ACLs for security traffic filtering:

IPv4 ACLs
    The device applies IPv4 ACLs only to IPv4 traffic.

IP ACLs have the following types of applications:

Port ACL
    Filters Layer 2 traffic
Router ACL
    Filters Layer 3 traffic
VLAN ACL
    Filters VLAN traffic
VTY ACL
    Filters virtual teletype (VTY) traffic

This table summarizes the applications for security ACLs.
Table 1: Security ACL Applications

Application   Supported Interfaces                                        Types of ACLs Supported
Port ACL      • Layer 2 interfaces                                        • IPv4 ACLs
              • Layer 2 Ethernet port-channel interfaces
              When a port ACL is applied to a trunk port, the ACL
              filters traffic on all VLANs on the trunk port.
Router ACL    • VLAN interfaces                                            • IPv4 ACLs
              • Physical Layer 3 interfaces
              • Layer 3 Ethernet subinterfaces
              • Layer 3 Ethernet port-channel interfaces
              • Layer 3 Ethernet port-channel subinterfaces
              • Management interfaces
              Note: You must enable VLAN interfaces globally before
              you can configure a VLAN interface.
VLAN ACL      • VLANs                                                      • IPv4 ACLs
VTY ACL       • VTYs                                                       • IPv4 ACLs

Order of ACL Application

When the device processes a packet, it determines the forwarding path of the packet. The path determines which ACLs the device applies to the traffic. The device applies the ACLs in the following order:

1. Port ACL
2. Ingress VACL
3. Ingress router ACL
4. Ingress VTY ACL
5. Egress VTY ACL
6. Egress router ACL
7. Egress VACL

If the packet is bridged within the ingress VLAN, the device does not apply router ACLs. A packet is forwarded only if every ACL applied along its path permits it; a deny at any stage drops it.

The following figure shows the order in which the device applies ACLs.

Figure 1: Order of ACL Application

The following figure shows where the device applies ACLs, depending upon the type of ACL. The red path indicates a packet sent to a destination on a different interface than its source. The blue path indicates a packet that is bridged within its VLAN.

The device applies only the applicable ACLs. For example, if the ingress port is a Layer 2 port and the traffic is on a VLAN that has a VLAN interface, a port ACL and a router ACL can both apply. In addition, if a VACL is applied to the VLAN, the device applies that ACL too.
Figure 2: ACLs and Packet Flow

About Rules

Rules are what you create, modify, and remove when you configure how an ACL filters network traffic. Rules appear in the running configuration. When you apply an ACL to an interface or change a rule within an ACL that is already applied to an interface, the supervisor module creates ACL entries from the rules in the running configuration and sends those ACL entries to the applicable I/O module. Depending upon how you configure the ACL, there may be more ACL entries than rules, especially if you implement policy-based ACLs by using object groups when you configure rules.

You can create rules in access-list configuration mode by using the permit or deny command. The device allows traffic that matches the criteria in a permit rule and blocks traffic that matches the criteria in a deny rule. You have many options for configuring the criteria that traffic must meet in order to match the rule.

This section describes some of the options that you can use when you configure a rule. For information about every option, see the applicable permit and deny commands in the Cisco Nexus 7000 Series NX-OS Security Command Reference.

Protocols

IPv4 ACLs allow you to identify traffic by protocol. For your convenience, you can specify some protocols by name. For example, in an IPv4 ACL, you can specify ICMP by name.

You can specify any protocol by number. In IPv4, you specify protocols by the integer that represents the Internet protocol number. For example, you can use 115 to specify Layer 2 Tunneling Protocol (L2TP) traffic.

For a list of the protocols that each type of ACL supports by name, see the applicable permit and deny commands in the Cisco Nexus 3000 Series NX-OS Security Command Reference.
Source and Destination

In each rule, you specify the source and the destination of the traffic that matches the rule. You can specify both the source and destination as a specific host, a network or group of hosts, or any host. How you specify the source and destination depends on the type of ACL you are configuring; in an IPv4 ACL you use IPv4 host addresses and prefixes.

Implicit Rules

IP and MAC ACLs have implicit rules, which means that although these rules do not appear in the running configuration, the device applies them to traffic when no other rules in an ACL match. When you configure the device to maintain per-rule statistics for an ACL, the device does not maintain statistics for implicit rules.

All IPv4 ACLs include the following implicit rule:

    deny ip any any

This implicit rule ensures that the device denies unmatched IP traffic. (The corresponding implicit rule of a MAC ACL denies unmatched traffic regardless of the protocol specified in the Layer 2 header of the traffic.) In practice this means an ACL with only deny rules blocks everything, and an ACL that is applied to an interface must contain at least one permit rule for any traffic to pass.

Additional Filtering Options

You can identify traffic by using additional options. These options differ by ACL type. The following list includes most but not all additional filtering options:

• IPv4 ACLs support the following additional filtering options:
  ◦ Layer 4 protocol
  ◦ Authentication Header Protocol
  ◦ Enhanced Interior Gateway Routing Protocol (EIGRP)
  ◦ Open Shortest Path First (OSPF)
  ◦ Payload Compression Protocol
  ◦ Protocol-independent multicast (PIM)
  ◦ TCP and UDP ports
  ◦ ICMP types and codes
  ◦ Precedence level
  ◦ Differentiated Services Code Point (DSCP) value
  ◦ TCP packets with the ACK, FIN, PSH, RST, SYN, or URG bit set
  ◦ Established TCP connections
  ◦ Packet length

Sequence Numbers

The device supports sequence numbers for rules. Every rule that you enter receives a sequence number, either assigned by you or assigned automatically by the device. Sequence numbers simplify the following ACL tasks:

Adding new rules between existing rules
    By specifying the sequence number, you specify where in the ACL a new rule should be positioned. For example, if you need to insert a rule between rules numbered 100 and 110, you could assign a sequence number of 105 to the new rule.
Removing a rule
    Without using a sequence number, removing a rule requires that you enter the whole rule, as follows:

        switch(config-acl)# no permit tcp 10.0.0.0/8 any

    However, if the same rule had a sequence number of 101, removing the rule requires only the following command:

        switch(config-acl)# no 101

Moving a rule
    With sequence numbers, if you need to move a rule to a different position within an ACL, you can add a second instance of the rule using the sequence number that positions it correctly, and then you can remove the original instance of the rule. This action allows you to move the rule without disrupting traffic.

If you enter a rule without a sequence number, the device adds the rule to the end of the ACL and assigns it a sequence number that is 10 greater than the sequence number of the preceding rule. For example, if the last rule in an ACL has a sequence number of 225 and you add a rule without a sequence number, the device assigns the sequence number 235 to the new rule.

In addition, Cisco NX-OS allows you to reassign sequence numbers to rules in an ACL. Resequencing is useful when an ACL has rules numbered contiguously, such as 100 and 101, and you need to insert one or more rules between those rules.

Logical Operators and Logical Operation Units

IP ACL rules for TCP and UDP traffic can use logical operators to filter traffic based on port numbers. The device stores operator-operand couples in registers called logical operator units (LOUs). The LOU usage for each type of operator is as follows:

eq      Is never stored in an LOU
gt      Uses 1 LOU
lt      Uses 1 LOU
neq     Uses 1 LOU
range   Uses 1 LOU

Statistics and ACLs

The device can maintain global statistics for each rule that you configure in IPv4, IPv6, and MAC ACLs. If an ACL is applied to multiple interfaces, the maintained rule statistics are the sum of packet matches (hits) on all the interfaces on which that ACL is applied.

Note: The device does not support interface-level ACL statistics.
For each ACL that you configure, you can specify whether the device maintains statistics for that ACL, which allows you to turn ACL statistics on or off as needed to monitor traffic filtered by an ACL or to help troubleshoot the configuration of an ACL.

The device does not maintain statistics for implicit rules in an ACL. For example, the device does not maintain a count of packets that match the implicit deny ip any any rule at the end of all IPv4 ACLs. If you want to maintain statistics for implicit rules, you must explicitly configure the ACL with rules that are identical to the implicit rules (for example, an explicit deny ip any any as the last rule), which is also the only way to see how much traffic the ACL is silently dropping.

VTY Support

Cisco NX-OS does not support applying an ACL directly to a VTY line; however, you can use control plane policing (CoPP) to filter VTY traffic. To do so, you must define two ACLs for use with filtering VTY traffic: one ACL that permits traffic that you want to allow and another ACL that permits traffic that you want to drop. Then you can configure CoPP to transmit the packets that are permitted by the ACL that matches desirable traffic and to drop the packets that are permitted by the ACL that matches undesirable traffic.

In the following example, the ACL copp-system-acl-allow explicitly allows Telnet, SSH, SNMP, NTP, RADIUS, and TACACS+ traffic that is inbound from the 10.30.30.0/24 network and allows any traffic outbound from the device to the 10.30.30.0/24 network. The copp-system-acl-deny ACL explicitly allows all traffic. The policing policies are configured to transmit the traffic permitted by the copp-system-acl-allow ACL and to drop the traffic permitted by the copp-system-acl-deny ACL. The order of the classes in the policy map matters: a packet is classified by the first class it matches, so anything not permitted by copp-system-acl-allow falls through to the catch-all class and is dropped. Because a CoPP policy governs all traffic punted to the supervisor, a policy built from this example must also permit any other control-plane traffic the device depends on, or that traffic will be dropped by the catch-all class as well.
    ip access-list copp-system-acl-allow
      10 remark ### ALLOW TELNET from 10.30.30.0/24
      20 permit tcp 10.30.30.0/24 any eq telnet
      30 permit tcp 10.30.30.0/24 any eq 107
      40 remark ### ALLOW SSH from 10.30.30.0/24
      50 permit tcp 10.30.30.0/24 any eq 22
      60 remark ### ALLOW SNMP from 10.30.30.0/24
      70 permit udp 10.30.30.0/24 any eq snmp
      80 remark ### ALLOW TACACS from 10.30.30.0/24
      90 permit tcp 10.30.30.0/24 any eq tacacs
      100 remark ### ALLOW RADIUS from 10.30.30.0/24
      110 permit udp 10.30.30.0/24 any eq 1812
      120 permit udp 10.30.30.0/24 any eq 1813
      130 permit udp 10.30.30.0/24 any eq 1645
      140 permit udp 10.30.30.0/24 any eq 1646
      150 permit udp 10.30.30.0/24 eq 1812 any
      160 permit udp 10.30.30.0/24 eq 1813 any
      170 permit udp 10.30.30.0/24 eq 1645 any
      180 permit udp 10.30.30.0/24 eq 1646 any
      190 remark ### ALLOW NTP from 10.30.30.0/24
      200 permit udp 10.30.30.0/24 any eq ntp
      210 remark ### ALLOW ALL OUTBOUND traffic TO 10.30.30.0/24
      220 permit ip any 10.30.30.0/24
      ! keep statistics on matches
      statistics per-entry
    ip access-list copp-system-acl-deny
      10 remark ### this is a catch-all to match any other traffic
      20 permit ip any any
      ! keep statistics on matches
      statistics per-entry
    class-map type control-plane match-any copp-system-class-management-allow
      match access-group name copp-system-acl-allow
    class-map type control-plane match-any copp-system-class-management-deny
      match access-group name copp-system-acl-deny
    policy-map type control-plane copp-system-policy
      class copp-system-class-management-allow
        police cir 60000 kbps bc 250 ms conform transmit violate drop
      class copp-system-class-management-deny
        police cir 60000 kbps bc 250 ms conform drop violate drop
    control-plane
      service-policy input copp-system-policy

The statistics per-entry command is the full form of the "statistics" line in the original listing; it keeps a hit counter on each rule, so the per-rule counts let you confirm that management sessions are being absorbed by copp-system-acl-allow rather than by the catch-all ACL. Note that the catch-all class drops on both conform and violate, so its rate limit is irrelevant; it exists only to give the unwanted traffic a class to land in.

Session Manager Support for IP ACLs

Session Manager supports the configuration of IP and MAC ACLs. This feature allows you to verify ACL configuration and confirm that the resources required by the configuration are available prior to committing them to the running configuration. For more information about Session Manager, see the Session Manager documentation for your platform and release.
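The following is an added example, not code from the Cisco guide: a small offline model of the IPv4 ACL semantics described in the About Rules, Sequence Numbers, Statistics and Order of ACL Application sections above (ordered rules with sequence numbers, first-match evaluation, the implicit deny ip any any, per-rule statistics that exclude the implicit rule, automatic numbering in steps of 10, resequencing, and the ingress-to-egress order in which port, VLAN and router ACLs are applied). It is useful for reasoning about a policy before pushing it to a device. The rule syntax it accepts is a hypothetical subset of the NX-OS permit/deny syntax, and the packets it evaluates are constructed dicts, not captured traffic.

```python
"""Added example (not from the Cisco guide): model of NX-OS IPv4 ACL semantics.
Hypothetical subset of the permit/deny syntax; packets are constructed dicts."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(spec):
    """'any', a host address or a prefix, as in 'permit tcp 10.0.0.0/8 any'."""
    return ANY if spec == "any" else ipaddress.ip_network(spec, strict=False)


def packet(proto, src, dst, dport=None):
    """Constructed packet carrying only the fields this model matches on."""
    return {"proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": dport}


@dataclass
class Rule:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any IPv4 protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # 'eq <port>' for tcp/udp; None = any port
    hits: int = 0                # per-rule statistics (statistics per-entry)

    def matches(self, pkt):
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if pkt["src"] not in self.src or pkt["dst"] not in self.dst:
            return False
        return self.dport is None or pkt["dport"] == self.dport


class IPv4ACL:
    def __init__(self, name, statistics=True):
        self.name = name
        self.statistics = statistics
        self.rules = []          # always kept sorted by sequence number

    def add(self, action, proto, src, dst, dport=None, seq=None):
        """No seq given: append with last seq + 10 (the first rule gets 10)."""
        if seq is None:
            seq = self.rules[-1].seq + 10 if self.rules else 10
        if any(r.seq == seq for r in self.rules):
            raise ValueError("sequence %d already in use" % seq)
        self.rules.append(Rule(seq, action, proto, _net(src), _net(dst), dport))
        self.rules.sort(key=lambda r: r.seq)
        return seq

    def remove(self, seq):
        """'no <seq>': remove a rule by its sequence number alone."""
        self.rules = [r for r in self.rules if r.seq != seq]

    def resequence(self, start=10, step=10):
        """Renumber in order, as 'resequence ip access-list <name> <start> <step>' does."""
        for i, r in enumerate(self.rules):
            r.seq = start + i * step

    def evaluate(self, pkt):
        """First match wins; no match falls through to the implicit deny."""
        for r in self.rules:
            if r.matches(pkt):
                if self.statistics:
                    r.hits += 1
                return r.action, r.seq
        return "deny", None      # implicit 'deny ip any any': no counter kept


def forward(pkt, bridged, port_acl=None, vacl_in=None, racl_in=None,
            racl_out=None, vacl_out=None):
    """Apply ACLs in the order the guide lists (VTY ACLs omitted).
    A packet bridged within its ingress VLAN skips the router ACLs."""
    stages = [("port acl", port_acl), ("ingress vacl", vacl_in)]
    if not bridged:
        stages += [("ingress racl", racl_in), ("egress racl", racl_out)]
    stages.append(("egress vacl", vacl_out))
    for stage, acl in stages:
        if acl is not None and acl.evaluate(pkt)[0] == "deny":
            return "dropped by %s" % stage
    return "forwarded"
```

Inserting a rule with seq=15 lands it between 10 and 20 and changes the verdict for traffic that rule 20 would otherwise deny; removing it by number restores the old behaviour, and resequence renumbers without disturbing hit counts. A packet that matches no rule returns ("deny", None) and increments nothing, mirroring the absence of statistics for the implicit rule.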
Licensing Requirements for IP ACLs

The following table shows the licensing requirements for this feature:

Product       License Requirement
Cisco NX-OS   No license is required to use IP ACLs. However, to support up to 128K ACL entries using an XL line card, you must install the scalable services license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.

Prerequisites for IP ACLs

IP ACLs have the following prerequisites:

• You must be familiar with IP addressing and protocols to configure IP ACLs.
• You must be familiar with the interface types that you want to configure with ACLs.

Guidelines and Limitations for IP ACLs

IP ACLs have the following configuration guidelines and limitations:

• We recommend that you perform ACL configuration using the Session Manager. This feature allows you to verify ACL configuration and confirm that the resources required by the configuration are available prior to committing them to the running configuration. This is especially useful for ACLs that include more than about 1000 rules.
• In most cases, ACL processing for IP packets occurs on the I/O modules, which use hardware that accelerates ACL processing. In some circumstances, processing occurs on the supervisor module, which can result in slower ACL processing, especially during processing that involves an ACL with a large number of rules. Management interface traffic is always processed on the supervisor module. If IP packets in any of the following categories are exiting a Layer 3 interface, they are sent to the supervisor module for processing:
  ◦ Packets that fail the Layer 3 maximum transmission unit check and therefore require fragmenting.
  ◦ IPv4 packets that have IP options (additional IP packet header fields following the destination address field).
  Rate limiters prevent redirected packets from overwhelming the supervisor module.
  Note: Prior to Cisco NX-OS Release 4.2(3), ACL logging does not support ACL processing that occurs on the supervisor module.
• When you apply an ACL that uses time ranges, the device updates the ACL entries on the affected I/O modules whenever a time range referenced in an ACL entry starts or ends. Updates that are initiated by time ranges occur at a best-effort priority. If the device is especially busy when a time range causes an update, the device may delay the update by up to a few seconds, during which the previous entries remain in effect.
• To apply an IP ACL to a VLAN interface, you must have enabled VLAN interfaces globally.
• The maximum number of supported IP ACL entries is 64K for devices without an XL line card and 128K for devices with an XL line card.
• If you try to apply too many ACL entries to a non-XL line card, the configuration is rejected.
• Each forwarding engine on an F1 Series module supports 1K ingress ACL entries, with 984 entries available for user configuration. The total number of IP ACL entries for the F1 Series modules is from 1K to 16K, depending on which forwarding engines the policies are applied to.
• F1 Series modules do not support router ACLs.
• F1 Series modules do not support ACL logging.
• F1 Series modules do not support bank chaining.
• Each port ACL can support up to four different Layer 4 operations for F1 Series modules.
• Each of the 16 forwarding engines in an F1 Series module supports up to 250 IPv6 addresses across multiple ACLs.
• The VTY ACL feature restricts all traffic for all VTY lines. You cannot specify different traffic restrictions for different VTY lines.
• Any router ACL can be configured as a VTY ACL.
• ACL policies are not supported on the Fabric Extender fabric port channel.

Default Settings for IP ACLs

This table lists the default settings for IP ACL parameters.

Table 2: Default IP ACL Parameters

Parameters      Default
IP ACLs         No IP ACLs exist by default
ACL rules       Implicit rules apply to all ACLs
Object groups   No object groups exist by default
Time ranges     No time ranges exist by default

Configuring IP ACLs

Creating an IP ACL

You can create an IPv4 ACL on the device and add rules to it.
Before You Begin

We recommend that you perform ACL configuration using the Session Manager. This feature allows you to verify ACL configuration and confirm that the resources required by the configuration are available prior to committing them to the running configuration.
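As an added illustration of the Session Manager workflow recommended above (this is not a listing from the guide), the following session creates an ACL, applies it, verifies that the hardware resources are available and only then commits. The ACL name mgmt-in, the rules and the use of the mgmt0 interface are assumptions chosen for the example; configure session, verify and commit are the Session Manager commands, and the two output lines are representative of what the device prints.

```text
switch# configure session acl-mgmt-change
switch(config-s)# ip access-list mgmt-in
switch(config-s-acl)# 10 permit tcp 10.30.30.0/24 any eq 22
switch(config-s-acl)# 20 deny ip any any
switch(config-s-acl)# statistics per-entry
switch(config-s-acl)# exit
switch(config-s)# interface mgmt0
switch(config-s-if)# ip access-group mgmt-in in
switch(config-s-if)# exit
switch(config-s)# verify
Verification Successful
switch(config-s)# commit
Commit Successful
```

Nothing in the session touches the running configuration until commit succeeds; if verify reports a failure (for example, not enough ACL entries on the target module) you can correct the session or discard it with abort without having partially applied the policy. The explicit deny ip any any as the last rule duplicates the implicit rule so that dropped packets are counted in the per-entry statistics.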
