The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter describes system support for access control lists and explains how they are configured. The product administration guides provide examples and procedures for configuration of basic services on the system. You should select the configuration example that best meets your service model before using the procedures described below.
 Important |
You do not require a license to configure ACLs. However, the number of ACLs configured may impact performance significantly. |
Important |
Not all commands and keywords/variables may be available. Availability depends on the platform type. |
This chapter contains the following sections:
An individual interface
All traffic facilitated by a context (known as a policy ACL)
An individual subscriber
All subscriber sessions facilitated by a specific context
Separate ACLs may be created for IPv4 and IPv6 access routes.
Important |
Refer to ACL Configuration Mode Commands and the IPv6 ACL Configuration Mode Commands chapter in the Command Line Interface Reference for the full command syntax. |
A single ACL consists of one or more ACL rules. Each rule is a filter configured to take a specific action when packets matching specific criteria. Up to 256 rules can be configured per ACL.
Important |
Configured ACLs consisting of no rules imply a "deny any" rule. The deny action and any criteria are discussed later in this section. This is the default behavior for an empty ACL. |
Each rule specifies the action to take when a packet matches the specifies criteria. This section discusses the rule actions and criteria supported by the system.
Permit: The packet is accepted and processed.
Deny: The packet is rejected.
Redirect: The packet is forwarded to the specified next-hop address through a specific system interface or to the specified context for processing.
Important |
Redirect rules are ignored for ACLs applied to specific subscribers or all subscribers facilitated by a specific context, or APN for UMTS subscribers. |
Each ACL consists of one or more rules specifying the criteria that packets will be compared against.
Any: Filters all packets
Host: Filters packets based on the source host IP address
ICMP: Filters Internet Control Message Protocol (ICMP) packets
IP: Filters Internet Protocol (IP) packets
Source IP Address: Filter packets based on one or more source IP addresses
TCP: Filters Transport Control Protocol (TCP) packets
UDP: Filters User Datagram Protocol (UDP) packets
Each of the above criteria are described in detail in the sections that follow.
Important |
The following sections contain basic ACL rule syntax information. Refer to the ACL Configuration Mode Commands and IPv6 ACL Configuration Mode Commands chapters in the Command Line Interface Reference for the full command syntax. |
Any: The rule applies to all packets.
Host: The rule applies to a specific host as determined by its IP address.
ICMP: The rule applies to specific Internet Control Message Protocol (ICMP) packets, Types, or Codes. ICMP type and code definitions can be found at www.iana.org (RFC 3232).
IP: The rule applies to specific Internet Protocol (IP) packets or fragments.
IP Packet Size Identification Algorithm: The rule applies to specific Internet Protocol (IP) packets identification for fragmentation during forwarding.
This configuration is related to the "IP Identification field" assignment algorithm used by the system, when subscriber packets are being encapsulated (such as Mobile IP and other tunneling encapsulation). Within the system, subscriber packet encapsulation is done in a distributed way and a 16-bit IP identification space is divided and distributed to each entity which does the encapsulation, so that unique IP identification value can be assigned for IP headers during encapsulation.
Since this distributed IP Identification space is small, a non-zero unique identification will be assigned only for those packets which may potentially be fragmented during forwarding (since the IP identification field is only used for reassembly of the fragmented packet). The total size of the IP packet is used to determine the possibility of that packet getting fragmented.
Source IP Address: The rule applies to specific packets originating from a specific source address or a group of source addresses.
TCP: The rule applies to any Transport Control Protocol (TCP) traffic and could be filtered on any combination of source/destination IP addresses, a specific port number, or a group of port numbers. TCP port numbers definitions can be found at www.iana.org
UDP: The rule applies to any User Datagram Protocol (UDP) traffic and could be filtered on any combination of source/destination IP addresses, a specific port number, or a group of port numbers. UDP port numbers definitions can be found at www.iana.org.
A single ACL can consist of multiple rules. Each packet is compared against each of the ACL rules, in the order in which they were entered, until a match is found. Once a match is identified, all subsequent rules are ignored.
Before
After
[ before | after ] { existing_rule } This section describes how to configure ACLs.
