Configuring IPv4 ACLs

• Finding Feature Information, page 1
• Prerequisites for Configuring IPv4 Access Control Lists, page 1
• Restrictions for Configuring IPv4 Access Control Lists, page 2
• Information about Network Security with ACLs, page 3
• How to Configure ACLs, page 16
• Monitoring IPv4 ACLs, page 41
• Configuration Examples for ACLs, page 42
• Additional References, page 56
• Feature Information for IPv4 Access Control Lists, page 57

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Configuring IPv4 Access Control Lists

This section lists the prerequisites for configuring network security with access control lists (ACLs).

• On switches running the LAN Base feature set, VLAN maps are not supported.

Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches), OL-32606-01

Restrictions for Configuring IPv4 Access Control Lists

General Network Security

The following are restrictions for configuring network security with ACLs:

• Not all commands that accept a numbered ACL accept a named ACL. ACLs used as packet filters and route filters on interfaces can use a name. VLAN maps also accept a name.
• A standard ACL and an extended ACL cannot have the same name.
• Though visible in the command-line help strings, appletalk is not supported as a matching condition for the deny and permit MAC access-list configuration mode commands.
• ACL wildcard is not supported in downstream client policy.
IPv4 ACL Network Interfaces

The following restrictions apply to IPv4 ACLs on network interfaces:

• When controlling access to an interface, you can use a named or numbered ACL.
• If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL takes precedence over an input Layer 3 ACL applied to the VLAN interface or a VLAN map applied to the VLAN.
• If you apply an ACL to a Layer 3 interface and routing is not enabled on the switch, the ACL only filters packets that are intended for the CPU, such as SNMP, Telnet, or web traffic.
• If the preauth_ipv4_acl ACL is configured to filter packets, the ACL is removed after authentication.
• You do not have to enable routing to apply ACLs to Layer 2 interfaces.

Note: By default, the router sends Internet Control Message Protocol (ICMP) unreachable messages when a packet is denied by an access group on a Layer 3 interface. These access-group denied packets are not dropped in hardware but are bridged to the switch CPU so that it can generate the ICMP unreachable message. Packets denied by a port ACL on a Layer 2 interface do not generate ICMP unreachable messages. ICMP unreachable messages can be disabled on router ACLs with the no ip unreachables interface command. Because denied packets on a router ACL are punted to the CPU for this purpose, a high rate of denied traffic loads the CPU, which is the usual reason to disable unreachables on exposed Layer 3 interfaces.

MAC ACLs on a Layer 2 Interface

After you create a MAC ACL, you can apply it to a Layer 2 interface to filter non-IP traffic coming in that interface. When you apply the MAC ACL, consider these guidelines:

• You can apply no more than one IP access list and one MAC access list to the same Layer 2 interface. The IP access list filters only IP packets, and the MAC access list filters non-IP packets.
• A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2 interface that already has a MAC ACL configured, the new ACL replaces the previously configured one.

Note: The mac access-group interface configuration command is only valid when applied to a physical Layer 2 interface. You cannot use the command on EtherChannel port channels.

IP Access List Entry Sequence Numbering

• This feature does not support dynamic, reflexive, or firewall access lists.
Related Topics
Applying an IPv4 ACL to an Interface, on page 29
IPv4 ACL Interface Considerations, on page 16
Creating Named MAC Extended ACLs, on page 30
Applying a MAC ACL to a Layer 2 Interface, on page 32

Information about Network Security with ACLs

This chapter describes how to configure network security on the switch by using access control lists (ACLs), which in commands and tables are also referred to as access lists.

Cisco TrustSec and ACLs

Catalyst 3850 switches running the IP Base or IP Services feature set also support the Cisco TrustSec Security Group Tag (SGT) Exchange Protocol (SXP). This feature supports security group access control lists (SGACLs), which define ACL policies for a group of devices instead of an IP address. The SXP control protocol allows tagging packets with SGTs without a hardware upgrade, and runs between access layer devices at the Cisco TrustSec domain edge and distribution layer devices within the Cisco TrustSec domain. Catalyst 3850 switches operate as access layer switches in the Cisco TrustSec network.

The sections on SXP define the capabilities supported on the Catalyst 3850 switches.

ACL Overview

Packet filtering can help limit network traffic and restrict network use by certain users or devices. ACLs filter traffic as it passes through a router or switch and permit or deny packets crossing specified interfaces or VLANs. An ACL is a sequential collection of permit and deny conditions that apply to packets. When a packet is received on an interface, the switch compares the fields in the packet against any applied ACLs to verify that the packet has the required permissions to be forwarded, based on the criteria specified in the access lists. One by one, it tests the packet against the conditions in the access list. The first match decides whether the switch accepts or rejects the packet. Because the switch stops testing after the first match, the order of conditions in the list is critical. If no condition matches, the switch rejects the packet (the implicit deny at the end of every ACL). If no ACL is applied to the interface, the switch forwards the packet. The switch can use ACLs on all packets it forwards, including packets bridged within a VLAN.
You configure access lists on a router or Layer 3 switch to provide basic security for your network. If you do not configure ACLs, all packets passing through the switch could be allowed onto all parts of the network. You can use ACLs to control which hosts can access different parts of a network or to decide which types of traffic are forwarded or blocked at router interfaces. For example, you can allow e-mail traffic to be forwarded but not Telnet traffic. ACLs can be configured to block inbound traffic, outbound traffic, or both.

Access Control Entries

An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies permit or deny and a set of conditions the packet must satisfy in order to match the ACE. The meaning of permit or deny depends on the context in which the ACL is used.

ACL Supported Types

The switch supports IP ACLs and Ethernet (MAC) ACLs:

• IP ACLs filter IPv4 traffic, including TCP, User Datagram Protocol (UDP), Internet Group Management Protocol (IGMP), and Internet Control Message Protocol (ICMP).
• Ethernet ACLs filter non-IP traffic.

This switch also supports quality of service (QoS) classification ACLs.

Supported ACLs

The switch supports three types of ACLs to filter traffic:

• Port ACLs access-control traffic entering a Layer 2 interface. You can apply port ACLs to a Layer 2 interface in each direction for each access list type (IPv4 and MAC).
• Router ACLs access-control routed traffic between VLANs and are applied to Layer 3 interfaces in a specific direction (inbound or outbound).
• VLAN ACLs or VLAN maps access-control all packets (bridged and routed). You can use VLAN maps to filter traffic between devices in the same VLAN. VLAN maps are configured to provide access control based on Layer 3 addresses for IPv4. Unsupported protocols are access-controlled through MAC addresses using Ethernet ACEs. After a VLAN map is applied to a VLAN, all packets (routed or bridged) entering the VLAN are checked against the VLAN map. Packets can enter the VLAN either through a switch port or through a routed port after being routed.
ACL Precedence

When VLAN maps, port ACLs, and router ACLs are configured on the same switch, the filtering precedence, from greatest to least, for ingress traffic is port ACL, VLAN map, and then router ACL. For egress traffic, the filtering precedence is router ACL, VLAN map, and then port ACL.

The following examples describe simple use cases:

• When both an input port ACL and a VLAN map are applied, incoming packets received on ports with a port ACL applied are filtered by the port ACL. Other packets are filtered by the VLAN map.
• When an input router ACL and an input port ACL exist in a switch virtual interface (SVI), incoming packets received on ports to which a port ACL is applied are filtered by the port ACL. Incoming routed IP packets received on other ports are filtered by the router ACL. Other packets are not filtered.
• When an output router ACL and an input port ACL exist in an SVI, incoming packets received on the ports to which a port ACL is applied are filtered by the port ACL. Outgoing routed IP packets are filtered by the router ACL. Other packets are not filtered.
• When a VLAN map, an input router ACL, and an input port ACL exist in an SVI, incoming packets received on the ports to which a port ACL is applied are filtered only by the port ACL. Incoming routed IP packets received on other ports are filtered by both the VLAN map and the router ACL. Other packets are filtered only by the VLAN map.
• When a VLAN map, an output router ACL, and an input port ACL exist in an SVI, incoming packets received on the ports to which a port ACL is applied are filtered only by the port ACL. Outgoing routed IP packets are filtered by both the VLAN map and the router ACL. Other packets are filtered only by the VLAN map.

Note that in every case a port ACL is the only ingress filter applied to packets arriving on its port. A permissive port ACL therefore exempts that port's incoming traffic from a more restrictive VLAN map or input router ACL, so review port ACLs together with the VLAN-level policy rather than in isolation.
Related Topics
Restrictions for Configuring IPv4 Access Control Lists, on page 2

Port ACLs

Port ACLs are ACLs that are applied to Layer 2 interfaces on a switch. Port ACLs are supported only on physical interfaces and not on EtherChannel interfaces. Port ACLs can be applied to the interface in the outbound and inbound direction. The following access lists are supported:

• Standard IP access lists using source addresses
• Extended IP access lists using source and destination addresses and optional protocol type information
• MAC extended access lists using source and destination MAC addresses and optional protocol type information

The switch examines ACLs on an interface and permits or denies packet forwarding based on how the packet matches the entries in the ACL. In this way, ACLs control access to a network or to part of a network.

This is an example of using port ACLs to control access to a network when all workstations are in the same VLAN. ACLs applied at the Layer 2 input would allow Host A to access the Human Resources network, but prevent Host B from accessing the same network. In this example the port ACLs are applied to the Layer 2 interfaces in the inbound direction.

Figure 1: Using ACLs to Control Traffic in a Network

When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. When you apply a port ACL to a port with a voice VLAN, the ACL filters traffic on both the data and voice VLANs.

With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP access list and a MAC access list to the interface.

Note: You cannot apply more than one IP access list and one MAC access list to a Layer 2 interface. If an IP access list or MAC access list is already configured on a Layer 2 interface and you apply a new IP access list or MAC access list to the interface, the new ACL replaces the previously configured one.
Router ACLs

You can apply router ACLs on switch virtual interfaces (SVIs), which are Layer 3 interfaces to VLANs; on physical Layer 3 interfaces; and on Layer 3 EtherChannel interfaces. You apply router ACLs on interfaces for specific directions (inbound or outbound). You can apply one router ACL in each direction on an interface.

The switch supports these access lists for IPv4 traffic:

• Standard IP access lists use source addresses for matching operations.
• Extended IP access lists use source and destination addresses and optional protocol type information for matching operations.

As with port ACLs, the switch examines ACLs associated with features configured on a given interface. As packets enter the switch on an interface, ACLs associated with all inbound features configured on that interface are examined. After packets are routed and before they are forwarded to the next hop, all ACLs associated with outbound features configured on the egress interface are examined.

ACLs permit or deny packet forwarding based on how the packet matches the entries in the ACL, and can be used to control access to a network or to part of a network.

VLAN Maps

VLAN ACLs or VLAN maps are used to control network traffic within a VLAN. You can apply VLAN maps to all packets that are bridged within a VLAN in the switch or switch stack. VACLs are strictly for security packet filtering and for redirecting traffic to specific physical interfaces. VACLs are not defined by direction (ingress or egress).

All non-IP protocols are access-controlled through MAC addresses and Ethertype using MAC VLAN maps. (IP traffic is not access-controlled by MAC VLAN maps.) You can enforce VLAN maps only on packets going through the switch; you cannot enforce VLAN maps on traffic between hosts on a hub or on another switch connected to this switch.

With VLAN maps, forwarding of packets is permitted or denied, based on the action specified in the map. The figure below shows how a VLAN map is applied to prevent a specific type of traffic from Host A in VLAN 10 from being forwarded. You can apply only one VLAN map to a VLAN.
Figure 2: Using VLAN Maps to Control Traffic

ACEs and Fragmented and Unfragmented Traffic

IP packets can be fragmented as they cross the network. When this happens, only the fragment containing the beginning of the packet contains the Layer 4 information, such as TCP or UDP port numbers, ICMP type and code, and so on. All other fragments are missing this information.

Some access control entries (ACEs) do not check Layer 4 information and therefore can be applied to all packet fragments. ACEs that do test Layer 4 information cannot be applied in the standard manner to most of the fragments in a fragmented IP packet. When the fragment contains no Layer 4 information and the ACE tests some Layer 4 information, the matching rules are modified:

• Permit ACEs that check the Layer 3 information in the fragment (including protocol type, such as TCP, UDP, and so on) are considered to match the fragment regardless of what the missing Layer 4 information might have been.

Note: For TCP ACEs that use Layer 4 operators (L4 Ops), fragmented packets are dropped, per RFC 1858.

• Deny ACEs that check Layer 4 information never match a fragment unless the fragment contains Layer 4 information.

ACEs and Fragmented and Unfragmented Traffic Examples

Consider access list 102, configured with these commands, applied to three fragmented packets:

Switch(config)# access-list 102 permit tcp any host 10.1.1.1 eq smtp
Switch(config)# access-list 102 deny tcp any host 10.1.1.2 eq telnet
Switch(config)# access-list 102 permit tcp any host 10.1.1.2
Switch(config)# access-list 102 deny tcp any any

Note: In the first and second ACEs in the example, the eq keyword after the destination address means to test for the TCP destination port equaling the well-known numbers for Simple Mail Transfer Protocol (SMTP) and Telnet, respectively.
• Packet A is a TCP packet from host 10.2.2.2, port 65000, going to host 10.1.1.1 on the SMTP port. If this packet is fragmented, the first fragment matches the first ACE (a permit) as if it were a complete packet because all Layer 4 information is present. The remaining fragments also match the first ACE, even though they do not contain the SMTP port information, because the first ACE only checks Layer 3 information when applied to fragments. The Layer 3 information in this example is that the packet is TCP and that the destination is 10.1.1.1.
• Packet B is from host 10.2.2.2, port 65001, going to host 10.1.1.2 on the Telnet port. If this packet is fragmented, the first fragment matches the second ACE (a deny) because all Layer 3 and Layer 4 information is present. The remaining fragments in the packet do not match the second ACE because they are missing Layer 4 information. Instead, they match the third ACE (a permit).
Because the first fragment was denied, host 10.1.1.2 cannot reassemble a complete packet, so packet B is effectively denied. However, the later fragments that are permitted will consume bandwidth on the network and resources of host 10.1.1.2 as it tries to reassemble the packet.
• Fragmented packet C is from host 10.2.2.2, port 65001, going to host 10.1.1.3, port ftp. If this packet is fragmented, the first fragment matches the fourth ACE (a deny). All other fragments also match the fourth ACE because that ACE does not check any Layer 4 information and because the Layer 3 information in all fragments shows that they are being sent to host 10.1.1.3, and the earlier permit ACEs were checking different hosts.

ACLs and Switch Stacks

ACL support is the same for a switch stack as for a standalone switch. ACL configuration information is propagated to all switches in the stack. All switches in the stack, including the active switch, process the information and program their hardware.

Active Switch and ACL Functions

The active switch performs these ACL functions:

• It processes the ACL configuration and propagates the information to all stack members.
• It distributes the ACL information to any switch that joins the stack.
• If packets must be forwarded by software for any reason (for example, not enough hardware resources), the active switch forwards the packets only after applying ACLs to the packets.
• It programs its hardware with the ACL information it processes.

Stack Member and ACL Functions

Stack members perform these ACL functions:

• They receive the ACL information from the active switch and program their hardware.
• A stack member configured as a standby switch performs the functions of the active switch in the event the active switch fails.

Active Switch Failure and ACLs

Both the active and standby switches have the ACL information. When the active switch fails, the standby takes over. The new active switch distributes the ACL information to all stack members.

Standard and Extended IPv4 ACLs

This section describes IP ACLs.

An ACL is a sequential collection of permit and deny conditions. One by one, the switch tests packets against the conditions in an access list. The first match determines whether the switch accepts or rejects the packet. Because the switch stops testing after the first match, the order of the conditions is critical. If no conditions match, the switch denies the packet.

The software supports these types of ACLs or access lists for IPv4:

• Standard IP access lists use source addresses for matching operations.
• Extended IP access lists use source and destination addresses for matching operations and optional protocol-type information for finer granularity of control.

IPv4 ACL Switch Unsupported Features

Configuring IPv4 ACLs on the switch is the same as configuring IPv4 ACLs on other Cisco switches and routers.

The following ACL-related features are not supported:

• Non-IP protocol ACLs
• IP accounting
• Reflexive ACLs and dynamic ACLs

Access List Numbers

The number you use to denote your ACL shows the type of access list that you are creating.

The following table lists the access-list number ranges and the corresponding access list type, and shows whether or not each is supported on the switch. The switch supports IPv4 standard and extended access lists, numbers 1 to 199 and 1300 to 2699.
Table 1: Access List Numbers

Access List Number | Type                                       | Supported
-------------------|--------------------------------------------|----------
1–99               | IP standard access list                    | Yes
100–199            | IP extended access list                    | Yes
200–299            | Protocol type-code access list             | No
300–399            | DECnet access list                         | No
400–499            | XNS standard access list                   | No
500–599            | XNS extended access list                   | No
600–699            | AppleTalk access list                      | No
700–799            | 48-bit MAC address access list             | No
800–899            | IPX standard access list                   | No
900–999            | IPX extended access list                   | No
1000–1099          | IPX SAP access list                        | No
1100–1199          | Extended 48-bit MAC address access list    | No
1200–1299          | IPX summary address access list            | No
1300–1999          | IP standard access list (expanded range)   | Yes
2000–2699          | IP extended access list (expanded range)   | Yes

In addition to numbered standard and extended ACLs, you can also create standard and extended named IP ACLs by using the supported numbers. That is, the name of a standard IP ACL can be 1 to 99; the name of an extended IP ACL can be 100 to 199. The advantage of using named ACLs instead of numbered lists is that you can delete individual entries from a named list.
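The first-match evaluation with implicit deny described under ACL Overview and Standard and Extended IPv4 ACLs, and the modified matching rules for fragments worked through for packets A, B and C above, can be checked with a small model evaluator. The following Python is an added example written for this page, not code from the Cisco guide or from IOS XE: the ACE and Packet classes, the port numbers 25, 23 and 21 for smtp, telnet and ftp, and the representation of a non-initial fragment as a packet with no destination port are all assumptions of the model. The RFC 1858 note about TCP ACEs with Layer 4 operators is not modelled; the ACEs here use only eq.

```python
# Added example (not from the Cisco guide): a model of IOS ACL evaluation
# covering first-match order, the implicit deny, and the modified matching
# rules for non-initial fragments that carry no Layer 4 header.
from dataclasses import dataclass
from typing import List, Optional, Tuple

SMTP, TELNET, FTP = 25, 23, 21          # well-known ports named by the eq keyword


@dataclass(frozen=True)
class ACE:
    """One access control entry. dst_port is None when the ACE checks no L4 info."""
    action: str                         # "permit" or "deny"
    proto: str                          # "tcp", "udp", "icmp", or "ip" (any IP protocol)
    dst: str                            # destination host address, or "any"
    dst_port: Optional[int] = None      # eq <port>; None means the ACE tests Layer 3 only
    src: str = "any"                    # source host address, or "any"

    def checks_l4(self) -> bool:
        return self.dst_port is not None


@dataclass(frozen=True)
class Packet:
    """A packet or fragment. dst_port is None for a non-initial fragment (no L4 header)."""
    proto: str
    src: str
    dst: str
    dst_port: Optional[int]

    def has_l4(self) -> bool:
        return self.dst_port is not None


def l3_matches(ace: ACE, pkt: Packet) -> bool:
    """Layer 3 part of the ACE: protocol, source and destination."""
    return (ace.proto in ("ip", pkt.proto)
            and ace.src in ("any", pkt.src)
            and ace.dst in ("any", pkt.dst))


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    if not l3_matches(ace, pkt):
        return False
    if not ace.checks_l4():
        return True                     # an L3-only ACE applies to every fragment
    if pkt.has_l4():
        return pkt.dst_port == ace.dst_port
    # Non-initial fragment tested by an ACE that checks Layer 4:
    # a permit ACE matches on its L3 fields alone; a deny ACE never matches.
    return ace.action == "permit"


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, int]:
    """First match wins; returns (action, 1-based ACE index). Index 0 is the implicit deny."""
    for index, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            return ace.action, index
    return "deny", 0


def classify_fragments(acl, proto, src, dst, dst_port):
    """Verdicts for the first fragment (L4 present) and the remaining fragments (L4 absent)."""
    first = Packet(proto, src, dst, dst_port)
    rest = Packet(proto, src, dst, None)
    return evaluate(acl, first), evaluate(acl, rest)


def fragmented_packet_delivered(acl, proto, src, dst, dst_port) -> bool:
    """The receiver can reassemble only if every fragment is permitted."""
    first, rest = classify_fragments(acl, proto, src, dst, dst_port)
    return first[0] == "permit" and rest[0] == "permit"


# Access list 102 from the text, as a constructed sample.
ACL_102 = [
    ACE("permit", "tcp", "10.1.1.1", SMTP),     # permit tcp any host 10.1.1.1 eq smtp
    ACE("deny", "tcp", "10.1.1.2", TELNET),     # deny tcp any host 10.1.1.2 eq telnet
    ACE("permit", "tcp", "10.1.1.2"),           # permit tcp any host 10.1.1.2
    ACE("deny", "tcp", "any"),                  # deny tcp any any
]

if __name__ == "__main__":
    for name, dst, port in (("A", "10.1.1.1", SMTP), ("B", "10.1.1.2", TELNET), ("C", "10.1.1.3", FTP)):
        first, rest = classify_fragments(ACL_102, "tcp", "10.2.2.2", dst, port)
        delivered = fragmented_packet_delivered(ACL_102, "tcp", "10.2.2.2", dst, port)
        print(f"packet {name}: first fragment {first}, other fragments {rest}, reassembled={delivered}")
```

Running the model reproduces the three cases: packet A is permitted by ACE 1 in full, packet B has its first fragment denied by ACE 2 while its remaining fragments slip through on ACE 3, and packet C is denied by ACE 4 throughout. The B case is the one to remember when writing ACLs: a deny that tests ports stops reassembly but not the fragments themselves, so if non-initial fragments must be kept off a host, place an explicit deny that tests only Layer 3 ahead of the broader permit (classic IOS extended ACLs also accept a fragments keyword on an ACE for this purpose; check your platform's support before relying on it, as this page does not cover it).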