ServerIron ADX Security Guide
12.0.00
June 10, 2009


Configuring Numbered and Named ACLs
When you configure ACLs, you can refer to the ACL by a numeric ID or by an alphanumeric name. The commands for numbered ACLs differ from the commands for named ACLs.
If you refer to the ACL by a numeric ID, use 1 – 99 for a standard ACL or 100 – 199 for an extended ACL. This document refers to such an ACL as a numbered ACL.
You can configure up to 100 standard numbered IP ACLs and 100 extended numbered IP ACLs, and up to 100 standard named ACLs and 100 extended named ACLs. Regardless of how many ACLs you have, the device can hold a maximum of 1024 ACL entries in total, distributed among the ACLs in any combination. (On ServerIron Chassis devices with Management 2 or Management 3 modules, the maximum is 2048.) This entry budget is shared by every ACL on the device, so a single large ACL reduces the room left for the others.
Configuring Standard Numbered ACLs
This section describes how to configure standard numbered ACLs with numeric IDs.
Standard ACLs permit or deny packets based on the source IP address only. You can configure up to 99 standard numbered ACLs (IDs 1 – 99). There is no per-ACL limit on the number of entries an ACL can contain, only the system-wide limit. For the number of ACL entries supported on a device, see “ACL IDs and Entries”.
To configure a standard ACL and apply it to outgoing traffic on port 1/1, enter the following commands.
ServerIron(config)# access-list 1 deny host 209.157.22.26 log
ServerIron(config)# access-list 1 deny 209.157.29.12 log
ServerIron(config)# access-list 1 deny host IPHost1 log
ServerIron(config)# access-list 1 permit any
ServerIron(config)# int eth 1/1
ServerIron(config-if-1/1)# ip access-group 1 out
ServerIron(config)# write memory
The commands in this example configure an ACL that prevents packets from three source IP addresses from being forwarded out port 1/1 and logs each denied packet. The last entry permits all packets that are not explicitly denied by the first three entries; without it, the implicit deny at the end of every ACL would drop all other outbound traffic on the port. The third entry uses a host name, which works only if the device can resolve it (see the note on the DNS resolver below).
Standard ACL Syntax
Syntax: [no] access-list <num> deny | permit <source-ip> | <hostname> <wildcard> [log]
or
Syntax: [no] access-list <num> deny | permit <source-ip>/<mask-bits> | <hostname> [log]
Syntax: [no] access-list <num> deny | permit host <source-ip> | <hostname> [log]
Syntax: [no] access-list <num> deny | permit any [log]
Syntax: [no] ip access-group <num> in | out
The <num> parameter is the access list number and can be from 1 – 99.
The deny | permit parameter indicates whether packets that match a policy in the access list are denied (dropped) or permitted (forwarded).
The <source-ip> parameter specifies the source IP address. Alternatively, you can specify the host name.
NOTE: To specify the host name instead of the IP address, the host name must be configured using the Brocade device’s DNS resolver. To configure the DNS resolver name, use the ip dns server-address… command at the global CONFIG level of the CLI.
The <wildcard> parameter specifies the mask value to compare against the host address specified by the <source-ip> parameter. The <wildcard> is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet’s source address must match the <source-ip>. Ones mean any value matches. For example, the <source-ip> and <wildcard> values 209.157.22.26 0.0.0.255 mean that all hosts in the Class C sub-net 209.157.22.x match the policy.
If you prefer to specify the wildcard (mask value) in CIDR format, you can enter a forward slash after the IP address, then enter the number of significant bits in the mask. For example, you can enter the CIDR equivalent of “209.157.22.26 0.0.0.255” as “209.157.22.26/24”. The CLI automatically converts the CIDR number into the appropriate ACL mask (where zeros instead of ones are the significant bits) and changes the non-significant portion of the IP address into zeros. For example, if you specify 209.157.22.26/24 or 209.157.22.26 0.0.0.255, then save the changes to the startup-config file, the value appears as 209.157.22.0/24 (if you have enabled display of sub-net lengths) or 209.157.22.0 0.0.0.255 in the startup-config file.
If you enable the software to display IP sub-net masks in CIDR format, the mask is saved in the file in “/<mask-bits>” format. To enable the software to display the CIDR masks, enter the ip show-subnet-length command at the global CONFIG level of the CLI. You can use the CIDR format to configure the ACL entry regardless of whether the software is configured to display the masks in CIDR format.
NOTE: If you use the CIDR format, the ACL entries appear in this format in the running-config and startup-config files, but are shown with sub-net mask in the display produced by the show ip access-list command.
The host <source-ip> | <hostname> parameter lets you specify a host IP address or name. When you use this parameter, you do not need to specify the mask. A mask of all zeros (0.0.0.0) is implied.
The any parameter configures the policy to match on all host addresses.
The log argument configures the device to generate Syslog entries and SNMP traps for packets that are permitted or denied by the access policy. If you use the log argument, packets that match the entry are sent to the CPU for processing. Because logged entries are handled in software rather than in hardware, enabling log on an entry that matches high-volume traffic can load the CPU; use it selectively, for example on deny entries you expect to match rarely.
NOTE: You can enable logging on ACLs and filters that support logging even when the ACLs and filters are already in use. To do so, re-enter the ACL or filter command and add the log parameter to the end of the ACL or filter. The software replaces the ACL or filter command with the new one. The new ACL or filter, with logging enabled, takes effect immediately.
The in | out parameter specifies whether the ACL applies to incoming traffic or outgoing traffic on the interface to which you apply the ACL. You can apply the ACL to an Ethernet port. Note that the out option is not supported in the rule-based ACL mode.
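Offline check of the rules just described. The following Python program is an added example written for this page; it is not Brocade code and does not run on the device. It implements the wildcard and CIDR conversions, the normalization the CLI performs when it saves an entry, and first-match evaluation with the implicit deny, so you can predict what a standard ACL will do to a given source address before applying it to a port. Assumptions: host names are rejected rather than resolved (the device resolves them through its DNS resolver), a bare address with no mask is treated as a single host, and the 209.157.23.0/24 entry is constructed to exercise the CIDR form.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address

ALL_ONES = 0xFFFFFFFF


def wildcard_to_prefix_len(wildcard: str) -> int:
    """'0.0.0.255' -> 24. A wildcard must be a run of low-order one bits;
    something like 0.255.0.255 has no /bits equivalent and is rejected."""
    w = int(IPv4Address(wildcard))
    ones = w.bit_length()
    if w != (1 << ones) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return 32 - ones


def prefix_len_to_wildcard(bits: int) -> str:
    """24 -> '0.0.0.255': the bitwise inverse of the subnet mask."""
    if not 0 <= bits <= 32:
        raise ValueError(f"prefix length out of range: {bits}")
    return str(IPv4Address((1 << (32 - bits)) - 1))


def normalize(source_ip: str, wildcard: str) -> str:
    """The address as the CLI stores it: host bits (wildcard ones) cleared,
    so '209.157.22.26' with '0.0.0.255' becomes '209.157.22.0'."""
    a, w = int(IPv4Address(source_ip)), int(IPv4Address(wildcard))
    return str(IPv4Address(a & ~w & ALL_ONES))


@dataclass(frozen=True)
class StdEntry:
    action: str        # 'permit' or 'deny'
    addr: int          # normalized source address
    wildcard: int      # 0 bits must match, 1 bits are don't-care
    log: bool = False


def parse_std_entry(line: str) -> StdEntry:
    """Parse one 'access-list <1-99> permit|deny <source> [log]' line in the
    forms shown on the page: 'host A', 'A W', 'A/bits', bare 'A' or 'any'.
    Host names are not resolved here (assumption: the device does that)."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or not 1 <= int(tok[1]) <= 99:
        raise ValueError(f"not a standard numbered ACL entry: {line!r}")
    action = tok[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action {action!r}")
    log = tok[-1] == "log"
    body = tok[3:-1] if log else tok[3:]
    try:
        if body == ["any"]:
            addr, wc = 0, ALL_ONES
        elif body[0] == "host" and len(body) == 2:
            addr, wc = int(IPv4Address(body[1])), 0
        elif len(body) == 1 and "/" in body[0]:
            ip, bits = body[0].split("/")
            addr, wc = int(IPv4Address(ip)), (1 << (32 - int(bits))) - 1
        elif len(body) == 2:
            addr, wc = int(IPv4Address(body[0])), int(IPv4Address(body[1]))
        elif len(body) == 1:          # bare address: treated as a single host
            addr, wc = int(IPv4Address(body[0])), 0
        else:
            raise ValueError("unrecognized source specification")
    except ValueError as exc:         # also covers unresolved host names
        raise ValueError(f"cannot parse {line!r}: {exc}") from None
    return StdEntry(action, addr & ~wc & ALL_ONES, wc, log)


def evaluate(acl: list[StdEntry], src_ip: str) -> tuple[str, bool, int | None]:
    """First-match evaluation. Returns (action, logged, entry_number); a
    packet matching no entry hits the implicit deny, which is not logged."""
    s = int(IPv4Address(src_ip))
    for n, e in enumerate(acl, 1):
        if ((s ^ e.addr) & ~e.wildcard & ALL_ONES) == 0:
            return e.action, e.log, n
    return "deny", False, None


# The ACL from the example above without its host-name entry, plus one
# constructed CIDR entry (constructed input, not from the page).
ACL_1 = [parse_std_entry(l) for l in (
    "access-list 1 deny host 209.157.22.26 log",
    "access-list 1 deny 209.157.29.12 log",
    "access-list 1 deny 209.157.23.0/24",
    "access-list 1 permit any",
)]

if __name__ == "__main__":
    for ip in ("209.157.22.26", "209.157.23.77", "209.157.22.27"):
        print(ip, evaluate(ACL_1, ip))
    # Drop the trailing 'permit any' and the implicit deny catches everything else.
    print("209.157.22.27", evaluate(ACL_1[:-1], "209.157.22.27"))
```

Running the program prints the action, whether the hit is logged, and the matching entry number for each address; the last line shows the implicit deny, which is silent, so a missing final permit shows up as dropped traffic with no Syslog entry.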
Configuring Extended Numbered ACLs
This section describes how to configure extended numbered ACLs.
Extended ACLs let you permit or deny packets based on the source IP address, the destination IP address, the IP protocol and, for TCP and UDP, the source and destination port; for ICMP you can also match the ICMP type and code.
The IP protocol can be one of the well-known names recognized by the CLI or any IP protocol number from 0 – 255.
For TCP and UDP, you also can specify a comparison operator and port name or number. For example, you can configure a policy to block web access to a specific website by denying all TCP port 80 (HTTP) packets from a specified source IP address to the website’s IP address.
To configure an extended access list that blocks all Telnet traffic received on port 1/1 from IP host 209.157.22.26, enter the following commands.
Here is another example of commands for configuring an extended ACL and applying it to an interface. These examples show many of the syntax choices. Notice that some of the entries are configured to generate log entries while others are not.
The first entry permits ICMP traffic from hosts in the 209.157.22.x network to hosts in the 209.157.21.x network.
The second entry denies IGMP traffic from the host device named “rkwong” to the 209.157.21.x network.
The third entry denies IGRP traffic from the 209.157.21.x network to the host device named “rkwong”.
The fourth entry denies all IP traffic from host 209.157.21.100 to host 209.157.22.1 and generates Syslog entries for packets that are denied by this entry.
The fifth entry denies all OSPF traffic and generates Syslog entries for denied traffic.
The sixth entry permits all packets that are not explicitly denied by the other entries. Without this entry, the ACL would deny all incoming or outgoing IP traffic on the ports to which you assign the ACL.
The following commands apply ACL 102 to the incoming and outgoing traffic on port 1/2 and to the incoming traffic on port 4/3.
Here is another example of an extended ACL.
The first entry in this ACL denies TCP traffic from the 209.157.21.x network to the 209.157.22.x network.
The second entry denies all FTP traffic from the 209.157.21.x network to the 209.157.22.x network.
The third entry denies TCP traffic from the 209.157.21.x network to the 209.157.22.x network if the TCP port number of the traffic is less than the well-known TCP port number for Telnet (23) and is not equal to 5. Thus, this entry does not deny TCP packets whose port number is 5 or is 23 or greater. Note that because the first entry already denies all TCP traffic between these two networks, the second and third entries are shadowed and never match; they are shown here to illustrate the syntax.
The fourth entry denies UDP packets from any source to the 209.157.22.x network, if the UDP port number from the source network is 5 or 6 and the destination UDP port is 7 or 8.
The fifth entry permits all packets that are not explicitly denied by the other entries. Without this entry, the ACL would deny all incoming or outgoing IP traffic on the ports to which you assign the ACL.
The following commands apply ACL 103 to the incoming and outgoing traffic on ports 2/1 and 2/2.
Extended ACL Syntax
Use the following syntax for configuring extended numbered ACLs:
Syntax: [no] access-list <num> deny | permit <ip-protocol> <source-ip> | <hostname> <wildcard> [<operator> <source-tcp/udp-port>] <destination-ip> | <hostname> [<icmp-type> | <icmp-num> | <icmp-type-number> <icmp-code-number>] <wildcard> [<operator> <destination-tcp/udp-port>] [established] [precedence <name> | <num>] [tos <name> | <num>] [ip-pkt-len <value>] [priority 0 | 1 | 2 | 3] [priority-force 0 | 1 | 2 | 3] [priority-mapping <8021p-value>] [dscp-mapping <dscp-value>] [dscp-marking <dscp-value>] [log]
Syntax: [no] access-list <num> deny | permit host <ip-protocol> any any [log]
Syntax: [no] ip access-group <num> in | out
The <num> parameter indicates the ACL number and can be from 100 – 199 for an extended ACL.
The deny | permit parameter indicates whether packets that match the policy are dropped or forwarded.
The <ip-protocol> parameter indicates the type of IP packet you are filtering. You can specify a well-known name for any protocol whose number is less than 255. For other protocols, you must enter the number. Enter “?” instead of a protocol to list the well-known names recognized by the CLI.
The <source-ip> | <hostname> parameter specifies the source IP host for the policy. If you want the policy to match on all source addresses, enter any.
The <wildcard> parameter specifies the portion of the source IP host address to match against. The <wildcard> is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet’s source address must match the <source-ip>. Ones mean any value matches. For example, the <source-ip> and <wildcard> values 209.157.22.26 0.0.0.255 mean that all hosts in the Class C sub-net 209.157.22.x match the policy.
If you prefer to specify the wildcard (mask value) in Classless Interdomain Routing (CIDR) format, you can enter a forward slash after the IP address, then enter the number of significant bits in the mask. For example, you can enter the CIDR equivalent of “209.157.22.26 0.0.0.255” as “209.157.22.26/24”. The CLI automatically converts the CIDR number into the appropriate ACL mask (where zeros instead of ones are the significant bits) and changes the non-significant portion of the IP address into zeros. For example, if you specify 209.157.22.26/24 or 209.157.22.26 0.0.0.255, then save the changes to the startup-config file, the value appears as 209.157.22.0/24 (if you have enabled display of sub-net lengths) or 209.157.22.0 0.0.0.255 in the startup-config file.
If you enable the software to display IP sub-net masks in CIDR format, the mask is saved in the file in “/<mask-bits>” format. To enable the software to display the CIDR masks, enter the ip show-subnet-length command at the global CONFIG level of the CLI. You can use the CIDR format to configure the ACL entry regardless of whether the software is configured to display the masks in CIDR format.
NOTE: If you use the CIDR format, the ACL entries appear in this format in the running-config and startup-config files, but are shown with sub-net mask in the display produced by the show ip access-list command.
The <destination-ip> | <hostname> parameter specifies the destination IP host for the policy. If you want the policy to match on all destination addresses, enter any.
The <icmp-type> | <icmp-num> parameter specifies the ICMP protocol type.
This parameter applies only if you specified icmp as the <ip-protocol> value.
The <icmp-num> parameter can be a value from 0 – 255.
The <icmp-type> parameter can have one of the following values, depending on the software version the device is running:
The <operator> parameter specifies a comparison operator for the TCP or UDP port number. This parameter applies only when you specify tcp or udp as the IP protocol. For example, if you are configuring an entry for HTTP, specify tcp eq http. You can enter one of the following operators:
eq – The policy applies to the TCP or UDP port name or number you enter after eq.
gt – The policy applies to TCP or UDP port numbers greater than the port number or the numeric equivalent of the port name you enter after gt.
lt – The policy applies to TCP or UDP port numbers that are less than the port number or the numeric equivalent of the port name you enter after lt.
neq – The policy applies to all TCP or UDP port numbers except the port number or port name you enter after neq.
range – The policy applies to all TCP or UDP port numbers that are between the first TCP or UDP port name or number and the second one you enter following the range parameter. The range includes the port names or numbers you enter. For example, to apply the policy to all ports between and including 23 (Telnet) and 53 (DNS), enter the following: range 23 53. The first port number in the range must be lower than the last number in the range.
established – This operator applies only to TCP packets. If you use this operator, the policy applies to TCP packets that have the ACK (Acknowledgment) or RST (Reset) bits set on (set to “1”) in the Control Bits field of the TCP packet header. Thus, the policy applies only to established TCP sessions, not to new sessions. See Section 3.1, “Header Format”, in RFC 793 for information about this field.
NOTE: This operator applies only to destination TCP ports, not source TCP ports.
The <tcp/udp-port> parameter specifies the TCP or UDP port number or well-known name. You can specify a well-known name for any application port whose number is less than 1024. For other application ports, you must enter the number. Enter “?” instead of a port to list the well-known names recognized by the CLI.
The in | out parameter specifies whether the ACL applies to incoming traffic or outgoing traffic on the interface to which you apply the ACL. You can apply the ACL to an Ethernet port.
NOTE: The out option is not supported in the rule-based ACL mode.
The precedence <name> | <num> parameter of the ip access-list command specifies the IP precedence. The precedence of an IP packet is set in a three-bit field following the four-bit header-length field of the packet’s header. You can specify one of the following:
critical or 5 – The ACL matches packets that have the critical precedence. If you specify the option number instead of the name, specify number 5.
flash or 3 – The ACL matches packets that have the flash precedence. If you specify the option number instead of the name, specify number 3.
flash-override or 4 – The ACL matches packets that have the flash override precedence. If you specify the option number instead of the name, specify number 4.
immediate or 2 – The ACL matches packets that have the immediate precedence. If you specify the option number instead of the name, specify number 2.
internet or 6 – The ACL matches packets that have the internetwork control precedence. If you specify the option number instead of the name, specify number 6.
network or 7 – The ACL matches packets that have the network control precedence. If you specify the option number instead of the name, specify number 7.
priority or 1 – The ACL matches packets that have the priority precedence. If you specify the option number instead of the name, specify number 1.
routine or 0 – The ACL matches packets that have the routine precedence. If you specify the option number instead of the name, specify number 0.
The tos <name> | <num> parameter of the ip access-list command specifies the IP ToS. You can specify one of the following:
max-reliability or 2 – The ACL matches packets that have the maximum reliability ToS. The decimal value for this option is 2.
max-throughput or 4 – The ACL matches packets that have the maximum throughput ToS. The decimal value for this option is 4.
min-delay or 8 – The ACL matches packets that have the minimum delay ToS. The decimal value for this option is 8.
min-monetary-cost or 1 – The ACL matches packets that have the minimum monetary cost ToS. The decimal value for this option is 1.
NOTE: This value is not supported on 10 Gigabit Ethernet modules.
normal or 0 – The ACL matches packets that have the normal ToS. The decimal value for this option is 0.
<num> – A number from 0 – 15 that is the sum of the numeric values of the options you want. The ToS field is a four-bit field following the Precedence field in the IP header. You can specify one or more of the following. To select more than one option, enter the decimal value that is equivalent to the sum of the numeric values of all the ToS options you want to select. For example, to select the max-reliability and min-delay options, enter number 10. To select all options, select 15.
The ip-pkt-len <value> parameter filters ICMP packets based on the IP packet length. The device uses the <value> to match the total length field in the IP header of ICMP packets. You can specify a value from 1 – 65535.
NOTE: This parameter applies only if you specified icmp as the <ip-protocol> value.
The priority, priority-force, priority-mapping, dscp-mapping, and dscp-marking options are supported. See the section “QoS Options for IP ACLs (Rule-Based ACLs)”.
The log parameter enables SNMP traps and Syslog messages for packets that match an entry carrying the log keyword; see the description of the log argument under “Standard ACL Syntax” for the CPU-processing caveat.
You can enable logging on ACLs and filters that support logging even when the ACLs and filters are already in use. To do so, re-enter the ACL or filter command and add the log parameter to the end of the ACL or filter. The software replaces the ACL or filter command with the new one. The new ACL or filter, with logging enabled, takes effect immediately.
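The port operators, the established keyword, and the precedence and ToS matching described above can be checked with the following Python model, an added example written for this page (not Brocade code). It models only the non-address part of an extended entry, since address matching is the same as for standard ACLs. Assumptions: only the port names that appear on this page are known (the CLI knows the full list); a numeric tos value is matched as exact equality of the 4-bit ToS field; protocol names are compared as strings rather than mapped to protocol numbers; the packet values are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

# Well-known names used on the page; the CLI knows many more ('?' lists them).
PORT_NAMES = {"ftp": 21, "telnet": 23, "dns": 53, "http": 80}
PRECEDENCE = {"routine": 0, "priority": 1, "immediate": 2, "flash": 3,
              "flash-override": 4, "critical": 5, "internet": 6, "network": 7}
TOS_OPTIONS = {"normal": 0, "min-monetary-cost": 1, "max-reliability": 2,
               "max-throughput": 4, "min-delay": 8}
TCP_ACK, TCP_RST = 0x10, 0x04      # control bits, RFC 793 section 3.1


def port_number(tok: str) -> int:
    if tok.isdigit():
        return int(tok)
    if tok in PORT_NAMES:
        return PORT_NAMES[tok]
    raise ValueError(f"unknown port name {tok!r}; enter the number instead")


def port_matches(operator: str, operands: list[str], port: int | None) -> bool:
    """eq/gt/lt/neq take one operand; range takes two and is inclusive."""
    if port is None:                  # protocol without ports never matches
        return False
    if operator == "range":
        lo, hi = (port_number(t) for t in operands)
        if lo >= hi:
            raise ValueError("range: first port must be lower than the last")
        return lo <= port <= hi
    (value,) = (port_number(t) for t in operands)
    ops = {"eq": port == value, "gt": port > value,
           "lt": port < value, "neq": port != value}
    if operator not in ops:
        raise ValueError(f"unknown operator {operator!r}")
    return ops[operator]


def split_tos_byte(tos_byte: int) -> tuple[int, int]:
    """(precedence, tos) from the 8-bit IPv4 ToS field: 3 precedence bits,
    then the 4 ToS bits (D, T, R, C = 8, 4, 2, 1), then one unused bit."""
    return tos_byte >> 5, (tos_byte >> 1) & 0xF


def _value(table: dict[str, int], want: str | int) -> int:
    return table[want] if isinstance(want, str) else want


@dataclass(frozen=True)
class L4Packet:
    """Fields an extended entry can test beyond the addresses (constructed)."""
    protocol: str                 # 'tcp', 'udp', 'icmp', 'ospf', ...
    tos_byte: int = 0
    total_length: int = 0         # IP header total length field
    src_port: int | None = None
    dst_port: int | None = None
    tcp_flags: int = 0
    icmp_type: int | None = None
    icmp_code: int | None = None


@dataclass(frozen=True)
class ExtMatch:
    """The non-address conditions of one extended entry."""
    protocol: str                                  # 'ip' matches every protocol
    src_op: tuple[str, list[str]] | None = None    # e.g. ('lt', ['telnet'])
    dst_op: tuple[str, list[str]] | None = None    # e.g. ('eq', ['http'])
    established: bool = False                      # ACK or RST set (TCP only)
    precedence: str | int | None = None
    tos: str | int | None = None                   # name, or a bit-sum 0 - 15
    ip_pkt_len: int | None = None                  # applies to icmp only
    icmp_type: int | None = None
    icmp_code: int | None = None


def l4_matches(m: ExtMatch, p: L4Packet) -> bool:
    """True when the packet satisfies every condition the entry specifies."""
    if m.protocol != "ip" and m.protocol != p.protocol:
        return False
    if m.src_op and not port_matches(*m.src_op, p.src_port):
        return False
    if m.dst_op and not port_matches(*m.dst_op, p.dst_port):
        return False
    if m.established and not (p.protocol == "tcp" and p.tcp_flags & (TCP_ACK | TCP_RST)):
        return False
    prec, tos = split_tos_byte(p.tos_byte)
    if m.precedence is not None and prec != _value(PRECEDENCE, m.precedence):
        return False
    if m.tos is not None and tos != _value(TOS_OPTIONS, m.tos):   # assumption: exact field match
        return False
    if m.ip_pkt_len is not None and (p.protocol != "icmp" or p.total_length != m.ip_pkt_len):
        return False
    if m.icmp_type is not None and p.icmp_type != m.icmp_type:
        return False
    if m.icmp_code is not None and p.icmp_code != m.icmp_code:
        return False
    return True


if __name__ == "__main__":
    # 'permit tcp ... eq http established': only packets of sessions already set up.
    web = ExtMatch("tcp", dst_op=("eq", ["http"]), established=True)
    for flags in (0x02, 0x10):        # SYN alone, then ACK
        print(hex(flags), l4_matches(web, L4Packet("tcp", dst_port=80, tcp_flags=flags)))
    # 'lt telnet': port 23 itself is not less than telnet.
    print([port_matches("lt", ["telnet"], p) for p in (22, 23, 24)])
```

The established check is the one to get right: it passes any segment with ACK or RST set, which is why the page says it applies only to established sessions and not to new ones (a SYN without ACK fails it).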
Configuring Standard or Extended Named ACLs
To configure a named IP ACL, use the following CLI method.
The commands for configuring named ACL entries are different from the commands for configuring numbered ACL entries. The command to configure a numbered ACL is access-list. The command for configuring a named ACL is ip access-list. In addition, when you configure a numbered ACL entry, you specify all the command parameters on the same command. When you configure a named ACL, you specify the ACL type (standard or extended) and the ACL name (or number) with one command, which places you in the configuration level for that ACL. Once you enter the configuration level for the ACL, the command syntax is the same as the syntax for numbered ACLs.
The following examples show how to configure a named standard ACL entry and a named extended ACL entry.
Configuration Example for Standard ACL
To configure a named standard ACL entry, enter commands such as the following.
The commands in this example configure a standard ACL named “Net1”. The entries in this ACL deny packets from three source IP addresses from being forwarded on port 1/1. Since the implicit action for an ACL is “deny”, the last ACL entry in this ACL permits all packets that are not explicitly denied by the first three ACL entries. For an example of how to configure the same entries in a numbered ACL, see “Configuring Standard Numbered ACLs”.
Notice that the command prompt changes after you enter the ACL type and name. The “std” in the command prompt indicates that you are configuring entries for a standard ACL. For an extended ACL, this part of the command prompt is “ext”. The “nacl” indicates that you are configuring a named ACL.
Syntax: ip access-list extended | standard <string> | <num>
The extended | standard parameter indicates the ACL type.
The <string> parameter is the ACL name. You can specify a string of up to 256 alphanumeric characters. You can use blanks in the ACL name if you enclose the name in quotation marks (for example, “ACL for Net1”). The <num> parameter allows you to specify an ACL number if you prefer. If you specify a number, you can specify from 1 – 99 for standard ACLs or 100 – 199 for extended ACLs.
NOTE: For convenience, the software allows you to configure numbered ACLs using the syntax for named ACLs. The software also still supports the older syntax for numbered ACLs. Although the software allows both methods for configuring numbered ACLs, numbered ACLs are always formatted in the startup-config and running-config files using the older syntax, as follows.

access-list 1 deny host 209.157.22.26 log
access-list 1 deny 209.157.22.0 0.0.0.255 log
access-list 1 permit any
access-list 101 deny tcp any any eq http log
The options at the ACL configuration level and the syntax for the ip access-group command are the same for numbered and named ACLs and are described in “Configuring Standard Numbered ACLs”.
Configuration Example for Extended ACL
To configure a named extended ACL entry, enter commands such as the following.
The options at the ACL configuration level and the syntax for the ip access-group command are the same for numbered and named ACLs and are described in “Configuring Extended Numbered ACLs”.
Displaying ACL Definitions
To display the ACLs configured on a device, use the show ip access-lists command. Here is an example:
ServerIron(config)# show ip access-lists
Extended IP access list 101
deny tcp host 209.157.22.26 host 209.157.22.26 eq http log
Syntax: show ip access-lists [<num>]
The show access-list and show ip access-list commands have been updated to display ACL entries with line numbers.
Numbered ACL
For a numbered ACL, you can enter a command such as the following:
ServerIron(config)# show access-list 99 3
Standard IP access-list 99
deny 10.10.10.1
deny 192.168.1.13
permit any
Syntax: show access-list <acl-number> [<line-number>]
Enter the ACL’s number for the <acl-number> parameter.
Determine from which line you want the displayed information to begin and enter that number for the <line-number> parameter.
Named ACL
For a named ACL, enter a command such as the following:
ServerIron(config)# show ip access-list melon 3
Standard IP access-list melon
deny host 5.6.7.8
deny 192.168.12.3
permit any
Syntax: show ip access-list <acl-name> | <acl-number> [<line-number>]
Enter the ACL name for the <acl-name> parameter or the ACL’s number for <acl-number>.
Determine from which line you want the displayed information to begin and enter that number for the <line-number> parameter.
Displaying ACLs Using Keywords
You can limit the displayed ACL entries to those that contain a specified keyword.
Numbered ACL
You may have the following numbered ACL:
ServerIron(config)# show access-list 99
Standard IP access-list 99
deny host 1.2.3.4
permit host 5.6.7.8
permit host 5.10.11.12
permit any
If you want to display ACL entries beginning with the entry that contains the keyword “5” enter the following command:
ServerIron(config)# show access-list 99 | begin 5
Standard IP access-list 99
permit host 5.6.7.8
permit host 5.10.11.12
permit any
Since the second entry is the first entry that contains the keyword “5”, the display begins with line 2.
If you want to display only the ACL entries that contain the keyword “5” enter the following command:
ServerIron(config)#show access-list 99 | include 5
Standard IP access-list 99
permit host 5.6.7.8
permit host 5.10.11.12
The second and third entries in the ACL contain the keyword “5” and are displayed in the show access-list.
If you want to exclude ACL entries that contain a keyword from the show access-list display, enter the following command:
ServerIron(config)# show access-list 99 | exclude 5
Standard IP access-list 99
deny host 1.2.3.4
permit any
The second and third ACL entries are left out from the display.
Syntax: show access-list <acl-number> | begin|exclude|include <keyword>
Enter the ACL number for the <acl-number> parameter.
Use the | operator to indicate a keyword.
Enter the begin <keyword> parameter to start the display beginning with the first line containing the text that matches the keyword. For example, if you enter begin Total, the displayed information begins with the line containing the word “Total”.
Enter the exclude <keyword> parameter to exclude any lines containing text that match the keyword. For example, if you enter exclude Total, any line containing the word “Total” is excluded from the display.
Enter the include <keyword> parameter to display only those lines containing text that matches the keyword. For example, if you enter include Total, only lines containing the word “Total” are included in the display.
Named ACLs
You may have the following named ACL:
ServerIron(config)# show access-list melon
Standard IP access-list melon
deny host 1.2.3.4
permit host 5.6.7.8
permit host 5.10.11.12
permit any
If you want to display ACL entries beginning with the entry that contains the keyword “5” enter the following command:
ServerIron(config)# show access-list melon | begin 5
Standard IP access-list melon
permit host 5.6.7.8
permit host 5.10.11.12
permit any
Since the second entry is the first entry that contains the keyword “5”, the display begins with line 2.
If you want to display only the ACL entries that contain the keyword “5” enter the following command:
ServerIron(config)# show access-list melon | include 5
Standard IP access-list melon
permit host 5.6.7.8
permit host 5.10.11.12
The second and third entries in the ACL contain the keyword “5” and are displayed in the show access-list.
If you want to exclude ACL entries that contain a keyword from the show access-list display, enter the following command:
ServerIron(config)# show access-list melon | exclude 5
Standard IP access-list melon
deny host 1.2.3.4
permit any
The second and third ACL entries are left out from the display.
Syntax: show ip access-list <acl-name> | begin | exclude | include <keyword>
Enter the ACL’s name for the <acl-name> parameter.
Use the | operator to indicate a keyword.
Enter the begin <keyword> parameter to start the display beginning with the first line containing text that matches the keyword. For example, if you enter begin Total, the displayed information begins with the line containing the word “Total”.
Enter the exclude <keyword> parameter to exclude any lines containing text that match the keyword. For example, if you enter exclude Total, any line containing the word “Total” is excluded from the display.
Enter the include <keyword> parameter to display only those lines containing text that matches the keyword. For example, if you enter include Total, only lines containing the word “Total” are included in the display.
If ACL entries, for both numbered and named ACLs, have remarks, the display will also include the remarks if they contain characters that match the specified keywords. For example, ACL 99 might contain the following entries:

ServerIron(config)# show access-list 99
Standard IP access-list 99
ACL Remark: Deny Building A
deny host 1.2.3.4
ACL Remark: Permit First Floor Users
permit host 5.6.7.8
deny host 5.10.11.12
permit any

To show all entries containing the keyword “deny”, enter the following command and obtain the following output:

ServerIron(config)#show access-list 99 | include deny
Standard IP access-list 99
ACL Remark: Deny Building A
deny host 1.2.3.4
deny host 5.10.11.12
All lines with the keyword “deny”, including remarks, are included in the display. As the remark “Deny Building A” shows, the keyword match is not case-sensitive, so a filter on “deny” also returns remarks that merely mention the word; do not rely on this output alone to count the deny entries in an ACL.

Copyright © 2009 Brocade Communications Systems, Inc.