IOS-XR ACLs

Posted on Fri 06 September 2019 in Network

ACLs

Configure

IPv4

Create ACL

IPv4 ACL configuration in IOS XR is pretty similar to IOS::

RP/0/0/CPU0:router(config)#ipv4 access-list TEST
RP/0/0/CPU0:router(config-ipv4-acl)#remark FIRST
RP/0/0/CPU0:router(config-ipv4-acl)#permit icmp any any echo
RP/0/0/CPU0:router(config-ipv4-acl)#permit icmp any any echo-reply 
RP/0/0/CPU0:router(config-ipv4-acl)#permit icmp any any ttl-exceeded 
RP/0/0/CPU0:router(config-ipv4-acl)#permit icmp any any unreachable  
RP/0/0/CPU0:router(config-ipv4-acl)#permit icmp any any packet-too-big 
RP/0/0/CPU0:router(config-ipv4-acl)#deny icmp any any 
RP/0/0/CPU0:router(config-ipv4-acl)#exit
RP/0/0/CPU0:router(config)#commit

Apply ACL

The ACL can then be applied to an interface with the following::

RP/0/0/CPU0:router(config)#interface g0/0/0/0
RP/0/0/CPU0:router(config-if)#ipv4 access-group TEST ingress

Implicit Entries

Every IPv4 ACL in IOS XR has the following implicit statement as its last match entry::

deny ipv4 any any

The ACL must have at least one (1) explicit entry for the implicit deny ipv4 any any statement to take effect.

IPv6

Create ACL

IPv6 ACL configuration in IOS XR is pretty similar to IOS::

RP/0/0/CPU0:router(config)#ipv6 access-list TEST6
RP/0/0/CPU0:router(config-ipv6-acl)#remark FIRST!
RP/0/0/CPU0:router(config-ipv6-acl)#permit icmp any any echo
RP/0/0/CPU0:router(config-ipv6-acl)#permit icmp any any echo-reply 
RP/0/0/CPU0:router(config-ipv6-acl)#permit icmp any any ttl        
RP/0/0/CPU0:router(config-ipv6-acl)#permit icmp any any ttl-exceeded 
RP/0/0/CPU0:router(config-ipv6-acl)#permit icmp any any unreachable  
RP/0/0/CPU0:router(config-ipv6-acl)#permit icmp any any packet-too-big 
RP/0/0/CPU0:router(config-ipv6-acl)#deny icmp any any

Apply ACL

The ACL can then be applied to an interface with the following::

RP/0/0/CPU0:router(config)#interface g0/0/0/0
RP/0/0/CPU0:router(config-if)#ipv4 access-group TEST6 egress

Implicit Entries

Every IPv6 ACL in IOS XR has the folling implicit statements as its last match entries::

permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any

The first two entries allow for ICMPv6 neighbor discovery by default. The ACL must have at least one (1) explicit entry for the implicit deny ipv6 any any statement to take effect.

Hardware Counters

Hardware counters are disabled by default for IPv4. They can be enabled per-interface and per-ACL using the following::

RP/0/0/CPU0:router(config)#interface *interface-name*
RP/0/0/CPU0:router(config-if)#ipv4 access-group *acl-name* { ingress | egress } hardware-count