
Configuring IPv4 ACLs PDF

58 Pages·2017·2.08 MB·English
Configuring IPv4 ACLs

• Finding Feature Information, page 1
• Prerequisites for Configuring IPv4 Access Control Lists, page 1
• Restrictions for Configuring IPv4 Access Control Lists, page 2
• Information about Network Security with ACLs, page 3
• How to Configure ACLs, page 16
• Monitoring IPv4 ACLs, page 41
• Configuration Examples for ACLs, page 42
• Additional References, page 56
• Feature Information for IPv4 Access Control Lists, page 57

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Configuring IPv4 Access Control Lists

This section lists the prerequisites for configuring network security with access control lists (ACLs).

• On switches running the LAN base feature set, VLAN maps are not supported.

Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches), OL-32606-01

Restrictions for Configuring IPv4 Access Control Lists

General Network Security

The following are restrictions for configuring network security with ACLs:

• Not all commands that accept a numbered ACL accept a named ACL. ACLs for packet filters and route filters on interfaces can use a name. VLAN maps also accept a name.
• A standard ACL and an extended ACL cannot have the same name.
• Though visible in the command-line help strings, appletalk is not supported as a matching condition for the deny and permit MAC access-list configuration mode commands.
• ACL wildcard is not supported in downstream client policy.
IPv4 ACL Network Interfaces

The following restrictions apply to IPv4 ACLs on network interfaces:

• When controlling access to an interface, you can use a named or numbered ACL.
• If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL takes precedence over an input Layer 3 ACL applied to the VLAN interface or a VLAN map applied to the VLAN.
• If you apply an ACL to a Layer 3 interface and routing is not enabled on the switch, the ACL only filters packets that are intended for the CPU, such as SNMP, Telnet, or web traffic.
• If the preauth_ipv4_acl ACL is configured to filter packets, the ACL is removed after authentication.
• You do not have to enable routing to apply ACLs to Layer 2 interfaces.

Note: By default, the router sends Internet Control Message Protocol (ICMP) unreachable messages when a packet is denied by an access group on a Layer 3 interface. These access-group denied packets are not dropped in hardware but are bridged to the switch CPU so that it can generate the ICMP unreachable message; a sustained stream of denied packets therefore becomes CPU load rather than a hardware drop. ICMP unreachable messages can be disabled on router ACLs with the no ip unreachables interface command.

MAC ACLs on a Layer 2 Interface

After you create a MAC ACL, you can apply it to a Layer 2 interface to filter non-IP traffic coming in that interface. When you apply the MAC ACL, consider these guidelines:

• You can apply no more than one IP access list and one MAC access list to the same Layer 2 interface. The IP access list filters only IP packets, and the MAC access list filters non-IP packets.
• A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2 interface that has a MAC ACL configured, the new ACL replaces the previously configured one.

Note: The mac access-group interface configuration command is only valid when applied to a physical Layer 2 interface. You cannot use the command on EtherChannel port channels.

IP Access List Entry Sequence Numbering

• This feature does not support dynamic, reflexive, or firewall access lists.
Related Topics

Applying an IPv4 ACL to an Interface, on page 29
IPv4 ACL Interface Considerations, on page 16
Creating Named MAC Extended ACLs, on page 30
Applying a MAC ACL to a Layer 2 Interface, on page 32

Information about Network Security with ACLs

This chapter describes how to configure network security on the switch by using access control lists (ACLs), which in commands and tables are also referred to as access lists.

Cisco TrustSec and ACLs

Catalyst 3850 switches running the IP base or IP services feature set also support Cisco TrustSec Security Group Tag (SGT) Exchange Protocol (SXP). This feature supports security group access control lists (SGACLs), which define ACL policies for a group of devices instead of an IP address. The SXP control protocol allows tagging packets with SGTs without a hardware upgrade, and runs between access layer devices at the Cisco TrustSec domain edge and distribution layer devices within the Cisco TrustSec domain. Catalyst 3850 switches operate as access layer switches in the Cisco TrustSec network.

The sections on SXP define the capabilities supported on the Catalyst 3850 switches.

ACL Overview

Packet filtering can help limit network traffic and restrict network use by certain users or devices. ACLs filter traffic as it passes through a router or switch and permit or deny packets crossing specified interfaces or VLANs. An ACL is a sequential collection of permit and deny conditions that apply to packets. When a packet is received on an interface, the switch compares the fields in the packet against any applied ACLs to verify that the packet has the required permissions to be forwarded, based on the criteria specified in the access lists. One by one, it tests packets against the conditions in an access list. The first match decides whether the switch accepts or rejects the packet. Because the switch stops testing after the first match, the order of conditions in the list is critical. If no condition matches, the switch rejects the packet: every ACL ends in an implicit deny. If no ACL is applied, the switch forwards the packet. The switch can use ACLs on all packets it forwards, including packets bridged within a VLAN.
You configure access lists on a router or Layer 3 switch to provide basic security for your network. If you do not configure ACLs, all packets passing through the switch could be allowed onto all parts of the network. You can use ACLs to control which hosts can access different parts of a network or to decide which types of traffic are forwarded or blocked at router interfaces. For example, you can allow e-mail traffic to be forwarded but not Telnet traffic. ACLs can be configured to block inbound traffic, outbound traffic, or both.

Access Control Entries

An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies permit or deny and a set of conditions the packet must satisfy in order to match the ACE. The meaning of permit or deny depends on the context in which the ACL is used.

ACL Supported Types

The switch supports IP ACLs and Ethernet (MAC) ACLs:

• IP ACLs filter IPv4 traffic, including TCP, User Datagram Protocol (UDP), Internet Group Management Protocol (IGMP), and Internet Control Message Protocol (ICMP).
• Ethernet ACLs filter non-IP traffic.

This switch also supports quality of service (QoS) classification ACLs.

Supported ACLs

The switch supports three types of ACLs to filter traffic:

• Port ACLs access-control traffic entering a Layer 2 interface. You can apply port ACLs to a Layer 2 interface in each direction, one of each access list type (IPv4 and MAC).
• Router ACLs access-control routed traffic between VLANs and are applied to Layer 3 interfaces in a specific direction (inbound or outbound).
• VLAN ACLs or VLAN maps access-control all packets (bridged and routed). You can use VLAN maps to filter traffic between devices in the same VLAN. VLAN maps are configured to provide access control based on Layer 3 addresses for IPv4. Unsupported protocols are access-controlled through MAC addresses using Ethernet ACEs. After a VLAN map is applied to a VLAN, all packets (routed or bridged) entering the VLAN are checked against the VLAN map. Packets can either enter the VLAN through a switch port or through a routed port after being routed.
ACL Precedence

When VLAN maps, port ACLs, and router ACLs are configured on the same switch, the filtering precedence, from greatest to least for ingress traffic, is port ACL, VLAN map, and then router ACL. For egress traffic, the filtering precedence is router ACL, VLAN map, and then port ACL.

The following examples describe simple use cases:

• When both an input port ACL and a VLAN map are applied, incoming packets received on ports with a port ACL applied are filtered by the port ACL. Other packets are filtered by the VLAN map.
• When an input router ACL and input port ACL exist in a switch virtual interface (SVI), incoming packets received on ports to which a port ACL is applied are filtered by the port ACL. Incoming routed IP packets received on other ports are filtered by the router ACL. Other packets are not filtered.
• When an output router ACL and input port ACL exist in an SVI, incoming packets received on the ports to which a port ACL is applied are filtered by the port ACL. Outgoing routed IP packets are filtered by the router ACL. Other packets are not filtered.
• When a VLAN map, input router ACL, and input port ACL exist in an SVI, incoming packets received on the ports to which a port ACL is applied are only filtered by the port ACL. Incoming routed IP packets received on other ports are filtered by both the VLAN map and the router ACL. Other packets are filtered only by the VLAN map.
• When a VLAN map, output router ACL, and input port ACL exist in an SVI, incoming packets received on the ports to which a port ACL is applied are only filtered by the port ACL. Outgoing routed IP packets are filtered by both the VLAN map and the router ACL. Other packets are filtered only by the VLAN map.

The practical consequence of these rules is that an input port ACL is the only ingress filter for the traffic arriving on its port: a permissive port ACL lets that traffic bypass a stricter VLAN map or input router ACL configured for the same VLAN.
Related Topics

Restrictions for Configuring IPv4 Access Control Lists, on page 2

Port ACLs

Port ACLs are ACLs that are applied to Layer 2 interfaces on a switch. Port ACLs are supported only on physical interfaces and not on EtherChannel interfaces. Port ACLs can be applied to the interface in the outbound and inbound direction. The following access lists are supported:

• Standard IP access lists using source addresses
• Extended IP access lists using source and destination addresses and optional protocol type information
• MAC extended access lists using source and destination MAC addresses and optional protocol type information

The switch examines ACLs on an interface and permits or denies packet forwarding based on how the packet matches the entries in the ACL. In this way, ACLs control access to a network or to part of a network.

This is an example of using port ACLs to control access to a network when all workstations are in the same VLAN. ACLs applied at the Layer 2 input would allow Host A to access the Human Resources network, but prevent Host B from accessing the same network. In this example the port ACLs are applied to the Layer 2 interfaces in the inbound direction.

Figure 1: Using ACLs to Control Traffic in a Network

When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. When you apply a port ACL to a port with a voice VLAN, the ACL filters traffic on both the data and voice VLANs.

With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP access list and a MAC access list to the interface.

Note: You cannot apply more than one IP access list and one MAC access list to a Layer 2 interface. If an IP access list or MAC access list is already configured on a Layer 2 interface and you apply a new IP access list or MAC access list to the interface, the new ACL replaces the previously configured one.
Router ACLs

You can apply router ACLs on switch virtual interfaces (SVIs), which are Layer 3 interfaces to VLANs; on physical Layer 3 interfaces; and on Layer 3 EtherChannel interfaces. You apply router ACLs on interfaces for specific directions (inbound or outbound). You can apply one router ACL in each direction on an interface.

The switch supports these access lists for IPv4 traffic:

• Standard IP access lists use source addresses for matching operations.
• Extended IP access lists use source and destination addresses and optional protocol type information for matching operations.

As with port ACLs, the switch examines ACLs associated with features configured on a given interface. As packets enter the switch on an interface, ACLs associated with all inbound features configured on that interface are examined. After packets are routed and before they are forwarded to the next hop, all ACLs associated with outbound features configured on the egress interface are examined.

ACLs permit or deny packet forwarding based on how the packet matches the entries in the ACL, and can be used to control access to a network or to part of a network.

VLAN Maps

VLAN ACLs or VLAN maps are used to control network traffic within a VLAN. You can apply VLAN maps to all packets that are bridged within a VLAN in the switch or switch stack. VACLs are strictly for security packet filtering and for redirecting traffic to specific physical interfaces. VACLs are not defined by direction (ingress or egress).

All non-IP protocols are access-controlled through MAC addresses and Ethertype using MAC VLAN maps. (IP traffic is not access controlled by MAC VLAN maps.) You can enforce VLAN maps only on packets going through the switch; you cannot enforce VLAN maps on traffic between hosts on a hub or on another switch connected to this switch.

With VLAN maps, forwarding of packets is permitted or denied, based on the action specified in the map. This shows how a VLAN map is applied to prevent a specific type of traffic from Host A in VLAN 10 from being forwarded. You can apply only one VLAN map to a VLAN.
Figure 2: Using VLAN Maps to Control Traffic

ACEs and Fragmented and Unfragmented Traffic

IP packets can be fragmented as they cross the network. When this happens, only the fragment containing the beginning of the packet contains the Layer 4 information, such as TCP or UDP port numbers, ICMP type and code, and so on. All other fragments are missing this information.

Some access control entries (ACEs) do not check Layer 4 information and therefore can be applied to all packet fragments. ACEs that do test Layer 4 information cannot be applied in the standard manner to most of the fragments in a fragmented IP packet. When the fragment contains no Layer 4 information and the ACE tests some Layer 4 information, the matching rules are modified:

• Permit ACEs that check the Layer 3 information in the fragment (including protocol type, such as TCP, UDP, and so on) are considered to match the fragment regardless of what the missing Layer 4 information might have been.
• Deny ACEs that check Layer 4 information never match a fragment unless the fragment contains Layer 4 information.

Note: For TCP ACEs with L4 Ops (Layer 4 port operators), fragmented packets are dropped per RFC 1858 (Security Considerations for IP Fragment Filtering).

ACEs and Fragmented and Unfragmented Traffic Examples

Consider access list 102, configured with these commands, applied to three fragmented packets:

    Switch(config)# access-list 102 permit tcp any host 10.1.1.1 eq smtp
    Switch(config)# access-list 102 deny tcp any host 10.1.1.2 eq telnet
    Switch(config)# access-list 102 permit tcp any host 10.1.1.2
    Switch(config)# access-list 102 deny tcp any any

Note: In the first and second ACEs in the examples, the eq keyword after the destination address means to test for the TCP destination port well-known numbers equaling Simple Mail Transfer Protocol (SMTP) and Telnet, respectively.
• Packet A is a TCP packet from host 10.2.2.2, port 65000, going to host 10.1.1.1 on the SMTP port. If this packet is fragmented, the first fragment matches the first ACE (a permit) as if it were a complete packet because all Layer 4 information is present. The remaining fragments also match the first ACE, even though they do not contain the SMTP port information, because the first ACE only checks Layer 3 information when applied to fragments. The information in this example is that the packet is TCP and that the destination is 10.1.1.1.
• Packet B is from host 10.2.2.2, port 65001, going to host 10.1.1.2 on the Telnet port. If this packet is fragmented, the first fragment matches the second ACE (a deny) because all Layer 3 and Layer 4 information is present. The remaining fragments in the packet do not match the second ACE because they are missing Layer 4 information. Instead, they match the third ACE (a permit). Because the first fragment was denied, host 10.1.1.2 cannot reassemble a complete packet, so packet B is effectively denied. However, the later fragments that are permitted will consume bandwidth on the network and resources of host 10.1.1.2 as it tries to reassemble the packet.
• Fragmented packet C is from host 10.2.2.2, port 65001, going to host 10.1.1.3, port ftp. If this packet is fragmented, the first fragment matches the fourth ACE (a deny). All other fragments also match the fourth ACE because that ACE does not check any Layer 4 information and because Layer 3 information in all fragments shows that they are being sent to host 10.1.1.3, and the earlier permit ACEs were checking different hosts.

ACLs and Switch Stacks

ACL support is the same for a switch stack as for a standalone switch. ACL configuration information is propagated to all switches in the stack. All switches in the stack, including the active switch, process the information and program their hardware.

Active Switch and ACL Functions

The active switch performs these ACL functions:

• It processes the ACL configuration and propagates the information to all stack members.
• It distributes the ACL information to any switch that joins the stack.
• If packets must be forwarded by software for any reason (for example, not enough hardware resources), the active switch forwards the packets only after applying ACLs on the packets.
• It programs its hardware with the ACL information it processes.

Stack Member and ACL Functions

Stack members perform these ACL functions:

• They receive the ACL information from the active switch and program their hardware.
• A stack member configured as a standby switch performs the functions of the active switch in the event the active switch fails.

Active Switch Failure and ACLs

Both the active and standby switches have the ACL information. When the active switch fails, the standby takes over. The new active switch distributes the ACL information to all stack members.

Standard and Extended IPv4 ACLs

This section describes IP ACLs.

An ACL is a sequential collection of permit and deny conditions. One by one, the switch tests packets against the conditions in an access list. The first match determines whether the switch accepts or rejects the packet. Because the switch stops testing after the first match, the order of the conditions is critical. If no conditions match, the switch denies the packet.

The software supports these types of ACLs or access lists for IPv4:

• Standard IP access lists use source addresses for matching operations.
• Extended IP access lists use source and destination addresses for matching operations and optional protocol-type information for finer granularity of control.

IPv4 ACL Switch Unsupported Features

Configuring IPv4 ACLs on the switch is the same as configuring IPv4 ACLs on other Cisco switches and routers.

The following ACL-related features are not supported:

• Non-IP protocol ACLs
• IP accounting
• Reflexive ACLs and dynamic ACLs

Access List Numbers

The number you use to denote your ACL shows the type of access list that you are creating.

This lists the access-list number and corresponding access list type and shows whether or not they are supported in the switch. The switch supports IPv4 standard and extended access lists, numbers 1 to 199 and 1300 to 2699.
Table 1: Access List Numbers

Access List Number   Type                                        Supported
1–99                 IP standard access list                     Yes
100–199              IP extended access list                     Yes
200–299              Protocol type-code access list              No
300–399              DECnet access list                          No
400–499              XNS standard access list                    No
500–599              XNS extended access list                    No
600–699              AppleTalk access list                       No
700–799              48-bit MAC address access list              No
800–899              IPX standard access list                    No
900–999              IPX extended access list                    No
1000–1099            IPX SAP access list                         No
1100–1199            Extended 48-bit MAC address access list     No
1200–1299            IPX summary address access list             No
1300–1999            IP standard access list (expanded range)    Yes
2000–2699            IP extended access list (expanded range)    Yes

In addition to numbered standard and extended ACLs, you can also create standard and extended named IP ACLs by using the supported numbers. That is, the name of a standard IP ACL can be 1 to 99; the name of an extended IP ACL can be 100 to 199. The advantage of using named ACLs instead of numbered lists is that you can delete individual entries from a named list.
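The matching rules this module states in prose (first match wins, implicit deny when nothing matches, and the modified rules for non-initial fragments in "ACEs and Fragmented and Unfragmented Traffic") can be checked with a small model. The following is an added example written for this page, not Cisco code and not taken from the guide; it assumes only the ip/tcp/udp/icmp protocol keywords, only the eq port operator, Cisco wildcard-mask semantics (a 0 bit must match, a 1 bit is ignored), and a packet model in which a non-initial fragment simply carries no Layer 4 header. It parses access list 102 as configured in the text and reproduces the verdicts for packets A, B and C; it also generalizes to arbitrary wildcard masks beyond the any and host forms the text uses.

```python
# Added example, not Cisco code: a model of the IPv4 extended-ACL matching rules in this
# module (first match wins, implicit deny, wildcard masks, modified rules for fragments).
# Assumes only the ip/tcp/udp/icmp keywords, only the 'eq' port operator, and that a
# non-initial fragment simply carries no Layer 4 header.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"smtp": 25, "telnet": 23, "ftp": 21}  # well-known ports named on this page


@dataclass
class ACE:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: str
    src_wc: str                  # wildcard mask: 0 bit = must match, 1 bit = don't care
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # destination port tested with 'eq'; None = no L4 test

    def tests_layer4(self) -> bool:
        return self.dport is not None


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int]         # None on a non-initial fragment (L4 header absent)
    initial: bool = True         # False for a fragment that does not carry the L4 header


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """True if addr equals net on every bit the wildcard mask does not mask out."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ n) & ~w == 0


def _addr_spec(tok: List[str]):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from the front of tok."""
    t = tok.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tok.pop(0), "0.0.0.0"
    return t, tok.pop(0)


def parse_ace(text: str) -> ACE:
    """Parse the body of an 'access-list N ...' line, e.g. 'permit tcp any host 10.1.1.1 eq smtp'."""
    tok = text.split()
    action, proto = tok.pop(0), tok.pop(0)
    src, src_wc = _addr_spec(tok)
    dst, dst_wc = _addr_spec(tok)
    dport = None
    if tok and tok[0] == "eq":
        dport = PORT_NAMES[tok[1]] if tok[1] in PORT_NAMES else int(tok[1])
    return ACE(action, proto, src, src_wc, dst, dst_wc, dport)


def _layer3_match(ace: ACE, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and wildcard_match(pkt.src, ace.src, ace.src_wc)
            and wildcard_match(pkt.dst, ace.dst, ace.dst_wc))


def evaluate(acl: List[ACE], pkt: Packet) -> str:
    """First matching ACE decides; a packet that matches nothing is denied."""
    for ace in acl:
        if not _layer3_match(ace, pkt):
            continue
        if not ace.tests_layer4():
            return ace.action           # L3-only ACE applies to every fragment alike
        if pkt.initial:
            if pkt.dport == ace.dport:  # L4 header present: test the port normally
                return ace.action
            continue
        if ace.action == "permit":      # non-initial fragment and the ACE tests Layer 4:
            return "permit"             # a permit ACE matches on Layer 3 alone, but
        # a deny ACE never matches a fragment that lacks Layer 4 information
    return "deny"                       # implicit deny at the end of every ACL


def fragment_verdicts(acl: List[ACE], src: str, dst: str, proto: str, dport: int) -> List[str]:
    """Verdicts for the initial fragment (L4 header present) and a non-initial one."""
    first = Packet(src, dst, proto, dport, initial=True)
    rest = Packet(src, dst, proto, None, initial=False)
    return [evaluate(acl, first), evaluate(acl, rest)]


# Access list 102 exactly as configured in the text.
ACL_102 = [parse_ace(line) for line in (
    "permit tcp any host 10.1.1.1 eq smtp",
    "deny tcp any host 10.1.1.2 eq telnet",
    "permit tcp any host 10.1.1.2",
    "deny tcp any any",
)]

if __name__ == "__main__":
    for name, dst, port in (("A", "10.1.1.1", 25), ("B", "10.1.1.2", 23), ("C", "10.1.1.3", 21)):
        print("packet", name, fragment_verdicts(ACL_102, "10.2.2.2", dst, "tcp", port))
```

Running the model gives permit/permit for packet A, deny/permit for packet B, and deny/deny for packet C, which is the outcome the text walks through: the trailing fragments of B slip past the port-specific deny and are accepted by the L3-only permit for 10.1.1.2, while C is caught in full because the final deny tcp any any tests no Layer 4 information and so matches every fragment. The model also makes the ordering point concrete: swapping the second and third ACEs turns the initial fragment of packet B from deny into permit, and a UDP packet to 10.1.1.1 is denied by the implicit deny because no ACE in the list names UDP.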