Important |
This section provides the minimum instruction set for configuring access control list on the system. For more information on commands that configure additional parameters and options, refer to the ACL Configuration Mode Commands and IPv6 ACL Configuration Mode Commands chapters in the Command Line Interface Reference. |
To configure the system to provide an access control list facility to subscribers:
|
Step 1 |
Create the access control list by following the example configuration in Creating ACLs |
|
Step 2 |
Specify the rules and criteria for action in the ACL list by following the example configuration in Configuring Action and Criteria for Subscriber Traffic |
|
Step 3 |
Optional. The system provides an "undefined" ACL that acts as a default filter for all packets into the context. The default action is to "permit all". Modify the default configuration for "unidentified" ACLs for by following the example configuration in Configuring an Undefined ACL |
|
Step 4 |
Verify your ACL configuration by following the steps in Verifying the ACL Configuration |
|
Step 5 |
Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode save configuration command. For additional information refer to the Verifying and Saving Your Configuration chapter. |
To create an ACL, enter the following command sequence from the Exec mode of the system CLI:
configure
context acl_ctxt_name [ -noconfirm ]
{ ip | ipv6 } access-list acl_list_name
end The maximum number of ACLs that can be configured per context is limited by the amount of available memory in the VPN Manager software task. Typically, the maximum is less than 200.
To create rules to deny/permit the subscriber traffic and apply the rules after or before action, enter the following command sequence from the Exec mode of the system CLI:
configure
context acl_ctxt_name [ -noconfirm ]
{ ip | ipv6 } access-list acl_list_name
deny { ip_address | any | host | icmp | ip | log | tcp | udp }
permit { ip_address | any | host | icmp | ip | log | tcp | udp }
after { deny | permit | readdress | redirect }
before { deny | permit | readdress | redirect }
end Notes:
 Caution |
The system does not apply a "deny any" rule, unless it is specified in the ACL. This behavior can be changed by adding a "deny any" rule at the end of the ACL. |
The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. For more information, refer to the Engineering Rules chapter.
Use the information provided in the Actions and Criteria to configure the rules that comprise the ACL. For more information, refer to the ACL Configuration Mode Commands and IPv6 ACL Configuration Mode Commands chapters in the Command Line Interface Reference.
As discussed previously the system uses an "undefined" ACL mechanism for filtering the packet(s) in the event that an ACL that has been applied is not present. This scenario is likely the result of a mis-configuration such as the ACL name being mis-typed during the configuration process.
For these scenarios, the system provides an "undefined" ACL that acts as a default filter for all packets into the context. The default action is to "permit all".
To modify the default behavior for unidentified ACLs, use the following configuration:
configure
context acl_ctxt_name [-noconfirm]
access-list undefined { deny-all | permit-all }
end Context name is the name of the context containing the "undefined" ACL to be modified. For more information, refer to the Context Configuration Mode Commands chapter in the Command Line Interface Reference.
To verify the ACL configuration, enter the Exec mode show { ip | ipv6 } access-list command.
The following is a sample output of this command. In this example, an ACL named acl_1 was configured.
ip access list acl_1
deny host 10.2.3.4
deny ip any host 10.2.3.4
permit any 10.2.4.4
1 ip access-lists are configured. Once an ACL is configured, it must be applied to take effect.
Important |
All ACLs should be configured and verified according to the instructions in the Configuring ACLs on the System prior to beginning these procedures. The procedures described below also assume that the subscribers have been previously configured. |
As discussed earlier, you can apply an ACL to any of the following:
Important |
ACLs must be configured in the same context in which the subscribers and/or interfaces to which they are to be applied. Similarly, ACLs to be applied to a context must be configured in that context. |
|
Packet coming from the mobile node to the packet data network (left to right) |
|
|
Order |
Description |
|
1 |
An inbound ACL configured for the receiving interface in the Source Context is applied to the tunneled data (such as the outer IP header). The packet is then forwarded to the Destination Context. |
|
2 |
An inbound ACL configured for the subscriber (either the specific subscriber or for any subscriber facilitated by the context) is applied. |
|
3 |
A context ACL (policy ACL) configured in the Destination Context is applied prior to forwarding. |
|
4 |
An outbound ACL configured on the interface in the Destination Context through which the packet is being forwarded, is applied. |
|
Packet coming from the packet data network to the mobile node (right to left) |
|
|
Order |
Description |
|
1 |
An inbound ACL configured for the receiving interface configured in the Destination Context is applied. |
|
2 |
An outbound ACL configured for the subscriber (either the specific subscriber or for any subscriber facilitated by the context) is applied. The packet is then forwarded to the Source Context. |
|
3 |
A context ACL (policy ACL) configured in the Source Context is applied prior to forwarding. |
|
4 |
An outbound ACL configured on the interface in the Source Context through which the packet is being forwarded, is applied to the tunneled data (such as the outer IP header). |
In the event that an IP ACL is applied that has not been configured (for example, the name of the applied ACL was configured incorrectly), the system uses an "undefined" ACL mechanism for filtering the packet(s).
