Configuring IP ACLs PDF

60 Pages·2016·1.85 MB·English
Configuring IP ACLs

This chapter describes how to configure IP access control lists (ACLs) on Cisco NX-OS devices. Unless otherwise specified, the term IP ACL refers to IPv4 and IPv6 ACLs.

Note: The Cisco NX-OS release that is running on a managed device may not support all documented features or settings. For the latest feature information and caveats, see the documentation and release notes for your platform and software release.

This chapter includes the following sections:

• Finding Feature Information, on page 1
• Information About ACLs, on page 2
• Prerequisites for IP ACLs, on page 16
• Guidelines and Limitations for IP ACLs, on page 17
• Default Settings for IP ACLs, on page 21
• Configuring IP ACLs, on page 22
• Configuring Scale ACL, on page 37
• Configuration Examples for Scale ACL, on page 38
• Verifying the IP ACL Configuration, on page 40
• Monitoring and Clearing IP ACL Statistics, on page 42
• Configuration Examples for IP ACLs, on page 42
• Configuring Object Groups, on page 43
• Verifying the Object-Group Configuration, on page 48
• Configuring Time Ranges, on page 49
• Verifying the Time-Range Configuration, on page 54
• Additional References for IP ACLs, on page 54
• Feature History for IP ACLs, on page 55

Finding Feature Information

Your software release might not support all the features documented in this module. For the latest caveats and feature information, see the Bug Search Tool at https://tools.cisco.com/bugsearch/ and the release notes for your software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "New and Changed Information" chapter or the Feature History table in this chapter.

Information About ACLs

An ACL is an ordered set of rules that you can use to filter traffic. Each rule specifies a set of conditions that a packet must satisfy to match the rule. When the device determines that an ACL applies to a packet, it tests the packet against the rules in order. The first matching rule determines whether the packet is permitted or denied. If no rule matches, the device applies the applicable implicit rule. The device continues processing packets that are permitted and drops packets that are denied.
You can use ACLs to protect networks and specific hosts from unnecessary or unwanted traffic. For example, you could use ACLs to disallow HTTP traffic from a high-security network to the Internet. You could also use ACLs to allow HTTP traffic but only to specific sites, using the IP address of the site to identify it in an IP ACL.

ACL Types and Applications

The device supports the following types of ACLs for security traffic filtering:

FCoE ACLs
  The device applies Fibre Channel over Ethernet (FCoE) ACLs only to Fibre Channel traffic. For more information on FCoE, see the Cisco NX-OS FCoE Configuration Guide for Cisco Nexus 7000 and Cisco MDS 9500.

IPv4 ACLs
  The device applies IPv4 ACLs only to IPv4 traffic.

IPv6 ACLs
  The device applies IPv6 ACLs only to IPv6 traffic.

MAC ACLs
  The device applies MAC ACLs only to non-IP traffic by default; however, you can configure Layer 2 interfaces to apply MAC ACLs to all traffic.

Security-group ACLs (SGACLs)
  The device applies SGACLs to traffic tagged by Cisco TrustSec.

IP and MAC ACLs have the following types of applications:

Port ACL
  Filters Layer 2 traffic

Router ACL
  Filters Layer 3 traffic

VLAN ACL
  Filters VLAN traffic

VTY ACL
  Filters virtual teletype (VTY) traffic

This table summarizes the applications for security ACLs.

Table 1: Security ACL Applications

Port ACL
  Supported interfaces: Layer 2 interfaces; Layer 2 Ethernet port-channel interfaces
  Types of ACLs supported: IPv4 ACLs, IPv6 ACLs, MAC ACLs
  When a port ACL is applied to a trunk port, the ACL filters traffic on all VLANs on the trunk port.

Router ACL
  Supported interfaces: VLAN interfaces; physical Layer 3 interfaces; Layer 3 Ethernet subinterfaces; Layer 3 Ethernet port-channel interfaces; Layer 3 Ethernet port-channel subinterfaces; tunnels; management interfaces
  Types of ACLs supported: IPv4 ACLs, IPv6 ACLs
  Note: MAC ACLs are supported on Layer 3 interfaces only if you enable MAC packet classification.
  Note: You must enable VLAN interfaces globally before you can configure a VLAN interface. For more information, see the Cisco Nexus 7000 Series NX-OS Interfaces Configuration Guide.

VLAN ACL
  Supported interfaces: VLANs
  Types of ACLs supported: IPv4 ACLs, IPv6 ACLs, MAC ACLs

VTY ACL
  Supported interfaces: VTYs
  Types of ACLs supported: IPv4 ACLs, IPv6 ACLs

Related Topics
  MAC Packet Classification
  Information About MAC ACLs
  Information About VLAN ACLs
  SGACLs and SGTs

Order of ACL Application

When the device processes a packet, it determines the forwarding path of the packet. The path determines which ACLs the device applies to the traffic. The device applies the ACLs in the following order:

1. Port ACL
2. Ingress VACL
3. Ingress router ACL
4. Ingress VTY ACL
5. SGACL
6. Egress VTY ACL
7. Egress router ACL
8. Egress VACL

If the packet is bridged within the ingress VLAN, the device does not apply router ACLs.

