An Access Control List (ACL) is a set of rules permitting or denying access based on source and destination IP addresses or subnets, protocol, and application ports. You create a list using the accessList command and add match statements using one of the accessList rule commands. When you specify a list name for either command, if the named list does not exist, the system creates it.
Note: Although the accessList rule command is technically a single command with parameters that vary depending on the arguments supplied (a type-based view), for clarity it is presented as multiple commands here, based on the protocol type.
When you create a rule for an ACL, you associate a "precedence" with the rule using the ruleIndex argument. When more than one rule applies to an individual packet, the rule with the lowest ruleIndex is selected. Give more specific rules a lower ruleIndex value; otherwise a broader rule with higher precedence shadows them and they are never applied. For example, if rule #1 denies all ICMP traffic, and rule #2 permits ICMP echo requests, echo requests are dropped because rule #1, with higher precedence, denied ICMP. Every access list ends with an implicit "deny all" rule. If traffic does not match any of the configured rules, it is handled by the implicit deny and dropped. This rule cannot be deleted or modified.
Once an ACL is created, it is applied to one or more IP interfaces with the accessGroup command. Every IP interface can support one inbound and one outbound ACL and a single ACL can be applied to many interfaces. Each vRouter can support up to four lists, and each list can support up to 256 rules. Rules within an access list can be added, deleted, modified, enabled, and disabled. Access control lists are enabled by default.
Both source and destination addresses are optional filters, and each can be entered in any of the formats below; the source and destination need not use the same format. Use the following formats for the ruleSrcAddrs or ruleDstAddrs arguments to define match criteria for permitting or denying traffic.
Format | Description | Example |
---|---|---|
any | Permits or denies all addresses (default). | any |
hostAddress | Specifies a single host address to permit or deny. | 10.10.10.3 |
lo-hiAddress | Specifies an address range to permit or deny. | 10.10.10.1-10.10.10.255 |
address/mask | Specifies a subnet to permit or deny. | 10.10.10.3/255.255.255.0 |
address/hostMask | Specifies a subnet to permit or deny (reverses the mask bits of the address/mask format). | 10.10.10.3/0.0.0.255 |
address/netBits | Uses a CIDR-style subnet to specify which addresses to permit or deny. | 192.168.1.0/24 |
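The following is an added example, not the vRouter's own code: a small Python model of the rule selection described above (lowest ruleIndex wins, implicit deny all at the end) over address specs written in the formats from the table. It assumes ICMP echo requests are matched as ICMP type 8, which the page does not state, and it reproduces the shadowed "deny ICMP before permit echo" ordering beside the corrected one.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# Added example (not the vRouter's own code): a model of how an ACL picks a rule.
# Address specs use the table's formats; ipaddress.ip_network() accepts the
# address/mask, address/hostMask and address/netBits forms directly.

def parse_addr(spec: str) -> Callable[[str], bool]:
    """Return a matcher for one ruleSrcAddrs / ruleDstAddrs value."""
    if spec == "any":
        return lambda ip: True
    if "-" in spec:  # lo-hiAddress
        lo, hi = (int(ipaddress.ip_address(a)) for a in spec.split("-", 1))
        return lambda ip: lo <= int(ipaddress.ip_address(ip)) <= hi
    if "/" in spec:  # address/mask, address/hostMask, address/netBits
        net = ipaddress.ip_network(spec, strict=False)
        return lambda ip: ipaddress.ip_address(ip) in net
    host = ipaddress.ip_address(spec)  # hostAddress
    return lambda ip: ipaddress.ip_address(ip) == host

@dataclass
class Rule:
    rule_index: int          # precedence: the lowest matching ruleIndex wins
    action: str              # "permit" or "deny"
    proto: str = "any"       # ruleProto, as a name or protocol-number string
    src: str = "any"         # ruleSrcAddrs
    dst: str = "any"         # ruleDstAddrs
    icmp_type: Optional[int] = None  # assumption: echo requests = ICMP type 8
    enabled: bool = True     # disabled rules are skipped

def matches(rule: Rule, pkt: dict) -> bool:
    return (rule.enabled
            and rule.proto in ("any", pkt["proto"])
            and parse_addr(rule.src)(pkt["src"])
            and parse_addr(rule.dst)(pkt["dst"])
            and rule.icmp_type in (None, pkt.get("icmp_type")))

def evaluate(acl: list, pkt: dict) -> tuple:
    """Return (action, ruleIndex); the implicit deny-all reports index None."""
    for rule in sorted(acl, key=lambda r: r.rule_index):
        if matches(rule, pkt):
            return rule.action, rule.rule_index
    return "deny", None  # implicit "deny all": cannot be deleted or modified

# Constructed sample: the shadowed ordering from the text, then the corrected one.
ECHO_REQUEST = {"proto": "icmp", "src": "10.10.10.3", "dst": "192.168.1.10", "icmp_type": 8}
SHADOWED = [Rule(1, "deny", "icmp"), Rule(2, "permit", "icmp", icmp_type=8)]
FIXED = [Rule(1, "permit", "icmp", icmp_type=8), Rule(2, "deny", "icmp")]
```

With SHADOWED, `evaluate` returns `('deny', 1)` for the echo request; with FIXED it returns `('permit', 1)`, and a packet matching no rule falls through to `('deny', None)`.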
The following protocols can be specified as a match for filtering. Any of these values can be used with the ruleProto argument to define match criteria for permitting or denying traffic. For well-known protocols, you can supply a name or an integer (names are listed in the table below). For less common protocols, use the protocol number as assigned by the Internet Assigned Numbers Authority (http://www.iana.org/numbers.html).
Protocol | Definition |
---|---|
integer (1-255) | Represents an IP protocol number |
ah | Authentication Header (RFC 2402) |
any | Matches any protocol |
comp | IP Compression (RFC 3173) |
egp | External Gateway Protocol (RFC 827) |
esp | Encapsulating Security Payload (RFC 2406) |
gre | Generic Routing Encapsulation (RFC 2784) |
icmp | Internet Control Message Protocol (RFC 2463) |
idrp | Inter-Domain Routing Protocol (RFC 1745) |
igmp | Internet Group Management Protocol (RFC 3228) |
igrp | Interior Gateway Routing Protocol (RFC 2072) |
isis | Intermediate System-to-Intermediate System (RFC 1142) |
ospf | Open Shortest Path First (RFC 2740) |
rsvp | Resource Reservation Protocol (RFC 2205) |
tcp | Transmission Control Protocol (RFC 1213) |
udp | User Datagram Protocol (RFC 1213) |
vrrp | Virtual Router Redundancy Protocol (RFC 2338) |