Configuring IP ACLs PDF

58 Pages·2017·1.78 MB·English

Configuring IP ACLs

This chapter describes how to configure IP access control lists (ACLs) on Cisco NX-OS devices. Unless otherwise specified, the term IP ACL refers to IPv4 and IPv6 ACLs.

This chapter includes the following sections:
• About ACLs, on page 1
• Licensing Requirements for IP ACLs, on page 14
• Prerequisites for IP ACLs, on page 14
• Guidelines and Limitations for IP ACLs, on page 15
• Default Settings for IP ACLs, on page 17
• Configuring IP ACLs, on page 17
• Verifying the IP ACL Configuration, on page 41
• Monitoring and Clearing IP ACL Statistics, on page 43
• Configuration Examples for IP ACLs, on page 43
• Configuring Object Groups, on page 44
• Verifying the Object-Group Configuration, on page 49
• Configuring Time-Ranges, on page 49
• Verifying the Time-Range Configuration, on page 54

About ACLs

An ACL is an ordered set of rules that you can use to filter traffic. Each rule specifies a set of conditions that a packet must satisfy to match the rule. When the device determines that an ACL applies to a packet, it tests the packet against the conditions of all rules. The first matching rule determines whether the packet is permitted or denied. If there is no match, the device applies the applicable implicit rule. The device continues processing packets that are permitted and drops packets that are denied.

You can use ACLs to protect networks and specific hosts from unnecessary or unwanted traffic. For example, you could use ACLs to disallow HTTP traffic from a high-security network to the Internet. You could also use ACLs to allow HTTP traffic but only to specific sites, using the IP address of the site to identify it in an IP ACL.

ACL Types and Applications

The device supports the following types of ACLs for security traffic filtering:

IPv4 ACLs
The device applies IPv4 ACLs only to IPv4 traffic.

IPv6 ACLs
The device applies IPv6 ACLs only to IPv6 traffic.

MAC ACLs
The device applies MAC ACLs only to non-IP traffic.

IP and MAC ACLs have the following types of applications:

Port ACL
Filters Layer 2 traffic

Router ACL
Filters Layer 3 traffic

VLAN ACL
Filters VLAN traffic

VTY ACL
Filters virtual teletype (VTY) traffic

This table summarizes the applications for security ACLs.
Table 1: Security ACL Applications

Port ACL
  Supported interfaces: Layer 2 interfaces; Layer 2 Ethernet port-channel interfaces.
  Note: When a port ACL is applied to a trunk port, the ACL filters traffic on all VLANs on the trunk port.
  Types of ACLs supported: IPv4 ACLs, IPv6 ACLs, MAC ACLs.

Router ACL
  Supported interfaces: VLAN interfaces; physical Layer 3 interfaces; Layer 3 Ethernet subinterfaces; Layer 3 Ethernet port-channel interfaces; management interfaces.
  Note: You must enable VLAN interfaces globally before you can configure a VLAN interface.
  Types of ACLs supported: IPv4 ACLs, IPv6 ACLs.
  Note: MAC ACLs are supported on Layer 3 interfaces only if you enable MAC packet classification.
  Note: Egress router ACLs are not supported on subinterfaces and on Cisco Nexus 9300 Series switch uplink ports.

VLAN ACL
  Supported interfaces: VLANs.
  Types of ACLs supported: IPv4 ACLs, IPv6 ACLs, MAC ACLs.

VTY ACL
  Supported interfaces: VTYs.
  Types of ACLs supported: IPv4 ACLs, IPv6 ACLs.

Related Topics
About VLAN ACLs
About MAC ACLs

Order of ACL Application

When the device processes a packet, it determines the forwarding path of the packet. The path determines which ACLs the device applies to the traffic. The device applies the ACLs in the following order:
1. Port ACL
2. Ingress VACL
3. Ingress router ACL
4. Ingress VTY ACL
5. Egress VTY ACL
6. Egress router ACL
7. Egress VACL

If the packet is bridged within the ingress VLAN, the device does not apply router ACLs.

Figure 1: Order of ACL Application
The following figure shows the order in which the device applies ACLs.

Figure 2: ACLs and Packet Flow
The following figure shows where the device applies ACLs, depending upon the type of ACL. The red path indicates a packet sent to a destination on a different interface than its source. The blue path indicates a packet that is bridged within its VLAN.

The device applies only the applicable ACLs. For example, if the ingress port is a Layer 2 port and the traffic is on a VLAN that is a VLAN interface, a port ACL and a router ACL both can apply. In addition, if a VACL is applied to the VLAN, the device applies that ACL too.
About Rules

Rules are what you create, modify, and remove when you configure how an ACL filters network traffic. Rules appear in the running configuration. When you apply an ACL to an interface or change a rule within an ACL that is already applied to an interface, the supervisor module creates ACL entries from the rules in the running configuration and sends those ACL entries to the applicable I/O module. Depending upon how you configure the ACL, there may be more ACL entries than rules, especially if you implement policy-based ACLs by using object groups when you configure rules.

You can create rules in access-list configuration mode by using the permit or deny command. The device allows traffic that matches the criteria in a permit rule and blocks traffic that matches the criteria in a deny rule. You have many options for configuring the criteria that traffic must meet in order to match the rule.

This section describes some of the options that you can use when you configure a rule.

Protocols for IP ACLs and MAC ACLs

IPv4, IPv6, and MAC ACLs allow you to identify traffic by protocol. For your convenience, you can specify some protocols by name. For example, in an IPv4 or IPv6 ACL, you can specify ICMP by name.

You can specify any protocol by number. In MAC ACLs, you can specify protocols by the EtherType number of the protocol, which is a hexadecimal number. For example, you can use 0x0800 to specify IP traffic in a MAC ACL rule.

In IPv4 and IPv6 ACLs, you can specify protocols by the integer that represents the Internet protocol number.

Source and Destination

In each rule, you specify the source and the destination of the traffic that matches the rule. You can specify both the source and destination as a specific host, a network or group of hosts, or any host. How you specify the source and destination depends on whether you are configuring IPv4 ACLs, IPv6 ACLs, or MAC ACLs.

Implicit Rules for IP and MAC ACLs

IP and MAC ACLs have implicit rules, which means that although these rules do not appear in the running configuration, the device applies them to traffic when no other rules in an ACL match. When you configure the device to maintain per-rule statistics for an ACL, the device does not maintain statistics for implicit rules.
All IPv4 ACLs include the following implicit rule:

  deny ip any any

This implicit rule ensures that the device denies unmatched IP traffic.

All IPv6 ACLs include the following implicit rule:

  deny ipv6 any any

This implicit rule ensures that the device denies unmatched IPv6 traffic.

Note: IPv6 nd-na, nd-ns, router-advertisement, and router-solicitation packets are not permitted by any implicit permit rule on an IPv6 ACL; they fall through to the implicit deny. You must add the following rules explicitly to allow them:
• permit icmp any any nd-na
• permit icmp any any nd-ns
• permit icmp any any router-advertisement
• permit icmp any any router-solicitation

All MAC ACLs include the following implicit rule:

  deny any any protocol

This implicit rule ensures that the device denies the unmatched traffic, regardless of the protocol specified in the Layer 2 header of the traffic.

Additional Filtering Options

You can identify traffic by using additional options. These options differ by ACL type. The following list includes most but not all additional filtering options:

• IPv4 ACLs support the following additional filtering options:
  • Layer 4 protocol
  • TCP and UDP ports
  • ICMP types and codes
  • IGMP types
  • Precedence level
  • Differentiated Services Code Point (DSCP) value
  • TCP packets with the ACK, FIN, PSH, RST, SYN, or URG bit set
  • Established TCP connections
  • Packet length
• IPv6 ACLs support the following additional filtering options:
  • Layer 4 protocol
  • Encapsulating Security Payload
  • Payload Compression Protocol
  • Stream Control Transmission Protocol (SCTP)
  • SCTP, TCP, and UDP ports
  • ICMP types and codes
  • DSCP value
  • TCP packets with the ACK, FIN, PSH, RST, SYN, or URG bit set
  • Established TCP connections
  • Packet length
• MAC ACLs support the following additional filtering options:
  • Layer 3 protocol (Ethertype)
  • VLAN ID
  • Class of Service (CoS)

Sequence Numbers

The device supports sequence numbers for rules. Every rule that you enter receives a sequence number, either assigned by you or assigned automatically by the device. Sequence numbers simplify the following ACL tasks:

Adding new rules between existing rules
By specifying the sequence number, you specify where in the ACL a new rule should be positioned. For example, if you need to insert a rule between rules numbered 100 and 110, you could assign a sequence number of 105 to the new rule.

Removing a rule
Without using a sequence number, removing a rule requires that you enter the whole rule, as follows:

  switch(config-acl)# no permit tcp 10.0.0.0/8 any

However, if the same rule had a sequence number of 101, removing the rule requires only the following command:

  switch(config-acl)# no 101

Moving a rule
With sequence numbers, if you need to move a rule to a different position within an ACL, you can add a second instance of the rule using the sequence number that positions it correctly, and then you can remove the original instance of the rule. This action allows you to move the rule without disrupting traffic.

If you enter a rule without a sequence number, the device adds the rule to the end of the ACL and assigns the rule a sequence number that is 10 greater than the sequence number of the preceding rule. For example, if the last rule in an ACL has a sequence number of 225 and you add a rule without a sequence number, the device assigns the sequence number 235 to the new rule.

In addition, Cisco NX-OS allows you to reassign sequence numbers to rules in an ACL. Resequencing is useful when an ACL has rules numbered contiguously, such as 100 and 101, and you need to insert one or more rules between those rules.

Logical Operators and Logical Operation Units

IP ACL rules for TCP and UDP traffic can use logical operators to filter traffic based on port numbers. Cisco NX-OS supports logical operators in only the ingress direction.

The device stores operator-operand couples in registers called logical operator units (LOUs). The LOU usage for each type of operator is as follows:

eq
Is never stored in an LOU

gt
Uses 1 LOU

lt
Uses 1 LOU

neq
Uses 1 LOU

range
Uses 1 LOU

IPv4 ACL Logging

The IPv4 ACL logging feature monitors IPv4 ACL flows and logs statistics.
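The rule handling described in the Implicit Rules and Sequence Numbers sections above, as an added Python model that is not Cisco code and not part of this chapter: rules are evaluated in sequence-number order, the first match decides, unmatched traffic falls to the implicit deny (which keeps no statistics), a rule entered without a sequence number gets the preceding one plus 10, and rules can be inserted, removed and resequenced by number. The Rule and IpAcl classes and the sample prefixes are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str      # "permit" or "deny"
    proto: str       # "ip" matches any IP protocol; otherwise "tcp", "udp", "icmp", ...
    src: str         # CIDR prefix or "any"
    dst: str         # CIDR prefix or "any"
    hits: int = 0    # per-rule statistics; only explicit rules are counted

    def matches(self, proto, src_ip, dst_ip):
        if self.proto != "ip" and self.proto != proto:
            return False
        return all(net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)
                   for net, ip in ((self.src, src_ip), (self.dst, dst_ip)))

class IpAcl:
    def __init__(self):
        self.rules = {}  # sequence number -> Rule, evaluated in ascending order

    def add(self, rule, seq=None):
        if seq is None:  # no sequence given: append, 10 greater than the last rule
            seq = max(self.rules) + 10 if self.rules else 10
        self.rules[seq] = rule
        return seq

    def remove(self, seq):  # the equivalent of "no <seq>" instead of retyping the rule
        del self.rules[seq]

    def resequence(self, start=10, step=10):
        ordered = [self.rules[s] for s in sorted(self.rules)]
        self.rules = {start + i * step: r for i, r in enumerate(ordered)}

    def evaluate(self, proto, src_ip, dst_ip):
        """First matching rule decides; unmatched traffic hits the implicit deny."""
        for seq in sorted(self.rules):
            if self.rules[seq].matches(proto, src_ip, dst_ip):
                self.rules[seq].hits += 1
                return self.rules[seq].action
        return "deny"  # implicit "deny ip any any": no statistics are kept for it

def demo():
    acl = IpAcl()
    acl.add(Rule("permit", "icmp", "any", "any"), seq=100)
    acl.add(Rule("deny", "ip", "10.1.0.0/16", "any"), seq=110)
    auto = acl.add(Rule("permit", "tcp", "10.0.0.0/8", "any"))     # gets 120
    before = acl.evaluate("tcp", "10.1.5.9", "192.0.2.1")          # deny, by rule 110
    acl.add(Rule("permit", "tcp", "10.1.5.0/24", "any"), seq=105)  # between 100 and 110
    after = acl.evaluate("tcp", "10.1.5.9", "192.0.2.1")           # permit, by rule 105
    unmatched = acl.evaluate("udp", "10.2.0.1", "192.0.2.1")       # implicit deny
    acl.remove(105)
    acl.resequence()                                               # 100/110/120 -> 10/20/30
    return auto, before, after, unmatched, sorted(acl.rules), acl.rules[20].hits
```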
A flow is defined by the source interface, protocol, source IP address, source port, destination IP address, and destination port values. The statistics maintained for a flow include the number of forwarded packets (for each flow that matches the permit conditions of the ACL entry) and dropped packets (for each flow that matches the deny conditions of the ACL entry).

Time Ranges

You can use time ranges to control when an ACL rule is in effect. For example, if the device determines that a particular ACL applies to traffic arriving on an interface, and a rule in the ACL uses a time range that is not in effect, the device does not compare the traffic to that rule. The device evaluates time ranges based on its clock.

When you apply an ACL that uses time ranges, the device updates the affected I/O module whenever a time range referenced in the ACL starts or ends. Updates that are initiated by time ranges occur on a best-effort priority. If the device is especially busy when a time range causes an update, the device may delay the update by up to a few seconds.

IPv4, IPv6, and MAC ACLs support time ranges. When the device applies an ACL to traffic, the rules in effect are as follows:
• All rules without a time range specified
• Rules with a time range that includes the second when the device applies the ACL to traffic

The device supports named, reusable time ranges, which allows you to configure a time range once and specify it by name when you configure many ACL rules. Time range names have a maximum length of 64 alphanumeric characters.

A time range contains one or more rules. The two types of rules are as follows:

Absolute
A rule with a specific start date and time, specific end date and time, both, or neither. The following items describe how the presence or absence of a start or end date and time affect whether an absolute time range rule is active:
• Start and end date and time both specified—The time range rule is active when the current time is later than the start date and time and earlier than the end date and time.
• Start date and time specified with no end date and time—The time range rule is active when the current time is later than the start date and time.
• No start date and time with end date and time specified—The time range rule is active when the current time is earlier than the end date and time.
• No start or end date and time specified—The time range rule is always active.

For example, you could prepare your network to allow access to a new subnet by specifying a time range that allows access beginning at midnight of the day that you plan to place the subnet online. You can use that time range in ACL rules that apply to the subnet. After the start time and date have passed, the device automatically begins applying the rules that use this time range when it applies the ACLs that contain the rules.

Periodic
A rule that is active one or more times per week. For example, you could use a periodic time range to allow access to a lab subnet only during work hours on weekdays. The device automatically applies ACL rules that use this time range only when the range is active and when it applies the ACLs that contain the rules.

Note: The order of rules in a time range does not affect how a device evaluates whether a time range is active. Cisco NX-OS includes sequence numbers in time ranges to make editing the time range easier.

Time ranges also allow you to include remarks, which you can use to insert comments into a time range. Remarks have a maximum length of 100 alphanumeric characters.

The device determines whether a time range is active as follows:
• The time range contains one or more absolute rules—The time range is active if the current time is within one or more absolute rules.
• The time range contains one or more periodic rules—The time range is active if the current time is within one or more periodic rules.
• The time range contains both absolute and periodic rules—The time range is active if the current time is within one or more absolute rules and within one or more periodic rules.

When a time range contains both absolute and periodic rules, the periodic rules can only be active when at least one absolute rule is active.

Policy-Based ACLs

The device supports policy-based ACLs (PBACLs), which allow you to apply access control policies across object groups. An object group is a group of IP addresses or a group of TCP or UDP ports. When you create a rule, you specify the object groups rather than specifying IP addresses or ports.
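The time-range activation logic described in the Time Ranges section above, as an added Python model that is not Cisco code: a range with only absolute rules or only periodic rules is active when any of its rules covers the current time, and a range with both kinds is active only when an absolute rule and a periodic rule both do, regardless of rule order. The tuple representation of rules, the weekday work-hours rule and the go-live date are constructed for illustration.

```python
from datetime import datetime, time

# Constructed representations (not NX-OS syntax):
#   absolute rule: (start, end), either side None when not specified
#   periodic rule: (set of weekday numbers, Monday=0; start time-of-day; end time-of-day)

def absolute_active(rule, now):
    start, end = rule
    return (start is None or now > start) and (end is None or now < end)

def periodic_active(rule, now):
    days, start, end = rule
    return now.weekday() in days and start <= now.time() <= end

def time_range_active(absolute_rules, periodic_rules, now):
    """Mirror the three cases: absolute only, periodic only, or both (AND)."""
    abs_ok = any(absolute_active(r, now) for r in absolute_rules)
    per_ok = any(periodic_active(r, now) for r in periodic_rules)
    if absolute_rules and periodic_rules:
        # Periodic rules can only be active while at least one absolute rule is active.
        return abs_ok and per_ok
    return abs_ok or per_ok  # a range with no rules at all is never active

# Sample rules: weekday work hours, plus an absolute rule that starts at midnight on
# the day a new lab subnet goes online (2017-03-01 is a Wednesday) and never ends.
WORK_HOURS = ({0, 1, 2, 3, 4}, time(8, 0), time(18, 0))
GO_LIVE = (datetime(2017, 3, 1, 0, 0), None)

def lab_access_active(now):
    """Both kinds present: active only on a weekday, in hours, after go-live."""
    return time_range_active([GO_LIVE], [WORK_HOURS], now)
```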
Using object groups when you configure IPv4 or IPv6 ACLs can help reduce the complexity of updating ACLs when you need to add or remove addresses or ports from the source or destination of rules. For example, if three rules reference the same IP address group object, you can add an IP address to the object instead of changing all three rules.

PBACLs do not reduce the resources required by an ACL when you apply it to an interface. When you apply a PBACL or update a PBACL that is already applied, the device expands each rule that refers to object groups into one ACL entry per object within the group. If a rule specifies the source and destination both with object groups, the number of ACL entries created on the I/O module when you apply the PBACL is equal to the number of objects in the source group multiplied by the number of objects in the destination group.

The following object group types apply to port, router, policy-based routing (PBR), and VLAN ACLs:

IPv4 Address Object Groups
Can be used with IPv4 ACL rules to specify source or destination addresses. When you use the permit or deny command to configure a rule, the addrgroup keyword allows you to specify an object group for the source or destination.

IPv6 Address Object Groups
Can be used with IPv6 ACL rules to specify source or destination addresses. When you use the permit or deny command to configure a rule, the addrgroup keyword allows you to specify an object group for the source or destination.

Protocol Port Object Groups
Can be used with IPv4 and IPv6 TCP and UDP rules to specify source or destination ports. When you use the permit or deny command to configure a rule, the portgroup keyword allows you to specify an object group for the source or destination.

Note: Policy-based routing (PBR) ACLs do not support deny access control entries (ACEs) or deny commands to configure a rule.

Statistics and ACLs

The device can maintain global statistics for each rule that you configure in IPv4, IPv6, and MAC ACLs. If an ACL is applied to multiple interfaces, the maintained rule statistics are the sum of packet matches (hits) on all the interfaces on which that ACL is applied.

Note: The device does not support interface-level ACL statistics.
For each ACL that you configure, you can specify whether the device maintains statistics for that ACL, which allows you to turn ACL statistics on or off as needed to monitor traffic filtered by an ACL or to help troubleshoot the configuration of an ACL.

The device does not maintain statistics for implicit rules in an ACL. For example, the device does not maintain a count of packets that match the implicit deny ip any any rule at the end of all IPv4 ACLs. If you want to maintain statistics for implicit rules, you must explicitly configure the ACL with rules that are identical to the implicit rules.

Related Topics
Monitoring and Clearing IP ACL Statistics, on page 43
Implicit Rules for IP and MAC ACLs, on page 4

Atomic ACL Updates

By default, when a supervisor module of a Cisco Nexus 9000 Series device updates an I/O module with changes to an ACL, it performs an atomic ACL update. An atomic update does not disrupt traffic that the updated ACL applies to; however, an atomic update requires that an I/O module that receives an ACL update has enough available resources to store each updated ACL entry in addition to all pre-existing entries in the affected ACL. After the update occurs, the additional resources used for the update are freed. If the I/O module lacks the required resources, the device generates an error message and the ACL update to the I/O module fails.

If an I/O module lacks the resources required for an atomic update, you can disable atomic updates by using the no hardware access-list update atomic command; however, during the brief time required for the device to remove the preexisting ACL and implement the updated ACL, traffic that the ACL applies to is dropped by default.

If you want to permit all traffic that an ACL applies to while it receives a nonatomic update, use the hardware access-list update default-result permit command.
This example shows how to disable atomic updates to ACLs:

  switch# config t
  switch(config)# no hardware access-list update atomic

This example shows how to permit affected traffic during a nonatomic ACL update:

  switch# config t
  switch(config)# hardware access-list update default-result permit

This example shows how to revert to the atomic update method:

  switch# config t
  switch(config)# no hardware access-list update default-result permit
  switch(config)# hardware access-list update atomic

Session Manager Support for IP ACLs

Session Manager supports the configuration of IP and MAC ACLs. This feature allows you to verify ACL configuration and confirm that the resources required by the configuration are available prior to committing them to the running configuration.

ACL TCAM Regions

You can change the size of the ACL ternary content addressable memory (TCAM) regions in the hardware.

Description:
For Network Forwarding Engine (NFE)-enabled switches, ingress RACLs matching the tunnel interface's outer header are not supported. • If the same