Figure 1: Order of ACL Application
The figure shows the order in which the device applies ACLs. (Figure not reproduced in this extract.)

Figure 2: ACLs and Packet Flow
The figure shows where the device applies ACLs, depending upon the type of ACL. The red path indicates a packet sent to a destination on a different interface than its source. The blue path indicates a packet that is bridged within its VLAN. (Figure not reproduced in this extract.)

The device applies only the applicable ACLs. For example, if the ingress port is a Layer 2 port and the traffic is on a VLAN that has a VLAN interface, a port ACL and a router ACL can both apply. In addition, if a VACL is applied to the VLAN, the device applies that ACL too.

Related Topics
  SGACLs and SGTs

About Rules

Rules are what you create, modify, and remove when you configure how an ACL filters network traffic. Rules appear in the running configuration. When you apply an ACL to an interface or change a rule within an ACL that is already applied to an interface, the supervisor module creates ACL entries from the rules in the running configuration and sends those ACL entries to the applicable I/O module. Depending upon how you configure the ACL, there may be more ACL entries than rules, especially if you implement policy-based ACLs by using object groups when you configure rules.
You can create rules in access-list configuration mode by using the permit or deny command. The device allows traffic that matches the criteria in a permit rule and blocks traffic that matches the criteria in a deny rule. You have many options for configuring the criteria that traffic must meet in order to match the rule.

This section describes some of the options that you can use when you configure a rule. For information about every option, see the applicable permit and deny commands in the Cisco Nexus 7000 Series NX-OS Security Command Reference.

Protocols for IP ACLs

IPv4, IPv6, and MAC ACLs allow you to identify traffic by protocol. For your convenience, you can specify some protocols by name. For example, in an IPv4 or IPv6 ACL, you can specify ICMP by name.

You can specify any protocol by number. In MAC ACLs, you can specify protocols by the EtherType number of the protocol, which is a hexadecimal number. For example, you can use 0x0800 to specify IP traffic in a MAC ACL rule.

In IPv4 and IPv6 ACLs, you can specify protocols by the integer that represents the Internet protocol number. For example, you can use 115 to specify Layer 2 Tunneling Protocol (L2TP) traffic.

For a list of the protocols that each type of ACL supports by name, see the applicable permit and deny commands in the Cisco Nexus 7000 Series NX-OS Security Command Reference.

Source and Destination

In each rule, you specify the source and the destination of the traffic that matches the rule. You can specify both the source and destination as a specific host, a network or group of hosts, or any host. How you specify the source and destination depends on whether you are configuring IPv4, IPv6, or MAC ACLs. For information about specifying the source and destination, see the applicable permit and deny commands in the Cisco Nexus 7000 Series NX-OS Security Command Reference.

Implicit Rules for IP and MAC ACLs

IP and MAC ACLs have implicit rules, which means that although these rules do not appear in the running configuration, the device applies them to traffic when no other rule in an ACL matches. When you configure the device to maintain per-rule statistics for an ACL, the device does not maintain statistics for implicit rules.
All IPv4 ACLs include the following implicit rule:

  deny ip any any

This implicit rule ensures that the device denies unmatched IP traffic.

All IPv6 ACLs include the following implicit rules:

  permit icmp any any nd-na
  permit icmp any any nd-ns
  permit icmp any any router-advertisement
  permit icmp any any router-solicitation
  deny ipv6 any any

Unless you configure an IPv6 ACL with a rule that denies ICMPv6 neighbor discovery messages, the first four rules ensure that the device permits neighbor discovery advertisement and solicitation messages. The fifth rule ensures that the device denies unmatched IPv6 traffic.

Note: The implicit rules are evaluated only after every configured rule has failed to match. If you explicitly configure an IPv6 ACL with a deny ipv6 any any rule, the implicit permit rules can therefore never permit traffic. If you explicitly configure a deny ipv6 any any rule but want to permit ICMPv6 neighbor discovery messages, explicitly configure a rule for each of the five implicit IPv6 ACL rules, with the four permit rules ahead of the deny.

All MAC ACLs include the following implicit rule:

  deny any any protocol

This implicit rule ensures that the device denies the unmatched traffic, regardless of the protocol specified in the Layer 2 header of the traffic.