This section provides information and instructions for applying ACLs and for configuring an "undefined" ACL.
To apply the ACL to an interface, use the following configuration:
configure
context acl_ctxt_name [ -noconfirm ]
interface interface_name
{ ip | ipv6 } access-group acl_list_name { in | out } [ preference ]
end The context name is the name of the ACL context containing the interface to which the ACL is to be applied.
The ACL to be applied must be configured in the context specified by this command.
Up to 16 ACLs can be applied to a group provided that the number of rules configured within the ACL(s) does not exceed the 128-rule limit for the interface.
This section provides information and instructions for applying one or more ACLs to an individual interface configured on the system.
Important |
This section provides the minimum instruction set for applying the ACL list to an interface on the system. For more information on commands that configure additional parameters and options, refer to the Ethernet Interface Configuration Mode Commands chapter in the Command Line Interface Reference. |
To configure the system to provide ACL facility to subscribers:
|
Step 1 |
Apply the configured access control list by following the example configuration in Applying the ACL to an Interface |
|
Step 2 |
Verify that ACL is applied properly on interface by following the steps in Verifying the ACL Configuration on an Interface |
|
Step 3 |
Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode save configuration command. For additional information refer to the Verifying and Saving Your Configuration chapter. |
This section describes how to verify the ACL configuration.
|
In the Exec Mode, enter the following command: context_name is the name of the context containing the interface to which the ACL(s) was/were applied. The output of this command displays the configuration of the entire context. Examine the output for the commands pertaining to interface configuration. The commands display the ACL(s) applied using this procedure. |
To apply the ACLs to a context, use the following configuration:
configure
context acl_ctxt_name [ -noconfirm ]
{ ip | ipv6 } access-group acl_list_name [ in | out ] [ preference ]
end Notes:
The context name is the name of the ACL context containing the interface to which the ACL is to be applied.
The context-level ACL is applied to outgoing packets. This applies to incoming packets also if the flow match criteria fails and forwarded again.
The in and out keywords are deprecated and are only present for backward compatibility.
Context ACL will be applied in the following cases:
Outgoing packets to an external source.
Incoming packets that fail flow match and are forwarded again. In this case, the context ACL applies first and only if it passes are packets forwarded.
During forwarding, if an ACL rule is added with a destination address as a loopback address, the context ACL is also applied. This is because StarOS handles packets destined to the kernel by going through a forwarding lookup for them. To apply ACL rules to incoming packets, the interface ACL must be used instead of the context ACL.
The ACL to be applied must be configured in the context specified by this command.
Up to 16 ACLs can be applied to a group provided that the number of rules configured within the ACL(s) does not exceed the 256-rule limit for the interface.
This section provides information and instructions for applying one or more ACLs to a context configured within a specific context on the system. The applied ACLs, known as policy ACLs, contain rules that apply to all traffic facilitated by the context.
Important |
This section provides the minimum instruction set for applying the ACL list to all traffic within a context. For more information on commands that configure additional parameters and options, refer to the Context Configuration Mode Commands chapter in the Command Line Interface Reference. |
To configure the system to provide access control list facility to subscribers:
|
Step 1 |
Apply the configured ACL as described in Applying the ACL to a Context |
|
Step 2 |
Verify that ACL is applied properly on interface as described in Verifying the ACL Configuration in a Context |
|
Step 3 |
Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode save configuration command. For additional information refer to the Verifying and Saving Your Configuration chapter. |
To verify the ACL configuration:
|
Verify that your ACL lists were applied properly by entering the following command in Exec Mode: context_name is the name of the context to which the ACL(s) was/were applied. The output of this command displays the configuration of the entire context. Examine the output for the commands pertaining to interface configuration. The commands display the ACL(s) applied using this procedure. |
IP ACLs are applied to subscribers via attributes in their profile. The subscriber profile could be configured locally on the system or remotely on a RADIUS server.
