Configuring extended ACLs

Where standard ACLs use only the source IPv4 address as their filtering criterion, extended ACLs use multiple filtering criteria. This enables you to define your IPv4 packet filtering more precisely.

Extended ACLs enable filtering on the following:

  • Source and destination IPv4 addresses (required), each specified as one of:

    • a specific host

    • a subnet or group of addresses

    • any address

  • choice of any IPv4 protocol

  • optional packet-type criteria for IGMP and ICMP traffic

  • optional source and/or destination TCP or UDP port, with a further option for comparison operators and (for TCP) an option for establishing connections

HP Switches allow up to 2048 ACLs in any combination of IPv4 and IPv6 ACLs, and determine the total from the number of unique identifiers in the configuration. For example, configuring two ACLs results in an ACL total of two, even if neither is assigned to an interface. If you then assign a nonexistent ACL to an interface, the new ACL total is three, because the switch now has three unique ACL names in its configuration.

Configuring named, extended ACLs

For a match to occur with an ACE in an extended ACL, a packet must have the source and destination address criteria specified by the ACE, as well as any IPv4 protocol-specific criteria included in the command.

Use the following general steps to create or add to a named, extended ACL:

  1. Create and/or enter the context of a named, extended ACL.

  2. Enter the first ACE in a new, extended ACL or append an ACE to the end of an existing, extended ACL.

The following command is a prerequisite to entering or editing ACEs in a named, extended ACL.

Syntax:

ip access-list extended <name-str>

Places the CLI in the "Named ACL" (nacl) context specified by the <name-str> alphanumeric identifier. This enables entry of individual ACEs in the specified ACL. If the ACL does not already exist, this command creates it.

<name-str>

Specifies an alphanumeric identifier for the ACL. Consists of an alphanumeric string of up to 64 case-sensitive characters. Including spaces in the string requires that you enclose the string in single or double quotes. For example: "accounting ACL". You can also use this command to access an existing, numbered ACL. See Using the CLI to edit ACLs.

Configuring ACEs in named, extended ACLs

Configuring ACEs is done after entering the ip access-list extended <name-str> command described above.

Where standard ACLs use only the source address as their filtering criterion (see the section "Standard ACL structure"), extended ACLs use multiple filtering criteria. This enables you to define your IPv4 packet filtering more precisely.

Syntax: (nacl context)

<deny|permit> <ip|ip-protocol|ip-protocol-nbr>

<any|host <SA>|SA/mask-length|SA <mask>>

<any|host <DA>|DA/mask-length|DA <mask>>

[precedence] [tos] [log]

Appends an ACE to the end of the list of ACEs in the current ACL. In the default configuration, ACEs are automatically assigned consecutive sequence numbers in increments of 10 and can be renumbered using resequence (see Resequencing the ACEs in an ACL).


NOTE: To insert a new ACE between two existing ACEs in an extended, named ACL, precede deny or permit with an appropriate sequence number along with the ACE keywords and variables you want. See Inserting an ACE in an existing ACL.

For a match to occur, a packet must have the source and destination addressing criteria specified in the ACE, as well as:

  • the protocol-specific criteria configured in the ACE, including any included, optional elements (described later in this section)

  • any (optional) precedence and/or ToS settings configured in the ACE (applies to the HP Switch 2620-series only)


<deny|permit>

For named ACLs, these keywords are used in the "Named ACL" (nacl) context to specify whether the ACE denies or permits a packet matching the criteria in the ACE, as described below.

<ip|ip-protocol|ip-protocol-nbr>

Used after deny or permit to specify the packet protocol type required for a match. An extended ACL must include one of the following:

  • ip – any IPv4 packet.

  • ip-protocol – any one of the following IPv4 protocol names: ip-in-ip, ipv6-in-ip, gre, esp, ah, ospf, pim, vrrp, sctp, tcp*, udp*, icmp*, igmp*

  • ip-protocol-nbr – the protocol number of an IPv4 packet type, such as "8" for Exterior Gateway Protocol or 121 for Simple Message Protocol. (For a listing of IPv4 protocol numbers and their corresponding protocol names, see the IANA "Protocol Number Assignment Services" at www.iana.com.) (Range: 0–255)

*For TCP, UDP, ICMP, and IGMP, additional criteria can be specified (applies to the HP Switch 2620-series only).

<any|host <SA>|SA <mask>|SA/mask-length>

This is the first instance of IPv4 addressing in an extended ACE. It follows the protocol specifier and defines the source address (SA) a packet must carry for a match with the ACE.

  • any

    Allows IPv4 packets from any SA.

  • host <SA>

    Specifies only packets having a single address as the SA. Use this criterion when you want to match only the IPv4 packets from a single SA.

  • SA <mask> or SA/mask-length

    Specifies packets received from an SA, where the SA is either a subnet or a group of addresses. The mask can be in either dotted-decimal format or CIDR format (number of significant bits).

    SA Mask application

    The mask is applied to the SA in the ACL to define which bits in a packet's SA must exactly match the SA configured in the ACL and which bits need not match.

    Example:

    10.10.10.1/24 and 10.10.10.1 0.0.0.255 both define any address in the range of 10.10.10.(1 - 255).

    Note: Specifying a group of contiguous addresses may require more than one ACE.

<any|host <DA>|DA/mask-length|DA <mask>>

This is the second instance of IPv4 addressing in an extended ACE. It follows the first (SA) instance, described earlier, and defines the destination address (DA) that a packet must carry in order to have a match with the ACE.

  • any

    Allows routed IPv4 packets to any DA.

  • host <DA>

    Specifies only packets having <DA> as the destination address. Use this criterion when you want to match only the IPv4 packets for a single DA.

  • DA/mask-length or DA <mask>

    Specifies packets intended for a destination address, where the address is either a subnet or a group of addresses. The mask format can be in either dotted-decimal format or CIDR format (number of significant bits).

    DA Mask application

    The mask is applied to the DA in the ACL to define which bits in a packet's DA must exactly match the DA configured in the ACL and which bits need not match.

[log]

This option can be used after the DA to generate an Event Log message if:

  • The action is deny. Not applicable to permit.

  • There is a match.

  • ACL logging is enabled.

Including options for TCP and UDP traffic in extended ACLs

An ACE designed to permit or deny TCP or UDP traffic can optionally include port number criteria for either the source or destination, or both.

Syntax:

<deny|permit> tcp

<SA> [comparison-operator <tcp-src-port>]

<DA> [comparison-operator <tcp-dest-port>]

Syntax:

<deny|permit> udp

<SA> [comparison-operator <udp-src-port>]

<DA> [comparison-operator <udp-dest-port>]

In an extended ACL using either tcp or udp as the packet protocol type, you can optionally use TCP or UDP source and/or destination port numbers or ranges of numbers to further define the criteria for a match.

[comparison-operator <tcp/udp-src-port>]

To specify a TCP or UDP source port number in an ACE:

  1. Select a comparison operator from the following list.

  2. Enter the port number or a well-known port name.

Comparison operators

  • eq <tcp/udp-port-nbr>

    "Equal To"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be equal to <tcp/udp-port-nbr>.

  • gt <tcp/udp-port-nbr>

    "Greater Than"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be greater than <tcp/udp-port-nbr>.

  • lt <tcp/udp-port-nbr>

    "Less Than"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be less than <tcp/udp-port-nbr>.

  • neq <tcp/udp-port-nbr>

    "Not Equal"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must not be equal to <tcp/udp-port-nbr>.

  • range <start-port-nbr> <end-port-nbr>

    For a match with the ACE entry, the TCP or UDP source port number in a packet must be in the range <start-port-nbr> to <end-port-nbr>, inclusive.

Port number or well-known port name:

Use the TCP or UDP port number required by your application.

The switch also accepts these well-known TCP or UDP port names as an alternative to their port numbers:

  • TCP – bgp, dns, ftp, http, imap4, ldap, nntp, pop2, pop3, smtp, ssl, telnet

  • UDP – bootpc, bootps, dns, ntp, radius, radius-old, rip, snmp, snmp-trap, tftp

To list the above names, press the [Shift] [?] key combination after entering an operator. For a comprehensive listing of port numbers, visit www.iana.org/assignments/port-numbers.

[comparison-operator <tcp-dest-port>]

[comparison-operator <udp-dest-port>]

This option, if used, is entered immediately after the <DA> entry.

To specify a TCP or UDP destination port number:

  1. select a comparison operator

  2. enter the port number or a well-known port name
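The SA/DA mask application and the TCP/UDP comparison operators described above, worked through as an added example (this is not code from the HP documentation): a small Python evaluator that applies an ACE's address criteria (any, host, CIDR mask-length, or dotted ACL mask) and port operators to packets in sequence order, so you can check what a candidate ACL actually permits before applying it. The ACL and packets are constructed here; the implicit deny of unmatched packets at the end of the list is standard ACL behaviour that this section does not itself describe.

```python
from collections import namedtuple
from ipaddress import IPv4Address, IPv4Network

# Comparison operators from the page: eq, gt, lt, neq, range <start> <end>.
OPS = {"eq": lambda p, a: p == a, "neq": lambda p, a: p != a,
       "gt": lambda p, a: p > a, "lt": lambda p, a: p < a,
       "range": lambda p, a: a[0] <= p <= a[1]}

def addr_matches(spec, addr):
    """spec: 'any', 'host A.B.C.D', 'A.B.C.D/len' or 'A.B.C.D W.X.Y.Z' (1 bits in the dotted mask need not match)."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return IPv4Address(addr) == IPv4Address(spec[5:])
    if "/" in spec:
        return IPv4Address(addr) in IPv4Network(spec, strict=False)
    base, mask = spec.split()
    care = 0xFFFFFFFF ^ int(IPv4Address(mask))   # bits that must match exactly
    return (int(IPv4Address(base)) & care) == (int(IPv4Address(addr)) & care)

def port_matches(cond, port):
    """cond is None (no port criterion) or (operator, argument)."""
    return cond is None or OPS[cond[0]](port, cond[1])

# seq: sequence number; proto "ip" matches any IPv4 protocol; ports: None or ("eq", 80), ("range", (1, 1023)), ...
ACE = namedtuple("ACE", "seq action proto src dst src_port dst_port",
                 defaults=(None, None))

def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    if not (addr_matches(ace.src, pkt["src"]) and addr_matches(ace.dst, pkt["dst"])):
        return False
    if ace.proto in ("tcp", "udp"):   # port criteria apply only to TCP/UDP ACEs
        return (port_matches(ace.src_port, pkt.get("sport"))
                and port_matches(ace.dst_port, pkt.get("dport")))
    return True

def evaluate(acl, pkt):
    """First matching ACE in sequence order decides; no match = implicit deny."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace_matches(ace, pkt):
            return ace.action, ace.seq
    return "deny", None

# Constructed sample ACL (not from the page): HTTP to one server, other low ports blocked.
ACL = [
    ACE(10, "permit", "tcp", "10.10.10.1 0.0.0.255", "host 10.20.0.5", dst_port=("eq", 80)),
    ACE(20, "deny", "tcp", "10.10.10.0/24", "any", dst_port=("range", (1, 1023))),
    ACE(30, "permit", "ip", "10.10.10.0/24", "any"),
]
```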

Configuring numbered, extended ACLs

This section describes the commands for performing the following in a numbered, extended ACL:

  • Creating the ACL by entering the first ACE in the list

  • Appending a new ACE to the end of an existing ACL

Creating or adding to an extended, numbered ACL

This command is an alternative to using ip access-list extended <name-str> and does not use the nacl context.

Syntax:

access-list <100-199> <deny|permit> <ip|ip-protocol|ip-protocol-nbr>

<any|host <SA>|SA/mask-length|SA <mask>>

<any|host <DA>|DA/mask-length|DA <mask>>

[log]

If the ACL does not already exist, this command creates the specified ACL and its first ACE. If the ACL already exists, the new ACE is appended to the end of the configured list of explicit ACEs. In the default configuration, the ACEs in an ACL are automatically assigned consecutive sequence numbers in increments of 10 and can be renumbered with resequence (see Resequencing the ACEs in an ACL).


NOTE: To insert a new ACE between two existing ACEs in an extended, numbered ACL:

  1. Use ip access-list extended <100-199> to open the ACL as a named ACL.

  2. Enter the desired sequence number along with the ACE statement you want.


For a match to occur, a packet must have the source and destination addressing criteria specified in the ACE, as well as:

  • The protocol-specific criteria configured in the ACE, including any included, optional elements (described later in this section).

  • Any (optional) precedence and/or ToS settings configured in the ACE.

<100-199>

Specifies the ACL ID number. The switch interprets a numeric ACL with a value in this range as an extended ACL.

<deny|permit>

Specifies whether to deny (drop) or permit (forward) a packet that matches the criteria specified in the ACE, as described below.

<ip|ip-protocol|ip-protocol-nbr>

Specifies the packet protocol type required for a match. An extended ACL must include one of the following:

  • ip – any IPv4 packet.

  • ip-protocol – any one of the following IPv4 protocol names: ip-in-ip, ipv6-in-ip, gre, esp, ah, ospf, pim, vrrp, sctp, tcp*, udp*, icmp*, igmp*

    * For TCP, UDP, ICMP, and IGMP, additional criteria can be specified, as described later in this section.

  • ip-protocol-nbr – the protocol number of an IPv4 packet type, such as "8" for Exterior Gateway Protocol or 121 for Simple Message Protocol. (For a listing of IPv4 protocol numbers and their corresponding protocol names, see the IANA "Protocol Number Assignment Services" at www.iana.com.) (Range: 0-255)

<any|host <SA>|SA/mask-length|SA <mask>>

In an extended ACL, this parameter defines the source address (SA) that a packet must carry in order to have a match with the ACE.

  • any

    Specifies all inbound IPv4 packets.

  • host <SA>

    Specifies only inbound IPv4 packets from a single address. Use this option when you want to match only the IPv4 packets from a single source address.

  • SA/mask-length or SA <mask>

    Specifies packets received from an SA, where the SA is either a subnet or a group of IPv4 addresses. The mask can be in either dotted-decimal format or CIDR format with the number of significant bits.

    SA mask application

    The mask is applied to the SA in the ACL to define which bits in a packet's SA must exactly match the address configured in the ACL and which bits need not match.

    Example:

    10.10.10.1/24 and 10.10.10.1 0.0.0.255 both define any IPv4 address in the range of 10.10.10.(1-255).


    NOTE: Specifying a group of contiguous IPv4 addresses may require more than one ACE. For more on how masks operate in ACLs.


Syntax:

<any|host <DA>|DA/mask-length|DA <mask>>

This is the second instance of addressing in an extended ACE. It follows the first (SA) instance, described earlier, and defines the destination address (DA) that a packet must carry in order to have a match with the ACE. The options are the same as shown for <SA>.

  • any

    Allows routed IPv4 packets to any DA.

  • host <DA>

    Specifies only the packets having <DA> as the destination address. Use this criterion when you want to match only the IPv4 packets for a single DA.

  • DA/mask-length or DA <mask>

    Specifies packets intended for a destination address, where the address is either a subnet or a group of IPv4 addresses. The mask format can be in either dotted-decimal format or CIDR format (number of significant bits).

    DA Mask application

    The mask is applied to the DA in the ACL to define which bits in a packet's DA must exactly match the DA configured in the ACL and which bits need not match. See also the above example and note.

[log]

Optional; generates an Event Log message if:

  • The action is deny. This option is not configurable for permit.

  • There is a match.

  • ACL logging is enabled on the switch.

Controlling TCP and UDP traffic flow

An ACE designed to permit or deny TCP or UDP traffic can optionally include port number criteria for either the source or destination, or both.

Syntax:

access-list <100-199> <deny|permit> <tcp|udp>

<SA> [comparison-operator <tcp/udp-src-port>]

<DA> [comparison-operator <tcp/udp-dest-port>]

These source-port and destination-port TCP/UDP criteria are identical to the criteria described for TCP/UDP use in named, extended ACLs.