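Here is the step-by-step configuration for implementing access lists (ACLs) on Cisco routers such as the ASR9000 running IOS-XR, using object-groups for simplicity and convenience. The resulting ACL permits TCP traffic to the SSH port from 192.168.0.0/24, denies it from every other source, and permits all other IPv4 traffic.
1. Create object-group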
object-group network ipv4 allowed_ip
192.168.0.0/24
object-group port allowed_port
eq ssh
2. Create ACL
ipv4 access-list ACL88
10 permit tcp net-group allowed_ip any port-group allowed_port
20 deny tcp any any port-group allowed_port
30 permit ipv4 any any
3. Apply ACL
interface Te0/0/0/0
ipv4 access-group ACL88 egress
Verification:
show object-group network ipv4 allowed_ip
show object-group port allowed_port
show access-lists ACL88
show access-lists ACL88 expanded
show access-lists ACL88 object-groups
show access-lists ACL88 usage pfilter location all
Sample Output:
RP/0/RSP0/CPU0:CISCO-IOSXR#show object-group network ipv4 allowed_ip
object-group network ipv4 allowed_ip
members:
192.168.0.0/24
RP/0/RSP0/CPU0:CISCO-IOSXR#show object-group port allowed_port
object-group port allowed_port
members:
eq 22
RP/0/RSP0/CPU0:CISCO-IOSXR#show access-lists ACL88
ipv4 access-list ACL88
10 permit tcp net-group allowed_ip any port-group allowed_port
20 deny tcp any any port-group allowed_port
30 permit ipv4 any any
RP/0/RSP0/CPU0:CISCO-IOSXR#show access-lists ACL88 expanded
ipv4 access-list ACL88
10 permit tcp 192.168.0.0 0.0.0.255 any eq ssh
20 deny tcp any any eq ssh
30 permit ipv4 any any
RP/0/RSP0/CPU0:CISCO-IOSXR#show access-lists ACL88 object-groups
ACL Name : ACL88
Network Object-group :
allowed_ip
—————————
Total 1
Port Object-group :
allowed_port
—————————
Total 1
RP/0/RSP0/CPU0:CISCO-IOSXR#show access-lists ACL88 usage pfilter location all
Interface : TenGigE0/0/0/0
Input ACL : N/A
Output ACL : ACL88
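The first-match logic of ACL88 and the object-group expansion shown in the expanded output can be checked offline before the ACL is applied. The script below is an added example, not part of the original post and not a Cisco tool; the names parse, evaluate and PORT_NAMES are hypothetical, and the parser assumes only the syntax used in steps 1 and 2.

```python
import ipaddress

# Configuration from steps 1 and 2 of the page, embedded as text.
CONFIG = """
object-group network ipv4 allowed_ip
 192.168.0.0/24
object-group port allowed_port
 eq ssh
ipv4 access-list ACL88
 10 permit tcp net-group allowed_ip any port-group allowed_port
 20 deny tcp any any port-group allowed_port
 30 permit ipv4 any any
"""
PORT_NAMES = {"ssh": 22}  # only the port keyword used on the page

def parse(config):
    """Return the ACEs with object-group references resolved to their members."""
    nets, ports, aces, members = {}, {}, [], None
    for w in (line.split() for line in config.splitlines() if line.strip()):
        if w[:3] == ["object-group", "network", "ipv4"]:
            members = nets.setdefault(w[3], [])
        elif w[:2] == ["object-group", "port"]:
            members = ports.setdefault(w[2], [])
        elif w[:2] == ["ipv4", "access-list"]:
            members = aces
        elif members is aces:
            seq, action, proto, rest = int(w[0]), w[1], w[2], w[3:]
            def addr():  # "any" -> None, "net-group NAME" -> list of networks
                return nets[rest.pop(0)] if rest.pop(0) == "net-group" else None
            src, dst = addr(), addr()
            dports = ports[rest[1]] if rest[:1] == ["port-group"] else None
            aces.append((seq, action, proto, src, dst, dports))
        elif w[0] == "eq":
            members.append(PORT_NAMES.get(w[1]) or int(w[1]))
        else:
            members.append(ipaddress.ip_network(w[0]))
    return aces

def evaluate(aces, proto, src, dst, dport=None):
    """First-match evaluation; returns (sequence number, action)."""
    def hit(nets, ip):
        return nets is None or any(ipaddress.ip_address(ip) in n for n in nets)
    for seq, action, p, s, d, dports in aces:
        if p in ("ipv4", proto) and hit(s, src) and hit(d, dst) \
                and (dports is None or dport in dports):
            return seq, action
    return None, "deny"  # implicit deny when no entry matches

ACL88 = parse(CONFIG)
```

Calling evaluate(ACL88, "tcp", source, destination, 22) with a source inside 192.168.0.0/24 matches sequence 10, while any other source falls through to the deny at sequence 20.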
Here’s an equivalent ACL configuration on a Huawei router -> ACL Configuration on Huawei Router using IP and Source Pool