Configuring Layer 4 ACL

The Layer 3 Extended IP ACL also supports filtering traffic on the Layer 4 fields of a packet, such as the TCP source port/destination port range, the TCP ACK/RST flags, the UDP source port/destination port range, and ICMP message types and codes.

TCP Filter Configuration

  1. For TCP Filter Configuration, execute the following commands.

    Type the following:

    • Enter the Global Configuration Mode.
    iS5comm# configure terminal
    • Create an extended IP access list.
    iS5comm(config)# ip access-list extended 1002
    • Configure the permit action for TCP packet flow with any TCP port number.
    iS5comm(config-ext-nacl)# permit TCP any any
    Note:

    Similarly, for deny, the rule will be deny tcp any any

    • Exit the IP Extended Configuration Mode.
    iS5comm(config-ext-nacl)# end
  2. Configure a filter for Port 1 at the ingress direction.

    Type the following:

    • Enter the Global Configuration Mode, and then Interface Configuration Mode.
    iS5comm# configure terminal
    iS5comm(config)# interface gigabitethernet 0/1
    • Configure an ACL for the gigabitethernet 0/1 port on the ingress side.
    iS5comm(config-if)# ip access-group 1002 in
    • Exit the Interface Configuration Mode.
    iS5comm(config-if)# end
  3. View the configuration by executing the following command.

    Type the following:

    iS5comm# show access-lists ip 1002
    Extended IP Access List 1002
    ----------------------------
    Filter Priority                  : 1
    IP address Type                  : IPV4
    Source IP address                : 0.0.0.0
    Source IP address mask           : 0.0.0.0
    Source IP Prefix Length          : 0
    Destination IP address           : 0.0.0.0
    Destination IP address mask      : 0.0.0.0
    Destination IP Prefix Length     : 0
    Flow Identifier                  : 0
    In Port List                     : Gi0/1
    Out Port List                    : NIL
    Filter TOS                       : Invalid combination
    Filter DSCP                      : NIL
    Filter Source Ports From         : 0
    Filter Source Ports Till         : 65535
    Filter Destination Ports From    : 0
    Filter Destination Ports Till    : 65535
    Filter Action                    : Permit
    Redirect Port List               : NIL
    TrafficDistField                 : Unknown
    Sub Action                       : NONE
    Sub Action Id                    : 0
    Status                           : Active

UDP Filter Configuration

  1. For UDP Filter Configuration, execute the following commands.

    Type the following:

    • Enter the Global Configuration Mode.
    iS5comm# configure terminal
    • Create an extended IP access list.
    iS5comm(config)# ip access-list extended 1008
    • Configure a deny rule for UDP packets with destination UDP port number 63.
    iS5comm(config-ext-nacl)# deny udp any any eq 63
    Note:

    Similarly, for permit, the rule will be permit udp any any eq 63

    • Exit the IP Extended Configuration Mode.
    iS5comm(config-ext-nacl)# end
  2. Configure a filter for Port 1 at the ingress direction.

    Type the following:

    • Enter the Global Configuration Mode, and then Interface Configuration Mode.
    iS5comm# configure terminal
    iS5comm(config)# interface gigabitethernet 0/1
    • Configure an ACL for the gigabitethernet 0/1 port on the ingress side.
    iS5comm(config-if)# ip access-group 1008 in
    • Exit the Interface Configuration Mode.
    iS5comm(config-if)# end
  3. View the configuration by executing the following command.

    Type the following:

    iS5comm# show access-lists ip 1008
    Extended IP Access List 1008
    ----------------------------
    Filter Priority                  : 1
    Filter Protocol Type             : UDP
    IP address Type                  : IPV4
    Source IP address                : 0.0.0.0
    Source IP address mask           : 0.0.0.0
    Source IP Prefix Length          : 0
    Destination IP address           : 0.0.0.0
    Destination IP address mask      : 0.0.0.0
    Destination IP Prefix Length     : 0
    Flow Identifier                  : 0
    In Port List                     : Gi0/1
    Out Port List                    : NIL
    Filter TOS                       : Invalid combination
    Filter DSCP                      : NIL
    Filter Source Ports From         : 0
    Filter Source Ports Till         : 65535
    Filter Destination Ports From    : 63
    Filter Destination Ports Till    : 63
    Filter Action                    : Deny
    Redirect Port List               : NIL
    TrafficDistField                 : Unknown
    Sub Action                       : NONE
    Sub Action Id                    : 0
    Status                           : Active
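The two show outputs above are easier to read once you see how the CLI keywords map onto them: "any" becomes address 0.0.0.0 with mask 0.0.0.0, omitting a port keyword becomes the full range 0 to 65535, and "eq 63" becomes From 63 / Till 63. The following Python model, added here as an example and not iS5comm firmware or vendor code, parses the two rule strings from the TCP and UDP sections into rule objects, renders the same fields the show command prints, and evaluates constructed sample packets against each list. Assumptions beyond the page: the model accepts an A.B.C.D/len prefix in place of "any", rules are checked in order with the first match deciding, and because the page does not say what the switch does with traffic matching no rule, that outcome is left to a caller-supplied default.

```python
"""Model of the Layer 4 extended IP ACL rules configured above.
Added example, not iS5comm code. Parses CLI rule strings, mirrors the
'show access-lists ip' fields, and matches constructed sample packets."""

from dataclasses import dataclass
import ipaddress

# "any" in the CLI shows up as address 0.0.0.0 / mask 0.0.0.0 in the
# show output; no port keyword shows up as the full range 0..65535.
ANY_NET = ipaddress.ip_network("0.0.0.0/0")
FULL_PORT_RANGE = (0, 65535)


@dataclass
class AclRule:
    action: str                 # "permit" or "deny"
    protocol: str               # "tcp" or "udp"
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    src_ports: tuple = FULL_PORT_RANGE   # inclusive (from, till)
    dst_ports: tuple = FULL_PORT_RANGE

    def matches(self, pkt):
        return (pkt.protocol == self.protocol
                and ipaddress.ip_address(pkt.src_ip) in self.src_net
                and ipaddress.ip_address(pkt.dst_ip) in self.dst_net
                and self.src_ports[0] <= pkt.src_port <= self.src_ports[1]
                and self.dst_ports[0] <= pkt.dst_port <= self.dst_ports[1])


@dataclass
class Packet:
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def _parse_address(tokens, pos):
    """'any' -> 0.0.0.0/0; otherwise an A.B.C.D/len prefix (the prefix
    form is an assumed extension; the page only shows 'any')."""
    if tokens[pos] == "any":
        return ANY_NET, pos + 1
    return ipaddress.ip_network(tokens[pos], strict=False), pos + 1


def _parse_ports(tokens, pos):
    """Optional port match after an address: 'eq N' gives the single-port
    range N..N (From 63 / Till 63 in the show output); no keyword keeps
    the full 0..65535 range."""
    if pos < len(tokens) and tokens[pos] == "eq":
        port = int(tokens[pos + 1])
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        return (port, port), pos + 2
    return FULL_PORT_RANGE, pos


def parse_rule(cli_line):
    """Turn 'permit tcp any any' or 'deny udp any any eq 63' into an AclRule."""
    tokens = cli_line.lower().split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny") \
            or tokens[1] not in ("tcp", "udp"):
        raise ValueError(f"unsupported rule: {cli_line!r}")
    src_net, pos = _parse_address(tokens, 2)
    src_ports, pos = _parse_ports(tokens, pos)
    dst_net, pos = _parse_address(tokens, pos)
    dst_ports, pos = _parse_ports(tokens, pos)
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in rule: {cli_line!r}")
    return AclRule(tokens[0], tokens[1], src_net, dst_net, src_ports, dst_ports)


def show_fields(rule):
    """Render the rule as the fields 'show access-lists ip' prints."""
    return {
        "Filter Protocol Type": rule.protocol.upper(),
        "Source IP address": str(rule.src_net.network_address),
        "Source IP address mask": str(rule.src_net.netmask),
        "Destination IP address": str(rule.dst_net.network_address),
        "Destination IP address mask": str(rule.dst_net.netmask),
        "Filter Source Ports From": rule.src_ports[0],
        "Filter Source Ports Till": rule.src_ports[1],
        "Filter Destination Ports From": rule.dst_ports[0],
        "Filter Destination Ports Till": rule.dst_ports[1],
        "Filter Action": rule.action.capitalize(),
    }


def evaluate(rules, pkt, default_action=None):
    """First matching rule decides. The page does not state what the switch
    does with traffic that matches no rule, so the caller supplies
    default_action (assumption); None means 'no rule matched'."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default_action


if __name__ == "__main__":
    acl_1002 = [parse_rule("permit tcp any any")]
    acl_1008 = [parse_rule("deny udp any any eq 63")]
    # Constructed sample packets, not captured traffic.
    samples = {"tcp/22": Packet("tcp", "10.0.0.5", "10.0.1.7", 40000, 22),
               "udp/63": Packet("udp", "10.0.0.5", "10.0.1.7", 5000, 63),
               "udp/64": Packet("udp", "10.0.0.5", "10.0.1.7", 5000, 64)}
    for name, pkt in samples.items():
        print(f"{name}: 1002={evaluate(acl_1002, pkt)} 1008={evaluate(acl_1008, pkt)}")
    for key, value in show_fields(acl_1008[0]).items():
        print(f"{key:<32}: {value}")
```

Running the model shows the point the two show outputs make quietly: list 1002 permits only TCP (a UDP datagram matches nothing in it), and list 1008 denies UDP only when the destination port is exactly 63, so UDP to port 64 falls through to whatever the switch applies to unmatched traffic.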