To apply an ACL to a RADIUS-based subscriber, use the Filter-Id attribute.
For more details on this attribute, refer to the AAA Interface Administration and Reference.
This section provides information and instructions for applying an ACL to an individual subscriber whose profile is configured locally on the system.
Important |
This section provides the minimum instruction set for applying the ACL list to all traffic within a context. For more information on commands that configure additional parameters and options, refer to the Subscriber Configuration Mode Commands chapter in the Command Line Interface Reference. |
To configure the system to provide access control list facility to subscribers:
|
Step 1 |
Apply the configured access control list by following the example configuration in Applying an ACL to an Individual Subscriber |
|
Step 2 |
Verify that ACL is applied properly on interface by following the steps in Verifying the ACL Configuration to an Individual Subscriber |
|
Step 3 |
Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode save configuration command. For additional information refer to the Verifying and Saving Your Configuration chapter. |
To apply the ACL to an individual subscriber, use the following configuration:
configure
context acl_ctxt_name [ -noconfirm ]
subscriber name subs_name
{ ip | ipv6 } access-group acl_list_name [ in | out ]
end The context name is the name of the ACL context containing the interface to which the ACL is to be applied.
If neither the in nor the out keyword is specified, the ACL will be applied to all inbound and outbound packets.
The ACL to be applied must be configured in the context specified by this command.
Up to eight ACLs can be applied to a group provided that the number of rules configured within the ACL(s) does not exceed the 128-rule limit for the interface.
These instructions are used to verify the ACL configuration.
|
Verify that your ACL lists were applied properly by entering the following command in Exec Mode: context_name is the name of the context containing the subscriber subs1 to which the ACL(s) was/were applied. The output of this command displays the configuration of the entire context. Examine the output for the commands pertaining to interface configuration. The commands display the ACL(s) applied using this procedure. |
This section provides information and instructions for applying an ACL to the subscriber named default.
Important |
This section provides the minimum instruction set for applying the ACL list to all traffic within a context. For more information on commands that configure additional parameters and options, refer to Subscriber Configuration Mode Commands in the Command Line Interface Reference. |
To configure the system to provide access control list facility to subscribers:
|
Step 1 |
Apply the configured access control list by following the example configuration in Applying an ACL to the Subscriber Named default |
|
Step 2 |
Verify that ACL is applied properly on interface by following the steps in Verifying the ACL Configuration to the Subscriber Named default |
|
Step 3 |
Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode save configuration command. For additional information refer to the Verifying and Saving Your Configuration chapter. |
To apply the ACL to the subscriber named default, use the following configuration:
configure
context acl_ctxt_name [ -noconfirm ]
subscriber name subs_name
{ ip | ipv6 } access-group acl_list_name [ in | out ]
end Notes:
The context name is the name of the ACL context containing the interface to which the ACL is to be applied.
If neither the in nor the out keyword is specified, the ACL will be applied to all inbound and outbound packets.
The ACL to be applied must be configured in the context specified by this command.
Up to 16 ACLs can be applied to a group provided that the number of rules configured within the ACL(s) does not exceed the 256-rule limit for the interface.
These instructions are used to verify the ACL configuration.
|
Verify that your ACL lists were applied properly by entering the following command in Exec Mode: context_name is the name of the context containing the subscriber default to which the ACL(s) was/were applied. The output of this command displays the configuration of the entire context. Examine the output for the commands pertaining to interface configuration. The commands display the ACL(s) applied using this procedure. |
This section provides information and instructions for applying an ACL to the subscriber to be used as the "default" profile by various system services.
