- Read Me First
- IP Access List Overview
- Creating an IP Access List and Applying It to an Interface
- Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports
- Configuring an FQDN ACL
- Refining an IP Access List
- IP Named Access Control Lists
- Commented IP Access List Entries
- Standard IP Access List Logging
- IP Access List Entry Sequence Numbering
- Configuring Lock-and-Key Security (Dynamic Access Lists)
- ACL IP Options Selective Drop
- Displaying and Clearing IP Access List Data Using ACL Manageability
- ACL Syslog Correlation
- IPv6 Access Control Lists
- IPv6 ACL Undetermined-Transport Support
- Configuring Template ACLs
- IPv6 Template ACL
- IPv4 ACL Chaining Support
- IPv6 ACL Chaining with a Common ACL
- IPv6 ACL Extensions for Hop by Hop Filtering
- Security (ACL) Enhancements
- Finding Feature Information
- Restrictions for IPv4 ACL Chaining Support
- Information About IPv4 ACL Chaining Support
- How to Configure IPv4 ACL Chaining Support
- Configuration Examples for IPv4 ACL Chaining Support
- Additional References for IPv4 ACL Chaining Support
- Feature Information for IPv4 ACL Chaining Support
IPv4 ACL Chaining Support
ACL Chaining, also known as Multi-Access Control List, allows you to split access control lists (ACLs). This module describes how with the IPv4 ACL Chaining Support feature, you can explicitly split ACLs into common and user-specific ACLs and bind both ACLs to a target for traffic filtering on a device. In this way, the common ACLs in Ternary Content Addressable Memory (TCAM) are shared by multiple targets, thereby reducing the resource usage.
- Finding Feature Information
- Restrictions for IPv4 ACL Chaining Support
- Information About IPv4 ACL Chaining Support
- How to Configure IPv4 ACL Chaining Support
- Configuration Examples for IPv4 ACL Chaining Support
- Additional References for IPv4 ACL Chaining Support
- Feature Information for IPv4 ACL Chaining Support
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for IPv4 ACL Chaining Support
A single access control List (ACL) cannot be used for both common and regular ACLs for the same target in the same direction.
ACL chaining applies to only security ACLs. It is not supported for feature policies, such as Quality of Service (QoS), Firewall Services Module (FW) and Policy Based Routing (PBR).
Per-target statistics are not supported for common ACLs.
Information About IPv4 ACL Chaining Support
ACL Chaining Overview
The packet filter process supports only a single Access control list (ACL) to be applied per direction and per protocol on an interface. This leads to manageability and scalability issues if there are common ACL entries needed on many interfaces. Duplicate Access control entries (ACEs) are configured for all those interfaces, and any modification to the common ACEs needs to be performed for all ACLs.
The purpose of these address blocks is to deny access to ISP's protected infrastructure networks and anti-spoofing protection by allowing only customer source address blocks. This results in configuring unique ACL per interface and most of the ACEs being common across all ACLs on a device. ACL provisioning and modification is very cumbersome, hence, any changes to the ACE impacts every target.
IPv4 ACL Chaining Support
IPv4 ACL Chaining Support allows you to split the Access control list (ACL) into common and customer-specific ACLs and attach both ACLs to a common session. In this way, only one copy of the common ACL is attached to Ternary Content Addressable Memory (TCAM) and shared by all users, thereby making it easier to maintain the common ACEs.
The IPv4 ACL Chaining feature allows two IPV4 ACLs to be active on an interface per direction:
Note | If you configure both common and regular ACLs on an interface, the common ACL is considered over a regular ACL. |
How to Configure IPv4 ACL Chaining Support
ACL chaining is supported by extending the ip traffic filter command.
The ip traffic filter command is not additive. When you use this command, it replaces earlier instances of the command.
For more information, refer to the IPv6 ACL Chaining with a Common ACL section in the Security Configuration Guide: Access Control Lists Configuration Guide.
Configuring an Interface to Accept Common ACL
Perform this task to configure the interface to accept a common Access control list (ACL) along with an interface-specific ACL:
1.
enable
2.
configure
terminal
3.
interface
type number}
4.
ip
access-group
{common {common-access-list-name {regular-access-list | acl}}{in | out}}
5.
end
DETAILED STEPS
Configuration Examples for IPv4 ACL Chaining Support
Example: Configuring an Interface to Accept a Common ACL
This example shows how to replace an Access Control List (ACL) configured on the interface without explicitly deleting the ACL:
interface gigabitethernet 0/0/0 ipv4 access-group common C_acl ACL1 in end replace interface acl ACL1 by ACL2 interface gigabitethernet 0/0/0 ipv4 access-group common C_acl ACL2 in end
This example shows how common ACL cannot be replaced on interfaces without deleting it explicitly from the interface:
interface gigabitethernet 0/0/0 ipv4 access-group common C_acl1 ACL1 in end change the common acl to C_acl2 interface gigabitethernet 0/0/0 no ipv4 access-group common C_acl1 ACL1 in end interface gigabitethernet 0/0/0 ipv4 access-group common C_acl2 ACL1 in end
Note | When reconfiguring a common ACL, you must ensure that no other interface on the line card is attached to the common ACL. |
Note | If both common ACL and interface ACL are attached to an interface and only one of the above is reconfigured on the interface, then the other is removed automatically. |
This example shows how the interface ACL is removed:
interface gigabitethernet 0/0/0 ipv4 access-group common C_acl1 ACL1 in end
Additional References for IPv4 ACL Chaining Support
Related Documents
Related Topic | Document Title |
---|---|
IPv6 ACL Chaining Support |
|
Cisco IOS commands |
|
Security commands |
Technical Assistance
Description | Link |
---|---|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
Feature Information for IPv4 ACL Chaining Support
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name |
Releases |
Feature Information |
---|---|---|
IPv4 ACL Chaining Support |
Cisco IOS XE Release 3.11S Cisco IOS XE Release 3.6E |
The IPv4 ACL Chaining Support feature describes how you can explicitly split Access control lists (ACLs) into common and user-specific ACLs and bind both ACLs to a session for traffic filtering on a device. In this way, the common ACLs in Ternary Content Addressable Memory (TCAM) are shared by multiple targets, thereby reducing the resource usage. The following commands were introduced or modified: ip access-group command. |