Using and Configuring IP ACLs

Configuring IP ACLs

From Figure 13-4 Network Example - IP ACL for Internal Servers, the following information is available:


  • Source IP address
  • Source netmask
  • Destination IP address
  • Destination netmask
  • Type of protocol to deny - IP
  • Ports
  • VLAN


Using a Deny IP ACL to Block Network Traffic


In this example, a network is shown with a Finance server on one part of the network, and an Engineering server on another part. 

You want to block the Engineering server from the Finance server in order to protect company sensitive information. 


See Configuring an Internal Deny ACL to review the configuration sample.



Figure 13-4 - Network Example - IP ACL for Internal Servers


Or, you may discover that an external source is attempting to access your network, and ping your servers for IP addresses. 

You can use an ACL to block the specific source using an IP ACL.



Figure 13-5 - IP ACL Blocking External Access


See Configuring an External Deny ACL to review the configuration example.


Using IP ACLs to Allow Network Traffic

In the same manner, you can allow specific traffic to a destination such as the external server as shown in Figure 2 - IP ACL Blocking External Access.

To allow HTTP traffic to, see Configuring an External Allow IP ACL to review the configuration example.


Configuring an Internal Deny ACL


Let’s configure the ACL for denying traffic from the Engineering server to the Finance server and name the ACL, deny-finance:

CLI (network-admin@Leaf1) >  acl-ip-create name deny-finance action deny scope local src-ip src-ip-mask 24 dst-ip dst-ip-netmask 24 proto ip src-port 55 dst-port 33 vlan 1505


To review the configuration, use the acl-ip-show command:


CLI (network-admin@Leaf1) >  acl-ip-show name deny-hr layout vertical


name:                  deny-ip

id:                    b00011:20

action:                deny

proto:                 ip


src-port:              55


dst-port:              33

vlan:                  1505

scope:                 local

port:                  0



Now, when you attempt to access the Finance server from the Engineering server, the packets are dropped.


Configuring an External Deny ACL


From Figure 2 IP ACL Blocking External Access, you can see the following information:


  • IP Address
  • Port Number

To configure an ACL to deny traffic from the external server, use the acl-ip-create command to create an ACL named deny-external:

CLI (network-admin@Leaf1) >  acl-ip-create name deny-external scope fabric src-ip


To review the configuration, use the acl-ip-show command:


CLI (network-admin@Leaf1) >  acl-ip-show name deny-external layout vertical


name:               deny-external

id:                 b000022:20

action:             deny

proto:              tcp


src-port:           0

dst-ip:             ::/0

dst-port:           0

vlan:               0

scope:              fabric

port:               0


Configuring an External Allow IP ACL


To allow HTTP traffic to the external server, with a netmask of and a scope of fabric, you can create an IP ACL called allow-http using the following syntax:

CLI (network-admin@Leaf1) >  acl-ip-create name allow-http permit scope fabric src-ip src-ip-mask dst-ip dst-ip-mask protocol tcp dst-port 57


To review the configuration, use the acl-ip-show command:


CLI (network-admin@Leaf1) > >acl-ip-show name allow-http layout vertical


name:               allow-http

id:                 b000025:20

action:             allow

proto:              tcp


src-port:           0


dst-port:           57

vlan:               0

scope:              fabric

port:               0



To delete the ACL configuration, use the acl-ip-delete command.


To modify the ACL configuration, use the acl-ip-modify command.