Important |
This section provides the minimum instruction set for applying the ACL list to all traffic within a context. For more information on commands that configure additional parameters and options, refer to the Subscriber Configuration Mode Commands chapter in the Command Line Interface Reference. |
To configure the system to provide access control list facility to subscribers:
|
Step 1 |
Apply the configured access control list by following the example configuration in Applying an ACL to the Subscriber Named default. |
|
Step 2 |
Verify that the ACL is applied properly on interface by following the steps in Verifying the ACL Configuration to Service-specified Default Subscriber. |
|
Step 3 |
Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode save configuration command. For additional information refer to the Verifying and Saving Your Configuration chapter. |
To apply the ACL to a service-specified Default subscriber, use the following configuration:
configure
context acl_ctxt_name [ -noconfirm ]
{ pdsn-service | fa-service | ha-service } service_name
default subscriber svc_default_subs_name
exit
subscriber name svc_default_subs_name
{ ip | ipv6 } access-group acl_list_name [ in | out ]
end The context name is the name of the ACL context containing the interface to which the ACL is to be applied.
If neither the in nor the out keyword is specified, the ACL will be applied to all inbound and outbound packets.
The ACL to be applied must be configured in the context specified by this command.
Up to eight ACLs can be applied to a group provided that the number of rules configured within the ACL(s) does not exceed the 128-rule limit for the interface.
To verify the ACL configuration.
|
Verify that your ACL lists were applied properly by entering the following command in Exec Mode: context_name is the name of the context containing the service with the default subscriber to which the ACL(s) was/were applied. The output of this command displays the configuration of the entire context. Examine the output for the commands pertaining to interface configuration. The commands display the ACL(s) applied using this procedure. |
As mentioned in the previous section, IP ACLs are applied to subscribers via attributes in their profile. The subscriber profile could be configured locally on the system or remotely on a RADIUS server.
| Function | Description |
|---|---|
|
Subscriber named default |
Within each context, the system creates a subscriber called default. The profile for the subscriber named default provides a configuration template of attribute values for subscribers authenticated in that context. Any subscriber attributes that are not included in a RADIUS-based subscriber profile is configured according to the values for those attributes as defined for the subscriber named default. NOTE: The profile for the subscriber named default is not used to provide missing information for subscribers configured locally. |
|
default subscriber |
This command allows multiple services to draw "default" subscriber information from multiple profiles. |
All subscribers facilitated within a specific context by applying the ACL to the profile of the subscriber named default.
All subscribers facilitated by specific services by applying the ACL to a subscriber profile and then using the default subscriber command to configure the service to use that subscriber as the "default" profile.
To apply the ACL to multiple subscribers via APN, use the following configuration:
configure
context dest_context_name [-noconfirm]
apn apn_name
{ ip | ipv6 } access-group acl_list_name [ in | out ]
end Notes:
The ACL to be applied must be in the destination context of the APN (which can be different from the context where the APN is configured).
If neither the in nor the out keyword is specified, the ACL will be applied to all inbound and outbound packets.
This command supports only one ACL. However, the ACL can have up to 256 rules.
Four access-groups can be applied for each APN, for example:
ip access-group acl_list_name_1 in
ip access-group acl_list_name_2 out
ipv6 access-group acl_list_name_3 in
ipv6 access-group acl_list_name_4 out
If IP ACLs are applied to subscribers via attributes in their profile, the subscriber profile could be configured locally on the system or remotely on a RADIUS server.
To reduce configuration time, ACLs can alternatively be applied to APN templates for GGSN subscribers. When configured, any subscriber packets facilitated by the APN template would then have the associated ACL applied.
This section provides information and instructions for applying an ACL to an APN template.
Important |
This section provides the minimum instruction set for applying the ACL list to all traffic within a context. For more information on commands that configure additional parameters and options, refer to the Subscriber Configuration Mode Commands chapter in the Command Line Interface Reference. |
To configure the system to provide access control list facility to subscribers:
|
Step 1 |
Apply the configured access control list by following the example configuration in Applying an ACL to Multiple Subscriber via APNs. |
|
Step 2 |
Verify that ACL is applied properly on interface by following the steps in Verifying the ACL Configuration to APNs. |
|
Step 3 |
Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode save configuration command. For additional information refer to the Verifying and Saving Your Configuration chapter. |
To verify the ACL configuration:
|
Verify that your ACL lists were applied properly by entering the following command in Exec Mode: context_name is the name of the context containing the APN apn1 having default subscriber to which the ACL(s) was/were applied. The output of this command displays the configuration of the entire context. Examine the output for the commands pertaining to interface configuration. The commands display the ACL(s) applied using this procedure. |
Feedback