Sec Data Acl 15 MT Book
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version
of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Security Configuration Guide: Access Control Lists, Cisco IOS Release 15M&T
Contents
CHAPTER 7 Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports 67
Finding Feature Information 67
Prerequisites for Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports 68
Information About Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports 68
IP Options 68
Benefits of Filtering IP Options 68
Benefits of Filtering on TCP Flags 69
TCP Flags 69
Benefits of Using the Named ACL Support for Noncontiguous Ports on an Access Control Entry Feature 70
How Filtering on TTL Value Works 70
Benefits of Filtering on TTL Value 71
How to Create an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports 71
Filtering Packets That Contain IP Options 71
What to Do Next 73
CHAPTER 10 Displaying and Clearing IP Access List Data Using ACL Manageability 125
Finding Feature Information 125
Information About Displaying and Clearing IP Access List Data Using ACL Manageability 126
Benefits of ACL Manageability 126
Example Monitoring Memory Limitations for Layer 2 or Layer 3 and Layer 4 ACL Processing 233
Example Reserving a Set Amount of Memory for Layer 2 ACL Processing 235
Example Allowing All Available Memory to Be Used for Layer 2 ACL Processing 235
Example Restoring the Default Amount of Memory Reserved for Layer 2 ACL Processing 235
Example Reserving a Set Amount of Memory for Layer 3 and Layer 4 ACL Processing 235
Example Allowing All Available Memory to Be Used for Layer 3 and Layer 4 ACL Processing 236
Example Restoring the Default Amount of Memory Reserved for Layer 3 and Layer 4 ACL Processing 236
Example Verifying ACL Memory Limit Configurations 236
Additional References 237
Feature Information for Turbo ACL Scalability Enhancements 238
Glossary 239
CHAPTER 1
IP Access List Overview
Access control lists (ACLs) perform packet filtering to control which packets move through the network
and where. Such control provides security by helping to limit network traffic, restrict the access of users and
devices to the network, and prevent traffic from leaving a network. IP access lists can reduce the chance of
spoofing and denial-of-service attacks and allow dynamic, temporary user access through a firewall.
IP access lists can also be used for purposes other than security, such as bandwidth control, restricting the
content of routing updates, redistributing routes, triggering dial-on-demand (DDR) calls, limiting debug
output, and identifying or classifying traffic for quality of service (QoS) features. This module provides an
overview of IP access lists.
Definition of an Access List
access lists on your router, all packets passing through the router could be allowed onto all parts of your
network.
An access list can allow one host to access a part of your network and prevent another host from accessing
the same area. In the figure below, by applying an appropriate access list to the interfaces of the router, Host
A is allowed to access the Human Resources network and Host B is prevented from accessing the Human
Resources network.
Access lists should be used in firewall routers, which are often positioned between your internal network and
an external network such as the Internet. You can also use access lists on a router positioned between two
parts of your network, to control traffic entering or exiting a specific part of your internal network.
To provide some security benefits of access lists, you should at least configure access lists on border
routers--routers located at the edges of your networks. Such an access list provides a basic buffer from the
outside network or from a less controlled area of your own network into a more sensitive area of your network.
On these border routers, you should configure access lists for each network protocol configured on the router
interfaces. You can configure access lists so that inbound traffic or outbound traffic or both are filtered on an
interface.
Access lists are defined on a per-protocol basis. In other words, you should define access lists for every
protocol enabled on an interface if you want to control traffic flow for that protocol.
Access List Rules
• The software receives an IP packet and tests parts of each packet being filtered against the conditions
in the access list, one condition (permit or deny statement) at a time. For example, the software tests
the source and destination addresses of the packet against the source and destination addresses in a
permit or deny statement.
• If a packet does not match an access list statement, the packet is then tested against the next statement
in the list.
• If a packet and an access list statement match, the rest of the statements in the list are skipped and the
packet is permitted or denied as specified in the matched statement. The first entry that the packet matches
determines whether the software permits or denies the packet. That is, after the first match, no subsequent
entries are considered.
• If the access list denies a packet, the software discards the packet and returns an ICMP Host Unreachable
message.
• If no conditions match, the software drops the packet. This is because each access list ends with an
unwritten, implicit deny statement. That is, if the packet has not been permitted by the time it was tested
against each statement, it is denied.
In later Cisco IOS releases such as Release 12.4, 12.2S, and 12.0S, by default, an access list that has more
than 13 access list entries is processed differently from one that has 13 or fewer entries. In order to be more
efficient, an access list with more than 13 entries is processed using a trie-based lookup algorithm. This process
will happen automatically; it does not need to be configured.
Helpful Hints for Creating IP Access Lists
• An access list can control traffic arriving at a device or leaving a device, but not traffic originating at a
device.
• In order to make the purpose of individual statements more scannable and easily understood at a glance,
you can write a helpful remark before or after any statement by using the remark command.
• If you want to deny access to a particular host or network and find out if someone from that network or
host is attempting to gain access, include the log keyword with the corresponding deny statement so
that the packets denied from that source are logged for you.
• This hint applies to the placement of your access list. When trying to save resources, remember that an
inbound access list applies the filter conditions before the routing table lookup. An outbound access list
applies the filter conditions after the routing table lookup.
Named or Numbered Access Lists
Not all commands that accept a numbered access list will accept a named access list. For example, virtual
terminal lines use only numbered access lists.
IP Packet Fields You Can Filter to Control Access
Note Packets that are subject to an extended access list will not be autonomously switched.
• IP options--Specifies IP options; one reason to filter on IP options is to prevent routers from being
saturated with spurious packets containing them.
Wildcard Mask for Addresses in an Access List
If you do not supply a wildcard mask with a source or destination address in an access list statement, the
software assumes an implicit wildcard mask of 0.0.0.0, meaning all values must match.
Unlike subnet masks, which require contiguous bits indicating network and subnet to be ones, wildcard masks
allow noncontiguous bits in the mask.
The table below shows examples of IP addresses and masks from an access list, along with the corresponding
addresses that are considered a match.
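The following Python model ties together the Access List Rules above (top-to-bottom evaluation, first match wins, unwritten implicit deny at the end) and the wildcard-mask semantics just described (0 bits must match, 1 bits are ignored, bits need not be contiguous, an omitted mask means 0.0.0.0). It is an added illustration written for this section, not Cisco IOS code and not part of this guide; the names Entry, wildcard_match and evaluate, the SAMPLE_ACL contents and every address in it are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of standard-ACL evaluation; not Cisco IOS code.
# Names (Entry, wildcard_match, evaluate) and all addresses are made up for the example.


def wildcard_match(packet_addr: str, acl_addr: str, wildcard: str = "0.0.0.0") -> bool:
    """Wildcard bit 0 = this address bit must match, 1 = don't care.
    Omitting the wildcard implies 0.0.0.0, i.e. all 32 bits must match.
    Unlike a subnet mask, the set bits need not be contiguous."""
    p = int(ipaddress.IPv4Address(packet_addr))
    a = int(ipaddress.IPv4Address(acl_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF           # bits that must agree
    return (p & care) == (a & care)


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    source: str                      # address as written in the statement
    wildcard: str = "0.0.0.0"        # implicit 0.0.0.0 when omitted
    log: bool = False                # the 'log' keyword on a deny statement


def evaluate(acl: List[Entry], src: str, logger=None) -> Tuple[str, Optional[int]]:
    """Test the packet against each statement in order; the first match decides
    and no later statement is consulted.  If nothing matches, the unwritten
    implicit deny at the end of every access list drops the packet."""
    for idx, entry in enumerate(acl):
        if wildcard_match(src, entry.source, entry.wildcard):
            if entry.log and logger is not None:
                logger(f"entry {idx}: {entry.action} {src}")
            return entry.action, idx
    return "deny", None              # implicit deny: no entry matched


# Constructed access list: deny one host, permit the rest of its /24, deny and
# log everything else in 10.1.0.0/16 (any other source hits the implicit deny).
SAMPLE_ACL = [
    Entry("deny", "10.1.1.5"),
    Entry("permit", "10.1.1.0", "0.0.0.255"),
    Entry("deny", "10.1.0.0", "0.0.255.255", log=True),
]

if __name__ == "__main__":
    for src in ("10.1.1.5", "10.1.1.9", "10.1.2.9", "172.16.0.1"):
        print(src, evaluate(SAMPLE_ACL, src, logger=print))
```

The wildcard 0.0.254.255 is a noncontiguous mask: against 10.1.0.0 it matches every even-numbered third octet (10.1.2.x, 10.1.4.x, ...) and rejects odd ones, something no subnet mask can express. Swapping the first two entries of SAMPLE_ACL turns the deny of 10.1.1.5 into a permit, which is why statement order, not just statement content, has to be reviewed.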
Access List Logging
an access list. If you wanted to insert an entry in the middle of an existing list, all of the entries after the desired
position had to be removed, then the new entry was added, and then all the removed entries had to be reentered.
This method was cumbersome and error prone.
This feature allows users to add sequence numbers to access list entries and resequence them. When you add
a new entry, you specify the sequence number so that it is in a desired position in the access list. If necessary,
entries currently in the access list can be resequenced to create room to insert the new entry.
Caution If you set the number-of-matches argument to 1, a log message is sent right away, rather than caching it;
every packet that matches an access list causes a log message. A setting of 1 is not recommended because
the volume of log messages could overwhelm the system.
Even if you use the ip access-list log-update command, the 5-minute timer remains in effect, so each cache
is emptied at the end of 5 minutes, regardless of the count of messages in each cache. Regardless of when the
log message is sent, the cache is flushed and the count reset to 0 for that message the same way it is when a
threshold is not specified.
Note The logging facility might drop some logging message packets if there are too many to be handled or if
there is more than one logging message to be handled in 1 second. This behavior prevents the router from
crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing
tool or an accurate source of the number of matches to an access list.
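To make the caching behaviour concrete, here is a constructed simulation of the per-message log cache described above: matches are counted per message, a log message is sent when the configured number-of-matches threshold is reached, and the 5-minute timer empties each cache regardless of its count, with the count reset to 0 whenever a message goes out. It is an added example, not Cisco IOS code and not from this guide; the class AclLogCache, the simulate helper and the "list 101 ..." key string are assumptions made for the illustration, and the real syslog format and timer details are simplified.

```python
from typing import Dict, List, Optional, Tuple


class AclLogCache:
    """Constructed model (an assumption, not Cisco IOS source) of the access-list
    logging cache: one counter per distinct log message, flushed either when the
    number-of-matches threshold is reached or when the 5-minute timer expires."""

    INTERVAL = 300  # seconds: the 5-minute timer stays in effect even with log-update

    def __init__(self, threshold: Optional[int] = None) -> None:
        self.threshold = threshold      # None: no 'ip access-list log-update' threshold set
        self.cache: Dict[str, Tuple[int, float]] = {}   # key -> (count, window start)
        self.messages: List[str] = []   # every log message this cache would have sent

    def _emit(self, key: str, count: int) -> None:
        self.messages.append(f"{key}, {count} packet(s)")
        self.cache.pop(key, None)       # sending always flushes the cache and resets to 0

    def expire(self, now: float) -> None:
        """Timer flush: every cache older than INTERVAL is emptied, whatever its count."""
        for key, (count, start) in list(self.cache.items()):
            if now - start >= self.INTERVAL:
                self._emit(key, count)

    def match(self, key: str, now: float) -> None:
        """Record one packet that matched a logged access-list entry at time 'now'."""
        self.expire(now)
        count, start = self.cache.get(key, (0, now))
        count += 1
        self.cache[key] = (count, start)
        if self.threshold is not None and count >= self.threshold:
            self._emit(key, count)      # threshold reached: send now instead of waiting


def simulate(threshold: Optional[int], packets_per_second: int, seconds: int) -> int:
    """Replay a constructed burst of identical denied packets (same source, same
    entry, so one cache key) and return how many log messages would be produced."""
    cache = AclLogCache(threshold)
    key = "list 101 denied tcp 10.1.1.5 -> 192.0.2.10"   # constructed sample message
    for t in range(seconds):
        for _ in range(packets_per_second):
            cache.match(key, float(t))
    cache.expire(float(seconds) + cache.INTERVAL)        # final timer flush after the burst
    return len(cache.messages)


if __name__ == "__main__":
    for thr in (1, 100, None):
        print(f"threshold={thr}: {simulate(thr, 50, 10)} messages for 500 packets")
```

With a threshold of 1 the burst of 500 packets produces 500 messages, which is the flood the Caution warns about; a threshold of 100 produces 5. With no threshold the whole burst collapses into the single message the timer sends. A threshold of 1000 against a 1 packet/second flow is never reached, yet the timer still emits a message every 5 minutes, so the message count is a function of time as much as of traffic, which is why the Note says it must not be used as an accurate match counter.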
Additional IP Access List Features
Authentication Proxy
Authentication proxy provides dynamic, per-user authentication and authorization, authenticating users against
industry standard TACACS+ and RADIUS authentication protocols. Authenticating and authorizing connections
by users provides more robust protection against network attacks.
Where to Apply an Access List
Access lists can be used in ways other than applying them to interfaces. The following are additional places
to apply an access list.
• To restrict incoming and outgoing connections between a particular vty (into a Cisco device) and the
network devices at addresses in an access list, apply an access list to a line. See the “Controlling Access
to a Virtual Terminal Line” module.
• Referencing an access list from a debug command limits the amount of information displayed to only
the information permitted by the access list, such as sources, destinations, or protocols, for example.
• Access lists can be used to control routing updates, to control dial-on-demand routing (DDR), and to
control quality of service (QoS) features, for example. See the appropriate configuration chapters for
using access lists with these features.
Where to Go Next
You must first decide what you want to restrict, and then select the type of access list that achieves your goal.
Next, you will create an access list that permits or denies packets based on values in the fields you specify,
and finally, you will apply the access list (which determines its placement).
Assuming you have decided what you want to restrict and what type of access list you need, your next step
is to create an access list. Creating an access list based on source address, destination address, or protocol is
described in the “Creating an IP Access List and Applying It to an Interface” module. You could create an
access list that filters on other fields, as described in “Creating an IP Access List to Filter IP Options, TCP
Flags, Noncontiguous Ports, or TTL Values.” If you want to control access to a virtual line, see “Controlling
Access to a Virtual Terminal Line.” If the purpose of your access list is to control routing updates or QoS
features, for example, see the appropriate technology chapter.
Additional References
Related Documents
Related Topic -- Document Title
IP access list commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples -- Cisco IOS IP Application Services Command Reference
Filtering on source address, destination address, or protocol -- “Creating an IP Access List and Applying It to an Interface”
Filtering on IP Options, TCP flags, noncontiguous ports, or TTL -- “Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values”
Standards
Standard Title
None --
MIBs
RFCs
RFC Title
None --
Technical Assistance
Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/cisco/web/support/index.html
CHAPTER 2
Access Control List Overview and Guidelines
Cisco provides basic traffic filtering capabilities with access control lists (also referred to as access lists).
You can configure access control lists (ACLs) for all routed network protocols (IP, AppleTalk, and so on)
to filter protocol packets when these packets pass through a device. You can configure access lists on your
device to control access to a network; access lists can prevent certain traffic from entering or exiting a
network. This module provides an overview of access lists.
Functions of an Access Control List
Note Some users might successfully evade basic access lists because these lists require no authentication.
Access Control List Configuration
Note Some protocols refer to access lists as filters and to the act of applying the access lists to interfaces as
filtering.
You can specify access lists by numbers for the protocols listed in the table below.
Protocol                    Range
AppleTalk                   300–399
DECnet and extended DECnet  600–699
IP                          1–99, 1300–1999
IPX                         800–899
XNS                         400–499
as many criteria statements as you want, limited only by the available memory of the device. The more
statements there are in an access list, the more difficult it will be to comprehend and manage an access list.
Note For most protocols, if you define an inbound access list for traffic filtering, you should include explicit
access list criteria statements to permit routing updates. If you do not, you might effectively lose
communication from the interface when routing updates are blocked by the “deny all traffic” statement at
the end of the access list.
Note The first command of an edited access list file should delete the previous access list (for example, use the
no access-list command at the beginning of the file). If you do not delete the previous version of the access
list, when you copy the edited file to your device you will merely be appending additional criteria statements
to the end of the existing access list.
If the access list is inbound, when a device receives a packet, Cisco software checks the access list’s criteria
statements for a match. If the packet is permitted, the software continues to process the packet. If the packet
is denied, the software discards the packet.
If the access list is outbound, after receiving and routing a packet to the outbound interface, Cisco software
checks the access list’s criteria statements for a match. If the packet is permitted, the software transmits the
packet. If the packet is denied, the software discards the packet.
Note Access lists that are applied to interfaces on a device do not filter traffic that originates from that device.
The figure above shows that Device 2 is a bypass device that is connected to Device 1 and Device 3. An
outbound access list is applied to Gigabit Ethernet interface 0/0/0 on Device 1. When you ping Device 3 from
Device 1, the access list does not check for packets going outbound because the traffic is locally generated.
The access list check is bypassed for locally generated packets, which are always outbound.
By default, an access list that is applied to an outbound interface for matching locally generated traffic will
bypass the outbound access list check; but transit traffic is subjected to the outbound access list check.
Note The behavior described above applies to all single-CPU platforms that run Cisco software.
Additional References
Related Documents
Technical Assistance
Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/cisco/web/support/index.html
CHAPTER 3
IPv6 Access Control Lists
Access lists determine what traffic is blocked and what traffic is forwarded at device interfaces and allow
filtering of traffic based on source and destination addresses, and inbound and outbound traffic to a specific
interface. Standard IPv6 ACL functionality was extended to support traffic filtering based on IPv6 option
headers and optional, upper-layer protocol type information for finer granularity of control.
This module describes how to configure IPv6 traffic filtering and to control access to virtual terminal lines.
Information About IPv6 Access Control Lists
Note • Each IPv6 ACL contains implicit permit rules to enable IPv6 neighbor discovery. These rules can
be overridden by the user by placing a deny ipv6 any any statement within an ACL. The IPv6 neighbor
discovery process makes use of the IPv6 network layer service; therefore, by default, IPv6 ACLs
implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4,
the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process,
makes use of a separate data link layer protocol; therefore, by default, IPv4 ACLs implicitly allow
ARP packets to be sent and received on an interface.
• Time-based and reflexive ACLs are not supported for IPv4 or IPv6 on the Cisco 12000 series platform.
The reflect, timeout, and time-range keywords of the permit command in IPv6 are excluded on
the Cisco 12000 series.
Configuring IPv6 Traffic Filtering
SUMMARY STEPS
1. enable
2. configure terminal
3. ipv6 access-list access-list-name
4. Do one of the following:
• permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [reflect name [timeout value]] [routing] [routing-type routing-number] [sequence value] [time-range name]
• deny protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name] [undetermined-transport]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ipv6 access-list access-list-name
Defines an IPv6 ACL, and enters IPv6 access list configuration mode.
• The access-list-name argument specifies the name of the IPv6 ACL. IPv6 ACL names cannot contain a space or quotation mark, or begin with a numeral.
Example:
Router(config)# ipv6 access-list outbound
Example:
Router(config-ipv6-acl)# permit tcp 2001:DB8:0300:0201::/32 eq telnet any reflect reflectout
Example:
Router(config-ipv6-acl)# deny tcp host 2001:DB8:1::1 any log-input
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ipv6 traffic-filter access-list-name {in| out}
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface type number
Specifies the interface type and number, and enters interface configuration mode.
Example:
Router(config)# interface ethernet 0
Step 4 ipv6 traffic-filter access-list-name {in | out}
Applies the specified IPv6 access list to the interface specified in the previous step.
Example:
Router(config-if)# ipv6 traffic-filter outbound out
Controlling Access to a vty
SUMMARY STEPS
1. enable
2. configure terminal
3. ipv6 access-list access-list-name
4. Do one of the following:
• permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name]
• deny protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name] [undetermined-transport]
DETAILED STEPS
Example:
Device# configure terminal
Example:
Device(config-ipv6-acl)# permit ipv6 host 2001:DB8:0:4::32 any
Example:
Device(config-ipv6-acl)# deny ipv6 host 2001:DB8:0:6::6 any
SUMMARY STEPS
1. enable
2. configure terminal
3. line [aux | console | tty | vty] line-number [ending-line-number]
4. ipv6 access-class ipv6-access-list-name {in | out}
DETAILED STEPS
Example:
Device# configure terminal
Step 3 line [aux | console | tty | vty] line-number [ending-line-number]
Identifies a specific line for configuration and enters line configuration mode.
• In this example, the vty keyword is used to specify the virtual terminal lines for remote console access.
Example:
Device(config)# line vty 0 4
Step 4 ipv6 access-class ipv6-access-list-name {in | out}
Filters incoming and outgoing connections to and from the device based on an IPv6 ACL.
Example:
Device(config-line)# ipv6 access-class cisco in
Additional References
Related Documents
Standard/RFC -- Title
RFCs for IPv6 -- IPv6 RFCs
MIBs
Technical Assistance
Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/cisco/web/support/index.html
CHAPTER 4
IPv6 ACL Extensions for IPsec Authentication
Headers
The IPv6 ACL Extensions for IPsec Authentication Headers feature allows TCP or UDP parsing when an
IPv6 IPsec authentication header is present.
This module describes how to configure TCP or UDP matching regardless of whether an authentication
header (AH) is present or absent.
Configuring TCP or UDP Matching
SUMMARY STEPS
1. enable
2. configure terminal
3. ipv6 access-list access-list-name
4. permit icmp auth
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ipv6 access-list access-list-name
Defines an IPv6 access list and places the router in IPv6 access list configuration mode.
Example:
Router(config)# ipv6 access-list list1
Step 4 permit icmp auth
Specifies permit or deny conditions for an IPv6 ACL using the auth keyword, which is used to match against the presence of the AH.
Example:
Router(config-ipv6-acl)# permit icmp auth
Additional References
Related Documents
Standard/RFC: RFCs for IPv6
Title: IPv6 RFCs
MIBs
Table 5: Feature Information for IPv6 ACL Extensions for IPsec Authentication Header
CHAPTER 5
IPv6 ACL Extensions for Hop by Hop Filtering
The IPv6 ACL Extensions for Hop by Hop Filtering feature allows you to control IPv6 traffic that might
contain hop-by-hop extension headers. You can configure an access control list (ACL) to deny all hop-by-hop
traffic or to selectively permit traffic based on protocol.
How to Configure IPv6 ACL Extensions for Hop by Hop Filtering
The IPv6 ACL Extensions for Hop by Hop Filtering feature implements RFC 2460 to support traffic filtering
in any upper-layer protocol type.
1. enable
2. configure terminal
3. ipv6 access-list access-list-name
4. permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator
[port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator
[port-number]] [dest-option-type [header-number | header-type]] [dscp value] [flow-label value]
[fragments] [hbh] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [reflect name
[timeout value]] [routing] [routing-type routing-number] [sequence value] [time-range name]
5. deny protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator
[port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth}
[operator [port-number]] [dest-option-type [header-number | header-type]] [dscp value] [flow-label
value] [fragments] [hbh] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing]
[routing-type routing-number] [sequence value] [time-range name] [undetermined-transport]
6. end
DETAILED STEPS
Example:
Device# configure terminal
Step 3 ipv6 access-list access-list-name
Defines an IPv6 ACL and enters IPv6 access list configuration mode.
Example:
Device(config)# ipv6 access-list hbh-acl
Step 4 permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [header-number | header-type]] [dscp value] [flow-label value] [fragments] [hbh] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [reflect name [timeout value]] [routing] [routing-type routing-number] [sequence value] [time-range name]
Sets permit conditions for the IPv6 ACL.
Example:
Device(config-ipv6-acl)# permit icmp any any dest-option-type
Step 5 deny protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [header-number | header-type]] [dscp value] [flow-label value] [fragments] [hbh] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name] [undetermined-transport]
Sets deny conditions for the IPv6 ACL.
Example:
Device(config-ipv6-acl)# deny icmp any any dest-option-type
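Both the auth keyword of the previous chapter and the hbh, fragments and undetermined-transport keywords of this one depend on the device walking the IPv6 extension-header chain before it can see TCP or UDP. The Python walker below is an added example, not Cisco code and not part of this guide; it shows what an ACL can observe in a packet: which extension headers are present, whether an AH was found, and whether the transport header is reachable at all. The two sample packets (a hop-by-hop header followed by an AH and a TCP header, and a non-first fragment) are constructed inline, and the addresses, SPI and ports are made up.

```python
import ipaddress
import struct

# IPv6 Next Header values (IANA protocol numbers).
HOP_BY_HOP, TCP, UDP, ROUTING, FRAGMENT, AH, ICMPV6, NO_NEXT, DEST_OPTS, MOBILITY = (
    0, 6, 17, 43, 44, 51, 58, 59, 60, 135)
# Extension headers whose length octet counts 8-byte units beyond the first 8 bytes.
TLV_STYLE = {HOP_BY_HOP, ROUTING, DEST_OPTS, MOBILITY}


def walk_ipv6(packet: bytes) -> dict:
    """Walk the extension-header chain of an IPv6 packet and report what an
    ACL can match on: the extension headers present (auth = AH seen,
    hbh = hop-by-hop seen), the upper-layer protocol if it is reachable, and
    the TCP/UDP ports. A non-first fragment carries no transport header,
    which is the undetermined-transport case."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    info = {"ext_headers": [], "auth": False, "hbh": False, "transport": None,
            "src_port": None, "dst_port": None, "undetermined_transport": False}
    next_hdr, offset = packet[6], 40
    while True:
        if next_hdr in TLV_STYLE:
            if len(packet) < offset + 2:
                raise ValueError("truncated extension header")
            hdr_len = (packet[offset + 1] + 1) * 8
        elif next_hdr == FRAGMENT:
            if len(packet) < offset + 8:
                raise ValueError("truncated fragment header")
            hdr_len = 8
            frag_field = struct.unpack_from("!H", packet, offset + 2)[0]
            if frag_field >> 3:                      # fragment offset is not zero
                info["ext_headers"].append(FRAGMENT)
                info["undetermined_transport"] = True
                return info                          # transport header is in another fragment
        elif next_hdr == AH:
            if len(packet) < offset + 2:
                raise ValueError("truncated AH")
            hdr_len = (packet[offset + 1] + 2) * 4   # AH length is in 32-bit words, minus 2
            info["auth"] = True
        else:
            break                                    # reached the upper-layer header
        if next_hdr == HOP_BY_HOP:
            info["hbh"] = True
        if len(packet) < offset + hdr_len:
            raise ValueError("truncated extension header")
        info["ext_headers"].append(next_hdr)
        next_hdr, offset = packet[offset], offset + hdr_len
    if next_hdr != NO_NEXT:
        info["transport"] = next_hdr
    if next_hdr in (TCP, UDP) and len(packet) >= offset + 4:
        info["src_port"], info["dst_port"] = struct.unpack_from("!HH", packet, offset)
    return info


def ipv6_packet(next_hdr: int, payload: bytes) -> bytes:
    """Constructed base header: version 6, payload length, next header, hop limit 64."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 64) + src + dst + payload


# Sample 1 (constructed): hop-by-hop header, then AH, then TCP to port 443.
HBH = bytes([AH, 0, 1, 4, 0, 0, 0, 0])                   # next=AH, ext len 0 (8 bytes), PadN(4)
AUTH = bytes([TCP, 4, 0, 0]) + struct.pack("!II", 0x1000, 1) + b"\x00" * 12  # 24-byte AH, made-up SPI/ICV
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
SAMPLE_AH_TCP = ipv6_packet(HOP_BY_HOP, HBH + AUTH + TCP_HDR)

# Sample 2 (constructed): non-first fragment (offset 185), so TCP is not visible.
FRAG = bytes([TCP, 0]) + struct.pack("!HI", 185 << 3, 0xABCD) + b"\x00" * 8
SAMPLE_NONFIRST_FRAG = ipv6_packet(FRAGMENT, FRAG)

if __name__ == "__main__":
    for name, pkt in (("hbh+ah+tcp", SAMPLE_AH_TCP), ("non-first fragment", SAMPLE_NONFIRST_FRAG)):
        print(name, walk_ipv6(pkt))
```

An entry such as permit tcp any any auth matches the first sample because the walker reaches TCP behind the AH and records auth; the second sample has no reachable transport, which is exactly the traffic the undetermined-transport keyword lets a deny entry catch.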
Additional References
Related Documents
Related Topic: Security commands
Document Title:
• Cisco IOS Security Command Reference: Commands A to C
• Cisco IOS Security Command Reference: Commands D to L
• Cisco IOS Security Command Reference: Commands M to R
• Cisco IOS Security Command Reference: Commands S to Z
Related Topic: IPv6 addressing and basic connectivity
Document Title: IPv6 Addressing and Basic Connectivity Configuration Guide
Standard/RFC: RFC 2460
Title: Internet Protocol, Version 6 (IPv6)
Table 6: Feature Information for IPv6 ACL Extensions for Hop by Hop Filtering
CHAPTER 6
Creating an IP Access List and Applying It to an Interface
IP access lists provide many benefits for securing a network and achieving nonsecurity goals, such as
determining quality of service (QoS) factors or limiting debug command output. This module describes how
to create standard, extended, named, and numbered IP access lists. An access list can be referenced by a
name or a number. Standard access lists filter on only the source address in IP packets. Extended access lists
can filter on source address, destination address, and other fields in an IP packet.
After you create an access list, you must apply it to something in order for it to have any effect. This module
describes how to apply an access list to an interface. However, there are many other uses for an access list,
which are referenced in this module and described in other modules and in other configuration guides for
various technologies.
• You can delete an entry from a named access list. Use the no permit or no deny command to delete
the appropriate entry.
• In order to make the purpose of individual statements more scannable and easily understood at a glance,
you can write a helpful remark before or after any statement by using the remark command.
• If you want to deny access to a particular host or network and find out if someone from that network or
host is attempting to gain access, include the log keyword with the corresponding deny statement so
that the packets denied from that source are logged for you.
• This hint applies to the placement of your access list. When trying to save resources, remember that an
inbound access list applies the filter conditions before the routing table lookup. An outbound access list
applies the filter conditions after the routing table lookup.
Creating a Standard Access List to Filter on Source Address
Note The first two tasks in this module create an access list; you must apply the access list in order for it to
function. If you want to apply the access list to an interface, perform the task "Applying the Access List
to an Interface". If you don’t intend to apply the access list to an interface, see the "Where to Go Next"
for pointers to modules that describe other ways to apply access lists.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip access-list standard name
4. remark remark
5. deny {source [source-wildcard] | any} [log]
6. remark remark
7. permit {source [source-wildcard] | any} [log]
8. Repeat some combination of Steps 4 through 7 until you have specified the sources on which you want
to base your access list.
9. end
10. show ip access-list
DETAILED STEPS
Example:
Device# configure terminal
Step 3 ip access-list standard name
Defines a standard IP access list using a name and enters standard named access list configuration mode.
Example:
Device(config)# ip access-list standard R&D
Step 4 remark remark
(Optional) Adds a user-friendly comment about an access list entry.
• A remark can precede or follow an access list entry.
• In this example, the remark reminds the network administrator that the subsequent entry denies the Sales network access to the interface (assuming this access list is later applied to an interface).
Example:
Device(config-std-nacl)# remark deny Sales network
Step 5 deny {source [source-wildcard] | any} [log]
(Optional) Denies the specified source based on a source address and wildcard mask.
• If the source-wildcard is omitted, a wildcard mask of 0.0.0.0 is assumed, meaning match on all bits of the source address.
• Optionally use the keyword any as a substitute for the source source-wildcard to specify the source and source wildcard of 0.0.0.0 255.255.255.255.
• In this example, all hosts on network 172.16.0.0 are denied passing the access list.
• Because this example explicitly denies a source address and the log keyword is specified, any packets from that source are logged when they are denied. This is a way to be notified that someone on a network or host is trying to gain access.
Example:
Device(config-std-nacl)# deny 172.16.0.0 0.0.255.255 log
Step 6 remark remark
(Optional) Adds a user-friendly comment about an access list entry.
• A remark can precede or follow an access list entry.
• This remark reminds the network administrator that the subsequent entry allows the Tester’s host access to the interface.
Example:
Device(config-std-nacl)# remark Give access to Tester’s host
Step 7 permit {source [source-wildcard] | any} [log]
Permits the specified source based on a source address and wildcard mask.
• Every access list needs at least one permit statement; it need not be the first entry.
• If the source-wildcard is omitted, a wildcard mask of 0.0.0.0 is assumed, meaning match on all bits of the source address.
Example:
Device(config-std-nacl)# permit 172.18.5.22 0.0.0.0
Step 8 Repeat some combination of Steps 4 through 7 until you have specified the sources on which you want to base your access list.
Remember that all sources not specifically permitted are denied by an implicit deny statement at the end of the access list.
Step 9 end
Exits standard named access list configuration mode and enters privileged EXEC mode.
Example:
Device(config-std-nacl)# end
Step 10 show ip access-list
(Optional) Displays the contents of all current IP access lists.
Example:
Device# show ip access-list
What to Do Next
The access list you created is not in effect until you apply it to an interface, a vty line, or reference it from a
command that uses an access list. See "Applying the Access List to an Interface" or "Where to Go Next" for
pointers to modules that describe other ways to use access lists.
SUMMARY STEPS
1. enable
2. configure terminal
3. access-list access-list-number permit {source [source-wildcard] | any} [log]
4. access-list access-list-number deny {source [source-wildcard] | any} [log]
5. Repeat some combination of Steps 3 through 6 until you have specified the sources on which you want
to base your access list.
6. end
7. show ip access-list
DETAILED STEPS
Example:
Device# configure terminal
Step 3 access-list access-list-number permit {source [source-wildcard] | any} [log]
Permits the specified source based on a source address and wildcard mask.
• Every access list needs at least one permit statement; it need not be the first entry.
• Standard IP access lists are numbered 1 to 99 or 1300 to 1999.
• If the source-wildcard is omitted, a wildcard mask of 0.0.0.0 is assumed, meaning match on all bits of the source address.
• Optionally use the keyword any as a substitute for the source source-wildcard to specify the source and source wildcard of 0.0.0.0 255.255.255.255.
• In this example, host 172.16.5.22 is allowed to pass the access list.
Example:
Device(config)# access-list 1 permit 172.16.5.22 0.0.0.0
Step 4 access-list access-list-number deny {source [source-wildcard] | any} [log]
Denies the specified source based on a source address and wildcard mask.
• If the source-wildcard is omitted, a wildcard mask of 0.0.0.0 is assumed, meaning match on all bits of the source address.
Example:
Device(config)# access-list 1 deny 172.16.7.34 0.0.0.0
Step 5 Repeat some combination of Steps 3 through 6 until you have specified the sources on which you want to base your access list.
Remember that all sources not specifically permitted are denied by an implicit deny statement at the end of the access list.
Step 6 end
Exits global configuration mode and enters privileged EXEC mode.
Example:
Device(config)# end
Step 7 show ip access-list
(Optional) Displays the contents of all current IP access lists.
Example:
Device# show ip access-list
What to Do Next
The access list you created is not in effect until you apply it to an interface, a vty line, or reference it from a
command that uses an access list. See "Applying the Access List to an Interface" or "Where to Go Next" for
pointers to modules that describe other ways to use access lists.
Creating an Extended Access List
SUMMARY STEPS
1. enable
2. configure terminal
3. ip access-list extended name
4. remark remark
5. deny protocol source [source-wildcard] destination [destination-wildcard] [option option-name]
[precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name]
[fragments]
6. remark remark
7. permit protocol source [source-wildcard] destination [destination-wildcard] [option option-name]
[precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name]
[fragments]
8. Repeat some combination of Steps 4 through 7 until you have specified the fields and values on which
you want to base your access list.
9. end
10. show ip access-list
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ip access-list extended name
Defines an extended IP access list using a name and enters extended named access list configuration mode.
Example:
Router(config)# ip access-list extended nomarketing
Step 4 remark remark
(Optional) Adds a user-friendly comment about an access list entry.
• A remark can precede or follow an access list entry.
• In this example, the remark reminds the network administrator that the subsequent entry denies the Sales network access to the interface.
Example:
Router(config-ext-nacl)# remark protect server by denying access from the Marketing network
Step 5 deny protocol source [source-wildcard] destination [destination-wildcard] [option option-name] [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]
• Optionally use the keyword any as a substitute for the source source-wildcard or destination destination-wildcard to specify the address and wildcard of 0.0.0.0 255.255.255.255.
• Optionally use the keyword host source to indicate a source and source wildcard of source 0.0.0.0 or the abbreviation host destination to indicate a destination and destination wildcard of destination 0.0.0.0.
• In this example, packets from the source network 172.18.0.0 are denied access to host 172.16.40.10. Logging messages about packets permitted or denied by the access list are sent to the facility configured by the logging facility command (for example, console, terminal, or syslog). That is, any packet that matches the access list will cause an informational logging message about the packet to be sent to the configured facility. The level of messages logged to the console is controlled by the logging console command.
Example:
Router(config-ext-nacl)# deny ip 172.18.0.0 0.0.255.255 host 172.16.40.10 log
Step 6 remark remark
(Optional) Adds a user-friendly comment about an access list entry.
• A remark can precede or follow an access list entry.
Example:
Router(config-ext-nacl)# remark allow TCP from any source to any destination
Step 7 permit protocol source [source-wildcard] destination [destination-wildcard] [option option-name] [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]
Permits any packet that matches all of the conditions specified in the statement.
• Every access list needs at least one permit statement.
• If the source-wildcard or destination-wildcard is omitted, a wildcard mask of 0.0.0.0 is assumed, meaning match on all bits of the source or destination address, respectively.
• Optionally use the keyword any as a substitute for the source source-wildcard or destination destination-wildcard to specify the address and wildcard of 0.0.0.0 255.255.255.255.
• In this example, TCP packets are allowed from any source to any destination.
• The log-input keyword can be configured, but it is not supported, and will not work as expected.
Example:
Router(config-ext-nacl)# permit tcp any any
Step 10 show ip access-list
(Optional) Displays the contents of all current IP access lists.
Example:
Router# show ip access-list
What to Do Next
The access list you created is not in effect until you apply it to an interface, a vty line, or reference it from a
command that uses an access list. See "Applying the Access List to an Interface" or the "Where to Go Next"
for pointers to modules that describe other ways to use access lists.
SUMMARY STEPS
1. enable
2. configure terminal
3. access-list access-list-number remark remark
4. access-list access-list-number permit protocol {source [source-wildcard] | any} {destination
[destination-wildcard] | any} [precedence precedence] [tos tos] [established] [log | log-input] [time-range
time-range-name] [fragments]
5. access-list access-list-number remark remark
6. access-list access-list-number deny protocol {source [source-wildcard] | any} {destination
[destination-wildcard] | any} [precedence precedence] [tos tos] [established] [log | log-input] [time-range
time-range-name] [fragments]
7. Repeat some combination of Steps 3 through 6 until you have specified the fields and values on which
you want to base your access list.
8. end
9. show ip access-list
DETAILED STEPS
Example:
Router# configure terminal
Step 3 access-list access-list-number remark remark
(Optional) Adds a user-friendly comment about an access list entry.
• A remark of up to 100 characters can precede or follow an access list entry.
Example:
Router(config)# access-list 107 remark allow Telnet packets from any source to network 172.69.0.0 (headquarters)
Step 4 access-list access-list-number permit protocol {source [source-wildcard] | any} {destination [destination-wildcard] | any} [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]
Permits any packet that matches all of the conditions specified in the statement.
• Every access list needs at least one permit statement; it need not be the first entry.
• Extended IP access lists are numbered 100 to 199 or 2000 to 2699.
• If the source-wildcard or destination-wildcard is omitted, a wildcard mask of 0.0.0.0 is assumed, meaning match on all bits of the source or destination address, respectively.
• Optionally use the keyword any as a substitute for the source source-wildcard or destination destination-wildcard to specify the address and wildcard of 0.0.0.0 255.255.255.255.
• TCP and other protocols have additional syntax available. See the access-list command in the command reference for complete syntax.
Example:
Router(config)# access-list 107 permit tcp any 172.69.0.0 0.0.255.255 eq telnet
Step 5 access-list access-list-number remark remark
(Optional) Adds a user-friendly comment about an access list entry.
• A remark of up to 100 characters can precede or follow an access list entry.
Example:
Router(config)# access-list 107 remark deny all other TCP packets
Step 6 access-list access-list-number deny protocol {source [source-wildcard] | any} {destination [destination-wildcard] | any} [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]
Denies any packet that matches all of the conditions specified in the statement.
Step 7 Repeat some combination of Steps 3 through 6 until you have specified the fields and values on which you want to base your access list.
Remember that all sources not specifically permitted are denied by an implicit deny statement at the end of the access list.
Step 8 end
Ends configuration mode and brings the system to privileged EXEC mode.
Example:
Router(config)# end
Step 9 show ip access-list
(Optional) Displays the contents of all current IP access lists.
Example:
Router# show ip access-list
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip access-group {access-list-number | access-list-name} {in | out}
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface type number
Specifies an interface and enters interface configuration mode.
Example:
Router(config)# interface ethernet 0
Step 4 ip access-group {access-list-number | access-list-name} {in | out}
Applies the specified access list to the incoming or outgoing interface.
• When you are filtering on source addresses, you typically apply the access list to an incoming interface.
• Filtering on source addresses is most efficient when applied near the destination.
Example:
Router(config-if)# ip access-group noncorp in
What to Do Next
The access list you created is not in effect until you apply it to an interface, a vty line, or reference it from a
command that uses an access list. See "Applying the Access List to an Interface" or "Where to Go Next" for
pointers to modules that describe other ways to use access lists.
interface ethernet 0
ip access-group workstations in
!
ip access-list standard workstations
remark Permit only Jones workstation through
permit 172.16.2.88
remark Do not allow Smith workstation through
deny 172.16.3.13
Example Filtering on Source Address (Subnet)
interface ethernet 0
ip access-group prevention in
!
ip access-list standard prevention
remark Do not allow Jones subnet through
deny 172.22.0.0 0.0.255.255
remark Allow Main subnet
permit 172.25.0.0 0.0.255.255
interface Ethernet0/5
ip address 172.20.5.1 255.255.255.0
ip access-group Internet_filter out
ip access-group marketing_group in
!
ip access-list standard Internet_filter
permit 172.16.3.4
ip access-list extended marketing_group
permit tcp any 172.26.0.0 0.0.255.255 eq telnet
deny tcp any any
permit icmp any any
deny udp any 172.26.0.0 0.0.255.255 lt 1024
deny ip any any
interface ethernet 0
ip access-group 2 in
!
access-list 2 permit 10.48.0.3
access-list 2 deny 10.48.0.0 0.0.255.255
access-list 2 permit 10.0.0.0 0.255.255.255
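Access list 2 above shows why entry order matters: host 10.48.0.3 is permitted by the first entry even though the second entry denies the rest of 10.48.0.0/16, and the third entry permits the remainder of 10.0.0.0/8. The evaluator below is an added Python example, not Cisco code and not part of this guide. It applies the wildcard-mask rule described in the procedures (a 1 bit in the wildcard means that address bit is ignored; an omitted wildcard is 0.0.0.0; host and any are abbreviations), tests entries top-down, stops at the first match, and applies the unlogged implicit deny when nothing matches. It accepts the standard-ACL syntax shown in this chapter, and is fed access list 2 from above and access list 1 from the logging example later in the chapter; the source addresses it is tested with are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class StdEntry:
    action: str        # "permit" or "deny"
    address: int       # base address as a 32-bit integer
    wildcard: int      # wildcard mask: a 1 bit means "ignore this address bit"
    log: bool = False  # the log keyword
    hits: int = 0      # match counter, like the count shown by show ip access-list

    def matches(self, src: int) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF   # bits that must be equal
        return (src & care) == (self.address & care)


def parse_std_entry(line: str) -> StdEntry:
    """Parse one standard ACL entry in IOS syntax, with or without the
    numbered-list prefix:
    [access-list number] {permit | deny} {source [source-wildcard] | host source | any} [log]"""
    tokens = line.split()
    if tokens[:1] == ["access-list"]:
        tokens = tokens[2:]
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    log = bool(tokens) and tokens[-1] == "log"
    if log:
        tokens.pop()
    if tokens[0] == "any":                      # any == 0.0.0.0 255.255.255.255
        address, wildcard = 0, 0xFFFFFFFF
    elif tokens[0] == "host":                   # host X == X 0.0.0.0
        address, wildcard = int(ipaddress.IPv4Address(tokens[1])), 0
    else:
        address = int(ipaddress.IPv4Address(tokens[0]))
        # An omitted wildcard is 0.0.0.0: all 32 bits of the source must match.
        wildcard = int(ipaddress.IPv4Address(tokens[1])) if len(tokens) > 1 else 0
    return StdEntry(action, address, wildcard, log)


class StandardAcl:
    def __init__(self, lines):
        self.entries = [parse_std_entry(line) for line in lines]

    def evaluate(self, src_ip: str):
        """Return (action, index of the matching entry or None, logged).
        Entries are tested top-down and the first match wins. When nothing
        matches, the implicit deny at the end of the list applies; it is
        neither counted nor logged, which is why an explicit deny with the
        log keyword is needed to see what the list is dropping."""
        src = int(ipaddress.IPv4Address(src_ip))
        for i, entry in enumerate(self.entries):
            if entry.matches(src):
                entry.hits += 1
                return entry.action, i, entry.log
        return "deny", None, False


# Access list 2 from the configuration example above.
ACL_2 = [
    "access-list 2 permit 10.48.0.3",
    "access-list 2 deny 10.48.0.0 0.0.255.255",
    "access-list 2 permit 10.0.0.0 0.255.255.255",
]
# Access list 1 from the logging example later in this chapter.
ACL_1 = [
    "access-list 1 permit 172.25.0.0 0.0.255.255 log",
    "access-list 1 deny 172.30.0.0 0.0.255.255 log",
]

if __name__ == "__main__":
    acl = StandardAcl(ACL_2)
    for src in ("10.48.0.3", "10.48.9.9", "10.2.3.4", "192.168.1.1"):   # constructed sources
        print(src, acl.evaluate(src))
```

Swapping the first two entries of ACL_2 would make 10.48.0.3 hit the deny entry first, which is the ordering mistake the hints earlier in this chapter warn about when they say the implicit deny and entry placement decide what passes.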
Example Preventing Telnet Access to a Subnet
interface ethernet 0
ip access-group telnetting out
!
ip access-list extended telnetting
remark Do not allow Jones subnet to telnet out
deny tcp 172.20.0.0 0.0.255.255 any eq telnet
remark Allow Top subnet to telnet out
permit tcp 172.33.0.0 0.0.255.255 any eq telnet
interface ethernet 0
ip access-group goodports in
!
ip access-list extended goodports
permit tcp any 172.28.0.0 0.0.255.255 gt 1023
permit tcp any host 172.28.1.2 eq 25
permit icmp any 172.28.0.0 255.255.255.255
interface ethernet 0
ip access-group 102 in
!
access-list 102 permit tcp any 172.18.0.0 0.0.255.255 established
access-list 102 permit tcp any host 172.18.1.2 eq 25
Example Preventing Access to the Web By Filtering on Port Name
interface ethernet 0
ip access-group no_web out
!
ip access-list extended no_web
remark Do not allow Winter to browse the web
! An extended entry needs the protocol (here tcp) before the addresses when a port such as eq http is matched
deny tcp host 172.20.3.85 any eq http
remark Do not allow Smith to browse the web
deny tcp host 172.20.3.13 any eq http
remark Allow others on our network to browse the web
permit tcp 172.20.0.0 0.0.255.255 any eq http
Example Filtering on Source Address and Logging the Packets Permitted and
Denied
The following example defines access lists 1 and 2, both of which have logging enabled:
interface ethernet 0
ip address 172.16.1.1 255.0.0.0
ip access-group 1 in
ip access-group 2 out
!
access-list 1 permit 172.25.0.0 0.0.255.255 log
access-list 1 deny 172.30.0.0 0.0.255.255 log
!
access-list 2 permit 172.27.3.4 log
access-list 2 deny 172.17.0.0 0.0.255.255 log
If the interface receives 10 packets from 172.25.7.7 and 14 packets from 172.17.23.21, the first log will look
like the following:
Where to Go Next
This module describes how to create an access list that permits or denies packets based on source or destination
address or protocol. However, there are other fields you could filter on, and other ways to use access lists. If
you want to create an access list that filters on other fields or if you want to apply an access list to something
other than an interface, you should decide what you want to restrict in your network and determine the type
of access list that achieves your goal.
See the following table for references to other fields to filter and other ways to use an IP access list.
• Limit access list entries to a time of day or week: "Refining an IP Access List" module
• Restrict access to virtual terminal lines: "Controlling Access to a Virtual Terminal Line"
• Identify or classify traffic for features such as congestion avoidance, congestion management, and priority queuing: "Regulating Packet Flow on a Per-Interface Basis--Using Generic Traffic Shaping" module in the Quality of Service Solutions Configuration Guide
Additional References for Creating an IP Access List to Filter TCP Flags
• Access list entries based on time of day or week: "Refining an IP Access List"
• Filtering on IP Options, TCP flags, noncontiguous ports, or TTL values: "Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values"
Table 7: Feature Information for Creating an IP Access List and Applying It to an Interface
CHAPTER 7
Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports
This module describes how to use an IP access list to filter IP packets that contain certain IP Options, TCP
flags, noncontiguous ports.
IP Options
IP uses four key mechanisms in providing its service: Type of Service, Time to Live, Options, and Header
Checksum.
The Options, commonly referred to as IP Options, provide for control functions that are required in some
situations but unnecessary for the most common communications. IP Options include provisions for time
stamps, security, and special routing.
IP Options may or may not appear in datagrams. They must be implemented by all IP modules (host and
gateways). What is optional is their transmission in any particular datagram, not their implementation. In
some environments the security option may be required in all datagrams.
The option field is variable in length. There may be zero or more options. IP Options can have one of two
formats:
• Format 1: A single octet of option-type.
• Format 2: An option-type octet, an option-length octet, and the actual option-data octets.
The option-length octet counts the option-type octet, the option-length octet, and the option-data octets.
The option-type octet is viewed as having three fields: a 1-bit copied flag, a 2-bit option class, and a 5-bit
option number. These fields form an 8-bit value for the option type field. IP Options are commonly referred
to by their 8-bit value.
For a complete list and description of IP Options, refer to RFC 791, Internet Protocol at the following URL:
http://www.faqs.org/rfcs/rfc791.html
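The option-type decomposition and the two option formats described above, as an added worked example (this is not code from this guide or from Cisco): a small Python parser that walks the IPv4 options field the way an ACL option match has to, decodes the option-type octet into its copied flag, class and number, and reports whether a packet carries the option that an ACE such as deny ip any any option traceroute names. The option-type values for eool, no-op, record-route, timestamp, security, lsr, stream-id and ssr are those of RFC 791; the traceroute value (82) comes from RFC 1393 and router-alert (148) from RFC 2113. The mapping from the ACL keyword spellings to those values is an assumption, and the sample packets are constructed here.

```python
"""IPv4 options parser and ACE 'option <keyword>' matcher.

Added example, not Cisco code.  Option-type values: RFC 791 (eool, no-op,
record-route, timestamp, security, lsr, stream-id, ssr), RFC 1393
(traceroute) and RFC 2113 (router-alert); the keyword spellings are
assumed to be the ACL keywords for those values.
"""
import struct

OPTION_KEYWORDS = {
    "eool": 0, "no-op": 1, "record-route": 7, "timestamp": 68,
    "traceroute": 82, "security": 130, "lsr": 131, "stream-id": 136,
    "ssr": 137, "router-alert": 148,
}


def split_option_type(octet):
    """Decompose the option-type octet into (copied flag, class, number)."""
    return (octet >> 7) & 1, (octet >> 5) & 3, octet & 0x1F


def parse_options(raw):
    """Return [(option_type, data), ...] for the raw options bytes.

    Format 1 options (EOOL = 0, NOP = 1) are a single octet.  Every other
    option is format 2: type, length (counting type, length and data), data.
    A length below 2 or one that runs past the field is malformed.
    """
    found, i = [], 0
    while i < len(raw):
        opt_type = raw[i]
        if opt_type == 0:                      # End of Option List: rest is padding
            found.append((0, b""))
            break
        if opt_type == 1:                      # No Operation
            found.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option %d truncated: no length octet" % opt_type)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("option %d has invalid length %d" % (opt_type, length))
        found.append((opt_type, bytes(raw[i + 2:i + length])))
        i += length
    return found


def ipv4_options(packet):
    """Parse the options of an IPv4 packet; an IHL of 5 means no options."""
    ihl = packet[0] & 0x0F
    if ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("bad IHL or truncated header")
    return parse_options(packet[20:ihl * 4])


def option_ace_matches(packet, keyword):
    """Model 'deny ip any any option <keyword>': True if the option is present."""
    wanted = OPTION_KEYWORDS[keyword]
    return any(opt_type == wanted for opt_type, _ in ipv4_options(packet))


def build_packet(options):
    """Constructed sample: a 10.0.0.1 -> 10.0.0.2 IPv4 header (no payload)
    carrying the given raw options, padded to a 32-bit boundary.  The header
    checksum is left at zero; it plays no part in option matching."""
    padded = options + b"\x00" * (-len(options) % 4)
    ihl = 5 + len(padded) // 4
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(padded),
                         0, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + padded


# Constructed option fields.  Traceroute (RFC 1393): type 82, length 12,
# then ID number, outbound and return hop counts, originator address.
TRACEROUTE_OPT = bytes([82, 12]) + b"\x00" * 10
# A NOP for alignment followed by a loose source route with one hop.
LSRR_OPT = bytes([1, 131, 7, 4, 192, 0, 2, 1])

if __name__ == "__main__":
    pkt = build_packet(TRACEROUTE_OPT)
    print(split_option_type(82))                  # (0, 2, 18): not copied, class 2, number 18
    print(option_ace_matches(pkt, "traceroute"))  # True
    print(option_ace_matches(pkt, "lsr"))         # False
```

A packet is matched on the full 8-bit option-type value, which is why an option is referred to by that value (131 for LSRR) rather than by its 5-bit number alone. A length octet below 2, or one that runs past the header, is rejected rather than guessed at: a malformed options field is exactly the kind of packet a filter should see and count, not silently skip.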
Benefits of Filtering IP Options
• This feature minimizes the load on the Route Processor (RP) for packets with IP Options that require RP processing on distributed systems. Previously, such packets were always routed to or processed by the RP CPU. Filtering the packets prevents them from impacting the RP.
TCP Flags
The table below lists the TCP flags, which are further described in RFC 793, Transmission Control Protocol.
• ACK: acknowledgment flag; the acknowledgment number field is significant.
• FIN: finish flag; the sender has no more data to send.
• PSH: push flag; the receiver should deliver the data to the application without waiting.
• RST: reset flag; reset the connection.
• SYN: synchronize flag; synchronize sequence numbers to open a connection.
• URG: urgent flag; the urgent pointer field is significant.
Special Handling for Packets with TTL Value of 0 or 1 Arriving at an Ingress Interface
The software switching paths (distributed Cisco Express Forwarding (dCEF), CEF, fast switching, and process switching) usually permit or discard packets based on the access list statements. However, packets that arrive at an ingress interface with a TTL of 0 or 1 require special handling. These packets are sent to the process level before the ingress access list is checked in the CEF, dCEF, or fast switching paths. The ingress access list is applied in those paths only to packets with TTL values 2 through 255, and a permit or deny decision is made for them there.
Packets with a TTL value of 0 or 1 are sent to the process level because they will never be forwarded out of the device; the process level must check whether each packet is destined for the device and whether an Internet Control Message Protocol (ICMP) TTL Expire message needs to be sent back. This means that even if an ACL that filters on TTL value 0 or 1 is configured on the ingress interface with the intention of dropping such packets, the drop does not happen in the faster paths; it happens at the process level when the process applies the ACL. This is also true for hardware switching platforms: packets with a TTL value of 0 or 1 are sent to the process level of the route processor (RP) or Multilayer Switch Feature Card (MSFC). In practice, an ingress ACL alone therefore does not shield the RP from a flood of TTL-0 or TTL-1 packets; to drop them at the control plane before they consume process-level resources, use the Control Plane Policing procedure in this module (Enabling Control Plane Policing to Filter on TTL Values 0 and 1).
On egress interfaces, access list filtering on TTL value works just like other access list features. The check happens in the fastest switching path enabled in the device, because the faster switching paths handle all TTL values (0 through 255) equally on the egress interface.
Filtering Packets That Contain IP Options
Note • The ACL Support for Filtering IP Options feature can be used only with named, extended ACLs.
• Resource Reservation Protocol (RSVP), Multiprotocol Label Switching Traffic Engineering (MPLS TE), Internet Group Management Protocol Version 2 (IGMPv2), and other protocols that use IP Options packets may not function in drop or ignore mode if this feature is configured.
• On most Cisco devices, a packet with IP Options is not switched in hardware but requires control plane software processing (primarily because the options must be processed and the IP header rewritten), so all IP packets with IP Options are filtered and switched in software.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip access-list extended access-list-name
4. [sequence-number] deny protocol source source-wildcard destination destination-wildcard [option
option-value] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
5. [sequence-number] permit protocol source source-wildcard destination destination-wildcard [option
option-value] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
6. Repeat Step 4 or Step 5 as necessary.
7. end
8. show ip access-lists access-list-name
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Device# configure terminal
Step 3 ip access-list extended access-list-name
Specifies the IP access list by name and enters named access list configuration mode.
Example:
Device(config)# ip access-list extended mylist1
Step 4 [sequence-number] deny protocol source source-wildcard destination destination-wildcard [option option-value] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
(Optional) Specifies a deny statement in named IP access list mode.
• This access list happens to use a deny statement first, but a permit statement could appear first, depending on the order of statements you need.
• Use the option keyword and option-value argument to filter packets that contain a particular IP Option.
• In this example, any packet that contains the traceroute IP option is filtered out.
• Use the no sequence-number form of this command to delete an entry.
Example:
Device(config-ext-nacl)# deny ip any any option traceroute
Step 5 [sequence-number] permit protocol source source-wildcard destination destination-wildcard [option option-value] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Specifies a permit statement in named IP access list mode.
Step 6 Repeat Step 4 or Step 5 as necessary.
Allows you to revise the access list.
Step 7 end
(Optional) Exits named access list configuration mode and returns to privileged EXEC mode.
Example:
Device(config-ext-nacl)# end
Step 8 show ip access-lists access-list-name
(Optional) Displays the contents of the IP access list.
Example:
Device# show ip access-lists mylist1
What to Do Next
Apply the access list to an interface or reference it from a command that accepts an access list.
Note To effectively eliminate all packets that contain IP Options, we recommend that you configure the global
ip options drop command.
Filtering Packets That Contain TCP Flags
Note • TCP flag filtering can be used only with named, extended ACLs.
• The ACL TCP Flags Filtering feature is supported only for Cisco ACLs.
• Previously, the following command-line interface (CLI) format could be used to configure a TCP flag-checking mechanism:
permit tcp any any rst
The following format, which represents the same ACE, can now be used:
permit tcp any any match-any +rst
Both CLI formats are accepted; however, if the new keywords match-all or match-any are chosen, they must be followed by the new flags, which are prefixed with "+" or "-". Use only the old format or only the new format in a single ACL; you cannot mix and match the old and new CLI formats.
Caution If a device that has ACEs in the new syntax format is reloaded with a previous version of Cisco software that does not support the ACL TCP Flags Filtering feature, those ACEs will not be applied, leaving possible security loopholes. After any software change, run show ip access-lists access-list-name and confirm that every flag-matching ACE is still present before trusting the filter.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip access-list extended access-list-name
4. [sequence-number] permit tcp source source-wildcard [operator [port]] destination destination-wildcard
[operator [port]] [established|{match-any | match-all} {+ | -} flag-name] [precedence precedence] [tos
tos] [log] [time-range time-range-name] [fragments]
5. [sequence-number] deny tcp source source-wildcard [operator [port]] destination destination-wildcard
[operator [port]] [established|{match-any | match-all} {+ | -} flag-name] [precedence precedence] [tos
tos] [log] [time-range time-range-name] [fragments]
6. Repeat Step 4 or Step 5 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry.
7. end
8. show ip access-lists access-list-name
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Device# configure terminal
Step 3 ip access-list extended access-list-name
Specifies the IP access list by name and enters named access list configuration mode.
Example:
Device(config)# ip access-list extended kmd1
Step 4 [sequence-number] permit tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established | {match-any | match-all} {+ | -} flag-name] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Specifies a permit statement in named IP access list mode.
• This access list happens to use a permit statement first, but a deny statement could appear first, depending on the order of statements you need.
• Use the TCP command syntax of the permit command.
• Any packet with the RST TCP header flag set is matched and allowed to pass the named access list kmd1 in Step 3.
Example:
Device(config-ext-nacl)# permit tcp any any match-any +rst
Step 5 [sequence-number] deny tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established | {match-any | match-all} {+ | -} flag-name] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
(Optional) Specifies a deny statement in named IP access list mode.
• Use the TCP command syntax of the deny command.
• Any packet that does not have the ACK flag set and also does not have the FIN flag set is not allowed to pass the named access list kmd1 in Step 3. Because match-all requires every listed condition to hold, a segment with FIN set but ACK clear does not match this entry.
• See the deny (IP) command for additional command syntax to permit upper-layer protocols (ICMP, IGMP, TCP, and UDP).
Example:
Device(config-ext-nacl)# deny tcp any any match-all -ack -fin
Step 6 Repeat Step 4 or Step 5 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry.
Allows you to revise the access list.
Step 7 end
(Optional) Exits the configuration mode and returns to privileged EXEC mode.
Example:
Device(config-ext-nacl)# end
Step 8 show ip access-lists access-list-name
(Optional) Displays the contents of the IP access list.
Example:
Device# show ip access-lists kmd1
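The match-any and match-all semantics used in Steps 4 and 5, as an added worked example (this is not code from this guide or from Cisco): a Python evaluator that parses ACEs in both the old form (rst, established) and the new form (match-any +rst), walks them in order with first match wins and the implicit deny at the end, and shows which segments the kmd1 list above lets through. Only the flag clause is parsed (endpoints are fixed at any any), the established keyword is modelled as "ACK or RST set", and the test segments are constructed here.

```python
"""TCP-flag ACE evaluator: first match wins, implicit deny at the end.

Added example, not Cisco code.  It models the match-any / match-all and
+flag / -flag semantics of this task.  The legacy keywords are modelled
as: 'established' = ACK or RST set, 'rst' = RST set.  Only 'tcp any any'
endpoints are parsed, since the flag clause is the point here.
"""

FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,      # RFC 793 control bits
             "psh": 0x08, "ack": 0x10, "urg": 0x20}
ESTABLISHED_MASK = FLAG_BITS["ack"] | FLAG_BITS["rst"]


def parse_ace(text):
    """Parse one ACE into (action, condition).

    condition is ("always", ()), ("established", ()) or
    ("match-any" | "match-all", ((wanted_set, bit), ...)).
    """
    words = text.split()
    action, proto, src, dst, clause = words[0], words[1], words[2], words[3], words[4:]
    if action not in ("permit", "deny") or proto != "tcp" or (src, dst) != ("any", "any"):
        raise ValueError("this example handles 'permit|deny tcp any any ...' only: %r" % text)
    if not clause:
        return action, ("always", ())
    if clause == ["established"]:
        return action, ("established", ())
    if clause == ["rst"]:                                  # old format ...
        return action, ("match-any", ((True, FLAG_BITS["rst"]),))   # ... same as match-any +rst
    if clause[0] in ("match-any", "match-all"):
        conds = []
        for tok in clause[1:]:
            if len(tok) < 2 or tok[0] not in "+-" or tok[1:] not in FLAG_BITS:
                raise ValueError("flag must be +name or -name: %r" % tok)
            conds.append((tok[0] == "+", FLAG_BITS[tok[1:]]))
        if not conds:
            raise ValueError("%s needs at least one +flag/-flag" % clause[0])
        return action, (clause[0], tuple(conds))
    raise ValueError("unsupported clause: %r" % clause)


def ace_matches(condition, flags):
    """Does a segment with control byte `flags` satisfy the condition?"""
    kind, conds = condition
    if kind == "always":
        return True
    if kind == "established":
        return bool(flags & ESTABLISHED_MASK)
    checks = [bool(flags & bit) == wanted for wanted, bit in conds]
    return any(checks) if kind == "match-any" else all(checks)


def evaluate(acl, flags):
    """Return 'permit' or 'deny' for the segment, walking the ACEs in order."""
    for action, condition in acl:
        if ace_matches(condition, flags):
            return action
    return "deny"                                  # implicit deny at the end of every ACL


# The list built in the task above, plus a final permit so that the effect
# of the two flag ACEs on ordinary traffic is visible.
KMD1 = [parse_ace(line) for line in (
    "permit tcp any any match-any +rst",
    "deny tcp any any match-all -ack -fin",
    "permit tcp any any",
)]

if __name__ == "__main__":
    syn = FLAG_BITS["syn"]
    print(evaluate(KMD1, syn))                       # deny: new connection attempt (no ACK, no FIN)
    print(evaluate(KMD1, syn | FLAG_BITS["ack"]))    # permit: reply in an established session
    print(evaluate(KMD1, FLAG_BITS["fin"]))          # permit: FIN without ACK is not caught by match-all -ack -fin
```

The last case is the one to notice: deny tcp any any match-all -ack -fin matches only when both flags are clear, so a bare FIN segment (what a FIN scan sends) passes it. If that traffic is meant to be dropped, add a separate entry such as deny tcp any any match-all +fin -ack rather than loosening the first one to match-any, which would match almost everything.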
What to Do Next
Apply the access list to an interface or reference it from a command that accepts an access list.
Configuring an Access Control Entry with Noncontiguous Ports
Note The ACL—Named ACL Support for Noncontiguous Ports on an Access Control Entry feature can be used only with named, extended ACLs.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip access-list extended access-list-name
4. [sequence-number] permit tcp source source-wildcard [operator port [port]] destination
destination-wildcard [operator [port]] [established {match-any | match-all} {+ | -} flag-name]
[precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
5. [sequence-number] deny tcp source source-wildcard [operator port [port]] destination destination-wildcard
[operator [port]] [established {match-any | match-all} {+ | -} flag-name] [precedence precedence] [tos
tos] [log] [time-range time-range-name] [fragments]
6. Repeat Step 4 or Step 5 as necessary, adding statements by sequence number where you planned. Use the
no sequence-number command to delete an entry.
7. end
8. show ip access-lists access-list-name
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Device# configure terminal
Step 3 ip access-list extended access-list-name
Specifies the IP access list by name and enters named access list configuration mode.
Example:
Device(config)# ip access-list extended acl-extd-1
Step 4 [sequence-number] permit tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator [port]] [established | {match-any | match-all} {+ | -} flag-name] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Specifies a permit statement in named IP access list configuration mode.
• Operators include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
• If the operator is positioned after the source and source-wildcard arguments, it must match the source port. If the operator is positioned after the destination and destination-wildcard arguments, it must match the destination port.
• The range operator requires two port numbers. You can configure up to 10 ports after the eq and neq operators. All other operators require one port number.
• To filter UDP ports, use the UDP syntax of this command.
Example:
Device(config-ext-nacl)# permit tcp any eq telnet ftp any eq 450 679
Step 5 [sequence-number] deny tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator [port]] [established | {match-any | match-all} {+ | -} flag-name] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
(Optional) Specifies a deny statement in named access list configuration mode.
• Operators include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
• If the operator is positioned after the source and source-wildcard arguments, it must match the source port. If the operator is positioned after the destination and destination-wildcard arguments, it must match the destination port.
• The range operator requires two port numbers. You can configure up to 10 ports after the eq and neq operators. All other operators require one port number.
• To filter UDP ports, use the UDP syntax of this command.
Example:
Device(config-ext-nacl)# deny tcp any neq 45 565 632 any
Step 6 Repeat Step 4 or Step 5 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry.
Allows you to revise the access list.
Step 7 end
(Optional) Exits named access list configuration mode and returns to privileged EXEC mode.
Example:
Device(config-ext-nacl)# end
Step 8 show ip access-lists access-list-name
(Optional) Displays the contents of the access list.
Example:
Device# show ip access-lists acl-extd-1
Consolidating Access List Entries with Noncontiguous Ports into One Access List Entry
Perform this task to consolidate a group of access list entries with noncontiguous ports into one access list
entry.
Although this task uses TCP ports, you could use the UDP syntax of the permit and deny commands to filter
noncontiguous UDP ports.
Although this task uses a permit command first, use the permit and deny commands in the order that achieves
your filtering goals.
SUMMARY STEPS
1. enable
2. show ip access-lists access-list-name
3. configure terminal
4. ip access-list extended access-list-name
5. no [sequence-number] permit protocol source source-wildcard destination destination-wildcard[option
option-name] [precedence precedence][tos tos] [log] [time-range time-range-name] [fragments]
6. [sequence-number] permit protocol source source-wildcard[operator port[port]] destination
destination-wildcard[operator port[port]] [option option-name] [precedence precedence][tos tos] [log]
[time-range time-range-name] [fragments]
7. Repeat Steps 5 and 6 as necessary, adding permit or deny statements to consolidate access list entries
where possible. Use the no sequence-number command to delete an entry.
8. end
9. show ip access-lists access-list-name
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable
Step 2 show ip access-lists access-list-name
(Optional) Displays the contents of the IP access list.
• Review the output to see if you can consolidate any access list entries.
Example:
Device# show ip access-lists mylist1
Step 3 configure terminal
Enters global configuration mode.
Example:
Device# configure terminal
Step 4 ip access-list extended access-list-name
Specifies the IP access list by name and enters named access list configuration mode.
Example:
Device(config)# ip access-list extended mylist1
Step 5 no [sequence-number] permit protocol source source-wildcard destination destination-wildcard [option option-name] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Removes the redundant access list entry that can be consolidated.
• Repeat this step to remove entries that are to be consolidated because only the port numbers differ.
Step 6 [sequence-number] permit protocol source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [option option-name] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Specifies a permit statement in named access list configuration mode.
• In this instance, a group of access list entries with noncontiguous ports was consolidated into one permit statement.
• You can configure up to 10 ports after the eq and neq operators.
• Consolidation preserves the original behavior for eq entries, which are unions of single-port matches. Separate neq entries are not equivalent to one neq entry that lists all of their ports: neq 45 565 632 matches only ports outside the whole list, whereas separate neq 45 and neq 565 entries together match every port. Confirm the intended port set before merging neq entries.
Example:
Device(config-ext-nacl)# permit tcp any neq 45 565 632 any eq 23 45 34 43
Step 7 Repeat Steps 5 and 6 as necessary, adding permit or deny statements to consolidate access list entries where possible. Use the no sequence-number command to delete an entry.
Allows you to revise the access list.
Step 8 end
(Optional) Exits named access list configuration mode and returns to privileged EXEC mode.
Example:
Device(config-ext-nacl)# end
Step 9 show ip access-lists access-list-name
(Optional) Displays the contents of the access list.
Example:
Device# show ip access-lists mylist1
What To Do Next
Apply the access list to an interface or reference it from a command that accepts an access list.
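The consolidation performed in Steps 5 and 6, and the noncontiguous-port entries of the preceding task, as an added worked example (this is not code from this guide or from Cisco): a Python routine that parses ACEs in the form show ip access-lists prints them, merges adjacent entries that differ only in one eq port list (up to the 10-port limit stated above) and leaves every other entry where it is. It assumes that a multi-port neq list matches only ports outside the whole list, so it deliberately refuses to merge separate neq entries; the sample list is constructed.

```python
"""Consolidate ACEs that differ only in their port list into one ACE.

Added example, not Cisco code.  Assumptions: a port list after eq is a
union (any listed port matches) while a port list after neq matches only
ports outside the whole list, so separate neq entries are NOT merged; the
10-port limit is the one stated in the task; only adjacent entries with the
same action and the same other fields are merged, so an intervening deny
keeps its place and first-match semantics are preserved.
"""
import re

MAX_PORTS = 10
PORT_COUNT = {"eq": None, "neq": None, "lt": 1, "gt": 1, "range": 2}   # None = list
TRAILING = {"log", "log-input", "established", "precedence", "tos", "time-range", "fragments"}
MERGE_KEYS = ("action", "proto", "src", "dst", "sop", "dop", "tail")


def _is_endpoint(tok):
    return tok in ("any", "host") or re.fullmatch(r"\d+\.\d+\.\d+\.\d+", tok) is not None


def _take_endpoint(words, i):
    """any | host A.B.C.D | A.B.C.D wildcard"""
    if words[i] == "any":
        return "any", i + 1
    return " ".join(words[i:i + 2]), i + 2


def _take_ports(words, i, stop):
    """Optional operator plus its ports; eq/neq lists run until stop(token)."""
    if i >= len(words) or words[i] not in PORT_COUNT:
        return None, (), i
    op, i = words[i], i + 1
    n = PORT_COUNT[op]
    if n is not None:
        return op, tuple(words[i:i + n]), i + n
    ports = []
    while i < len(words) and not stop(words[i]):
        ports.append(words[i])
        i += 1
    return op, tuple(ports), i


def parse_ace(line):
    """Parse '[seq] permit|deny tcp|udp src [op ports] dst [op ports] [trailing...]'."""
    words = line.split()
    i = 1 if words[0].isdigit() else 0
    action, proto = words[i], words[i + 1]
    src, i = _take_endpoint(words, i + 2)
    sop, sports, i = _take_ports(words, i, _is_endpoint)
    dst, i = _take_endpoint(words, i)
    dop, dports, i = _take_ports(words, i, lambda t: t in TRAILING)
    return {"action": action, "proto": proto, "src": src, "sop": sop, "sports": sports,
            "dst": dst, "dop": dop, "dports": dports, "tail": tuple(words[i:])}


def render(ace):
    parts = [ace["action"], ace["proto"], ace["src"]]
    if ace["sop"]:
        parts += [ace["sop"], *ace["sports"]]
    parts.append(ace["dst"])
    if ace["dop"]:
        parts += [ace["dop"], *ace["dports"]]
    return " ".join(parts + list(ace["tail"]))


def _merge_into(prev, ace):
    """Fold `ace` into `prev` if only one eq port list differs; True on success."""
    if any(prev[k] != ace[k] for k in MERGE_KEYS):
        return False
    for side, other, op in (("sports", "dports", "sop"), ("dports", "sports", "dop")):
        if prev[other] != ace[other]:
            continue                      # the other side differs too: not a port-only difference
        if prev[op] != "eq":
            return False                  # neq lists are intersections; lt/gt/range are not lists
        merged = list(prev[side]) + [p for p in ace[side] if p not in prev[side]]
        if len(merged) > MAX_PORTS:
            return False
        prev[side] = tuple(merged)
        return True
    return False


def consolidate(lines):
    """Return the consolidated ACL as a list of ACE strings (sequence numbers dropped)."""
    out = []
    for ace in map(parse_ace, lines):
        if not (out and _merge_into(out[-1], ace)):
            out.append(ace)
    return [render(a) for a in out]


# Constructed sample, in the form 'show ip access-lists' prints entries.
SAMPLE_ACL = [
    "10 permit tcp any any eq 23",
    "20 permit tcp any any eq 45",
    "30 permit tcp any any eq 34",
    "40 deny tcp any any eq 80",
    "50 permit tcp any any eq 43",
    "60 permit tcp any eq telnet any eq 450",
    "70 permit tcp any eq ftp any eq 450",
    "80 permit tcp any neq 45 any eq 22",
    "90 permit tcp any neq 565 any eq 22",
]

if __name__ == "__main__":
    for ace in consolidate(SAMPLE_ACL):
        print(ace)
```

Two points to check before consolidating by hand: entries are only interchangeable when nothing between them can match the same traffic (here the deny between two permits keeps them apart, so 43 is not folded into the first entry), and eq and neq do not consolidate the same way. In the example above, neq 45 565 632 matches a port that is none of the three, whereas separate neq 45 and neq 565 entries together match every port, so folding them changes the policy.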
Filtering Packets Based on TTL Value
Note When the access list specifies the eq or neq operator, the access list can specify up to ten TTL values; the exact number can vary by the Cisco software release in use on the device.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip access-list extended access-list-name
4. [sequence-number] permit protocol source source-wildcard destination destination-wildcard[option
option-name] [precedence precedence] [tos tos] [ttl operator value] [log] [time-range time-range-name]
[fragments]
5. Continue to add permit or deny statements to achieve the filtering you want.
6. exit
7. interface type number
8. ip access-group access-list-name {in | out}
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Device# configure terminal
Step 3 ip access-list extended access-list-name
Specifies the IP access list by name and enters named access list configuration mode.
Example:
Device(config)# ip access-list extended ttlfilter
Step 4 [sequence-number] permit protocol source source-wildcard destination destination-wildcard [option option-name] [precedence precedence] [tos tos] [ttl operator value] [log] [time-range time-range-name] [fragments]
Sets conditions to allow a packet to pass a named IP access list.
• Every access list must have at least one permit statement.
• This example permits packets from source 172.16.1.1 to any destination with a TTL value less than 2.
Example:
Device(config-ext-nacl)# permit ip host 172.16.1.1 any ttl lt 2
Step 5 Continue to add permit or deny statements to achieve the filtering you want.
Step 6 exit
Exits named access list configuration mode and returns to global configuration mode.
Example:
Device(config-ext-nacl)# exit
Step 7 interface type number
Configures an interface type and enters interface configuration mode.
Example:
Device(config)# interface ethernet 0
Step 8 ip access-group access-list-name {in | out}
Applies the access list to an interface.
• When the list is applied with the in keyword, packets that arrive with a TTL of 0 or 1 are evaluated at the process level rather than in the fast path; see Special Handling for Packets with TTL Value of 0 or 1 Arriving at an Ingress Interface.
Example:
Device(config-if)# ip access-group ttlfilter in
Enabling Control Plane Policing to Filter on TTL Values 0 and 1
SUMMARY STEPS
1. enable
2. configure terminal
3. ip access-list extended access-list-name
4. [sequence-number] permit protocol source source-wildcard destination destination-wildcard ttl operator
value
5. Continue to add permit or deny statements to achieve the filtering you want.
6. exit
7. class-map class-map-name [match-all | match-any]
8. match access-group {access-group | name access-group-name}
9. exit
10. policy-map policy-map-name
11. class {class-name | class-default}
12. drop
13. exit
14. exit
15. control-plane
16. service-policy {input | output} policy-map-name
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Device# configure terminal
Step 3 ip access-list extended access-list-name
Specifies the IP access list by name and enters named access list configuration mode.
Example:
Device(config)# ip access-list extended ttlfilter
Step 4 [sequence-number] permit protocol source source-wildcard destination destination-wildcard ttl operator value
Sets conditions to allow a packet to pass a named IP access list.
• Every access list must have at least one permit statement.
• This example permits packets from source 172.16.1.1 to any destination with a TTL value less than 2.
Example:
Device(config-ext-nacl)# permit ip host 172.16.1.1 any ttl lt 2
Step 5 Continue to add permit or deny statements to achieve the filtering you want.
The packets that pass the access list are the ones that the policy configured in the following steps drops.
Step 6 exit
Exits any configuration mode to the next highest mode in the CLI mode hierarchy.
Example:
Device(config-ext-nacl)# exit
Step 7 class-map class-map-name [match-all | match-any]
Creates a class map to be used for matching packets to a specified class.
Example:
Device(config)# class-map acl-filtering
Step 8 match access-group {access-group | name access-group-name}
Configures the match criteria for a class map on the basis of the specified access control list.
Example:
Device(config-cmap)# match access-group name ttlfilter
Step 9 exit
Exits any configuration mode to the next highest mode in the CLI mode hierarchy.
Example:
Device(config-cmap)# exit
Step 10 policy-map policy-map-name
Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.
Example:
Device(config)# policy-map acl-filter
Step 11 class {class-name | class-default}
Specifies the class whose traffic the policy acts on and enters policy-map class configuration mode.
Example:
Device(config-pmap)# class acl-filtering
Step 12 drop
Drops all packets that match the class.
Example:
Device(config-pmap-c)# drop
Step 13 exit
Exits any configuration mode to the next highest mode in the CLI mode hierarchy.
Example:
Device(config-pmap-c)# exit
Step 14 exit
Exits any configuration mode to the next highest mode in the CLI mode hierarchy.
Example:
Device(config-pmap)# exit
Step 15 control-plane
Enters control-plane configuration mode.
Example:
Device(config)# control-plane
Step 16 service-policy {input | output} policy-map-name
Attaches a policy map to the control plane for aggregate control plane services.
Example:
Device(config-cp)# service-policy input acl-filter
Configuration Examples for Filtering IP Options, TCP Flags, Noncontiguous Ports
Example: Consolidating Some Existing Access List Entries into One Access List Entry with Noncontiguous Ports
The show access-lists command is used to display a group of access list entries for the access list named abc:
Example: Control Plane Policing to Filter on TTL Values 0 and 1
The following example is completed from the preceding task: the access list itself, the match access-group statement, and the service-policy statement were missing here and are supplied from that task. The access list name ttlfilter and the input direction are taken from the task; the access list is widened to any source so that every packet with a TTL of 0 or 1 that reaches the control plane is dropped.
ip access-list extended ttlfilter
 permit ip any any ttl lt 2
class-map acl-filter-class
 match access-group name ttlfilter
policy-map acl-filter
 class acl-filter-class
  drop
control-plane
 service-policy input acl-filter
Additional References
Related Documents
Related topic: Configuring the device to drop or ignore packets containing IP Options by using the ip options command. Document title: "ACL IP Options Selective Drop"
Related topic: Information about creating an IP access list and applying it to an interface. Document title: "Creating an IP Access List and Applying It to an Interface"
RFCs
RFC 791, Internet Protocol: http://www.faqs.org/rfcs/rfc791.html
Technical Assistance
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. Link: http://www.cisco.com/cisco/web/support/index.html
CHAPTER 8
ACL Syslog Correlation
The Access Control List (ACL) Syslog Correlation feature appends a tag (either a user-defined cookie or a device-generated MD5 hash value) to access control entry (ACE) syslog entries. This tag uniquely identifies the ACE, within the ACL, that generated the syslog entry.
Enabling Hash Value Generation on a Device
When the hash value generation setting is enabled, the system checks all existing ACEs and generates a hash
value for each ACE that requires one. When the hash value generation setting is disabled, all previously
generated hash values are removed from the system.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip access-list logging hash-generation
4. end
5. Do one of the following:
• show ip access-list access-list-number
• show ip access-list access-list-name
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Device# configure terminal
Step 3 ip access-list logging hash-generation
Enables hash value generation on the device.
• If an ACE exists that is log enabled and requires a hash value, the device automatically generates the value and displays the value on the console.
Example:
Device(config)# ip access-list logging hash-generation
Step 4 end
Exits global configuration mode and returns to privileged EXEC mode.
Example:
Device(config)# end
Step 5 Do one of the following:
• show ip access-list access-list-number
• show ip access-list access-list-name
(Optional) Displays the contents of the numbered or named IP access list.
• Review the output to confirm that the access list for a log-enabled ACE includes the generated hash value.
Example:
Device# show ip access-list 101
Example:
Device# show ip access-list acl
Disabling Hash Value Generation on a Device
SUMMARY STEPS
1. enable
2. configure terminal
3. no ip access-list logging hash-generation
4. end
5. Do one of the following:
• show ip access-list access-list-number
• show ip access-list access-list-name
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Device# configure terminal
Step 3 no ip access-list logging hash-generation
Disables hash value generation on the device.
• All previously generated hash values are removed from the system.
Example:
Device(config)# no ip access-list logging hash-generation
Step 4 end
Exits global configuration mode and returns to privileged EXEC mode.
Example:
Device(config)# end
Step 5 Do one of the following:
• show ip access-list access-list-number
• show ip access-list access-list-name
(Optional) Displays the contents of the IP access list.
• Review the output to confirm that the access list for a log-enabled ACE does not have a generated hash value.
Example:
Device# show ip access-list 101
Example:
Device# show ip access-list acl
Configuring ACL Syslog Correlation Using a User-Defined Cookie
Note The following restrictions apply when choosing the user-defined cookie value:
• The maximum number of characters is 64.
• The cookie cannot start with hexadecimal notation (such as 0x).
• The cookie cannot be the same as, or a leading subset of, the keywords reflect, fragment, and time-range. For example, reflect and ref are not valid values. However, the cookie can start with one of the keywords: reflectedACE and fragment_33 are valid values.
• The cookie must contain only alphanumeric characters (the examples in this module also use underscores, as in fragment_33 and cook_33_std).
SUMMARY STEPS
1. enable
2. configure terminal
3. access-list access-list-number permit protocol source destination log word
4. end
5. show ip access-list access-list-number
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Device# configure terminal
Step 3 access-list access-list-number permit protocol source destination log word
Defines an extended IP access list and a user-defined cookie value.
• Enter the cookie value as the word argument.
Example:
Device(config)# access-list 101 permit tcp host 10.1.1.1 host 10.1.1.2 log UserDefinedValue
Step 4 end
Exits global configuration mode and returns to privileged EXEC mode.
Example:
Device(config)# end
Step 5 show ip access-list access-list-number
(Optional) Displays the contents of the IP access list.
Example:
Device# show ip access-list 101
Examples
The following is sample output from the show ip access-list command for an access list with a user-defined cookie value.
Configuring ACL Syslog Correlation Using a Hash Value
SUMMARY STEPS
1. enable
2. configure terminal
3. ip access-list logging hash-generation
4. access-list access-list-number permit protocol source destination log
5. end
6. show ip access-list access-list-number
DETAILED STEPS
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Device# configure terminal
Step 3 ip access-list logging hash-generation
Enables hash value generation on the device.
• If an ACE exists that is log enabled and requires a hash value, the device automatically generates the value and displays the value on the console.
Example:
Device(config)# ip access-list logging hash-generation
Step 4 access-list access-list-number permit protocol source destination log
Defines an extended IP access list with a log-enabled ACE. Because no cookie follows the log keyword, the device generates a hash value for the ACE.
Step 5 end
Exits global configuration mode and returns to privileged EXEC mode.
Example:
Device(config)# end
Step 6 show ip access-list access-list-number
(Optional) Displays the contents of the IP access list.
• Review the output to confirm that the access list includes the device-generated hash value.
Example:
Device# show ip access-list 102
Examples
The following is sample output from the show ip access-list command for an access list with a device-generated
hash value.
Changing the ACL Syslog Correlation Tag Value
The steps in this section show how to change the ACL Syslog Correlation tag value on a numbered access list. However, you can change the ACL Syslog Correlation tag value for both numbered and named access lists, and for both standard and extended access lists.
SUMMARY STEPS
1. enable
2. show access-list
3. configure terminal
4. access-list access-list-number permit protocol source destination log word
5. end
6. show ip access-list access-list-number
DETAILED STEPS
Step 2 show access-list
(Optional) Displays the contents of the access list.
Example:
Device# show access-list
Example:
Device# configure terminal
Step 4 access-list access-list-number permit protocol source destination log word
Modifies the cookie or changes the hash value to a cookie.
• You must enter the entire access list configuration command, replacing the previous tag value with the new tag value.
Example:
Device(config)# access-list 101 permit tcp host 10.1.1.1 host 10.1.1.2 log NewUDV
OR
Example:
Device(config)# access-list 101 permit tcp any any log replacehash
Step 6 show ip access-list access-list-number
(Optional) Displays the contents of the IP access list.
• Review the output to confirm the changes.
Example:
Device# show ip access-list 101
Troubleshooting Tips
Use the debug ip access-list hash-generation command to display access list debug information. The following
is an example of the debug command output:
Device# debug ip access-list hash-generation
Syslog MD5 hash code generation debugging is on
Device# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Device(config)# access-list 33 permit 10.10.10.6 log cook_33_std
Device(config)# do show ip access 33
Standard IP access list 33
10 permit 10.10.10.6 log (tag = cook_33_std)
Device(config)# end
ACL commands
• Cisco IOS Security Command Reference: Commands A to C
• Cisco IOS Security Command Reference: Commands D to L
• Cisco IOS Security Command Reference: Commands M to R
• Cisco IOS Security Command Reference: Commands S to Z
Technical Assistance
Description
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Link
http://www.cisco.com/cisco/web/support/index.html
CHAPTER 9
Refining an IP Access List
There are several ways to refine an access list while or after you create it. You can change the order of the
entries in an access list or add entries to an access list. You can restrict access list entries to a certain time
of day or week, or achieve finer granularity when filtering packets by filtering noninitial fragments of packets.
Benefits of Access List Sequence Numbers
position had to be removed, then the new entry was added, and then all the removed entries had to be reentered.
This method was cumbersome and error prone.
Sequence numbers allow users to add access list entries and resequence them. When you add a new entry,
you specify the sequence number so that it is in a desired position in the access list. If necessary, entries
currently in the access list can be resequenced to create room to insert the new entry.
• If the user enters an entry without a sequence number, it is assigned a sequence number that is 10 greater
than the last sequence number in that access list and is placed at the end of the list.
• If the user enters an entry that matches an already existing entry (except for the sequence number), then
no changes are made.
• If the user enters a sequence number that is already present, the following error message is generated:
• If a new access list is entered from global configuration mode, then sequence numbers for that access
list are generated automatically.
• Distributed support is provided so that the sequence numbers of entries in the Route Processor (RP) and
line card are in synchronization at all times.
• Sequence numbers are not nvgened. That is, the sequence numbers themselves are not saved. In the event that the system is reloaded, the configured sequence numbers revert to the default sequence starting number and increment. The function is provided for backward compatibility with software releases that do not support sequence numbering.
• This feature works with named and numbered, standard and extended IP access lists.
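The sequence-number rules listed above (auto-assignment at last + 10, rejection of a duplicate sequence number, no change for an identical entry, resequencing, and the loss of configured numbers on reload), modelled as an added example; the AccessList class is hypothetical and not Cisco code, and the entries are the ones used in the procedure below.

```python
"""Model of IOS access list sequence numbering. Added example, not Cisco code."""


class SequenceError(ValueError):
    """Raised when a sequence number is already present in the list."""


class AccessList:
    def __init__(self, name: str):
        self.name = name
        self.entries = {}  # sequence number -> entry text, e.g. "permit 10.5.5.5 0.0.0.255"

    def add(self, entry: str, sequence: int = None) -> int:
        """Add an entry and return the sequence number it occupies."""
        for seq, existing in self.entries.items():
            if existing == entry:
                return seq  # identical entry (apart from sequence number): no change is made
        if sequence is None:
            # No sequence number given: 10 greater than the last one, placed at the end
            sequence = max(self.entries) + 10 if self.entries else 10
        elif sequence in self.entries:
            raise SequenceError(f"sequence number {sequence} already present in {self.name}")
        self.entries[sequence] = entry
        return sequence

    def delete(self, sequence: int) -> None:
        """The 'no sequence-number' form: remove the entry at that position."""
        del self.entries[sequence]

    def resequence(self, start: int, increment: int) -> None:
        """'ip access-list resequence name start increment': renumber, keeping the order."""
        ordered = [self.entries[seq] for seq in sorted(self.entries)]
        self.entries = {start + i * increment: entry for i, entry in enumerate(ordered)}

    def reload(self) -> None:
        """Sequence numbers are not saved: after a reload they revert to the default 10/10."""
        self.resequence(10, 10)

    def show(self) -> list:
        """(sequence, entry) pairs in the order 'show ip access-lists' would print them."""
        return [(seq, self.entries[seq]) for seq in sorted(self.entries)]


if __name__ == "__main__":
    kmd1 = AccessList("kmd1")
    for entry in ("permit 10.5.5.5 0.0.0.255", "deny 10.6.6.7 0.0.0.255", "permit any"):
        kmd1.add(entry)
    kmd1.resequence(100, 15)          # 100, 115, 130
    kmd1.add("deny 10.7.7.7 0.0.0.255", 105)  # room created by the resequence
    for seq, entry in kmd1.show():
        print(seq, entry)
```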
Security Configuration Guide: Access Control Lists, Cisco IOS Release 15M&T
107
Refining an IP Access List
Benefits of Filtering Noninitial Fragments of Packets
Additional Security
You are able to block more of the traffic you intended to block, not just the initial fragment of such packets.
The unwanted fragments no longer linger at the receiver until the reassembly timeout is reached because they
are blocked before being sent to the receiver. Blocking a greater portion of unwanted traffic improves security
and reduces the risk from potential hackers.
Reduced Cost
By blocking unwanted noninitial fragments of packets, you are not paying for traffic you intended to block.
Reduced Storage
By blocking unwanted noninitial fragments of packets from ever reaching the receiver, that destination does
not have to store the fragments until the reassembly timeout period is reached.
Access List Processing of Fragments
Be aware that you should not add the fragments keyword to every access list entry because the first fragment
of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An
initial fragment will not match an access list permit or deny entry that contains the fragments keyword. The
packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access
list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for
every deny entry. The first deny entry of the pair will not include the fragments keyword and applies to the
initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the
subsequent fragments. In the cases in which there are multiple deny entries for the same host but with different
Layer 4 ports, a single deny access list entry with the fragments keyword for that host is all that needs to be
added. Thus all the fragments of a packet are handled in the same manner by the access list.
How to Refine an IP Access List
Packet fragments of IP datagrams are considered individual packets, and each counts individually as a packet
in access list accounting and access list violation counts.
Note Remember that if you want to delete an entry from an access list, you can simply use the no deny or no
permit form of the command, or the no sequence-number command if the statement already has a sequence
number.
Note Access list sequence numbers do not support dynamic, reflexive, or firewall access lists.
Revising an Access List Using Sequence Numbers
SUMMARY STEPS
1. enable
2. configure terminal
3. ip access-list resequence access-list-name starting-sequence-number increment
4. ip access-list {standard| extended} access-list-name
5. Do one of the following:
• sequence-number permit source source-wildcard
• sequence-number permit protocol source source-wildcard destination destination-wildcard
[precedence precedence][tos tos] [log] [time-range time-range-name] [fragments]
7. Repeat Step 5 and Step 6 as necessary, adding statements by sequence number where you planned. Use
the no sequence-number command to delete an entry.
8. end
9. show ip access-lists access-list-name
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ip access-list resequence access-list-name starting-sequence-number increment
Resequences the specified IP access list using the starting sequence number and the increment of sequence numbers.
• This example resequences an access list named kmd1. The starting sequence number is 100 and the increment is 15.
Example:
Router(config)# ip access-list resequence kmd1 100 15
Step 4 ip access-list {standard | extended} access-list-name
Specifies the IP access list by name and enters named access list configuration mode.
Step 5 Do one of the following:
• sequence-number permit source source-wildcard
• sequence-number permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Specifies a permit statement in named IP access list mode.
• This access list happens to use a permit statement first, but a deny statement could appear first, depending on the order of statements you need.
• See the permit (IP) command for additional command syntax to permit upper layer protocols (ICMP, IGMP, TCP, and UDP).
• Use the no sequence-number command to delete an entry.
• As the prompt indicates, this access list was a standard access list. If you had specified extended in Step 4, the prompt for this step would be Router(config-ext-nacl)# and you would use the extended permit command syntax.
Example:
Router(config-std-nacl)# 105 permit 10.5.5.5 0.0.0.255
Step 6 Do one of the following:
• sequence-number deny source source-wildcard
• sequence-number deny protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
(Optional) Specifies a deny statement in named IP access list mode.
• This access list happens to use a permit statement first, but a deny statement could appear first, depending on the order of statements you need.
• See the deny (IP) command for additional command syntax to deny upper layer protocols (ICMP, IGMP, TCP, and UDP).
• Use the no sequence-number command to delete an entry.
• As the prompt indicates, this access list was a standard access list. If you had specified extended in Step 4, the prompt for this step would be Router(config-ext-nacl)# and you would use the extended deny command syntax.
Example:
Router(config-std-nacl)# 110 deny 10.6.6.7 0.0.0.255
Step 7 Repeat Step 5 and Step 6 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry.
Allows you to revise the access list.
Step 8 end
(Optional) Exits the configuration mode and returns to privileged EXEC mode.
Example:
Router(config-std-nacl)# end
Examples
The following is sample output from the show ip access-lists command when the xyz123 access list is specified.
Restricting an Access List Entry to a Time of Day or Week
Note The Distributed Time-Based Access Lists feature is supported on Cisco 7500 series routers with a Versatile Interface Processor (VIP) enabled.
SUMMARY STEPS
1. enable
2. configure terminal
3. time-range time-range-name
4. periodic days-of-the-week hh : mm to [days-of-the-week] hh : mm
5. Repeat Step 4 if you want more than one period of time applied to an access list statement.
6. absolute [start time date] [end time date]
7. exit
8. Repeat Steps 3 through 7 if you want different time ranges to apply to permit or deny statements.
9. ip access-list extended name
10. deny protocol source [source-wildcard] destination[destination-wildcard] [option option-name]
[precedence precedence] [tos tos] [established] [log | log-input] time-range time-range-name
11. permit protocol source [source-wildcard] destination[destination-wildcard] [option option-name]
[precedence precedence] [tos tos] [established] [log | log-input] time-range time-range-name
12. Optionally repeat some combination of Steps 10 and 11 until you have specified the values on which you
want to base your access list.
13. end
14. show ip access-list
15. show time-range
16. show time-range ipc
17. clear time-range ipc
18. debug time-range ipc
DETAILED STEPS
Example:
Router# configure terminal
Step 3 time-range time-range-name
Defines a time range and enters time-range configuration mode.
• The name cannot contain a space or quotation mark, and must begin with a letter.
• Multiple time ranges can occur in a single access list.
Example:
Router(config)# time-range limit_http
• If the ending days of the week are the same as the starting days of the week, they can be omitted.
• The first occurrence of hh:mm is the starting hours:minutes that the associated time range is in effect. The second occurrence is the ending hours:minutes the associated statement is in effect.
• The hours:minutes are expressed in a 24-hour clock. For example, 8:00 is 8:00 a.m. and 20:00 is 8:00 p.m.
Step 5 Repeat Step 4 if you want more than one period of time applied to an access list statement.
(Optional) Multiple periodic commands are allowed in a time range.
Step 6 absolute [start time date] [end time date]
(Optional) Specifies an absolute time when a time range is in effect.
• Only one absolute command is allowed in a time range.
• The time is expressed in 24-hour notation, in the form of hours:minutes. For example, 8:00 is 8:00 a.m. and 20:00 is 8:00 p.m. The date is expressed in the format day month year. The minimum start is 00:00 1 January 1993. If no start time and date are specified, the permit or deny statement is in effect immediately.
• The end keyword gives the absolute time and date at which the permit or deny statement of the associated access list is no longer in effect. Same time and date format as described for the start keyword. The end time and date must be after the start time and date. The maximum end time is 23:59 31 December 2035. If no end time and date are specified, the associated permit or deny statement is in effect indefinitely.
Example:
Router(config-time-range)# absolute start 6:00 1 August 2005 end 18:00 31 October 2005
Example:
Router(config-time-range)# exit
Step 10 deny protocol source [source-wildcard] destination [destination-wildcard] [option option-name] [precedence precedence] [tos tos] [established] [log | log-input] time-range time-range-name
(Optional) Denies any packet that matches all of the conditions specified in the statement.
• Specify the time range you created in Step 3.
• In this example, one host is denied HTTP access during the time defined by the time range called “limit_http.”
Example:
Router(config-ext-nacl)# deny tcp 172.16.22.23 any eq http time-range limit_http
Step 11 permit protocol source [source-wildcard] destination [destination-wildcard] [option option-name] [precedence precedence] [tos tos] [established] [log | log-input] time-range time-range-name
Permits any packet that matches all of the conditions specified in the statement.
• You can specify the time range you created in Step 3 or in a different instance of Step 3, depending on whether you want the time ranges for your statements to be the same or different.
• In this example, all other sources are given access to HTTP during the time defined by the time range called “limit_http.”
Example:
Router(config-ext-nacl)# permit tcp any any eq http time-range limit_http
Step 14 show ip access-list
(Optional) Displays the contents of all current IP access lists.
Example:
Router# show ip access-list
Example:
Router# show time-range
Step 16 show time-range ipc
(Optional) Displays the statistics about the time-range IPC messages between the Route Processor and line card on the Cisco 7500 series router.
Step 17 clear time-range ipc
(Optional) Clears the time-range IPC message statistics and counters between the Route Processor and line card on the Cisco 7500 series router.
Step 18 debug time-range ipc
(Optional) Enables debugging output for monitoring the time-range IPC messages between the Route Processor and line card on the Cisco 7500 series router.
What to Do Next
Apply the access list to an interface or reference it from a command that accepts an access list.
Filtering Noninitial Fragments of Packets
SUMMARY STEPS
1. enable
2. configure terminal
3. ip access-list extended name
4. [sequence-number] deny protocol source[source-wildcard] [operator port[port]]
destination[destination-wildcard] [operator port[port]]
5. [sequence-number] deny protocol source[source-wildcard][operator port[port]]
destination[destination-wildcard] [operator port[port]] fragments
6. [sequence-number] permit protocol source[source-wildcard] [operator port[port]]
destination[destination-wildcard] [operator port[port]]
7. Repeat some combination of Steps 4 through 6 until you have specified the values on which you want to
base your access list.
8. end
9. show ip access-list
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ip access-list extended name
Defines an extended IP access list using a name and enters extended named access list configuration mode.
Example:
Router(config)# ip access-list extended rstrct4
Step 4 [sequence-number] deny protocol source [source-wildcard] [operator port [port]] destination [destination-wildcard] [operator port [port]]
(Optional) Denies any packet that matches all of the conditions specified in the statement.
• This statement will apply to nonfragmented packets and initial fragments.
Example:
Router(config-ext-nacl)# deny ip any 172.20.1.1
Step 5 [sequence-number] deny protocol source [source-wildcard] [operator port [port]] destination [destination-wildcard] [operator port [port]] fragments
(Optional) Denies any packet that matches all of the conditions specified in the statement.
• This statement will apply to noninitial fragments.
Example:
Router(config-ext-nacl)# deny ip any 172.20.1.1 fragments
Step 6 [sequence-number] permit protocol source [source-wildcard] [operator port [port]] destination [destination-wildcard] [operator port [port]]
Permits any packet that matches all of the conditions specified in the statement.
• Every access list needs at least one permit statement.
• If the source-wildcard or destination-wildcard is omitted, a wildcard mask of 0.0.0.0 is assumed, meaning match on all bits of the source or destination address, respectively.
• Optionally use the keyword any as a substitute for the source source-wildcard or destination destination-wildcard to specify the address and wildcard of 0.0.0.0 255.255.255.255.
Example:
Router(config-ext-nacl)# permit tcp any any
Step 7 Repeat some combination of Steps 4 through 6 until you have specified the values on which you want to base your access list.
Remember that all sources not specifically permitted are denied by an implicit deny statement at the end of the access list.
Step 8 end
Ends configuration mode and returns the system to privileged EXEC mode.
Example:
Router(config-ext-nacl)# end
Step 9 show ip access-list
(Optional) Displays the contents of all current IP access lists.
Example:
Router# show ip access-list
What to Do Next
Apply the access list to an interface or reference it from a command that accepts an access list.
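How an access list treats initial and noninitial fragments, as described in "Access List Processing of Fragments" and built in the procedure above, simulated as an added example (not Cisco code). The rstrct4 entries are the page's; the port-specific lists and the packets are constructed. One rule goes beyond this page's text and is an assumption here: a noninitial fragment, which carries no Layer 4 header, is permitted by a matching permit entry that has Layer 4 conditions but skips a matching deny entry that has them, which is why a port-keyed deny needs a second entry with the fragments keyword.

```python
"""Simulation of IOS access list evaluation for fragmented packets. Added example, not Cisco code."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    protocol: str                  # "ip" matches any protocol
    src: str                       # "any" or a host address
    dst: str
    dport: Optional[int] = None    # Layer 4 destination port when the entry names one
    fragments: bool = False        # entry carries the fragments keyword


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dport: Optional[int] = None    # None for a noninitial fragment: no L4 header to read
    noninitial: bool = False       # True for the second and later fragments


def layer3_match(ace: Ace, pkt: Packet) -> bool:
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False
    return ace.src in ("any", pkt.src) and ace.dst in ("any", pkt.dst)


def evaluate(acl: list, pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt; unmatched packets hit the implicit deny."""
    for ace in acl:
        if not layer3_match(ace, pkt):
            continue
        if ace.fragments:
            if not pkt.noninitial:
                continue            # nonfragments and initial fragments skip 'fragments' entries
            return ace.action
        if pkt.noninitial:
            if ace.dport is None:   # Layer 3-only entry applies to every fragment
                return ace.action
            if ace.action == "permit":
                return "permit"     # assumption: L4 conditions treated as met for a permit
            continue                # assumption: a deny with L4 conditions is skipped
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"                   # implicit deny at the end of the list


# The access list built in the procedure above (rstrct4).
RSTRCT4 = [
    Ace("deny", "ip", "any", "172.20.1.1"),
    Ace("deny", "ip", "any", "172.20.1.1", fragments=True),
    Ace("permit", "tcp", "any", "any"),
]
# Constructed: a deny keyed on a TCP port, without and with a fragments entry.
PORT_DENY = [
    Ace("deny", "tcp", "any", "172.20.1.1", dport=80),
    Ace("permit", "tcp", "any", "any"),
]
PORT_DENY_WITH_FRAGMENTS = [
    Ace("deny", "tcp", "any", "172.20.1.1", dport=80),
    Ace("deny", "tcp", "any", "172.20.1.1", fragments=True),
    Ace("permit", "tcp", "any", "any"),
]
# Constructed packets: the initial fragment of a TCP segment to port 80 and a later fragment.
INITIAL = Packet("tcp", "10.0.0.5", "172.20.1.1", dport=80)
NONINITIAL = Packet("tcp", "10.0.0.5", "172.20.1.1", noninitial=True)

if __name__ == "__main__":
    for name, acl in (("rstrct4", RSTRCT4), ("port-deny", PORT_DENY),
                      ("port-deny+fragments", PORT_DENY_WITH_FRAGMENTS)):
        print(name, "initial:", evaluate(acl, INITIAL), "noninitial:", evaluate(acl, NONINITIAL))
```

Without the fragments entry, the port-keyed list lets the noninitial fragments through to the receiver, where they linger until the reassembly timeout.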
Configuration Examples for Refining an IP Access List
time-range no-http
periodic weekdays 8:00 to 18:00
!
time-range udp-yes
periodic weekend 12:00 to 20:00
!
ip access-list extended strict
deny tcp any any eq http time-range no-http
permit udp any any time-range udp-yes
!
interface ethernet 0
ip access-group strict in
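A parser and evaluator for the time-range definitions above (periodic and absolute), added here as an example and not Cisco code. The no-http and udp-yes ranges are the configuration above; the maint-window range is constructed from the absolute command shown in Step 6. One rule is an assumption not stated on the page: a range is active when its absolute window contains the instant and, if periodic entries exist, at least one of them matches.

```python
"""Evaluate IOS time-range definitions against a clock. Added example, not Cisco code."""
from datetime import datetime, time

DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_SETS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6},
            **{name: {i} for i, name in enumerate(DAY_NAMES)}}


def parse_hhmm(text: str) -> time:
    hh, mm = text.split(":")
    return time(int(hh), int(mm))   # 24-hour clock: 8:00 is 8 a.m., 20:00 is 8 p.m.


def _take_days(tokens: list) -> set:
    """Consume leading day-of-week keywords and return the set of weekday numbers."""
    days = set()
    while tokens and tokens[0] in DAY_SETS:
        days |= DAY_SETS[tokens.pop(0)]
    return days


def parse_periodic(args: str) -> tuple:
    """'weekdays 8:00 to 18:00' -> (start_days, start_time, end_days, end_time)."""
    tokens = args.split()
    start_days = _take_days(tokens)
    start = parse_hhmm(tokens.pop(0))
    if tokens.pop(0) != "to":
        raise ValueError("periodic: expected 'to'")
    end_days = _take_days(tokens) or start_days   # ending days omitted: same as starting days
    return start_days, start, end_days, parse_hhmm(tokens.pop(0))


def parse_absolute(tokens: list) -> tuple:
    """'start 6:00 1 August 2005 end 18:00 31 October 2005' -> (start, end); None when absent."""
    bounds = {"start": None, "end": None}
    for i in range(0, len(tokens), 5):
        bounds[tokens[i]] = datetime.strptime(" ".join(tokens[i + 1:i + 5]), "%H:%M %d %B %Y")
    return bounds["start"], bounds["end"]


def parse_time_ranges(config: str) -> dict:
    ranges, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("time-range "):
            current = ranges[line.split()[1]] = {"periodic": [], "absolute": (None, None)}
        elif current is not None and line.startswith("periodic "):
            current["periodic"].append(parse_periodic(line[len("periodic "):]))
        elif current is not None and line.startswith("absolute "):
            current["absolute"] = parse_absolute(line.split()[1:])
        elif line == "!":
            current = None
    return ranges


def periodic_matches(entry: tuple, dt: datetime) -> bool:
    start_days, start, end_days, end = entry
    now = (dt.weekday(), dt.time())
    if end_days == start_days:                  # a window repeated on each listed day
        return now[0] in start_days and start <= now[1] <= end
    (sd,), (ed,) = start_days, end_days         # one span, e.g. monday 8:00 to friday 18:00
    lo, hi = (sd, start), (ed, end)
    return lo <= now <= hi if lo <= hi else (now >= lo or now <= hi)


def is_active(ranges: dict, name: str, dt: datetime) -> bool:
    """True when the permit or deny statements bound to time-range `name` are in effect at dt."""
    tr = ranges[name]
    start, end = tr["absolute"]
    if (start is not None and dt < start) or (end is not None and dt > end):
        return False
    return not tr["periodic"] or any(periodic_matches(p, dt) for p in tr["periodic"])


# Ranges from the configuration above, plus a constructed range with an absolute window.
CONFIG = """
time-range no-http
 periodic weekdays 8:00 to 18:00
!
time-range udp-yes
 periodic weekend 12:00 to 20:00
!
time-range maint-window
 absolute start 6:00 1 August 2005 end 18:00 31 October 2005
 periodic weekdays 8:00 to 18:00
!
"""
RANGES = parse_time_ranges(CONFIG)

if __name__ == "__main__":
    for name in RANGES:
        print(name, "active on Wed 2005-08-03 09:00:", is_active(RANGES, name, datetime(2005, 8, 3, 9, 0)))
```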
172.16.1.1. That is, non-initial fragments will not contain Layer 4 port information, so, in order to block such
traffic for a given port, we have to block fragments for all ports.
Additional References
Related Documents
Using the time-range command to establish time ranges: “Performing Basic System Management” chapter in the Cisco IOS Network Management Configuration Guide
Standards
Standard Title
None --
MIBs
RFCs
RFC Title
None --
Technical Assistance
Description
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Link
http://www.cisco.com/cisco/web/support/index.html
CHAPTER 10
Displaying and Clearing IP Access List Data
Using ACL Manageability
This module describes how to display the entries in an IP access list and the number of packets that have
matched each entry. Users can get these statistics globally, or per interface and per incoming or outgoing
traffic direction, by using the ACL Manageability feature. Viewing details of incoming and outgoing traffic
patterns on various interfaces of a network device can help secure devices against attacks coming in on a
particular interface. This module also describes how to clear counters so that the count of packets matching
an access list entry will restart from zero.
Information About Displaying and Clearing IP Access List Data Using ACL Manageability
Note If the same access-group ACL is also used by other features, the maintained interface statistics are not
updated when a packet match is detected by the other features. In this case, the sum of all the interface
level statistics that are maintained for an ACL may not add up to the global statistics for that ACL.
Note Alternatively, if you want to deny access to a particular host or network and find out if someone from that
network or host is attempting to gain access, include the log keyword with the corresponding deny statement
so that the packets denied from that source are logged for you. For more information, see the “IP Access
List Logging” section of the “IP Access List Overview.”
SUMMARY STEPS
1. enable
2. show ip access-list [access-list-number | access-list-name]
DETAILED STEPS
Displaying Interface-Level IP ACL Statistics
SUMMARY STEPS
1. enable
2. show ip access-list interface interface-name [in | out]
DETAILED STEPS
Clearing the Access List Counters
SUMMARY STEPS
1. enable
2. clear ip access-list counters {access-list-number | access-list-name}
DETAILED STEPS
Configuration Examples for Displaying and Clearing IP Access List Data Using ACL Manageability
Example:
Router# clear access-list counters corpmark
Router# show ip access-list interface FastEthernet 0/1 in
Extended IP access list 150 in
10 permit ip host 10.1.1.1 any (3 matches)
30 permit ip host 10.2.2.2 any (12 matches)
Router# show ip access-list interface FastEthernet 0/0 out
Extended IP access list myacl out
5 deny ip any 10.1.0.0 0.0.255.255
10 permit udp any any eq snmp (6 matches)
Example Displaying Input and Output Statistics
Note If no direction is specified, any input and output ACLs applied to that interface are displayed.
The following example displays input and output statistics gathered from the FastEthernet interface 0/0:
Router# show ip access-list interface FastEthernet 0/0
Extended IP access list 150 in
10 permit ip host 10.1.1.1 any
30 permit ip host 10.2.2.2 any (15 matches)
Extended IP access list myacl out
5 deny ip any 10.1.0.0 0.0.255.255
10 permit udp any any eq snmp (6 matches)
Router# clear ip access-list counters 150
Example Clearing Global and Interface Statistics for All IP Access Lists
The following example clears global and interface statistics for all IP ACLs:
Router# clear ip access-list counters
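The interface-level statistics shown above are cumulative until the counters are cleared, so a monitoring script that polls them has to cope with a counter dropping back toward zero. The following added example (not Cisco code) parses show ip access-list interface output into per-entry match counts and reports the hits between two snapshots; the first snapshot is the output shown above and the second is constructed.

```python
"""Parse 'show ip access-list interface' output and diff match counters. Added example, not Cisco code."""
import re

ACL_HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)(?: (in|out))?$")
ACE_LINE = re.compile(r"^\s*(\d+) (permit|deny) (.+?)(?: \((\d+) match(?:es)?\))?$")


def parse_show_access_list(text: str) -> dict:
    """Return {(acl, direction, seq): {"ace": "permit ...", "matches": n}}; direction is None for global output."""
    entries, current = {}, None
    for line in text.splitlines():
        header = ACL_HEADER.match(line.strip())
        if header:
            current = (header.group(2), header.group(3))
            continue
        ace = ACE_LINE.match(line)
        if ace and current is not None:
            seq, action, rest, matches = ace.groups()
            entries[(current[0], current[1], int(seq))] = {
                "ace": f"{action} {rest}",
                "matches": int(matches or 0),   # an entry with no hits prints no "(n matches)" suffix
            }
    return entries


def match_deltas(before: dict, after: dict) -> dict:
    """Hits per entry since `before`. A counter lower than before means 'clear ip access-list
    counters' ran in between, so the new value itself is the number of hits since the clear."""
    deltas = {}
    for key, now in after.items():
        prev = before[key]["matches"] if key in before else 0
        deltas[key] = now["matches"] - prev if now["matches"] >= prev else now["matches"]
    return deltas


def deny_hits(before: dict, after: dict) -> dict:
    """Deny entries that saw new hits in the interval: the ones worth alerting on."""
    return {key: hits for key, hits in match_deltas(before, after).items()
            if hits > 0 and after[key]["ace"].startswith("deny")}


# First snapshot: the output shown above. Second snapshot: constructed, after more traffic
# and after 'clear ip access-list counters myacl' reset the permit entry's count.
BEFORE = """\
Router# show ip access-list interface FastEthernet 0/0
Extended IP access list 150 in
10 permit ip host 10.1.1.1 any (3 matches)
30 permit ip host 10.2.2.2 any (12 matches)
Extended IP access list myacl out
5 deny ip any 10.1.0.0 0.0.255.255
10 permit udp any any eq snmp (6 matches)
"""
AFTER = """\
Extended IP access list 150 in
10 permit ip host 10.1.1.1 any (3 matches)
30 permit ip host 10.2.2.2 any (20 matches)
Extended IP access list myacl out
5 deny ip any 10.1.0.0 0.0.255.255 (4 matches)
10 permit udp any any eq snmp (2 matches)
"""

if __name__ == "__main__":
    snap_before, snap_after = parse_show_access_list(BEFORE), parse_show_access_list(AFTER)
    for key, hits in match_deltas(snap_before, snap_after).items():
        print(key, snap_after[key]["ace"], "+", hits)
    print("deny entries with new hits:", deny_hits(snap_before, snap_after))
```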
Additional References
Related Documents
Standards
Standard Title
No new or modified standards are supported by this feature. --
MIBs
RFCs
RFC Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. --
Technical Assistance
Description
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Link
http://www.cisco.com/cisco/web/support/index.html
Feature Information for Displaying IP Access List Information and Clearing Counters
Table 12: Feature Information for Displaying and Clearing IP Access List Data Using ACL Manageability
CHAPTER 11
Object Groups for ACLs
The Object Groups for ACLs feature lets you classify users, devices, or protocols into groups and apply
those groups to access control lists (ACLs) to create access control policies for those groups. This feature
lets you use object groups instead of individual IP addresses, protocols, and ports, which are used in
conventional ACLs. This feature allows multiple access control entries (ACEs), but now you can use each
ACE to allow an entire group of users to access a group of servers or services or to deny them from doing
so.
In large networks, the number of ACLs can be large (hundreds of lines) and difficult to configure and manage,
especially if the ACLs frequently change. Object group-based ACLs are smaller, more readable, and easier
to configure and manage than conventional ACLs, simplifying static and dynamic ACL deployments for
large user access environments on Cisco IOS routers.
Cisco IOS Firewall benefits from object groups, because they simplify policy creation (for example, group
A has access to group A services).
Object Groups
An object group can contain a single object (such as a single IP address, network, or subnet) or multiple objects
(such as a combination of multiple IP addresses, networks, or subnets).
A typical access control entry (ACE) allows a group of users to have access only to a specific group of servers.
In an object group-based access control list (ACL), you can create a single ACE that uses an object group
name instead of creating many ACEs (which requires each ACE to have a different IP address). A similar
object group (such as a protocol port group) can be extended to provide access only to a set of applications
for a user group. ACEs can have object groups for the source only, destination only, none, or both.
You can use object groups to separate the ownership of the components of an ACE. For example, each
department in an organization controls its group membership, and the administrator owns the ACE itself to
control which departments can contact one another.
You can use object groups in features that use Cisco Policy Language (CPL) class maps.
This feature supports two types of object groups for grouping ACL parameters: network object groups and
service object groups. Use these object groups to group IP addresses, protocols, protocol services (ports), and
Internet Control Message Protocol (ICMP) types.
• Any IP address—includes a range from 0.0.0.0 to 255.255.255.255 (This is specified using the any
command.)
• Host IP addresses
• Hostnames
• Other network object groups
• Subnets
• Host IP addresses
• Network address of group members
• Nested object groups
Creating a Network Object Group
SUMMARY STEPS
1. enable
2. configure terminal
3. object-group network object-group-name
4. description description-text
5. host {host-address | host-name}
6. network-address {/nn | network-mask}
7. group-object nested-object-group-name
8. Repeat the steps until you have specified objects on which you want to base your object group.
9. end
DETAILED STEPS
Example:
Device# configure terminal
Step 3 object-group network object-group-name
Defines the object group name and enters network object-group configuration mode.
Example:
Device(config)# object-group network my-network-object-group
Step 7 group-object nested-object-group-name (Optional) Specifies a nested (child) object group to be included in the current (parent) object group.
Example:
Device(config-network-group)# group-object my-nested-object-group
• The type of child object group must match that of the parent (for example, if you are creating a network object group, you must specify another network object group as the child).
• You can use duplicated objects in an object group only via nesting of group objects. For example, if object 1 is in both group A and group B, you can define a group C that includes both A and B. However, you cannot include a group object that causes the group hierarchy to become circular (for example, you cannot include group A in group B and then also include group B in group A).
• You can use an unlimited number of levels of nested object groups (however, a maximum of two levels is recommended).
Creating a Service Object Group
SUMMARY STEPS
1. enable
2. configure terminal
3. object-group service object-group-name
4. description description-text
5. protocol
6. {tcp | udp | tcp-udp} [source {{[eq] | lt | gt} port1 | range port1 port2}] [{[eq] | lt | gt} port1 | range
port1 port2]
7. icmp icmp-type
8. group-object nested-object-group-name
9. Repeat the steps to specify the objects on which you want to base your object group.
10. end
DETAILED STEPS
Example:
Device# configure terminal
Step 3 object-group service object-group-name Defines an object group name and enters service object-group
configuration mode.
Example:
Device(config)# object-group service
my-service-object-group
Example:
Device(config-service-group)# ahp
Example:
Device(config-service-group)# tcp-udp range 2000 2005
Step 7 icmp icmp-type (Optional) Specifies the decimal number or name of an Internet Control Message Protocol (ICMP) type.
Example:
Device(config-service-group)# icmp conversion-error
Step 8 group-object nested-object-group-name (Optional) Specifies a nested (child) object group to be included in the current (parent) object group.
Example:
Device(config-service-group)# group-object my-nested-object-group
• The type of child object group must match that of the parent (for example, if you are creating a network object group, you must specify another network object group as the child).
• You can use duplicated objects in an object group only via nesting of group objects. For example, if object 1 is in both group A and group B, you can define a group C that includes both A and B. However, you cannot include a group object that causes the group hierarchy to become circular (for example, you cannot include group A in group B and then also include group B in group A).
• You can use an unlimited number of levels of nested object groups (however, a maximum of two levels is recommended).
Creating an Object-Group-Based ACL
You can define multiple access control entries (ACEs) that reference object groups within the same
object-group-based ACL. You can also reuse a specific object group in multiple ACEs.
Perform this task to create an object-group-based ACL.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip access-list extended access-list-name
4. remark remark
5. deny protocol source [source-wildcard] destination [destination-wildcard] [option option-name]
[precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name]
[fragments]
6. remark remark
7. permit protocol source [source-wildcard] destination [destination-wildcard] [option option-name]
[precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name]
[fragments]
8. Repeat the steps to specify the fields and values on which you want to base your access list.
9. end
DETAILED STEPS
Example:
Device# configure terminal
Step 3 ip access-list extended access-list-name Defines an extended IP access list using a name and enters extended
access-list configuration mode.
Example:
Device(config)# ip access-list extended
nomarketing
Step 4 remark remark (Optional) Adds a comment about the configured access list entry.
• A remark can precede or follow an access list entry.
• In this example, the remark reminds the network administrator that the subsequent entry denies the Marketing network access to the interface.
Example:
Device(config-ext-nacl)# remark protect
Step 5 deny protocol source [source-wildcard] destination [destination-wildcard] [option option-name] [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments] (Optional) Denies any packet that matches all conditions specified in the statement.
• Optionally use the object-group service-object-group-name keyword and argument as a substitute for the protocol argument.
• Optionally use the object-group source-network-object-group-name keyword and argument as a substitute for the source source-wildcard arguments.
• Optionally use the object-group destination-network-object-group-name keyword and argument as a substitute for the destination destination-wildcard arguments.
• If the source-wildcard or destination-wildcard is omitted, a wildcard mask of 0.0.0.0 is assumed, which matches all bits of the source or destination address, respectively.
• Optionally use the any keyword as a substitute for the source source-wildcard or destination destination-wildcard to specify the address and wildcard of 0.0.0.0 255.255.255.255.
• Optionally use the host source keyword and argument to indicate a source and source wildcard of source 0.0.0.0, or the host destination keyword and argument to indicate a destination and destination wildcard of destination 0.0.0.0.
• In this example, packets from all sources are denied access to the destination network 209.165.200.244. Logging messages about packets permitted or denied by the access list are sent to the facility configured by the logging facility command (for example, console, terminal, or syslog). That is, any packet that matches the access list will cause an informational logging message about the packet to be sent to the configured facility. The level of messages logged to the console is controlled by the logging console command.
Example:
Device(config-ext-nacl)# deny ip 209.165.200.244 255.255.255.224 host 209.165.200.245 log
Example based on object-group:
Router(config)# object-group network my_network_object_group
Router(config-network-group)# 209.165.200.224 255.255.255.224
Router(config-network-group)# exit
Router(config)# object-group network my_other_network_object_group
Router(config-network-group)# host 209.165.200.245
Router(config-network-group)# exit
Router(config)# ip access-list extended nomarketing
Router(config-ext-nacl)# deny ip object-group my_network_object_group object-group my_other_network_object_group log
Step 6 remark remark (Optional) Adds a comment about the configured access list entry.
• A remark can precede or follow an access list entry.
Example:
Device(config-ext-nacl)# remark allow TCP from any source to any destination
Step 7 permit protocol source [source-wildcard] destination [destination-wildcard] [option option-name] [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments] Permits any packet that matches all conditions specified in the statement.
• Every access list needs at least one permit statement.
Step 8 Repeat the steps to specify the fields and values on which you want to base your access list. Remember that all sources not specifically permitted are denied by an implicit deny statement at the end of the access list.
Step 9 end Exits extended access-list configuration mode and returns to privileged EXEC mode.
Example:
Device(config-ext-nacl)# end
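As an added example, not Cisco code or output from this guide, the following Python model evaluates an object-group-based ACL the way the steps above describe: network and service object groups may nest only groups of their own type, a nesting that would make the hierarchy circular is refused, and ACEs are matched top to bottom with the implicit deny at the end of the list. It rebuilds the guide's my-network-object-group, my-service-object-group and my-ogacl-policy; the subnet 209.165.200.225 255.255.255.224 placed in my-nested-object-group, the test packets, and the port and ICMP type numbers (echo request is ICMP type 8) are the example's own assumptions.

```python
"""Added model (not Cisco code) of object-group-based ACL evaluation:
groups nest only same-type groups, circular nesting is rejected, and
ACEs are matched first-match with the implicit deny at the end."""
import ipaddress

ANY_PORT = (0, 65535)
ICMP_ECHO = 8  # ICMP echo request type (standard value, not taken from the guide)


class ObjectGroupError(ValueError):
    """Child of the wrong type, or a nesting that would become circular."""


class ObjectGroup:
    """Base class: own entries plus nested child groups ('group-object')."""

    def __init__(self, name):
        self.name, self.entries, self.children = name, [], []

    def descendant_ids(self):
        seen, stack = set(), list(self.children)
        while stack:
            g = stack.pop()
            if id(g) not in seen:
                seen.add(id(g))
                stack.extend(g.children)
        return seen

    def group_object(self, child):
        if type(child) is not type(self):
            raise ObjectGroupError(f"{child.name}: child type must match parent {self.name}")
        if child is self or id(self) in child.descendant_ids():
            raise ObjectGroupError(f"nesting {child.name} in {self.name} would be circular")
        self.children.append(child)

    def all_entries(self):  # flatten the whole hierarchy, children included
        yield from self.entries
        for child in self.children:
            yield from child.all_entries()


class NetworkObjectGroup(ObjectGroup):
    def host(self, addr):  # 'host 209.165.200.237'
        self.entries.append(ipaddress.ip_network(addr))

    def network(self, addr, mask):  # '209.165.200.225 255.255.255.224'
        self.entries.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))

    def contains(self, ip):
        ip = ipaddress.ip_address(ip)
        return any(ip in net for net in self.all_entries())


class ServiceObjectGroup(ObjectGroup):
    def add(self, proto, dst=ANY_PORT, src=ANY_PORT):  # e.g. 'tcp source 2000 ftp'
        self.entries.append((proto, src, dst))

    def matches(self, proto, sport, dport):  # for icmp, dport carries the ICMP type
        for p, src, dst in self.all_entries():
            proto_ok = p == proto or (p == "tcp-udp" and proto in ("tcp", "udp"))
            if proto_ok and src[0] <= sport <= src[1] and dst[0] <= dport <= dst[1]:
                return True
        return False


def _addr_ok(spec, ip):
    return spec == "any" or spec.contains(ip)


def _service_ok(spec, pkt):
    if isinstance(spec, ServiceObjectGroup):
        return spec.matches(pkt["proto"], pkt["sport"], pkt["dport"])
    return spec == "ip" or spec == pkt["proto"]  # plain protocol keyword in the ACE


def evaluate(acl, pkt):
    """Return (action, ace_number); (deny, None) means the implicit deny was hit."""
    for n, (action, svc, src, dst) in enumerate(acl, 1):
        if _service_ok(svc, pkt) and _addr_ok(src, pkt["src"]) and _addr_ok(dst, pkt["dst"]):
            return action, n
    return "deny", None


def nesting_rejected(parent, child):
    """True when 'group-object child' under parent is refused (type mismatch or circular)."""
    try:
        parent.group_object(child)
    except ObjectGroupError:
        return True
    return False


def build_guide_example():
    """my-ogacl-policy: permit the service group from the network group, then deny tcp any any."""
    nested = NetworkObjectGroup("my-nested-object-group")
    nested.network("209.165.200.225", "255.255.255.224")  # assumed content of the child group
    net = NetworkObjectGroup("my-network-object-group")
    net.host("209.165.200.237")
    net.host("209.165.200.238")
    net.group_object(nested)
    svc = ServiceObjectGroup("my-service-object-group")
    svc.add("icmp", dst=(ICMP_ECHO, ICMP_ECHO))        # icmp echo
    svc.add("tcp", dst=(25, 25))                        # tcp smtp
    svc.add("tcp", dst=(23, 23))                        # tcp telnet
    svc.add("tcp", src=(1, 65535), dst=(23, 23))        # tcp source range 1 65535 telnet
    svc.add("tcp", src=(2000, 2000), dst=(21, 21))      # tcp source 2000 ftp
    svc.add("udp", dst=(53, 53))                        # udp domain
    svc.add("tcp-udp", dst=(2000, 2005))                # tcp-udp range 2000 2005
    acl = [("permit", svc, net, "any"), ("deny", "tcp", "any", "any")]
    return acl, net, nested, svc
```

A packet from 209.165.200.237 to TCP port 25 hits ACE 1; the same host to port 80 matches no service entry and falls to the explicit deny tcp any any; a UDP packet from an address outside the group matches neither ACE and is dropped by the implicit deny, which is the point of the reminder in Step 8.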
Applying an Object Group-Based ACL to an Interface
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip access-group {access-list-name | access-list-number} {in | out}
5. end
DETAILED STEPS
Example:
Device# configure terminal
Step 3 interface type number Specifies the interface and enters interface configuration mode.
Example:
Device(config)# interface vlan 100
Step 4 ip access-group {access-list-name | access-list-number} {in | out} Applies the ACL to the interface and specifies whether to filter inbound or outbound packets.
Example:
Device(config-if)# ip access-group my-ogacl-policy in
Verifying Object Groups for ACLs
1. enable
2. show object-group [object-group-name]
3. show ip access-list [access-list-name]
DETAILED STEPS
Step 2 show object-group [object-group-name] Displays the configuration in the named or numbered object group (or in all object groups if no name is entered).
Example:
Device# show object-group my-object-group
Step 3 show ip access-list [access-list-name] Displays the contents of the named or numbered access list or object group-based ACL (or for all access lists and object group-based ACLs if no name is entered).
Device> enable
Device# configure terminal
Device(config)# object-group network my-network-object-group
Device(config-network-group)# description test engineers
Device(config-network-group)# host 209.165.200.237
Device(config-network-group)# host 209.165.200.238
The following example shows how to create a network object group named my-company-network, which contains two hosts, a subnet, and an existing object group (child) named my-nested-object-group as objects:
Device> enable
Device# configure terminal
Device(config)# object-group network my-company-network
Device(config-network-group)# host host1
Device(config-network-group)# host 209.165.200.242
Device(config-network-group)# 209.165.200.225 255.255.255.224
Device(config-network-group)# group-object my-nested-object-group
Device(config-network-group)# end
Example: Creating a Service Object Group
Device> enable
Device# configure terminal
Device(config)# object-group service my-service-object-group
Device(config-service-group)# icmp echo
Device(config-service-group)# tcp smtp
Device(config-service-group)# tcp telnet
Device(config-service-group)# tcp source range 1 65535 telnet
Device(config-service-group)# tcp source 2000 ftp
Device(config-service-group)# udp domain
Device(config-service-group)# tcp-udp range 2000 2005
Device(config-service-group)# group-object my-nested-object-group
Device(config-service-group)# end
Device> enable
Device# configure terminal
Device(config)# ip access-list extended my-ogacl-policy
Device(config-ext-nacl)# permit object-group my-service-object-group object-group my-network-object-group any
Device(config-ext-nacl)# deny tcp any any
Device(config-ext-nacl)# end
Device> enable
Device# configure terminal
Device(config)# interface vlan 100
Device(config-if)# ip access-group my-ogacl-policy in
Device(config-if)# end
Example: Verifying Object Groups for ACLs
The following example shows how to display information about specific object-group-based ACLs:
Security commands
• Cisco IOS Security Command Reference: Commands A to C
• Cisco IOS Security Command Reference: Commands D to L
• Cisco IOS Security Command Reference: Commands M to R
• Cisco IOS Security Command Reference: Commands S to Z
Technical Assistance
Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/cisco/web/support/index.html
CHAPTER 12
Controlling Access to a Virtual Terminal Line
You can control who can access the virtual terminal lines (vtys) to a router by applying an access list to
inbound vtys. You can also control the destinations that the vtys from a router can reach by applying an
access list to outbound vtys.
Controlling Inbound Access to a vty
SUMMARY STEPS
1. enable
2. configure terminal
3. access-list access-list-number deny {source [source-wildcard] | any} [log]
4. access-list access-list-number permit {source [source-wildcard] | any}[log]
5. line vty line-number [ending-line-number]
6. access-class access-list-number in [vrf-also]
7. exit
8. Repeat Steps 5 and 6 for each line to set identical restrictions on all the vtys because a user can connect
to any of them.
9. end
10. show line [line-number | summary]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 access-list access-list-number deny {source [source-wildcard] | any} [log] (Optional) Denies the specified source based on a source address and wildcard mask.
• If the source-wildcard is omitted, a wildcard mask of 0.0.0.0 is assumed, meaning match on all bits of the source address.
• Optionally use the keyword any as a substitute for the source source-wildcard to specify the source and source wildcard of 0.0.0.0 255.255.255.255.
• In this example, host 172.16.7.34 is denied passing the access list.
Example:
Router(config)# access-list 1 deny 172.16.7.34
Step 4 access-list access-list-number permit {source [source-wildcard] | any} [log] Permits the specified source based on a source address and wildcard mask.
• If the source-wildcard is omitted, a wildcard mask of 0.0.0.0 is assumed, meaning match on all bits of the source address.
• Optionally use the keyword any as a substitute for the source source-wildcard to specify the source and source wildcard of 0.0.0.0 255.255.255.255.
• In this example, hosts on network 172.16.0.0 (other than the host denied in the prior step) pass the access list, meaning they can access the vtys identified in the line command.
Example:
Router(config)# access-list 1 permit 172.16.0.0 0.0.255.255
Step 5 line vty line-number [ending-line-number] Identifies a specific line for configuration and enters line configuration mode.
• Entering the line command with the optional line type vty designates the line number as a relative line number.
• You also can use the line command without specifying a line type. In this case, the line number is treated as an absolute line number.
Example:
Router(config)# line vty 5 10
Step 6 access-class access-list-number in [vrf-also] Restricts incoming connections between a particular vty (into a Cisco device) and the networking devices associated with addresses in the access list.
• If you do not specify the vrf-also keyword, incoming Telnet connections from interfaces that are part of a VPN routing and forwarding (VRF) instance are rejected.
Example:
Router(config-line)# access-class 1 in vrf-also
Step 7 exit Returns the user to the next highest configuration mode.
Example:
Router(config-line)# exit
Step 8 Repeat Steps 5 and 6 for each line to set identical restrictions on all the vtys because a user can connect to any of them. If you indicated the full range of vty lines in Step 5 with the line command, you do not need to repeat Steps 5 and 6.
Step 9 end Returns the user to privileged EXEC mode.
Example:
Router(config-line)# end
Step 10 show line [line-number | summary]
Example:
Router# show line 5
Controlling Outbound Access to a vty
SUMMARY STEPS
1. enable
2. configure terminal
3. access-list access-list-number deny {destination [destination-wildcard] | any} [log]
4. access-list access-list-number permit {source [source-wildcard] | any} [log]
5. line vty line-number [ending-line-number]
6. access-class access-list-number out
7. exit
8. Repeat Steps 5 and 6 for each line to set identical restrictions on all the vtys because a user can connect
to any of them.
9. end
10. show line [line-number | summary]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 access-list access-list-number deny {destination [destination-wildcard] | any} [log] Denies line access to the specified destination based on a destination address and wildcard mask.
• If the destination-wildcard is omitted, a wildcard mask of 0.0.0.0 is assumed, meaning match on all bits of the source address.
• Optionally use the keyword any as a substitute for the destination destination-wildcard to specify the source and source wildcard of 0.0.0.0 255.255.255.255.
• In this example, host 172.16.7.34 is denied passing the access list, meaning the line cannot connect to it.
Example:
Router(config)# access-list 2 deny 172.16.7.34
Step 4 access-list access-list-number permit {source [source-wildcard] | any} [log] Permits the specified source based on a source address and wildcard mask.
• If the source-wildcard is omitted, a wildcard mask of 0.0.0.0 is assumed, meaning match on all bits of the source address.
• Optionally use the keyword any as a substitute for the source source-wildcard to specify the source and source wildcard of 0.0.0.0 255.255.255.255.
• In this example, hosts on network 172.16.0.0 (other than the host denied in the prior step) pass the access list, meaning they can be connected to by the vtys identified in the line command.
Example:
Router(config)# access-list 2 permit 172.16.0.0 0.0.255.255
Step 5 line vty line-number [ending-line-number] Identifies a specific line for configuration and enters line configuration mode.
• Entering the line command with the optional line type vty designates the line number as a relative line number.
• You also can use the line command without specifying a line type. In this case, the line number is treated as an absolute line number.
Example:
Router(config)# line vty 5 10
Step 7 exit Returns the user to the next highest configuration mode.
Example:
Router(config-line)# exit
Step 8 Repeat Steps 5 and 6 for each line to set identical restrictions on all the vtys because a user can connect to any of them. If you indicated the full range of vtys in Step 5 with the line command, you do not need to repeat Steps 5 and 6.
Step 9 end Returns the user to privileged EXEC mode.
Example:
Router(config-line)# end
Step 10 show line [line-number | summary]
Example:
Router# show line 5
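As an added example, not Cisco code or output from this guide, the following Python function performs the standard-ACL check that access-class applies to a vty in both tasks above (inbound on the connecting host's address, outbound on the destination the vty user tries to reach): entries are tested top to bottom with a wildcard mask in which a 0 bit must match, a missing wildcard means 0.0.0.0, any stands for 0.0.0.0 255.255.255.255, and a source that matches no entry hits the implicit deny. The access lists are the guide's access-list 1 and access-list 2; the addresses tested are the example's own.

```python
"""Added example (not Cisco code): wildcard-mask matching for the
standard access list that 'access-class' applies to a vty."""
import ipaddress


def _wildcard_match(entry_addr, wildcard, addr):
    """True when every bit that is 0 in the wildcard agrees between entry and addr."""
    a, w, x = (int(ipaddress.IPv4Address(s)) for s in (entry_addr, wildcard, addr))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (x & care)


def acl_decision(acl, addr):
    """acl: list of (action, address, wildcard) mirroring 'access-list N {deny|permit} ...'.
    'any' is shorthand for 0.0.0.0 255.255.255.255; a None wildcard means 0.0.0.0 (exact host).
    The first matching entry wins; no match means the implicit deny at the end of the list."""
    for action, entry_addr, wildcard in acl:
        if entry_addr == "any":
            return action
        if _wildcard_match(entry_addr, wildcard or "0.0.0.0", addr):
            return action
    return "deny"


# access-list 1 (inbound task) and access-list 2 (outbound task) from the guide
ACL_1 = [("deny", "172.16.7.34", None), ("permit", "172.16.0.0", "0.0.255.255")]
ACL_2 = [("deny", "172.16.7.34", None), ("permit", "172.16.0.0", "0.0.255.255")]


def vty_inbound_allowed(source_addr):
    """'access-class 1 in': may a session from source_addr reach the vty?"""
    return acl_decision(ACL_1, source_addr) == "permit"


def vty_outbound_allowed(destination_addr):
    """'access-class 2 out': may a vty user open a session to destination_addr?"""
    return acl_decision(ACL_2, destination_addr) == "permit"
```

Note that the exact-host deny for 172.16.7.34 does not cover 172.16.7.35: with wildcard 0.0.0.0 every bit must match, so the neighbouring address falls through to the permit entry for 172.16.0.0 0.0.255.255. Anything outside 172.16.0.0/16 reaches the end of the list and is rejected by the implicit deny.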
Where to Go Next
You can further secure a vty by configuring a password with the password line configuration command. See
the password (line configuration) command in the Cisco IOS Security Command Reference.
Additional References
Related Documents
Standards
Standard Title
None --
MIBs
RFCs
RFC Title
None --
Technical Assistance
Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/cisco/web/support/index.html
Table 14: Feature Information for Controlling Access to a Virtual Terminal Line
CHAPTER 13
Access List-Based RBSCP
The Access List-Based Rate-Based Satellite Control Protocol (RBSCP) feature allows you to selectively apply the TCP ACK splitting feature of RBSCP to any outgoing interface. The result is a reduced effect of long latencies over a satellite link. Access List-Based RBSCP has none of the tunneling or queueing overhead that is associated with RBSCP tunnels. Additional benefits include more interoperability with other Cisco IOS features (such as TCP/IP header compression, DMVPN, and QoS) because the TCP and Stream Control Transmission Protocol (SCTP) packets are no longer encapsulated with an RBSCP/IP header. This feature works on process switched forwarding, fast switching, or Cisco Express Forwarding (CEF).
Restrictions for Access List-Based RBSCP
• The Access List-Based RBSCP feature will process only IPv4 packets, not IPv6 packets.
• The feature will process only standalone TCP packets. Encapsulated (encrypted or tunneled) TCP packets
will be left unprocessed.
• This feature is available only on non-distributed platforms.
TCP ACK Splitting
If n ACKs are configured and M is the cumulative ACK point of the original TCP ACK, the resulting TCP
ACKs exiting the router will have the following cumulative ACK points:
M-n+1, M-n+2, M-n+3, ..., M
For example, if the size argument is set to 5, and the access list permits a TCP ACK with a cumulative ACK
acknowledging bytes to 1000, then the resulting TCP ACKs exiting the router will have the following
cumulative ACK points:
TCP ACK (996) (1000-5+1)
TCP ACK (997) (1000-5+2)
TCP ACK (998) (1000-5+3)
TCP ACK (999) (1000-5+4)
TCP ACK (1000) (1000-5+5)
Tip The feature will try to process all the TCP flows as filtered by the access list. Try to make the access list
applied to RBSCP as precise as possible to avoid unnecessary processing.
Caution Plan your network carefully so that no more than one Cisco IOS router in a given routing path has this
feature enabled. You do not want to recursively ACK split traffic.
Use RBSCP Selectively by Applying an Access List
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip rbscp ack-split size {access-list-name | access-list-number} out
5. Although it is not required, you should repeat this task on the router that is on the other side of the satellite,
on the outgoing interface facing the network, not the satellite. Use a different access list.
DETAILED STEPS
Example:
Router# configure terminal
Step 4 ip rbscp ack-split size {access-list-name | access-list-number} out Configures RBSCP on the outgoing interface for packets that are permitted by the specified access list.
• The ACK split size determines the number of ACKs to send for every ACK received. An ACK split value of 0 or 1 indicates that this feature is disabled (that is, no ACK split will be done). The range is 0 through 32. See "TCP ACK Splitting".
• In this example, access list 101 determines which packets are subject to TCP ACK splitting.
Example:
Router(config-if)# ip rbscp ack-split 6 101 out
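As an added simulation, not Cisco code, the following Python models the TCP ACK splitting described in "TCP ACK Splitting" and configured in Step 4: an ACK on a flow the access list permits is replaced by size ACKs with cumulative ACK points M-n+1 through M, while a size of 0 or 1 leaves the ACK unchanged and values outside 0 through 32 are rejected. Chaining two such routers shows why the Caution above warns against enabling the feature twice on one path: each of the n ACKs is split again, so one ACK becomes n squared. The flow addresses and the set standing in for the access list are the example's own assumptions.

```python
"""Added simulation (not Cisco code) of RBSCP TCP ACK splitting on an
outgoing interface, including the effect of two routers splitting in series."""
from dataclasses import dataclass

MAX_ACK_SPLIT = 32


def valid_split_size(size):
    """The guide's range for 'ip rbscp ack-split size': 0 through 32."""
    return 0 <= size <= MAX_ACK_SPLIT


@dataclass(frozen=True)
class TcpAck:
    src: str
    dst: str
    ack: int  # cumulative ACK point M


@dataclass
class RbscpInterface:
    """Models 'ip rbscp ack-split <size> <acl> out'. permitted_flows is a constructed
    stand-in for the access list: the set of (src, dst) pairs it permits."""
    size: int
    permitted_flows: set

    def __post_init__(self):
        if not valid_split_size(self.size):
            raise ValueError("ack-split size must be 0 through 32")

    def process(self, pkt):
        """Return the ACKs that leave the interface for one received ACK."""
        if self.size <= 1 or (pkt.src, pkt.dst) not in self.permitted_flows:
            return [pkt]  # feature disabled, or flow not permitted by the ACL
        # cumulative ACK points M-n+1, M-n+2, ..., M
        return [TcpAck(pkt.src, pkt.dst, pkt.ack - self.size + 1 + i) for i in range(self.size)]


def ack_points(pkts):
    return [p.ack for p in pkts]


def run_chain(routers, pkt):
    """Push one ACK through routers in sequence; each may split what it receives."""
    pkts = [pkt]
    for r in routers:
        pkts = [out for p in pkts for out in r.process(p)]
    return pkts
```

With size 5 and an ACK for byte 1000, a single router emits 996 through 1000, matching the worked list in "TCP ACK Splitting". Two routers in series turn the same ACK into 25 ACKs reaching back to 992, which is the recursive splitting the Caution tells you to avoid.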
Configuration Examples for Access List-Based RBSCP
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname IOSACL-72b
!
boot-start-marker
boot-end-marker
!
enable password lab
!
no aaa new-model
!
resource policy
!
ip cef
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
no cdp enable
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex full
speed 1000
media-type gbic
negotiation auto
no cdp enable
!
interface FastEthernet1/0
ip address 1.1.1.2 255.255.255.0
duplex half
no cdp enable
!
interface FastEthernet1/1
ip address 2.2.2.2 255.255.255.0
ip rbscp ack-split 4 101 out
duplex half
no cdp enable
!
interface FastEthernet2/0
no ip address
shutdown
duplex half
no cdp enable
!
interface Serial3/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial3/1
no ip address
shutdown
serial restart-delay 0
no cdp enable
!
interface Serial3/2
no ip address
shutdown
serial restart-delay 0
no cdp enable
!
interface Serial3/3
no ip address
shutdown
serial restart-delay 0
no cdp enable
!
interface FastEthernet4/0
no ip address
shutdown
duplex auto
speed auto
no cdp enable
!
interface FastEthernet4/1
no ip address
shutdown
duplex auto
speed auto
no cdp enable
!
router eigrp 100
network 1.0.0.0
network 2.0.0.0
auto-summary
!
no ip http server
no ip http secure-server
!
logging alarm informational
access-list 101 permit tcp host 1.1.1.1 host 3.3.3.1
dialer-list 1 protocol ip permit
!
control-plane
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end
Additional References
Related Documents
RBSCP commands (complete command syntax, command mode, command history, defaults, usage guidelines, and examples): Cisco IOS Interface and Hardware Component Command Reference
Configuring Rate-Based Satellite Control Protocol (RBSCP): "Implementing Tunnels" chapter in the Cisco IOS Interface and Hardware Component Configuration Guide
Standards
Standard Title
None --
MIBs
RFCs
RFC Title
None --
Technical Assistance
Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/cisco/web/support/index.html
CHAPTER 14
ACL IP Options Selective Drop
The ACL IP Options Selective Drop feature allows Cisco routers to filter packets containing IP options or
to mitigate the effects of IP options on a router or downstream routers by dropping these packets or ignoring
the processing of the IP options.
Information About ACL IP Options Selective Drop
• The ip option ignore command (ignore mode) is supported only on the Cisco 12000 series router.
For many users, dropping the packets is the best solution. However, in environments in which some IP options
may be legitimate, reducing the load that the packets present on the routers is sufficient. Therefore, users may
prefer to skip options processing on the router and forward the packet as though it were pure IP.
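As an added example, not Cisco code, the following Python shows what the two modes decide on: a packet carries IP options exactly when its IHL field is greater than 5 (a header longer than 20 bytes). The parser classifies constructed IPv4 headers, walks the option list so the types present can be logged, and applies the drop or ignore policy described above; a packet without options is forwarded unchanged in either mode. The sample packets, the Record Route option used to populate them, and the action names returned are the example's own.

```python
"""Added example (not Cisco code): detect IP options in an IPv4 header and
apply a drop / ignore policy like 'ip options {drop | ignore}'."""
import struct

MIN_IHL = 5  # 5 * 4 = 20-byte header, no options


def parse_ipv4_header(packet):
    """Return (ihl_words, protocol, options_bytes); raise ValueError on a malformed header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = ver_ihl & 0x0F
    if ihl < MIN_IHL or len(packet) < ihl * 4:
        raise ValueError("IHL invalid or header truncated")
    return ihl, packet[9], bytes(packet[20:ihl * 4])


def has_ip_options(packet):
    return parse_ipv4_header(packet)[0] > MIN_IHL


def option_types(packet):
    """Walk the option TLVs: EOL (0) ends the list, NOP (1) is one byte, others carry a length."""
    opts, i, found = parse_ipv4_header(packet)[2], 0, []
    while i < len(opts):
        t = opts[i]
        if t == 0:
            break
        if t == 1:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            raise ValueError("malformed option length")
        found.append(t)
        i += opts[i + 1]
    return found


def apply_options_policy(packet, mode):
    """mode 'drop': discard packets with options; mode 'ignore': forward them without
    processing the options; any other mode: normal options processing."""
    if not has_ip_options(packet):
        return "forward", packet
    if mode == "drop":
        return "drop", None
    if mode == "ignore":
        return "forward-without-options-processing", packet
    return "process-options", packet


def build_packet(options=b""):
    """Constructed sample IPv4 header (checksum left zero) with an optional options field."""
    if len(options) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    ihl = MIN_IHL + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0, 0,
                         64, 6, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return header + options


# Record Route option: type 7, length 7, pointer 4, one empty slot, then EOL padding
RECORD_ROUTE = bytes([7, 7, 4, 0, 0, 0, 0, 0])
```

In drop mode the option-bearing packet is discarded outright; in ignore mode it is forwarded but the options are not acted on, which is the "forward the packet as though it were pure IP" behaviour the text describes for environments where some options are legitimate.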
Configuring ACL IP Options Selective Drop
SUMMARY STEPS
1. enable
2. configure terminal
3. ip options {drop | ignore}
4. exit
5. show ip traffic
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ip options {drop | ignore} Drops or ignores IP options packets that are sent to the router.
Note On the Cisco 10720 Internet router, the ip option ignore command is not supported. Only drop mode (the ip option drop command) is supported.
Example:
Router(config)# ip options drop
Example:
Router(config)# exit
Example:
Router# show ip traffic
What to Do Next
If you are running Cisco IOS Release 12.3(4)T or a later release, you can also use the ACL Support for Filtering
IP Options feature to filter packets based on whether the packet contains specific IP options. For more
information, refer to the document "Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous
Ports, or TTL Values".
Additional References
Related Documents
Using access lists for filtering IP options: "Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values"
Standards
Standards Title
None --
MIBs
RFCs
RFCs Title
None --
Technical Assistance
Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/cisco/web/support/index.html
CHAPTER 15
ACL Authentication of Incoming rsh and rcp
Requests
This document describes the ACL Authentication of Incoming RSH and RCP Requests feature in Cisco IOS
Release 12.2(8)T.
multiple hosts, multiple database authentication configuration entries must be used, one for each host, as
shown below.
Supported Platforms
• Cisco 805
• Cisco 806
• Cisco 828
• Cisco 1400 series
• Cisco 1600 series
• Cisco 1710
• Cisco 1720
• Cisco 1721
• Cisco 1750
• Cisco 1751
• Cisco 2420
• Cisco 3620
• Cisco 3631
• Cisco 3640
• Cisco 3660
• Cisco 3725
• Cisco 3745
• Cisco 2500 series
• Cisco 2600 series
• Cisco 7100 series
• Cisco 7200 series
Additional References for Firewall TCP SYN Cookie
Security commands:
• Security Command Reference: Commands A to C
• Security Command Reference: Commands D to L
• Security Command Reference: Commands M to R
• Security Command Reference: Commands S to Z
Technical Assistance
Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/cisco/web/support/index.html
Feature Information for ACL Authentication of Incoming rsh and rcp Requests
Table 17: Feature Information for ACL Authentication of Incoming rsh and rcp Requests
CHAPTER 16
Configuring Lock-and-Key Security (Dynamic Access Lists)
Feature History
Release: Cisco IOS
Modification: For information about feature support in Cisco IOS software, use Cisco Feature Navigator.
This chapter describes how to configure lock-and-key security at your router. Lock-and-key is a traffic
filtering security feature available for the IP protocol.
For a complete description of lock-and-key commands, refer to the Cisco IOS Security Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online.
To identify the hardware platform or software image information associated with a feature, use the Feature
Navigator on Cisco.com to search for information about the feature or refer to the software release notes for
a specific release.
and authorization before you configure lock-and-key. User authentication and authorization is explained in the "Authentication, Authorization, and Accounting (AAA)" part of this document.
Lock-and-key uses the autocommand command, which you should understand. This command is described in the Cisco IOS Terminal Services Command Reference.
Information About Configuring Lock-and-Key Security (Dynamic Access Lists)
About Lock-and-Key
Lock-and-key is a traffic filtering security feature that dynamically filters IP protocol traffic. Lock-and-key
is configured using IP dynamic extended access lists. Lock-and-key can be used in conjunction with other
standard access lists and static extended access lists.
When lock-and-key is configured, designated users whose IP traffic is normally blocked at a router can gain
temporary access through the router. When triggered, lock-and-key reconfigures the interface’s existing IP
access list to permit designated users to reach their designated host(s). Afterwards, lock-and-key reconfigures
the interface back to its original state.
For a user to gain access to a host through a router with lock-and-key configured, the user must first open a
Telnet session to the router. When a user initiates a standard Telnet session to the router, lock-and-key
automatically attempts to authenticate the user. If the user is authenticated, they will then gain temporary
access through the router and be able to reach their destination host.
Benefits of Lock-and-Key
Lock-and-key provides the same benefits as standard and static extended access lists (these benefits are
discussed in the chapter “Access Control Lists: Overview and Guidelines”). However, lock-and-key also has
the following security benefits over standard and static extended access lists:
• Lock-and-key uses a challenge mechanism to authenticate individual users.
• Lock-and-key provides simpler management in large internetworks.
• In many cases, lock-and-key reduces the amount of router processing required for access lists.
• Lock-and-key reduces the opportunity for network break-ins by network hackers.
With lock-and-key, you can specify which users are permitted access to which source and destination hosts.
These users must pass a user authentication process before they are permitted access to their designated hosts.
Lock-and-key creates dynamic user access through a firewall, without compromising other configured security
restrictions.
• When you want a specific remote user (or group of remote users) to be able to access a host within your network, connecting from their remote hosts via the Internet. Lock-and-key authenticates the user, then permits limited access through your firewall router for the individual's host or subnet, for a finite period of time.
• When you want a subset of hosts on a local network to access a host on a remote network protected by a firewall. With lock-and-key, you can enable access to the remote host only for the desired set of local users' hosts. Lock-and-key requires the users to authenticate through a TACACS+ server, or other security server, before allowing their hosts to access the remote hosts.
How Lock-and-Key Works
Note The temporary access list entry is not automatically deleted when the user terminates a session. The temporary access list entry remains until a configured timeout is reached or until it is cleared by the system administrator.
Caution Cisco IOS releases before Release 11.1 are not upwardly compatible with the lock-and-key access list enhancements. Therefore, if you save an access list with software older than Release 11.1, and then use this software, the resulting access list will not be interpreted correctly. This could cause you severe security problems. You must save your old configuration files with Cisco IOS Release 11.1 or later software before booting an image with these files.
Risk of Spoofing with Lock-and-Key
Caution Lock-and-key access allows an external event (a Telnet session) to place an opening in the firewall. While this opening exists, the router is susceptible to source address spoofing.
When lock-and-key is triggered, it creates a dynamic opening in the firewall by temporarily reconfiguring an
interface to allow user access. While this opening exists, another host might spoof the authenticated user’s
address to gain access behind the firewall. Lock-and-key does not cause the address spoofing problem; the
problem is only identified here as a concern to the user. Spoofing is a problem inherent to all access lists, and
lock-and-key does not specifically address this problem.
To prevent spoofing, configure encryption so that traffic from the remote host is encrypted at a secured remote
router, and decrypted locally at the router interface providing lock-and-key. You want to ensure that all traffic
using lock-and-key will be encrypted when entering the router; this way no hackers can spoof the source
address, because they will be unable to duplicate the encryption or to be authenticated as is a required part of
the encryption setup process.
Maintaining Lock-and-Key
When lock-and-key is in use, dynamic access lists will dynamically grow and shrink as entries are added and deleted. You need to make sure that entries are being deleted in a timely way, because while entries exist, the risk of a spoofing attack is present. Also, the more entries there are, the bigger the router performance impact will be.
If you do not have an idle or absolute timeout configured, entries will remain in the dynamic access list until you manually remove them. If this is the case, make sure that you are extremely vigilant about removing entries.
Lock-and-Key Authentication
There are three possible methods to configure an authentication query process. These three methods are
described in this section.
Note Cisco recommends that you use the TACACS+ server for your authentication query process. TACACS+ provides authentication, authorization, and accounting services. It also provides protocol support, protocol specification, and a centralized security database. Using a TACACS+ server is described in the next section, "Method 1--Configuring a Security Server."
Use a network access security server such as a TACACS+ server. This method requires additional configuration steps on the TACACS+ server but allows for stricter authentication queries and more sophisticated tracking capabilities.
Router(config)# username name {nopassword | password {mutual-password | encryption-type encryption-password}}
Use the password and login commands. This method is less effective because the password is configured for the port, not for the user. Therefore, any user who knows the password can authenticate successfully.
Router(config-line)# password password
Router(config-line)# login local
• If you configure both idle and absolute timeouts, the absolute timeout value must be greater than the idle timeout value.
How to Configure Lock-and-Key Security (Dynamic Access Lists)
Configuring Lock-and-Key
To configure lock-and-key, use the following commands beginning in global configuration mode. While
completing these steps, be sure to follow the guidelines listed in the “Lock-and-Key Configuration Guidelines”
section of this chapter.
DETAILED STEPS
Step 3  Router(config)# interface type number
        Configures an interface and enters interface configuration mode.
Step 6  Router(config)# line vty line-number [ending-line-number]
        Defines one or more virtual terminal (VTY) ports and enters line configuration mode. If you specify multiple VTY ports, they must all be configured identically because the software hunts for available VTY ports on a round-robin basis. If you do not want to configure all your VTY ports for lock-and-key access, you can specify a group of VTY ports for lock-and-key support only.
Step 7  Do one of the following:
        • Router(config-line)# login tacacs
        • Router(config-line)# password password
        Configures user authentication in line or global configuration mode.
To view dynamic access lists and any temporary access list entries that are currently established, use the following command in privileged EXEC mode:
Command: Router# show access-lists [access-list-number]
Purpose: Displays dynamic access lists and temporary access list entries.
Manually Deleting Dynamic Access List Entries
Command: Router# clear access-template [access-list-number | name] [dynamic-name] [source] [destination]
Purpose: Deletes a dynamic access list.
interface ethernet0
ip address 172.18.23.9 255.255.255.0
ip access-group 101 in
access-list 101 permit tcp any host 172.18.21.2 eq telnet
access-list 101 dynamic mytestlist timeout 120 permit ip any any
line vty 0
login local
autocommand access-enable timeout 5
The first access-list entry allows only Telnet into the router. The second access-list entry is always ignored until lock-and-key is triggered.
In the access-list command, the timeout is the absolute timeout. In this example, the lifetime of the mytestlist ACL is 120 minutes; that is, when a user logs in and enables the access-enable command, a dynamic ACL is created for 120 minutes (the maximum absolute time). The session is closed after 120 minutes, whether or not anyone is using it.
In the access-enable command, the timeout is the idle timeout. In this example, each time the user logs in or authenticates there is a 5-minute session. If there is no activity, the session closes in 5 minutes and the user has to reauthenticate. If the user uses the connection, the absolute time takes effect and the session closes in 120 minutes.
After a user opens a Telnet session into the router, the router will attempt to authenticate the user. If authentication is successful, the autocommand executes and the Telnet session terminates. The autocommand creates a temporary inbound access list entry at the Ethernet 0 interface, based on the second access-list entry (mytestlist). If there is no activity, this temporary entry will expire after 5 minutes, as specified by the timeout.
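The interplay of the absolute timeout on the access-list dynamic statement and the idle timeout on access-enable, as an added Python simulation that is not Cisco code: the entry model, the convention that 0 means "timeout not configured", and the packet timelines fed in are assumptions made here to illustrate the text.

```python
"""Added simulation of one lock-and-key temporary entry's lifetime.

Illustrative Python, not Cisco IOS code. It models how the absolute timeout on
the access-list dynamic statement (120 minutes in the chapter's example) and the
idle timeout on the autocommand access-enable statement (5 minutes) together
decide when the temporary entry disappears. Times are minutes since the user
authenticated; the packet timeline fed in is constructed. By the convention used
here, a timeout of 0 means "not configured", so the entry never ages out.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class DynamicEntry:
    host: str                 # source host the temporary entry permits
    absolute_timeout: int     # "timeout" on the access-list dynamic statement
    idle_timeout: int         # "timeout" on autocommand access-enable
    created: int = 0
    last_activity: int = 0

    def __post_init__(self) -> None:
        # Chapter guideline: with both timeouts set, absolute must exceed idle.
        if self.absolute_timeout and self.idle_timeout \
                and self.absolute_timeout <= self.idle_timeout:
            raise ValueError("absolute timeout must be greater than idle timeout")

    def expiry_at(self) -> Optional[int]:
        """Minute at which the entry is removed if no further traffic arrives:
        whichever of the absolute and idle deadlines comes first, or None when
        neither timeout is configured (the entry stays until cleared by hand)."""
        deadlines = []
        if self.absolute_timeout:
            deadlines.append(self.created + self.absolute_timeout)
        if self.idle_timeout:
            deadlines.append(self.last_activity + self.idle_timeout)
        return min(deadlines) if deadlines else None

    def is_active(self, now: int) -> bool:
        expiry = self.expiry_at()
        return expiry is None or now < expiry

    def packet_seen(self, now: int) -> bool:
        """Traffic from the host refreshes the idle timer, but only while the entry
        still exists; after expiry the user has to authenticate again."""
        if not self.is_active(now):
            return False
        self.last_activity = now
        return True


def simulate(absolute_timeout: int, idle_timeout: int,
             packet_times: List[int]) -> Tuple[List[int], List[int], Optional[int]]:
    """Replay packet arrival times (minutes) through one freshly created entry.

    Returns (accepted_times, dropped_times, minute_the_entry_expires).
    """
    entry = DynamicEntry("constructed-host", absolute_timeout, idle_timeout)
    accepted, dropped = [], []
    for t in sorted(packet_times):
        (accepted if entry.packet_seen(t) else dropped).append(t)
    return accepted, dropped, entry.expiry_at()
```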
CHAPTER 17
Configuring IP Session Filtering (Reflexive Access Lists)
This chapter describes how to configure reflexive access lists on your router. Reflexive access lists provide
the ability to filter network traffic at a router, based on IP upper-layer protocol “session” information.
Note In this chapter, the words “within your network” and “internal network” refer to a network that is controlled
(secured), such as your organization’s intranet, or to a part of your organization’s internal network that
has higher security requirements than another part. “Outside your network” and “external network” refer
to a network that is uncontrolled (unsecured) such as the Internet or to a part of your organization’s network
that is not as highly secured.
(This entry characteristic applies only for TCP and UDP packets. Other protocols, such as ICMP and IGMP,
do not have port numbers, and other criteria are specified. For example, for ICMP, type numbers are used
instead.)
• Inbound TCP traffic will be evaluated against the entry, until the entry expires. If an inbound TCP packet
matches the entry, the inbound packet will be forwarded into your network.
• The entry will expire (be removed) after the last packet of the session passes through the interface.
• If no packets belonging to the session are detected for a configurable length of time (the timeout period),
the entry will expire.
These tasks are described in the sections following the "Defining the Reflexive Access List(s)" section.
Note The defined (outbound) reflexive access list evaluates traffic traveling out of your network: if the defined
reflexive access list is matched, temporary entries are created in the nested (inbound) reflexive access list.
These temporary entries will then be applied to traffic traveling into your network.
Note The defined (inbound) reflexive access list is used to evaluate traffic traveling out of your network: if the
defined reflexive access list is matched, temporary entries are created in the nested (outbound) reflexive
access list. These temporary entries will then be applied to traffic traveling into your network.
Mixing Reflexive Access List Statements with Other Permit and Deny Entries
The extended IP access list that contains the reflexive access list permit statement can also contain other
normal permit and deny statements (entries). However, as with all access lists, the order of entries is important,
as explained in the next few paragraphs.
If you configure reflexive access lists for an external interface, when an outbound IP packet reaches the
interface, the packet will be evaluated sequentially by each entry in the outbound access list until a match
occurs.
If the packet matches an entry prior to the reflexive permit entry, the packet will not be evaluated by the
reflexive permit entry, and no temporary entry will be created for the reflexive access list (reflexive filtering
will not be triggered).
The outbound packet will be evaluated by the reflexive permit entry only if no other match occurs first. Then,
if the packet matches the protocol specified in the reflexive permit entry, the packet is forwarded out of the
interface and a corresponding temporary entry is created in the inbound reflexive access list (unless the
corresponding entry already exists, indicating the outbound packet belongs to a session in progress). The
temporary entry specifies criteria that permits inbound traffic only for the same session.
How to Configure Reflexive Access Lists
DETAILED STEPS
Step 2  Router(config-ext-nacl)# permit protocol any any reflect name [timeout seconds]
        Defines the reflexive access list using the reflexive permit entry.
        • Repeat this step for each IP upper-layer protocol; for example, you can define reflexive filtering for TCP sessions and also for UDP sessions. You can use the same name for multiple protocols.
        Note The reflexive list is not limited to one per ACL. It is related to each item in the ACL. You can have several reflexive lists that can be tied in to any number of items in the ACL, that are common to one input interface (or many) and evaluated on different output interfaces.
Step 3  Router(config-ext-nacl)# exit
        Exits access-list configuration mode and enters global configuration mode.
Step 4  Router(config)# interface type number
        Configures an interface and enters interface configuration mode.
Step 5  Do one of the following:
        • Router(config-if)# ip access-group name out
          External interface: Applies the extended access list to the interface's outbound traffic.
        • Router(config-if)# ip access-group name in
          Internal interface: Applies the extended access list to the interface's inbound traffic.
Nesting the Reflexive Access List(s)
After you nest a reflexive access list, packets heading into your internal network can be evaluated against any
reflexive access list temporary entries, along with the other entries in the extended named IP access list.
Again, the order of entries is important. Normally, when a packet is evaluated against entries in an access list,
the entries are evaluated in sequential order, and when a match occurs, no more entries are evaluated. With a
reflexive access list nested in an extended access list, the extended access list entries are evaluated sequentially
up to the nested entry, then the reflexive access list entries are evaluated sequentially, and then the remaining
entries in the extended access list are evaluated sequentially. As usual, after a packet matches any of these
entries, no more entries will be evaluated.
If the extended named IP access list you just specified has never been applied to the interface, you must also
apply the extended named IP access list to the interface.
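The mixing and nesting rules described above (an entry matched ahead of the reflexive permit entry never triggers reflection; the evaluate entry splices the temporary entries into the inbound walk before the remaining static entries), as an added Python model that is not Cisco code. The Packet and entry classes, the 5-tuple matching, the session-end flag, and the addresses and names are assumptions made for the illustration.

```python
"""Added model of reflexive access list evaluation (illustrative, not Cisco code).

Outbound packets are tested in order; only on reaching the "permit ... reflect"
entry is a mirrored temporary entry created (or refreshed) in the named reflexive
list. Inbound packets walk their list in order, test that reflexive list's entries
at the nested "evaluate" entry, then continue with the remaining static entries;
anything unmatched hits the implicit deny. Values below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp", "icmp", "eigrp"
    src: str
    sport: int
    dst: str
    dport: int
    last: bool = False      # final packet of the session (for example a TCP FIN)

@dataclass
class Static:               # ordinary permit/deny entry; "any" matches everything
    action: str
    proto: str
    src: str = "any"
    dst: str = "any"

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto) and self.src in ("any", p.src)
                and self.dst in ("any", p.dst))

@dataclass
class Reflect(Static):      # permit <proto> any any reflect <name> [timeout seconds]
    name: str = ""
    timeout: Optional[int] = None   # None: use the global reflexive-list timeout

@dataclass
class Evaluate:             # evaluate <name>, nested in the other direction's list
    name: str

@dataclass
class TempEntry:
    key: Tuple[str, str, int, str, int]   # 5-tuple of the permitted return traffic
    timeout: int
    expires: int

class ReflexiveRouter:
    def __init__(self, outbound: list, inbound: list, global_timeout: int = 300):
        self.outbound, self.inbound = outbound, inbound
        self.global_timeout = global_timeout
        self.reflexive: Dict[str, List[TempEntry]] = {}   # name -> temporary entries

    def _purge(self, now: int) -> None:
        for name in self.reflexive:
            self.reflexive[name] = [e for e in self.reflexive[name] if e.expires > now]

    def outbound_packet(self, p: Packet, now: int) -> str:
        self._purge(now)
        for entry in self.outbound:
            if not entry.matches(p):
                continue
            if isinstance(entry, Reflect):
                key = (p.proto, p.dst, p.dport, p.src, p.sport)     # mirrored tuple
                tmo = self.global_timeout if entry.timeout is None else entry.timeout
                lst = self.reflexive.setdefault(entry.name, [])
                hit = next((e for e in lst if e.key == key), None)
                if hit and p.last:
                    lst.remove(hit)                 # session over: drop the entry
                elif hit:
                    hit.expires = now + tmo         # session in progress: refresh
                elif not p.last:
                    lst.append(TempEntry(key, tmo, now + tmo))
            return entry.action     # an earlier match means no temporary entry
        return "deny"               # implicit deny at the end of every list

    def inbound_packet(self, p: Packet, now: int) -> str:
        self._purge(now)
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        for entry in self.inbound:
            if isinstance(entry, Evaluate):
                for temp in self.reflexive.get(entry.name, []):
                    if temp.key == key:
                        if p.last:
                            self.reflexive[entry.name].remove(temp)
                        else:
                            temp.expires = now + temp.timeout
                        return "permit"
            elif entry.matches(p):
                return entry.action
        return "deny"

def build_example_router() -> ReflexiveRouter:
    """Chapter's external-interface lists plus a constructed deny ahead of the reflect entry."""
    outbound = [Static("deny", "tcp", dst="192.0.2.99"),
                Reflect("permit", "tcp", name="tcptraffic")]
    inbound = [Static("permit", "eigrp"), Static("deny", "icmp"),
               Evaluate("tcptraffic")]
    return ReflexiveRouter(outbound, inbound, global_timeout=120)
```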
DETAILED STEPS
Step 2  Router(config-ext-nacl)# evaluate name
        Adds an entry that "points" to the reflexive access list. Adds an entry for each reflexive access list name previously defined.
Step 3  Router(config-ext-nacl)# exit
        Exits access-list configuration mode and enters global configuration mode.
Step 4  Router(config)# interface type number
        Configures an interface and enters interface configuration mode.
Step 5  Do one of the following:
        • Router(config-if)# ip access-group name in
          External interface: Applies the extended access list to the interface's inbound traffic.
        • Router(config-if)# ip access-group name out
          Internal interface: Applies the extended access list to the interface's outbound traffic.
Setting a Global Timeout Value
To change the global timeout value, use the following command in global configuration mode:
Command: Router(config)# ip reflexive-list timeout seconds
Purpose: Changes the global timeout value for temporary reflexive access list entries. Use a positive integer from 0 to 2,147,483.
Configuration Examples for Reflexive Access List
interface serial 1
description Access to the Internet via this interface
Apply access lists to the interface, for inbound traffic and for outbound traffic:
ip access-group inboundfilters in
ip access-group outboundfilters out
Define the outbound access list. This is the access list that evaluates all outbound traffic on interface Serial 1.
interface Serial 1
description Access to the Internet via this interface
ip access-group inboundfilters in
ip access-group outboundfilters out
!
ip reflexive-list timeout 120
!
ip access-list extended outboundfilters
permit tcp any any reflect tcptraffic
!
ip access-list extended inboundfilters
permit eigrp any any
deny icmp any any
evaluate tcptraffic
With this configuration, before any TCP sessions have been initiated the show access-list EXEC command displays the following:
Example Internal Interface Configuration
interface Ethernet 0
description Access from the I-net to our Internal Network via this interface
ip access-group inboundfilters in
ip access-group outboundfilters out
!
ip reflexive-list timeout 120
!
ip access-list extended outboundfilters
permit eigrp any any
CHAPTER 18
IP Access List Entry Sequence Numbering
Users can apply sequence numbers to permit or deny statements and also reorder, add, or remove such statements from a named IP access list. This feature makes revising IP access lists much easier. Prior to this feature, users could add access list entries only to the end of an access list; therefore, adding statements anywhere except at the end required reconfiguring the access list entirely.
Information About IP Access List Entry Sequence Numbering
How an IP Access List Works
• If no conditions match, the software drops the packet. This is because each access list ends with an
unwritten or implicit deny statement. That is, if the packet has not been permitted by the time it was
tested against each statement, it is denied.
• The access list must contain at least one permit statement or else all packets are denied.
• Because the software stops testing conditions after the first match, the order of the conditions is critical.
The same permit or deny statements specified in a different order could result in a packet being passed
under one circumstance and denied in another circumstance.
• If an access list is referenced by name in a command, but the access list does not exist, all packets pass.
• Only one access list per interface, per protocol, per direction is allowed.
• Inbound access lists process packets arriving at the device. Incoming packets are processed before being
routed to an outbound interface. An inbound access list is efficient because it saves the overhead of
routing lookups if the packet is to be discarded because it is denied by the filtering tests. If the packet
is permitted by the tests, it is then processed for routing. For inbound lists, permit means continue to
process the packet after receiving it on an inbound interface; deny means discard the packet.
• Outbound access lists process packets before they leave the device. Incoming packets are routed to the
outbound interface and then processed through the outbound access list. For outbound lists, permit
means send it to the output buffer; deny means discard the packet.
If you do not supply a wildcard mask with a source or destination address in an access list statement, the
software assumes a default wildcard mask of 0.0.0.0.
Unlike subnet masks, which require contiguous bits indicating network and subnet to be ones, wildcard masks
allow noncontiguous bits in the mask.
IP Access List Entry Sequence Numbering
Benefits
The ability to apply sequence numbers to IP access list entries simplifies access list changes. Prior to the IP
Access List Entry Sequence Numbering feature, there was no way to specify the position of an entry within
an access list. If a user wanted to insert an entry (statement) in the middle of an existing list, all of the entries
after the desired position had to be removed, then the new entry was added, and then all the removed entries
had to be reentered. This method was cumbersome and error prone.
This feature allows users to add sequence numbers to access list entries and resequence them. When a user
adds a new entry, the user chooses the sequence number so that it is in a desired position in the access list. If
necessary, entries currently in the access list can be resequenced to create room to insert the new entry.
• If you enter an entry without a sequence number, it is assigned a sequence number that is 10 greater than
the last sequence number in that access list and is placed at the end of the list.
• If you enter an entry that matches an already existing entry (except for the sequence number), then no
changes are made.
• If you enter a sequence number that is already present, the following error message is generated:
• If a new access list is entered from global configuration mode, then sequence numbers for that access
list are generated automatically.
• Distributed support is provided so that the sequence numbers of entries in the Route Processor (RP) and
line card (LC) are always synchronized.
• Sequence numbers are not nvgened (not written to NVRAM as part of the saved configuration). That is, the sequence numbers themselves are not saved. In the event that the system is reloaded, the configured sequence numbers revert to the default sequence starting number and increment from that number. This function is provided for backward compatibility with software releases that do not support sequence numbering.
• The IP Access List Entry Sequence Numbering feature works with named standard and extended IP
access lists. Because the name of an access list can be designated as a number, numbers are acceptable.
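The first-match evaluation, wildcard-mask and sequence-numbering rules from this chapter, as an added Python model of a named standard access list that is not Cisco code; the class names, the DuplicateSequenceError, and the addresses are assumptions made here, and the model applies the "last + 10" and resequence behaviour to any list contents rather than only to the chapter's kmd1 example.

```python
"""Added model of a named standard IP access list with sequence numbers.

Illustrative Python, not Cisco IOS code. It implements the rules stated in
this chapter: entries are tested in sequence order and the first match wins,
an unmatched packet hits the implicit deny, a missing wildcard mask defaults
to 0.0.0.0 (an exact host match) and wildcard bits may be noncontiguous, an
entry added without a sequence number gets the last number plus 10, a duplicate
statement is ignored, a duplicate sequence number is rejected, and resequence
renumbers from a starting value with an increment. Addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def wildcard_match(addr: str, pattern: str, wildcard: str = "0.0.0.0") -> bool:
    """A 1 bit in the wildcard mask means 'ignore this bit of the address'."""
    a = int(ipaddress.IPv4Address(addr))
    p = int(ipaddress.IPv4Address(pattern))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (p & ~w)


@dataclass(frozen=True)
class Entry:
    action: str                 # "permit" or "deny"
    source: str
    wildcard: str = "0.0.0.0"   # default mask when none is supplied


class DuplicateSequenceError(ValueError):
    """Raised for the 'sequence number already present' case the chapter names."""


class NamedStandardACL:
    def __init__(self, name: str):
        self.name = name
        self.entries: Dict[int, Entry] = {}     # sequence number -> entry

    def add(self, entry: Entry, seq: Optional[int] = None) -> int:
        """Add an entry; returns the sequence number it holds afterwards."""
        if entry in self.entries.values():      # identical statement: no change
            return next(s for s, e in self.entries.items() if e == entry)
        if seq is None:
            seq = max(self.entries, default=0) + 10
        elif seq in self.entries:
            raise DuplicateSequenceError(f"sequence number {seq} already in {self.name}")
        self.entries[seq] = entry
        return seq

    def remove(self, seq: int) -> None:
        """Equivalent of 'no <sequence-number>' in named ACL configuration mode."""
        del self.entries[seq]

    def resequence(self, start: int, increment: int) -> None:
        """ip access-list resequence <name> <start> <increment>."""
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {start + i * increment: e for i, e in enumerate(ordered)}

    def ordered(self) -> List[Tuple[int, Entry]]:
        return sorted(self.entries.items())

    def evaluate(self, src: str) -> str:
        """First matching entry decides; no match means the implicit deny."""
        for _, e in self.ordered():
            if wildcard_match(src, e.source, e.wildcard):
                return e.action
        return "deny"


def filter_packet(acl: Optional[NamedStandardACL], src: str) -> str:
    """An interface referencing an access list that does not exist passes all packets."""
    return "permit" if acl is None else acl.evaluate(src)
```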
How to Use Sequence Numbers in an IP Access List
Sequencing Access-List Entries and Revising the Access List
SUMMARY STEPS
1. enable
2. configure terminal
3. ip access-list resequence access-list-name starting-sequence-number increment
4. ip access-list {standard | extended} access-list-name
5. Do one of the following:
• sequence-number permit source source-wildcard
• sequence-number permit protocol source source-wildcard destination destination-wildcard
[precedence precedence][tos tos] [log] [time-range time-range-name] [fragments]
7. Repeat Step 5 and/or Step 6 as necessary, adding statements by sequence number where you planned. Use
the no sequence-number command to delete an entry.
8. end
9. show ip access-lists access-list-name
DETAILED STEPS
Step 1  enable
        Example:
        Device> enable
Step 2  configure terminal
        Example:
        Device# configure terminal
Step 3  ip access-list resequence access-list-name starting-sequence-number increment
        Resequences the specified IP access list using the starting sequence number and the increment of sequence numbers.
        • This example resequences an access list named kmd1. The starting sequence number is 100 and the increment is 15.
        Example:
        Device(config)# ip access-list resequence kmd1 100 15
Step 4  ip access-list {standard | extended} access-list-name
        Specifies the IP access list by name and enters named access list configuration mode.
Step 5 Do one of the following: Specifies a permit statement in named IP access list mode.
• sequence-number permit source • This access list happens to use a permitstatement first, but a
source-wildcard deny statement could appear first, depending on the order of
statements you need.
• sequence-number permit protocol source
source-wildcard destination • See the permit (IP) command for additional command syntax to
destination-wildcard [precedence permit upper layer protocols (ICMP, IGMP, TCP, and UDP).
precedence][tos tos] [log] [time-range
• Use the no sequence-number command to delete an entry.
time-range-name] [fragments]
• As the prompt indicates, this access list was a standard access
list. If you had specified extended in Step 4, the prompt for this
Example: step would be Device(config-ext-nacl) and you would use the
extended permit command syntax.
Device(config-std-nacl)# 105 permit
10.5.5.5 0.0.0 255
Step 6 Do one of the following:
• sequence-number deny source source-wildcard
• sequence-number deny protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
(Optional) Specifies a deny statement in named IP access list mode.
• This access list happens to use a permit statement first, but a deny statement could appear first, depending on the order of statements you need.
• See the deny (IP) command for additional command syntax to deny upper layer protocols (ICMP, IGMP, TCP, and UDP).
• Use the no sequence-number command to delete an entry.
• As the prompt indicates, this access list was a standard access list. If you had specified extended in Step 4, the prompt for this step would be Device(config-ext-nacl) and you would use the extended deny command syntax.
Example:
Device(config-std-nacl)# 105 deny 10.6.6.7 0.0.0.255
Step 7 Repeat Step 5 and/or Step 6 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry.   Allows you to revise the access list.
Step 8 end   (Optional) Exits the configuration mode and returns to privileged EXEC mode.
Example:
Device(config-std-nacl)# end
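As an added example (Python, not Cisco code), the following models the list manipulated in Steps 3 through 7: resequencing with a starting number and increment, inserting an entry by sequence number, the rejection of a sequence number that is already in use, deletion with no sequence-number, and first-match evaluation that ends in the implicit deny. The list name, entries and addresses are constructed to follow the values used in the examples above.

```python
"""Model of a named standard IP access list with entry sequence numbers.

Added example, not Cisco code.  It follows the procedure above: resequence an
existing list ('ip access-list resequence kmd1 100 15'), insert an entry by
sequence number ('105 permit 10.5.5.5 0.0.0.255'), delete with 'no <seq>', and
evaluate a source address against the ordered entries, ending in the implicit
deny that closes every IOS access list.
"""
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


class StandardACL:
    """Named standard ACL: entries keyed by sequence number, evaluated in order."""

    def __init__(self, name: str):
        self.name = name
        self.entries = {}   # sequence number -> (action, source, wildcard)

    def add(self, seq: int, action: str, source: str, wildcard: str = "0.0.0.0"):
        """'<seq> permit|deny <source> [<wildcard>]'.  IOS rejects a sequence
        number that is already in use, so this model does too."""
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if seq in self.entries:
            raise ValueError(f"% Duplicate sequence number {seq}")
        self.entries[seq] = (action, source, wildcard)

    def remove(self, seq: int):
        """'no <seq>' deletes one entry."""
        del self.entries[seq]

    def resequence(self, start: int, increment: int):
        """'ip access-list resequence <name> <start> <increment>': renumber the
        entries in their current order, keeping their relative order."""
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {start + i * increment: e for i, e in enumerate(ordered)}

    def ordered(self):
        return [(s, *self.entries[s]) for s in sorted(self.entries)]

    def evaluate(self, src: str):
        """First matching entry decides; no match hits the implicit deny (seq None)."""
        for seq, action, source, wildcard in self.ordered():
            if wildcard_match(src, source, wildcard):
                return action, seq
        return "deny", None


def build_demo_acl() -> StandardACL:
    """Constructed list: three entries numbered 10/20/30, then the resequence and
    the insertion shown in the procedure above."""
    acl = StandardACL("kmd1")
    acl.add(10, "permit", "10.4.4.0", "0.0.0.255")
    acl.add(20, "deny", "10.6.6.0", "0.0.0.255")
    acl.add(30, "permit", "10.0.0.0", "0.255.255.255")
    acl.resequence(100, 15)                          # entries become 100, 115, 130
    acl.add(105, "permit", "10.5.5.5", "0.0.0.255")  # fits the gap opened by resequencing
    return acl


def demo() -> dict:
    acl = build_demo_acl()
    try:
        acl.add(105, "deny", "10.6.6.7", "0.0.0.255")   # same number as the permit
        duplicate_rejected = False
    except ValueError:
        duplicate_rejected = True
    return {
        "sequence": [e[0] for e in acl.ordered()],
        "10.5.5.77": acl.evaluate("10.5.5.77"),
        "10.6.6.7": acl.evaluate("10.6.6.7"),
        "172.16.0.1": acl.evaluate("172.16.0.1"),
        "duplicate_rejected": duplicate_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```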
What to Do Next
If your access list is not already applied to an interface or line or otherwise referenced, apply the access list.
Refer to the “Configuring IP Services” chapter of the Cisco IOS IP Configuration Guide for information about
how to apply an IP access list.
Example: Adding Entries with Sequence Numbers
Additional References for IP Access List Entry Sequence Numbering
Related Documents
Related Topic | Document Title
Cisco IOS commands | Cisco IOS Master Command List, All Releases
Technical Assistance
Description | Link
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/techsupport
Feature Information for IP Access List Entry Sequence Numbering
Table 18: Feature Information for IP Access List Entry Sequence Numbering
CHAPTER 19
Configuring Template ACLs
When user profiles are configured using RADIUS Attribute 242 or vendor-specific attribute (VSA)
Cisco-AVPairs, similar per-user access control lists (ACLs) may be replaced by a single template ACL. That
is, one ACL represents many similar ACLs. By using template ACLs, you can increase the total number of
per-user ACLs while minimizing the memory and Ternary Content Addressable Memory (TCAM) resources
needed to support the ACLs.
In networks where each subscriber has its own ACL, it is common for the ACL to be the same for each user
except for the user’s IP address. The Template ACLs feature groups ACLs with many common access control
elements (ACEs) into a single ACL that saves system resources.
Prerequisites for Template ACLs
Multiple ACLs
When the Template ACL feature is enabled, the system can identify when two per-user ACLs are similar, and it consolidates the two per-user ACLs into one template ACL.
The following example shows two ACLs for two separate users:
The two ACLs are consolidated into one template ACL and are referenced as follows:
Virtual-Access1.1#1 maps to Template_1(10.1.1.1)
Virtual-Access1.1#2 maps to Template_1(10.13.11.2)
VSA Cisco-AVPairs
Template ACL processing occurs for ACLs that are configured using Cisco-AVPairs. Only AVPairs that are
defined using the ACL number are considered for the templating process.
To be considered for templating, AVPairs for incoming ACLs must conform to the following format:
ip:inacl#number={standard-access-control-list | extended-access-control-list}
For example: ip:inacl#10=deny ip any 10.13.16.0 0.0.0.255
To be considered for templating, AVPairs for outgoing ACLs must conform to the following format:
ip:outacl#number={standard-access-control-list | extended-access-control-list}
For example: ip:outacl#200=permit ip any any
For more information on Cisco-AVPairs, see the Cisco Vendor-Specific AVPair Attributes section of the
Cisco IOS ISG RADIUS CoA Interface Guide.
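The consolidation described under Multiple ACLs and the AVPair format given above, as an added Python example that is not Cisco code. The page does not say how IOS judges two per-user ACLs to be similar; this model treats lists that are identical once the subscriber's own IP address is replaced by a placeholder as one template, and the session names and AVPairs are constructed.

```python
"""Template ACL consolidation, modelled on the description above.

Added example, not Cisco code.  Per-user ACLs arrive as Cisco-AVPairs in the
'ip:inacl#<number>=<ace>' / 'ip:outacl#<number>=<ace>' form; AVPairs without
the ACL number are ignored, as the page states.  Similarity rule (this
example's assumption): two lists are the same template when they are identical
after the subscriber's own address is replaced by a placeholder.  The result
is reported in the page's 'Virtual-Access1.1#1 maps to Template_1(10.1.1.1)'
form.
"""
import re
from collections import OrderedDict

AVPAIR_RE = re.compile(r"^ip:(inacl|outacl)#(\d+)=(.+)$")
PLACEHOLDER = "<user-ip>"


def parse_avpairs(avpairs):
    """Return {'inacl': [(number, ace), ...], 'outacl': [...]} sorted by number.
    Only AVPairs defined with an ACL number take part in templating."""
    acls = {"inacl": [], "outacl": []}
    for av in avpairs:
        m = AVPAIR_RE.match(av.strip())
        if not m:
            continue                       # e.g. 'ip:inacl=...' without #number
        direction, number, ace = m.groups()
        acls[direction].append((int(number), " ".join(ace.split())))
    for direction in acls:
        acls[direction].sort()
    return acls


def template_key(direction, aces, user_ip):
    """Canonical form of one per-user ACL: the subscriber's address becomes a
    placeholder so that lists differing only in that address compare equal.
    The lookarounds keep 10.1.1.1 from matching inside 10.1.1.10."""
    own = re.compile(rf"(?<![\d.]){re.escape(user_ip)}(?![\d.])")
    return (direction, tuple(own.sub(PLACEHOLDER, ace) for _, ace in aces))


def consolidate(sessions):
    """sessions: {session: (user_ip, [avpair, ...])}.
    Returns (templates, mapping): templates maps a canonical ACL to its
    Template_n name; mapping maps (session, direction) to 'Template_n(user_ip)'."""
    templates = OrderedDict()
    mapping = {}
    for session, (user_ip, avpairs) in sessions.items():
        for direction, aces in parse_avpairs(avpairs).items():
            if not aces:
                continue
            key = template_key(direction, aces, user_ip)
            if key not in templates:
                templates[key] = f"Template_{len(templates) + 1}"
            mapping[(session, direction)] = f"{templates[key]}({user_ip})"
    return templates, mapping


# Constructed sessions: the first two differ only in the subscriber address and
# share a template; the third carries a different rule set.
SESSIONS = {
    "Virtual-Access1.1#1": ("10.1.1.1", [
        "ip:inacl#10=deny ip any 10.13.16.0 0.0.0.255",
        "ip:inacl#20=permit ip host 10.1.1.1 any",
        "ip:outacl#200=permit ip any any",
    ]),
    "Virtual-Access1.1#2": ("10.13.11.2", [
        "ip:inacl#10=deny ip any 10.13.16.0 0.0.0.255",
        "ip:inacl#20=permit ip host 10.13.11.2 any",
        "ip:outacl#200=permit ip any any",
    ]),
    "Virtual-Access1.1#3": ("10.2.2.9", [
        "ip:inacl#10=permit tcp any host 10.2.2.9 eq 443",
        "ip:inacl#20=deny ip any any",
    ]),
}


def template_report(sessions=SESSIONS):
    """Lines in the page's 'X maps to Template_n(ip)' form, one per direction."""
    _, mapping = consolidate(sessions)
    return [f"{s} {d} maps to {t}" for (s, d), t in sorted(mapping.items())]


if __name__ == "__main__":
    print("\n".join(template_report()))
```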
RADIUS Attribute 242
Element | Description
ip | Specifies an IP filter.
<action> | Specifies the action the router should take with a packet that matches the filter. Possible values are forward or drop.
dstip <dest_ipaddr\subnet_mask> | Enables destination-IP-address filtering. Applies to packets whose destination address matches the value of <dest_ipaddr>. If a subnet mask portion of the address is present, the router compares only the masked bits. If you set <dest_ipaddr> to 0.0.0.0, or if this keyword is not present, the filter matches all IP packets.
dstport <cmp> <value> | Enables destination-port filtering. This keyword is valid only when <proto> is set to tcp (6) or udp (17). If you do not specify a destination port, the filter matches any port. <cmp> defines how to compare the specified <value> to the actual destination port. This value can be <, =, >, or !. <value> can be a name or a number. Possible names and numbers are ftp-data (20), ftp (21), telnet (23), nameserver (42), domain (53), tftp (69), gopher (70), finger (79), www (80), kerberos (88), hostname (101), nntp (119), ntp (123), exec (512), login (513), cmd (514), and talk (517).
srcport <cmp> <value> | Enables source-port filtering. This keyword is valid only when <proto> is set to tcp (6) or udp (17). If you do not specify a source port, the filter matches any port. <cmp> defines how to compare the specified <value> to the actual source port. This value can be <, =, >, or !. <value> can be a name or a number. Possible names and numbers are ftp-data (20), ftp (21), telnet (23), nameserver (42), domain (53), tftp (69), gopher (70), finger (79), www (80), kerberos (88), hostname (101), nntp (119), ntp (123), exec (512), login (513), cmd (514), and talk (517).
<est> | When set to 1, specifies that the filter matches a packet only if a TCP session is already established. This argument is valid only when <proto> is set to tcp (6).
"RADIUS Attribute 242 IP Data Filter Entries" shows four attribute 242 IP data filter entries.
Ascend-Data-Filter="ip in drop"
Ascend-Data-Filter="ip out forward tcp"
Ascend-Data-Filter="ip out forward tcp dstip 10.0.200.3/16 srcip 10.0.200.25/16 dstport!=telnet"
Ascend-Data-Filter="ip out forward tcp dstip 10.0.200.3/16 srcip 10.0.200.25/16 icmp"
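A parser and matcher for the attribute 242 text form, added here as an example and not Cisco or Ascend code. It covers the elements described in the table above (ip, <action>, dstip, dstport, srcport, <est>) and, as assumptions taken from the four entries rather than from the table, the in|out direction word, the protocol keyword (tcp = 6, udp = 17, icmp = 1), the srcip element and a bare est token as the text form of the <est> flag; the packets it is evaluated against are constructed.

```python
"""Parser and matcher for RADIUS Attribute 242 (Ascend-Data-Filter) IP filters
in the text form shown above.  Added example, not Cisco or Ascend code.
From the element table: ip, <action>, dstip, dstport/srcport with <cmp> in
< = > !, the port-name list and <est>.  Assumed from the four entries rather
than the table: the in|out word, the protocol keyword (tcp 6, udp 17, icmp 1),
the srcip element and a bare 'est' token as the text form of <est>=1."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "nameserver": 42,
              "domain": 53, "tftp": 69, "gopher": 70, "finger": 79, "www": 80,
              "kerberos": 88, "hostname": 101, "nntp": 119, "ntp": 123,
              "exec": 512, "login": 513, "cmd": 514, "talk": 517}
PROTOCOLS = {"tcp": 6, "udp": 17, "icmp": 1}


def _compare(port: Optional[int], cmp: str, value: int) -> bool:
    if port is None:
        return False
    return {"<": port < value, "=": port == value,
            ">": port > value, "!=": port != value}[cmp]


@dataclass
class IPFilter:
    direction: str                                 # "in" or "out"
    action: str                                    # "forward" or "drop"
    proto: Optional[int] = None                    # None: any IP protocol
    dstip: Optional[ipaddress.IPv4Network] = None  # None: match all
    srcip: Optional[ipaddress.IPv4Network] = None
    dstport: Optional[Tuple[str, int]] = None      # (comparator, port)
    srcport: Optional[Tuple[str, int]] = None
    est: bool = False                              # established TCP only

    def matches(self, pkt: dict) -> bool:
        """pkt keys: direction, proto, src, dst, sport, dport, established."""
        if pkt["direction"] != self.direction:
            return False
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        for net, key in ((self.dstip, "dst"), (self.srcip, "src")):
            if net is not None and ipaddress.IPv4Address(pkt[key]) not in net:
                return False
        for cond, key in ((self.dstport, "dport"), (self.srcport, "sport")):
            if cond is not None and not _compare(pkt.get(key), *cond):
                return False
        return not self.est or bool(pkt.get("established"))


def _network(text: str) -> Optional[ipaddress.IPv4Network]:
    """addr or addr/mask: only masked bits count (10.0.200.3/16 -> 10.0.0.0/16);
    an address of 0.0.0.0 means 'match all' and is returned as None."""
    net = ipaddress.ip_network(text, strict=False)
    return None if int(net.network_address) == 0 else net


def parse_filter(line: str) -> IPFilter:
    """Accept 'Ascend-Data-Filter="..."' or the bare filter text, with straight
    or curly quotes; the comparator may be glued on, as in dstport!=telnet."""
    body = line.split("=", 1)[1] if line.startswith("Ascend-Data-Filter=") else line
    body = body.strip().strip('"\u201c\u201d')
    body = re.sub(r"(dstport|srcport)\s*(!=|[<=>!])\s*", r"\1 \2 ", body)
    toks = body.split()
    if (len(toks) < 3 or toks[0] != "ip" or toks[1] not in ("in", "out")
            or toks[2] not in ("forward", "drop")):
        raise ValueError(f"not an 'ip <in|out> <forward|drop>' filter: {line!r}")
    flt = IPFilter(direction=toks[1], action=toks[2])
    i = 3
    if i < len(toks) and toks[i] in PROTOCOLS:
        flt.proto = PROTOCOLS[toks[i]]
        i += 1
    while i < len(toks):
        kw = toks[i]
        if kw in ("dstip", "srcip"):
            setattr(flt, kw, _network(toks[i + 1]))
            i += 2
        elif kw in ("dstport", "srcport"):
            cmp = "!=" if toks[i + 1] == "!" else toks[i + 1]
            if cmp not in ("<", "=", ">", "!="):
                raise ValueError(f"bad comparator {toks[i + 1]!r}")
            value = PORT_NAMES.get(toks[i + 2]) or int(toks[i + 2])
            setattr(flt, kw, (cmp, value))
            i += 3
        elif kw == "est":
            flt.est = True
            i += 1
        else:
            raise ValueError(f"unknown filter element {kw!r}")
    if (flt.dstport or flt.srcport) and flt.proto not in (6, 17):
        raise ValueError("port comparisons are valid only with tcp or udp")
    if flt.est and flt.proto != 6:
        raise ValueError("est is valid only with tcp")
    return flt


def first_match(filters, pkt: dict) -> Optional[str]:
    """Action of the first filter matching pkt, or None when none matches (the
    page does not say what the device does with an unmatched packet)."""
    return next((f.action for f in filters if f.matches(pkt)), None)
```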
How to Configure Template ACLs
SUMMARY STEPS
1. enable
2. configure terminal
3. access-list template number
4. exit
5. show access-list template summary
DETAILED STEPS
Example:
Router# configure terminal
Example:
Router(config)# exit
Step 5 show access-list template summary   (Optional) Displays summary information about template ACLs.
Example:
Router# show access-list template summary
Troubleshooting Tips
The following commands can be used to troubleshoot the Template ACL feature:
• show access-list template
• show platform hardware qfp active classification class-group-manager class-group client acl all
• show platform hardware qfp active feature acl {control | node acl-node-id}
• show platform software access-list
Configuration Examples for Template ACLs
Router> enable
Example Showing ACL Template Tree Information
Additional References
Related Documents
Technical Assistance
Description | Link
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. | http://www.cisco.com/cisco/web/support/index.html
Feature Information for ACL Template
CHAPTER 20
Turbo Access Control List Scalability Enhancements
The Turbo Access Control List (ACL) Scalability Enhancements feature improves overall performance on
the Cisco 7304 device using a Network Services Engine (NSE) by allowing Turbo ACLs to be processed in
PXF using less memory, thereby allowing more traffic traversing the Cisco 7304 device using an NSE to be
PXF-accelerated. This feature also introduces user-configuration options that allow users to define the amount
of memory used for Turbo ACL purposes in the Route Processor (RP) processing path.
Prerequisites for Turbo Access Control List Scalability Enhancements
How Turbo ACL on the Cisco 7304 Router Using an NSE Works
With the exception that most Turbo ACL classification is PXF-accelerated on a Cisco 7304 router using an NSE-100 or an NSE-150, Turbo ACL classification on the Cisco 7304 router using an NSE-100 or NSE-150 is similar in behavior to Turbo ACL on other platforms. For information on Turbo ACL, see Turbo Access Control Lists.
For information on PXF on Cisco 7304 routers using an NSE-100 or an NSE-150, including the Turbo ACL features that are PXF-accelerated, see PXF Information for the Cisco 7304 Router.
How Turbo ACL Scalability Enhancements on the NSEs Improves Overall PXF Performance
The memory allocated in PXF for Turbo Access Control Lists (ACLs) on the NSE-100 especially is limited
to the point where even modestly-sized ACL configurations cause a large amount of PXF memory to be used
for Turbo ACL processing. As a result, a large amount of network traffic that should be processed through
the PXF processing path is instead processed through the RP path.
This enhancement is part of a series of enhancements to improve Turbo ACL functionality on the Cisco 7304
router using the NSE-100. Specifically, this feature keeps the entries for PXF-based Turbo ACL classification
current by more actively removing older entries. The older entries, which are no longer used for current traffic
flows, still consume memory and, therefore, cause traffic that would normally be PXF-accelerated to instead
be punted to the RP. This portion of the feature, which does not require user configuration, improves overall
traffic flow on the Cisco 7304 router using an NSE by allowing more network traffic to be PXF-accelerated.
How Turbo ACL Scalability Enhancements on the NSEs Improves Overall Route Processing Performance
These Turbo ACL scalability enhancements also introduce an enhancement that allows users, via configuration
commands, to configure the amount of memory reserved for ACL processing on the RP. The ability to configure
the amount of memory reserved for ACL processing in the RP path gives users the option either to improve
ACL processing performance in the RP path by reserving more memory for ACL processing, or to improve
all other RP path functionality by reserving less memory for ACL processing.
In Cisco IOS releases not containing this feature, the amount of memory reserved for RP ACL handling is
fixed.
Understanding Memory Limits for Turbo ACL Processes on the Route Processor
An NSE-150 has 2 GB of DRAM. NSE-100 RAM is user-configurable using an SDRAM SODIMM. While
most NSE-100s have 512 MB of RAM, 256-MB and 128-MB SDRAM SODIMMs for the NSE-100 exist.
On a Cisco 7304 router using an NSE-150, the default memory limit for Turbo ACL processes (such as
classification, compilation, and table storage) of Layer 3 and Layer 4 data in the RP path is always 256 MB.
The default memory limit for Turbo ACL processes for Layer 2 data in the RP path for a Cisco 7304 router
using an NSE-150 is always 128 MB.
On a Cisco 7304 router using an NSE-100, the default amount of memory reserved for Turbo ACL processes in the RP path is dependent upon the amount of SDRAM configured on the NSE-100. If the NSE has 512 MB of SDRAM or more, the default memory limit for Turbo ACL processes for Layer 3 and Layer 4 traffic processing is 256 MB. If the processor has less than 512 MB of SDRAM, the default memory limit for Turbo ACL processes for Layer 3 and Layer 4 traffic is 128 MB.
The default amount of memory reserved for Layer 2 Turbo ACL processes for a Cisco 7304 router using an
NSE-100 is always 128 MB, regardless of the amount of memory configured on the processor.
To see the default amount of memory reserved for Layer 2 or for Layer 3 and Layer 4 Turbo ACL processing
on your Cisco 7304 router, enter the show access-list compiled command. The “Mb default limit” output,
which appears in both the “Compiled ACL statistics for IPv4” and “Compiled ACL statistics for Data-Link”
sections of the output, shows you the default memory reservations for either Layer 2 or Layer 3 and Layer 4
Turbo ACL processing. See "Monitoring Turbo ACL Memory Usage in the Route Processing Path" for a
more detailed explanation of this procedure.
To change the default amount of memory reserved for Layer 2 or Layer 3 and Layer 4 Turbo ACL processing on your Cisco 7304 router, enter the access-list compiled [ipv4 | data-link] limit memory number command.
To restore the default amount of memory reserved for Layer 2 or Layer 3 and Layer 4 Turbo ACL processing on your Cisco 7304 router, enter the default access-list compiled [ipv4 | data-link] limit memory command.
To learn more about the SDRAM SODIMMs that determine the amount of SDRAM available for Cisco 7304
routers using an NSE-100, see NSE-100 Memory Information.
Benefits
Improved Traffic Flow
This feature improves the Turbo ACL processing process in PXF by more expediently removing older entries.
As a result, more Turbo ACL processing can be done in the PXF processing path, thereby allowing more
router traffic to be accelerated using the PXF processing path.
SUMMARY STEPS
1. enable
2. show access-list compiled
DETAILED STEPS
Step 2 show access-list compiled Displays the status and condition of the Turbo ACL tables associated with each access list.
Example:
Router# show access-list compiled
• The output for show access-list compiled is separated for Layer 2 and for Layer 3 and Layer 4 data. Layer 3 and Layer 4 ACL compilation tables and information can be seen in the “Compiled ACL statistics for IPv4” section of the output, while Layer 2 ACL compilation tables and information can be seen in the “Compiled ACL statistics for Data-Link” section.
• The “mem limits” output shows the number of times a compile has occurred and the ACL has reached its configured limit.
• The “Mb limit” output shows the current memory limit setting.
• The “Mb max memory” output shows the maximum amount of memory the current ACL configuration could actually consume under maximum usage conditions.
For additional information and an example, see "Monitoring Memory Limitations for Layer 2 or Layer 3 and Layer 4 ACL Processing".
SUMMARY STEPS
1. enable
2. configure terminal
3. access-list compiled ipv4 limit memory number
DETAILED STEPS
Example:
Router# configure terminal
Step 3 access-list compiled ipv4 limit memory number   Specifies the limit, in megabytes, reserved for Turbo ACL instance 0, which is used for processing Layer 3 and Layer 4 data.
Removing Memory Limits for Turbo ACL Processing of Layer 3 and Layer 4 Data in the Route Processing Path
Removing all memory limits for Turbo ACL processes in the Route Processor allows all route processing
memory to be used for Turbo ACL processing of Layer 3 and Layer 4 data, if necessary. It is important to
note that this functionality is not used to remove a previously configured limit, even though it is a no form of
a command.
To remove all memory limits for Turbo ACL processing for Layer 3 and Layer 4 data and to allow as much
memory as needed for Layer 3 and Layer 4 Turbo ACL processing in the RP path, you must complete the
following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. no access-list compiled ipv4 limit memory
DETAILED STEPS
Example:
Router# configure terminal
Step 3 no access-list compiled ipv4 limit memory   Removes any memory limits for Layer 3 and Layer 4 Turbo ACL processing, thereby allowing all available memory to be used for Layer 3 and Layer 4 Turbo ACL processing, if necessary.
Example:
Router(config)# no access-list compiled ipv4 limit memory
Restoring the Default Memory Limits for Turbo ACL Processing of Layer 3 and 4 Data in the Route Processing Path
The default memory limit for Turbo ACL processing of Layer 3 and Layer 4 data in the RP path is always
256 MB on the NSE-150.
On the NSE-100, the default memory limit for Turbo ACL processing of Layer 3 and Layer 4 data in the RP path is dependent on the amount of memory on your NSE-100. If you have more than 512 MB of memory configured on your processor, your default memory limit for RP-based Turbo ACL processing is 256 MB. If you have less than 512 MB of memory, your default memory limit for RP-based Turbo ACL processing is 128 MB.
To restore the default RP memory limit settings for Turbo ACL processing of Layer 3 and Layer 4 traffic,
you must complete the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. default access-list compiled ipv4 limit memory
DETAILED STEPS
Example:
Router# configure terminal
Step 3 default access-list compiled ipv4 limit memory   Restores the default memory limit setting for Layer 3 and Layer 4 Turbo ACL traffic processing.
The default memory limit for Turbo ACL processing of Layer 3 and Layer 4 data in the RP path is always 256 MB on the NSE-150.
On the NSE-100, the default memory limit for Turbo ACL processing of Layer 3 and Layer 4 data in the RP path is dependent on the amount of memory on your NSE-100. If you have more than 512 MB of memory configured on your processor, your default memory limit for RP-based Turbo ACL processing is 256 MB. If you have less than 512 MB of memory, your default memory limit for RP-based Turbo ACL processing is 128 MB.
Example:
Router(config)# default access-list compiled ipv4 limit memory
SUMMARY STEPS
1. enable
2. configure terminal
3. access-list compiled data-link limit memory number
DETAILED STEPS
Example:
Router# configure terminal
Removing Memory Limits for Turbo ACL Processing of Layer 2 Data in the Route Processing Path
Removing all memory limits for Turbo ACL processing of Layer 2 data in the Route Processor allows all
route processing memory to be used for Turbo ACL processing of Layer 2 data, if necessary. It is important
to note that this functionality is not used to remove a previously configured limit, even though it is a no form
of a command.
To remove all RP-based memory limits for Turbo ACL processing for Layer 2 data and to allow as much
memory as needed for Layer 2 Turbo ACL processing, you must complete the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. no access-list compiled data-link limit memory
DETAILED STEPS
Example:
Router# configure terminal
Restoring the Default Memory Limits for Turbo ACL Processing of Layer 2 Data in the Route Processing Path
The default memory limit for Turbo ACL processing of Layer 2 data in the RP processing path is 128 MB
for the NSE-100 and NSE-150.
To restore the default RP-based memory limit setting for Turbo ACL processing of Layer 2 data, you must
complete the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. default access-list compiled data-link limit memory
DETAILED STEPS
Example:
Router# configure terminal
Step 3 default access-list compiled data-link limit memory   Restores the default memory limit setting for Layer 2 Turbo ACL processing. The default memory limit setting for Layer 2 Turbo ACL processing is always 128 MB.
Verifying Memory Limitation Settings for Turbo ACL Processing
SUMMARY STEPS
1. enable
2. show access-list compiled
DETAILED STEPS
Step 2 show access-list compiled   Displays the status and condition of the Turbo ACL tables associated with each access list.
Example:
Router# show access-list compiled
When using this command to verify memory limitation settings for Turbo ACL processing, look at the “Mb limit” output for both IPv4 and Data-Link. The new MB limit setting should be listed in the “Mb limit” output for IPv4 or Data-Link, depending on which memory limit was changed.
For an example of the show access-list compiled command with these outputs highlighted, see "Example Verifying ACL Memory Limit Configurations".
Example Monitoring Memory Limitations for Layer 2 or Layer 3 and Layer 4 ACL Processing
• The output for show access-list compiled is separated for Layer 2 and for Layer 3 and Layer 4 data.
Layer 3 and Layer 4 ACL compilation tables and information can be seen in the “Compiled ACL statistics
for IPv4” section of the output, while Layer 2 ACL compilation tables and information can be seen in
the “Compiled ACL statistics for Data-Link” section.
• The “mem limits” output shows the number of times a compile has occurred and the ACL has reached
its configured limit. If you have reached the configured limit numerous times, you may want to consider
modifying the memory limit to allow more memory. In this example, ACL memory for Layer 3 and
Layer 4 data has never reached its configured limit. The same is true for Layer 2 data in this example.
• The “Mb limit” output shows the current memory limit setting. In this example, the Layer 3 and Layer
4 memory limit was previously set to 65 MB (via the access-list compiled ipv4 limit memory 65
command), while the Layer 2 memory limit has not been changed from its default limit of 128 MB.
• The “Mb default limit” output shows the current default memory limit setting. If the default form of the
access-list compiled ipv4 limit memory command or access-list compiled data-link limit memory
command is entered, the “Mb default limit” will become the “Mb limit.” In this example, the default
limits are 256 MB for Layer 3 and Layer 4 data and 128 MB for Layer 2 data.
• The “Mb max memory” output shows the maximum amount of memory the current ACL configuration
could actually consume under maximum usage conditions. This number is helpful for configuring
memory limits for ACL processing. If you want to free up RP memory, for instance, and you have a
small number of ACLs with a low “max memory,” you could configure a reservation of a small amount
of memory for ACL processing using the access-list compiled [ipv4 | data-link] limit memory number
command, thereby freeing up memory for other RP processes. Conversely, if you have a high memory limit, you may want to use the access-list compiled [ipv4 | data-link] limit memory number command to commit more memory to ACL processing, or even the no access-list compiled [ipv4 | data-link] limit memory command to allow as much memory as is available for ACL processing. In this example, the max memory for the current Layer 3 and Layer 4 Turbo ACL configuration data on the router is 1 MB, and the max memory for Layer 2 Turbo ACL configuration data is 0 MB.
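As an added example (Python, not Cisco code), the following reads the four memory counters from show access-list compiled output and applies the guidance in the bullets above. The sample output is constructed in the shape of the fragment on this page, and the headroom ratio that assess() uses to call a limit well above current need is the example's own threshold, not a Cisco figure.

```python
"""Memory-counter check for 'show access-list compiled' output.

Added example, not Cisco code.  parse_compiled_stats() pulls the 'mem limits',
'Mb limit', 'Mb default limit' and 'Mb max memory' values out of the IPv4 and
Data-Link sections; assess() applies the guidance given in the bullets above.
SAMPLE_OUTPUT is constructed in the shape of the fragment shown on this page;
the headroom ratio in assess() is this example's own threshold."""
import re

SECTION_RE = re.compile(r"^Compiled ACL statistics for (IPv4|Data-Link)", re.M)
LIMITS_RE = re.compile(r"(\d+) mem limits, (\d+) Mb limit, "
                       r"(\d+) Mb default limit, (\d+) Mb max memory")

# Constructed: Layer 3/4 limit lowered to 65 MB (as in the example above) and
# never reached; Layer 2 left at its 128 MB default.
SAMPLE_OUTPUT = """\
Compiled ACL statistics for IPv4:
 12 ACLs, 9 active, 30 builds, 1020 entries, 1140 ms last compile
 0 history updates, 524288 history entries
 0 mem limits, 65 Mb limit, 256 Mb default limit, 1 Mb max memory
 0 compile failures, 0 priming failures
Compiled ACL statistics for Data-Link:
 19 ACLs, 13 active, 22 builds, 422 entries, 832 ms last compile
 0 history updates, 524288 history entries
 0 mem limits, 128 Mb limit, 128 Mb default limit, 0 Mb max memory
 0 compile failures, 0 priming failures
"""


def parse_compiled_stats(output: str) -> dict:
    """Return {'IPv4': {...}, 'Data-Link': {...}} for every section whose
    statistics line is present."""
    parts = SECTION_RE.split(output)   # ['', 'IPv4', body, 'Data-Link', body]
    stats = {}
    for name, body in zip(parts[1::2], parts[2::2]):
        m = LIMITS_RE.search(body)
        if m:
            hits, limit, default, max_mem = map(int, m.groups())
            stats[name] = {"mem_limits": hits, "limit_mb": limit,
                           "default_limit_mb": default, "max_memory_mb": max_mem}
    return stats


def assess(s: dict, headroom: int = 4) -> tuple:
    """(status, advice) for one section.  A non-zero 'mem limits' means a compile
    hit the configured limit: raise it with 'access-list compiled ... limit
    memory <n>' or lift it with the no form.  A limit more than `headroom` times
    'Mb max memory' could be lowered to free RP memory for other processes."""
    if s["mem_limits"] > 0:
        return ("limit-reached", f"compile hit the {s['limit_mb']} MB limit "
                f"{s['mem_limits']} time(s); raise or remove the limit")
    if s["limit_mb"] > headroom * max(s["max_memory_mb"], 1):
        return ("over-reserved", f"{s['limit_mb']} MB reserved, current ACLs need "
                f"at most {s['max_memory_mb']} MB; a smaller limit frees RP memory")
    return ("ok", "limit is in line with current need")


def report(output: str = SAMPLE_OUTPUT) -> dict:
    """Status per section, e.g. {'IPv4': ('over-reserved', ...), ...}."""
    return {name: assess(s) for name, s in parse_compiled_stats(output).items()}


if __name__ == "__main__":
    for section, (status, advice) in report().items():
        print(f"{section}: {status}: {advice}")
```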
Example Reserving a Set Amount of Memory for Layer 2 ACL Processing
Example Allowing All Available Memory to Be Used for Layer 2 ACL Processing
The following example allows Layer 2 ACL processing to use as much memory as is needed for Layer 2 ACL processing:
Example Restoring the Default Amount of Memory Reserved for Layer 2 ACL Processing
The following example restores the default amount of memory reserved for Layer 2 ACL processing in the
RP path:
default access-list compiled data-link limit memory
Example Reserving a Set Amount of Memory for Layer 3 and Layer 4 ACL Processing
The following example reserves 100 MB of memory for Layer 3 and Layer 4 ACL processing in the RP path:
Example Allowing All Available Memory to Be Used for Layer 3 and Layer 4 ACL Processing
The following example allows Layer 3 and Layer 4 ACL processing to use as much memory as is needed for
Layer 3 and Layer 4 ACL data:
Example Restoring the Default Amount of Memory Reserved for Layer 3 and Layer 4 ACL Processing
The following example restores the default amount of memory reserved for Layer 3 and Layer 4 ACL processing
in the RP path:
default access-list compiled ipv4 limit memory
Data-Link portion of the show access-list compiled output discussed in the monitoring example above:
int-l2-18 Operational 1 1 0 0
19 ACLs, 13 active, 22 builds, 422 entries, 832 ms last compile
0 history updates, 524288 history entries
0 mem limits, 128 Mb limit, 128 Mb default limit, 0 Mb max memory
0 compile failures, 0 priming failures
Overflows: L1 3
Table expands:[3]=3
L0: 593Kb 1013/1014 2/3
L1: 86Kb 1013/1518
Ex: 191Kb
Tl: 871Kb 2028 equivs (1013 dynamic)
Additional References
Related Documents
Related Topic | Document Title
Network Services Engines | Cisco 7304 Network Services Engine Installation and Configuration Guide
Standards
Standard | Title
None | --
MIBs
RFCs
RFC | Title
None | --
Technical Assistance
Description | Link
The Cisco Technical Support & Documentation website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, tools, and technical documentation. Registered Cisco.com users can log in from this page to access even more content. | http://www.cisco.com/techsupport
Glossary
Access Control List -- A list kept by routers to control access to or from the router for a number of services.
NSE -- network services engine. The Cisco 7304 router has two types of processor, the NSE and the network processing engine (NPE). Two versions of the NSE exist, the NSE-100 and the NSE-150.
RP -- Route Processor. One of two processing paths on a Cisco 7304 router using an NSE, with the Parallel eXpress Forwarding path being the other path. All traffic not supported in the PXF path on a Cisco 7304 router using an NSE is forwarded using the RP path.
Turbo Access Control Lists -- A Turbo Access Control list is an access list that more expediently processes traffic by compiling the ACLs into a set of lookup tables while still maintaining the match requirements.
PXF -- Parallel eXpress Forwarding. One of two processing paths on a Cisco 7304 router using an NSE, with the Route Processor (RP) path being the other path. The PXF processing path is used to accelerate the performance for certain supported features.
Note: See Internetworking Terms and Acronyms for terms not included in this glossary.
CHAPTER 21
IPv6 Secure Neighbor Discovery
IPv6 Secure Neighbor Discovery for Cisco software is one of several features that comprise first-hop security
functionality in IPv6.
IPv6 nodes use the Neighbor Discovery (ND) protocol to discover other nodes on the link, to determine their
link-layer addresses to find devices, and to maintain reachability information about the paths to active
neighbors. If not secured, the Neighbor Discovery protocol is vulnerable to various attacks.
Secure neighbor discovery (SeND) is designed to counter possible threats of the Neighbor Discovery protocol.
SeND defines a set of neighbor discovery options and two neighbor discovery messages. SeND also defines
a new autoconfiguration mechanism to establish address ownership.
Prerequisites for IPv6 Secure Neighbor Discovery
Complete the following tasks before you configure SeND on a host or device:
• Configure the host with one or more trust anchors.
• Configure the host with an RSA key pair or configure the host with the capability to generate an RSA
key pair locally. For hosts that do not establish their own authority using a trust anchor, these keys are
not certified by any certificate authority (CA).
• Configure devices with RSA keys and corresponding certificate chains, or the capability to obtain
certificate chains that match the host trust anchor at some level of the chain.
Nodes on the same link use neighbor discovery to detect each other’s presence and link-layer addresses, to
find devices, and to maintain reachability information about paths to active neighbors. Neighbor discovery is
used by both hosts and devices.
SeND Protocol
The SeND protocol counters ND threats. It defines a set of ND options, and two ND messages, Certification
Path Solicitation (CPS) and Certification Path Answer (CPA). It also defines an autoconfiguration mechanism
to be used in conjunction with these ND options to establish address ownership.
SeND uses the mechanisms described in the following sections to secure ND:
SeND Deployment Models
and CGA options, and have nonce, time stamp, and RSA neighbor discovery options. The figure below
illustrates this scenario.
devices using trusted anchors. When using RAs, devices must be authenticated through a trust anchor. The
figure below illustrates this scenario.
own range, certified by CA1, and so on. Part of the validation process when a certification chain is received
consists of validating the certification chain and the consistency of nested prefix ranges.
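As an added illustration of the nested-range check just described (example code written for this page, not Cisco IOS code or the guide's own), the following Python validates that every IPv6 prefix carried in a certification path lies inside a prefix authorised by the certificate above it, and then answers whether the leaf (the advertising device) may advertise a given prefix. The three-certificate chain and its prefixes are constructed for the example; signature verification of the chain is assumed to be done separately.

```python
"""Consistency check of nested IPv6 prefix ranges in a SeND certification path.

Added illustration, not Cisco IOS code.  Each certificate is modelled only by its
subject and the prefixes of its X509v3 IP extension; cryptographic validation of
the chain is assumed to happen elsewhere.
"""
import ipaddress

# Constructed certification path, trust anchor first, advertising device last.
# The prefixes stand in for the "X509v3 IP Extension: IPv6:" field of each certificate.
SAMPLE_CHAIN = [
    {"subject": "cn=CA0", "prefixes": ["2001::/16"]},
    {"subject": "cn=CA1", "prefixes": ["2001:100::/32", "2001:200::/32"]},
    {"subject": "cn=device", "prefixes": ["2001:100:1::/48"]},
]


def _networks(cert):
    """Parse a certificate's IP extension prefixes into IPv6Network objects."""
    return [ipaddress.IPv6Network(p) for p in cert["prefixes"]]


def _covered(child, parent_nets):
    """True if the child prefix lies entirely inside one of the parent's prefixes."""
    return any(child.subnet_of(parent) for parent in parent_nets)


def validate_prefix_chain(chain):
    """Return (ok, problems).

    Every prefix in a certificate must be nested inside a prefix of its issuer,
    the certificate immediately above it in the path; the trust anchor's own
    range is taken as given.
    """
    problems = []
    for issuer, subject in zip(chain, chain[1:]):
        issuer_nets = _networks(issuer)
        for net in _networks(subject):
            if not _covered(net, issuer_nets):
                problems.append(f"{subject['subject']}: {net} not within range of {issuer['subject']}")
    return (not problems), problems


def authorised_to_advertise(chain, prefix):
    """A device may advertise prefix only if the chain is consistent and the
    prefix is inside the range certified for the leaf certificate."""
    ok, _ = validate_prefix_chain(chain)
    if not ok:
        return False
    return _covered(ipaddress.IPv6Network(prefix), _networks(chain[-1]))


if __name__ == "__main__":
    print(validate_prefix_chain(SAMPLE_CHAIN))
    print(authorised_to_advertise(SAMPLE_CHAIN, "2001:100:1:1::/64"))
    print(authorised_to_advertise(SAMPLE_CHAIN, "2001:200:1::/48"))
```

A prefix that is inside an intermediate CA's range but outside the leaf's own range is still refused, which is the case the text's "consistency of nested prefix ranges" guards against.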
How to Configure IPv6 Secure Neighbor Discovery
Configuring Certificate Servers to Enable SeND
certificates. Once the certificate server is configured, other parameters for the certificate server can be
configured.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip http server
4. crypto pki trustpoint name
5. ip-extension [multicast | unicast] {inherit [ipv4 | ipv6] | prefix ipaddress | range min-ipaddress
max-ipaddress}
6. revocation-check {crl | none | ocsp}
7. exit
8. crypto pki server name
9. grant auto
10. cdp-url url-name
11. no shutdown
DETAILED STEPS
Example:
Device# configure terminal
Example:
Device(config)# ip http server
Step 4 crypto pki trustpoint name
(Optional) Declares the trustpoint that your certificate server should use, and enters ca-trustpoint configuration mode.
• If you plan to use X.509 IP extensions, use this command. To automatically generate a CS trustpoint, go to Step 8.
Example:
Device(config)# crypto pki trustpoint name1
Step 6 revocation-check {crl | none | ocsp}
(Optional) Sets a method for revocation checking.
Example:
Device(ca-trustpoint)# revocation-check crl
Example:
Device(ca-trustpoint)# exit
Step 8 crypto pki server name
Configures the PKI server, and places the device in server configuration mode.
Example:
Device(config)# crypto pki server server1
Example:
Device(config-server)# grant auto
Step 10 cdp-url url-name
(Optional) Sets the URL name if the host is using a certificate revocation list (CRL).
Example:
Device(config-server)# cdp-url http://10.165.202.129/server1.crl
Example:
Device(config-server)# no shutdown
Configuring a Host to Enable SeND
1. enable
2. configure terminal
3. crypto key generate rsa [general-keys | usage-keys | signature | encryption] [label key-label]
[exportable] [modulus modulus-size] [storage devicename:] [on devicename:]
4. ipv6 cga modifier rsakeypair key-label sec-level {0 | 1}
5. crypto pki trustpoint name
6. enrollment [mode] [retry period minutes] [retry count number] url url [pem]
7. revocation-check {crl | none | ocsp}
8. exit
9. crypto pki authenticate name
10. ipv6 nd secured sec-level minimum value
11. interface type number
12. ipv6 cga rsakeypair key-label
13. ipv6 address ipv6-address / prefix-length link-local cga
14. ipv6 nd secured trustanchor trustanchor-name
15. ipv6 nd secured timestamp {delta value | fuzz value}
16. exit
17. ipv6 nd secured full-secure
DETAILED STEPS
Example:
Device# configure terminal
Step 3 crypto key generate rsa [general-keys | usage-keys | signature | encryption] [label key-label] [exportable] [modulus modulus-size] [storage devicename:] [on devicename:]
Configures the RSA key.
Example:
Device(config)# crypto key generate rsa label SEND modulus 1024
Step 4 ipv6 cga modifier rsakeypair key-label sec-level {0 | 1}
Enables the RSA key to be used by SeND (generates the modifier).
Example:
Device(config)# ipv6 cga modifier rsakeypair SEND sec-level 1
Step 5 crypto pki trustpoint name
Specifies the node trustpoint and enters ca-trustpoint configuration mode.
Example:
Device(config)# crypto pki trustpoint SEND
Step 6 enrollment [mode] [retry period minutes] [retry count number] url url [pem]
Specifies the enrollment parameters of a CA.
Example:
Device(ca-trustpoint)# enrollment url http://10.165.200.254
Example:
Device(ca-trustpoint)# revocation-check none
Example:
Device(ca-trustpoint)# exit
Step 9 crypto pki authenticate name
Authenticates the certification authority by getting the certificate of the CA.
Example:
Device(config)# crypto pki authenticate SEND
Example:
Device(config)# ipv6 nd secured sec-level minimum 1
Example:
Device(config-if)# ipv6 cga rsakeypair SEND
Step 13 ipv6 address ipv6-address / prefix-length link-local cga
Configures an IPv6 link-local address for the interface, and enables IPv6 processing on the interface.
Example:
Step 15 ipv6 nd secured timestamp {delta value | fuzz value}
(Optional) Configures the timing parameters.
Example:
Device(config-if)# ipv6 nd secured timestamp delta 300
Example:
Device(config-if)# exit
Example:
Device(config)# ipv6 nd secured full-secure
Configuring a Device to Enable SeND
1. enable
2. configure terminal
3. crypto key generate rsa [general-keys | usage-keys | signature | encryption] [label key-label]
[exportable] [modulus modulus-size] [storage devicename:] [on devicename:]
4. ipv6 cga modifier rsakeypair key-label sec-level {0 | 1}
5. crypto pki trustpoint name
6. subject-name [attr tag] [eq | ne | co | nc] string
7. rsakeypair key-label
8. revocation-check {crl | none | ocsp}
9. exit
10. crypto pki authenticate name
11. crypto pki enroll name
12. ipv6 nd secured sec-level minimum value
13. interface type number
14. ipv6 cga rsakeypair key-label
15. ipv6 address ipv6-address link-local cga
16. ipv6 nd secured trustanchor trustpoint-name
17. ipv6 nd secured timestamp {delta value | fuzz value}
18. exit
19. ipv6 nd secured full-secure
DETAILED STEPS
Example:
Device# configure terminal
Step 3 crypto key generate rsa [general-keys | usage-keys | signature | encryption] [label key-label] [exportable] [modulus modulus-size] [storage devicename:] [on devicename:]
Configures the RSA key.
Example:
Device(config)# crypto key generate rsa label SEND modulus 1024
Step 4 ipv6 cga modifier rsakeypair key-label sec-level {0 | 1}
Enables the RSA key to be used by SeND (generates the modifier).
Example:
Device(config)# ipv6 cga modifier rsakeypair SEND sec-level 1
Step 5 crypto pki trustpoint name
Configures PKI for a single or multiple-tier CA, specifies the device trustpoint, and places the device in ca-trustpoint configuration mode.
Example:
Step 6 subject-name [attr tag] [eq | ne | co | nc] string
Creates a rule entry.
Example:
Device(ca-trustpoint)# subject-name C=FR, ST=PACA, L=Example, O=Cisco, OU=NSSTG, CN=device
Step 7 rsakeypair key-label
Binds the RSA key pair for SeND.
Example:
Device(ca-trustpoint)# rsakeypair SEND
Step 8 revocation-check {crl | none | ocsp}
Sets one or more methods of revocation.
Example:
Device(ca-trustpoint)# revocation-check none
Example:
Device(ca-trustpoint)# exit
Step 10 crypto pki authenticate name
Authenticates the certification authority by getting the certificate of the CA.
Example:
Device(config)# crypto pki authenticate SEND
Example:
Device(config)# crypto pki enroll SEND
Step 12 ipv6 nd secured sec-level minimum value
(Optional) Configures CGA and provides additional parameters such as security level and key size.
Example:
Device(config)# ipv6 nd secured sec-level minimum 1
Step 13 interface type number
Specifies an interface type and number, and places the device in interface configuration mode.
Example:
Device(config)# interface fastethernet 0/0
Example:
Device(config-if)# ipv6 cga rsakeypair SEND
Step 15 ipv6 address ipv6-address link-local cga
Configures an IPv6 link-local address for the interface and enables IPv6 processing on the interface.
Example:
Step 16 ipv6 nd secured trustanchor trustpoint-name
(Optional) Configures trusted anchors to be preferred for certificate validation.
Example:
Device(config-if)# ipv6 nd secured trustanchor SEND
Step 17 ipv6 nd secured timestamp {delta value | fuzz value}
(Optional) Configures the timing parameters.
Example:
Device(config-if)# ipv6 nd secured timestamp delta 300
Example:
Device(config-if)# exit
Generating the RSA Key Pair and CGA Modifier for the Key Pair
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto key generate rsa [general-keys | usage-keys | signature | encryption] [label key-label]
[exportable] [modulus modulus-size] [storage devicename:] [on devicename:]
4. ipv6 cga modifier rsakeypair key-label sec-level {0 | 1}
DETAILED STEPS
Example:
Device# configure terminal
Step 3 crypto key generate rsa [general-keys | usage-keys | signature | encryption] [label key-label] [exportable] [modulus modulus-size] [storage devicename:] [on devicename:]
Generates RSA key pairs.
Example:
Device(config)# crypto key generate rsa label SEND
Configuring Certificate Enrollment for a PKI
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto pki trustpoint name
4. subject-name x.500-name
5. enrollment [mode] [retry period minutes] [retry count number] url url [pem]
6. serial-number [none]
7. auto-enroll [percent] [regenerate]
8. password string
9. rsakeypair key-label [key-size [encryption-key-size]]
10. fingerprint ca-fingerprint
11. ip-extension [multicast | unicast] {inherit [ipv4 | ipv6] | prefix ipaddress | range min-ipaddress
max-ipaddress}
12. exit
13. crypto pki authenticate name
14. exit
DETAILED STEPS
Example:
Device# configure terminal
Step 3 crypto pki trustpoint name
Declares the trustpoint that your device should use and enters ca-trustpoint configuration mode.
Example:
Device(config)# crypto pki trustpoint trustpoint1
Step 4 subject-name x.500-name
Specifies the subject name in the certificate request.
Example:
Device(ca-trustpoint)# subject-name name1
Step 5 enrollment [mode] [retry period minutes] [retry count number] url url [pem]
Specifies the URL of the CA to which your device should send certificate requests.
Example:
Device(ca-trustpoint)# enrollment url http://name1.example.com
Step 6 serial-number [none]
(Optional) Specifies the device serial number in the certificate request.
Example:
Device(ca-trustpoint)# serial-number
Step 8 password string
(Optional) Specifies the revocation password for the certificate.
Example:
Device(ca-trustpoint)# password password1
Step 9 rsakeypair key-label [key-size [encryption-key-size]]
Specifies which key pair to associate with the certificate.
Example:
Device(ca-trustpoint)# rsakeypair SEND
Step 11 ip-extension [multicast | unicast] {inherit [ipv4 | ipv6] | prefix ipaddress | range min-ipaddress max-ipaddress}
Adds IP extensions (IPv6 prefixes or range) to verify the prefix list the device is allowed to advertise.
Example:
Device(ca-trustpoint)# ip-extension unicast prefix 2001:100:1://48
Step 13 crypto pki authenticate name
Retrieves and authenticates the CA certificate.
• This command is optional if the CA certificate is already loaded into the configuration.
Example:
Device(config)# crypto pki authenticate name1
Configuring a Cryptographically Generated Address
SUMMARY STEPS
1. enable
2. configure terminal
3. ipv6 nd secured sec-level [minimum value]
4. ipv6 nd secured key-length [[minimum | maximum] value]
DETAILED STEPS
Example:
Device# configure terminal
Step 3 ipv6 nd secured sec-level [minimum value]
Configures the SeND security level.
Example:
Device(config)# ipv6 nd secured sec-level minimum 1
Step 4 ipv6 nd secured key-length [[minimum | maximum] value]
Configures SeND key-length options.
Example:
Device(config)# ipv6 nd secured key-length minimum 512
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ipv6 cga rsakeypair key-label
5. ipv6 address {ipv6-address/prefix-length [cga] | prefix-name sub-bits/prefix-length [cga]}
DETAILED STEPS
Example:
Device# configure terminal
Step 3 interface type number
Specifies an interface type and number, and places the device in interface configuration mode.
Example:
Device(config)# interface Ethernet 0/0
Step 4 ipv6 cga rsakeypair key-label
Specifies which RSA key pair should be used on a specified interface.
Example:
Device(config-if)# ipv6 cga rsakeypair SEND
Step 5 ipv6 address {ipv6-address/prefix-length [cga] | prefix-name sub-bits/prefix-length [cga]}
Configures an IPv6 address based on an IPv6 general prefix and enables IPv6 processing on an interface.
• The cga keyword generates a CGA address.
Note The CGA link-local addresses must be configured by using the ipv6 address link-local command.
Example:
Device(config-if)# ipv6 address 2001:0DB8:1:1::/64 cga
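The modifier generated by the ipv6 cga modifier command and the address produced by ipv6 address ... cga follow RFC 3972. As an added example written for this page (not Cisco IOS code and not part of the guide), the following Python implements that CGA generation and the receiver-side verification a SeND node performs on the CGA option of an incoming ND message. SAMPLE_PUBLIC_KEY is a constructed placeholder for the DER-encoded public key of the SEND key pair, and 2001:db8:1:1::/64 is a documentation prefix chosen here; the sec level is the value set with sec-level {0 | 1}.

```python
"""RFC 3972 Cryptographically Generated Addresses: generation and verification.

Added illustration, not Cisco IOS code.  The modifier search is the work the
"ipv6 cga modifier rsakeypair ... sec-level" command performs once per key; the
interface identifier derivation is what "ipv6 address ... cga" does per prefix.
"""
import hashlib
import ipaddress

# Constructed placeholder for the DER-encoded SubjectPublicKeyInfo of the RSA key
# pair labelled SEND.  A real node hashes the actual key encoding.
SAMPLE_PUBLIC_KEY = b"constructed-placeholder-for-DER-encoded-RSA-public-key-SEND"
# Documentation prefix chosen for this example.
SAMPLE_PREFIX = ipaddress.IPv6Network("2001:db8:1:1::/64")


def _hash1(modifier, prefix, collision_count, pubkey):
    """Leftmost 64 bits of SHA-1(modifier || subnet prefix || collision count || key)."""
    data = modifier + prefix.network_address.packed[:8] + bytes([collision_count]) + pubkey
    return hashlib.sha1(data).digest()[:8]


def _hash2(modifier, pubkey):
    """Leftmost 112 bits of SHA-1(modifier || 9 zero bytes || key)."""
    return hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest()[:14]


def _leading_zero_bits(data):
    """Count leading zero bits of a byte string."""
    count = 0
    for byte in data:
        if byte:
            return count + 8 - byte.bit_length()
        count += 8
    return count


def _interface_id(hash1, sec):
    """Write Sec into the three leftmost bits and clear the u/g bits (bits 6 and 7)."""
    iid = bytearray(hash1)
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    return bytes(iid)


def cga_sec_level(address):
    """Sec is carried in the three leftmost bits of the interface identifier."""
    return address.packed[8] >> 5


def generate_cga(prefix, pubkey, sec, modifier=b"\x00" * 16, collision_count=0):
    """Return (IPv6Address, modifier) for the given /64 prefix, key and Sec.

    For Sec > 0 the modifier is incremented until Hash2 starts with 16*Sec zero
    bits; this is what makes finding another key that maps to the same address
    2**(16*Sec) times more expensive than a plain 64-bit hash.
    """
    if not (0 <= sec <= 7 and 0 <= collision_count <= 2 and prefix.prefixlen == 64):
        raise ValueError("sec must be 0..7, collision_count 0..2, prefix a /64")
    mod = int.from_bytes(modifier, "big")
    while sec and _leading_zero_bits(_hash2(mod.to_bytes(16, "big"), pubkey)) < 16 * sec:
        mod = (mod + 1) % (1 << 128)
    mod_bytes = mod.to_bytes(16, "big")
    iid = _interface_id(_hash1(mod_bytes, prefix, collision_count, pubkey), sec)
    return ipaddress.IPv6Address(prefix.network_address.packed[:8] + iid), mod_bytes


def verify_cga(address, pubkey, modifier, collision_count=0):
    """Receiver-side check from RFC 3972 section 5.

    The CGA option of a SeND message carries modifier, collision count and public
    key; the address under test is the packet's source address.
    """
    if collision_count > 2:
        return False
    packed = address.packed
    prefix = ipaddress.IPv6Network((packed[:8] + b"\x00" * 8, 64))
    sec = cga_sec_level(address)
    expected = _interface_id(_hash1(modifier, prefix, collision_count, pubkey), sec)
    if expected != packed[8:]:
        return False
    return _leading_zero_bits(_hash2(modifier, pubkey)) >= 16 * sec


if __name__ == "__main__":
    addr, mod = generate_cga(SAMPLE_PREFIX, SAMPLE_PUBLIC_KEY, sec=1)
    print("CGA:", addr, "sec:", cga_sec_level(addr), "modifier:", mod.hex())
    print("verifies with own key:", verify_cga(addr, SAMPLE_PUBLIC_KEY, mod))
    print("verifies with other key:", verify_cga(addr, b"another-key", mod))
```

Sec 1 makes generation take on the order of 65,536 hash computations, which is why the guide has the modifier generated once per key rather than per address; verification is a single pass regardless of Sec, so the cost falls on the address owner, not on peers.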
Configuring SeND Parameters
A CA certificate must be uploaded for the referred trustpoint, which is a trusted anchor.
Several trustpoints, pointing to the same RSA keys, can be configured on a given interface. This function is
useful if different hosts have different trusted anchors (that is, CAs that they trust). The device can then provide
each host with the certificate signed by the CA it trusts.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto key generate rsa [general-keys | usage-keys | signature | encryption] [label key-label]
[exportable] [modulus modulus-size] [storage devicename:] [on devicename:]
4. ipv6 cga modifier rsakeypair key-label sec-level {0 | 1}
5. crypto pki trustpoint name
6. subject-name [x.500-name]
7. rsakeypair key-label [ key-size [encryption-key-size]]
8. enrollment terminal [pem]
9. ip-extension [multicast | unicast] {inherit [ipv4 | ipv6] | prefix ipaddress | range min-ipaddress
max-ipaddress}
10. exit
11. crypto pki authenticate name
12. crypto pki enroll name
13. crypto pki import name certificate
14. interface type number
15. ipv6 nd secured trustpoint trustpoint-name
DETAILED STEPS
Example:
Device# configure terminal
Step 3 crypto key generate rsa [general-keys | usage-keys | signature | encryption] [label key-label] [exportable] [modulus modulus-size] [storage devicename:] [on devicename:]
Generates RSA key pairs.
Example:
Device(config)# crypto key generate rsa label SEND
Step 4 ipv6 cga modifier rsakeypair key-label sec-level {0 | 1}
Generates the CGA modifier for a specified RSA key, which enables the key to be used by SeND.
Example:
Device(config)# ipv6 cga modifier rsakeypair SEND sec-level 1
Step 5 crypto pki trustpoint name
Defines the trustpoint that the device should use, and enters ca-trustpoint configuration mode.
Example:
Device(config)# crypto pki trustpoint trustpoint1
Step 6 subject-name [x.500-name]
Specifies the subject name in the certificate request.
Example:
Device(ca-trustpoint)# subject-name name1
Step 7 rsakeypair key-label [key-size [encryption-key-size]]
Specifies which key pair to associate with the certificate.
Example:
Device(ca-trustpoint)# rsakeypair SEND
Example:
Device(ca-trustpoint)# enrollment terminal
Step 9 ip-extension [multicast | unicast] {inherit [ipv4 | ipv6] | prefix ipaddress | range min-ipaddress max-ipaddress}
Adds IP extensions to the device certificate request.
Example:
Device(ca-trustpoint)# ip-extension unicast prefix 2001:100:1://48
Step 12 crypto pki enroll name
Obtains the certificates for your device from the CA.
Example:
Device(config)# crypto pki enroll trustpoint1
Step 13 crypto pki import name certificate
Imports a certificate manually using TFTP or the cut-and-paste method at the terminal.
Example:
Device(config)# crypto pki import trustpoint1 certificate
Step 14 interface type number
Specifies an interface type and number, and places the device in interface configuration mode.
Example:
Device(config)# interface Ethernet 0/0
Step 15 ipv6 nd secured trustpoint trustpoint-name
Enables SeND on an interface, and specifies which trustpoint should be used.
Example:
Device(config-if)# ipv6 nd secured trustpoint trustpoint1
The trust anchor configuration is accomplished by binding SeND to one or several PKI trustpoints. PKI is
used to upload the corresponding certificates, which contain the required parameters, such as name and key.
This optional task allows you to select the trust anchors listed in the CPS when requesting a certificate.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto pki trustpoint name
4. enrollment terminal [pem]
5. exit
6. crypto pki authenticate name
7. interface type number
8. ipv6 nd secured trustanchor trustanchor-name
DETAILED STEPS
Example:
Device# configure terminal
Step 3 crypto pki trustpoint name
Defines the trustpoint for the device to use, and enters ca-trustpoint configuration mode.
Example:
Device(config)# crypto pki trustpoint anchor1
Example:
Device(ca-trustpoint)# enrollment terminal
Example:
Device(ca-trustpoint)# exit
Step 6 crypto pki authenticate name
Authenticates the certification authority by getting the certificate of the CA.
Example:
Device(config)# crypto pki authenticate anchor1
Step 8 ipv6 nd secured trustanchor trustanchor-name
Configures a trusted anchor on an interface, and binds SeND to a trustpoint.
Example:
Device(config-if)# ipv6 nd secured trustanchor anchor1
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ipv6 nd secured trustpoint trustpoint-name
5. no ipv6 nd secured full-secure
DETAILED STEPS
Example:
Device# configure terminal
Step 4 ipv6 nd secured trustpoint trustpoint-name
Enables SeND on an interface and specifies which trustpoint should be used.
Example:
Device(config-if)# ipv6 nd secured trustpoint trustpoint1
Step 5 no ipv6 nd secured full-secure
Provides the coexistence mode for secure and nonsecure ND messages on the same interface.
Example:
Device(config-if)# no ipv6 nd secured full-secure
SUMMARY STEPS
1. enable
2. configure terminal
3. ipv6 nd secured key-length [[minimum | maximum] value]
4. ipv6 nd secured sec-level minimum value
DETAILED STEPS
Example:
Device# configure terminal
Example:
Device(config)# ipv6 nd secured key-length minimum 512
Step 4 ipv6 nd secured sec-level minimum value
Configures the minimum security level value that can be accepted from peers.
Example:
Device(config)# ipv6 nd secured sec-level minimum 2
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ipv6 nd secured timestamp {delta value | fuzz value}
DETAILED STEPS
Example:
Device# configure terminal
Step 3 interface type number
Specifies an interface type and number, and places the device in interface configuration mode.
Example:
Device(config)# interface Ethernet 0/0
Example:
Device(config-if)# ipv6 nd secured timestamp delta 600
Configuration Examples for IPv6 Secure Neighbor Discovery
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
c=FR
st=fr
l=example
o=cisco
ou=nsstg
cn=CA0
Subject:
c=FR
st=fr
l=example
o=cisco
ou=nsstg
cn=CA0
Validity Date:
start date: 09:50:52 GMT Feb 5 2009
end date: 09:50:52 GMT Jan 6 2011
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Signature Algorithm: MD5 with RSA Encryption
Fingerprint MD5: 87DB764F 29367A65 D05CEE3D C12E0AC3
Fingerprint SHA1: 04A06602 86AA72E9 43F2DB33 4A7D40A2 E2ED3325
X509v3 extensions:
X509v3 Key Usage: 86000000
Digital Signature
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: 75B477C6 B2CA7BBE C7866657 57C84A32 90CEFB5A
X509v3 Basic Constraints:
CA: TRUE
X509v3 Authority Key ID: 75B477C6 B2CA7BBE C7866657 57C84A32 90CEFB5A
Authority Info Access:
X509v3 IP Extension:
IPv6:
2001::/16
Associated Trustpoints: CA
Example: Configuring a Host to Enable SeND
Building configuration...
[snip]
crypto pki trustpoint SEND
enrollment url http://10.165.200.225
revocation-check none
!
interface Ethernet1/0
ip address 10.165.202.129 255.255.255.0
duplex half
ipv6 cga rsakeypair SEND
ipv6 address 2001:100::/64 cga
Example: Configuring a Device to Enable SeND
Certificate
Status: Available
Certificate Serial Number: 0x15
Certificate Usage: General Purpose
Issuer:
cn=CA
Subject:
Name: Device
hostname=Device
c=FR
st=fr
l=example
o=cisco
ou=nsstg
cn=device
Validity Date:
start date: 09:40:38 UTC Feb 5 2009
end date: 09:40:38 UTC Feb 5 2010
Associated Trustpoints: SEND
CA Certificate
Status: Available
Certificate Serial Number: 0x1
Certificate Usage: Signature
Issuer:
cn=CA
Subject:
cn=CA
Validity Date:
start date: 10:54:53 UTC Jun 20 2008
end date: 10:54:53 UTC Jun 20 2011
Associated Trustpoints: SEND
To verify the configuration, use the show running-config command:
Building configuration...
[snip]
crypto pki trustpoint SEND
enrollment url http://209.165.201.1
subject-name C=FR, ST=fr, L=example, O=cisco, OU=nsstg, CN=device
revocation-check none
rsakeypair SEND
!
interface Ethernet1/0
ip address 209.165.200.225 255.255.255.0
duplex half
ipv6 cga rsakeypair SEND
ipv6 address FE80:: link-local cga
ipv6 address 2001:100::/64 cga
Additional References
Related Documents
Standards and RFCs
Standard/RFC: RFCs for IPv6
Title: IPv6 RFCs
MIBs
Technical Assistance
Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/cisco/web/support/index.html
Feature Information for IPv6 Secure Neighbor Discovery
Glossary
• CA—certification authority.