Additional Filtering Options

You can identify traffic by using additional options. These options differ by ACL type. The following list includes most but not all additional filtering options:

• IPv4 ACLs support the following additional filtering options:
  • Layer 4 protocol
  • Authentication Header Protocol
  • Enhanced Interior Gateway Routing Protocol (EIGRP)
  • Encapsulating Security Payload
  • Generic Routing Encapsulation (GRE)
  • KA9Q NOS-compatible IP-over-IP tunneling
  • Open Shortest Path First (OSPF)
  • Payload Compression Protocol
  • Protocol-independent multicast (PIM)
  • TCP and UDP ports
  • ICMP types and codes
  • IGMP types
  • Precedence level
  • Differentiated Services Code Point (DSCP) value
  • TCP packets with the ACK, FIN, PSH, RST, SYN, or URG bit set
  • Established TCP connections
  • Packet length

• IPv6 ACLs support the following additional filtering options:
  • Layer 4 protocol
  • Authentication Header Protocol
  • Encapsulating Security Payload
  • Payload Compression Protocol
  • Stream Control Transmission Protocol (SCTP)
  • SCTP, TCP, and UDP ports
  • ICMP types and codes
  • IGMP types
  • Flow label
  • DSCP value
  • TCP packets with the ACK, FIN, PSH, RST, SYN, or URG bit set
  • Established TCP connections
  • Packet length

• MAC ACLs support the following additional filtering options:
  • Layer 3 protocol
  • VLAN ID
  • Class of Service (CoS)

For information about all filtering options available in rules, see the applicable permit and deny commands in the Cisco Nexus 7000 Series NX-OS Security Command Reference.

Sequence Numbers

The device supports sequence numbers for rules. Every rule that you enter receives a sequence number, either assigned by you or assigned automatically by the device. Sequence numbers simplify the following ACL tasks:

Adding new rules between existing rules
  By specifying the sequence number, you specify where in the ACL a new rule should be positioned. For example, if you need to insert a rule between rules numbered 100 and 110, you could assign a sequence number of 105 to the new rule.

Removing a rule
  Without using a sequence number, removing a rule requires that you enter the whole rule, as follows:

    switch(config-acl)# no permit tcp 10.0.0.0/8 any

  However, if the same rule had a sequence number of 101, removing the rule requires only the following command:

    switch(config-acl)# no 101

Moving a rule
  With sequence numbers, if you need to move a rule to a different position within an ACL, you can add a second instance of the rule using the sequence number that positions it correctly, and then you can remove the original instance of the rule. This action allows you to move the rule without disrupting traffic.

If you enter a rule without a sequence number, the device adds the rule to the end of the ACL and assigns it a sequence number that is 10 greater than the sequence number of the preceding rule. For example, if the last rule in an ACL has a sequence number of 225 and you add a rule without a sequence number, the device assigns the sequence number 235 to the new rule.

In addition, Cisco NX-OS allows you to reassign sequence numbers to the rules in an ACL. Resequencing is useful when an ACL has rules numbered contiguously, such as 100 and 101, and you need to insert one or more rules between those rules.
Logical Operators and Logical Operation Units

IP ACL rules for TCP and UDP traffic can use logical operators to filter traffic based on port numbers. The device stores operator-operand couples in registers called logical operator units (LOUs). Cisco Nexus 7000 Series devices support 104 LOUs.

The LOU usage for each type of operator is as follows:

  eq     Is never stored in an LOU
  gt     Uses 1/2 LOU
  lt     Uses 1/2 LOU
  neq    Uses 1/2 LOU
  range  Uses 1 LOU

The following guidelines determine when the device stores operator-operand couples in LOUs:

• If the operator or operand differs from the operator-operand couples used in other rules, the couple is stored in an LOU.
  For example, the operator-operand couples "gt 10" and "gt 11" would be stored separately in half an LOU each. The couples "gt 10" and "lt 10" would also be stored separately.

• Whether the operator-operand couple is applied to a source port or a destination port in the rule affects LOU usage. Identical couples are stored separately when one of the identical couples is applied to a source port and the other couple is applied to a destination port.
  For example, if a rule applies the operator-operand couple "gt 10" to a source port and another rule applies a "gt 10" couple to a destination port, each couple would be stored in half an LOU, resulting in the use of one whole LOU. Any additional rules using a "gt 10" couple on either port would not result in further LOU usage.

Logging

You can enable the device to create an informational log message for packets that match a rule. The log message contains the following information about the packet:

• Protocol
• Whether the packet is a TCP, UDP, or ICMP packet, or only a packet of a numbered protocol
• Source and destination address
• Source and destination port numbers, if applicable

Access Lists with Fragment Control

Non-initial fragments carry only Layer 3 information (the Layer 4 header is present only in the initial fragment). Access-list entries that contain only Layer 3 information can therefore be applied to non-initial fragments as well: the fragment carries everything the system needs to evaluate such an entry, so the entry is applied to every fragment of a packet.

This feature adds the optional fragments keyword to the following IP access list commands: deny (IPv4), permit (IPv4), deny (IPv6), permit (IPv6). By specifying the fragments keyword in an access-list entry, you make that particular access-list entry apply only to non-initial fragments of packets; a matching fragment is either permitted or denied accordingly.

The behavior of access-list entries regarding the presence or absence of the fragments keyword can be summarized as follows:

If the access-list entry has no fragments keyword and all of the access-list entry information matches, then:

  For an access-list entry containing only Layer 3 information:
  • The entry is applied to non-fragmented packets, initial fragments, and non-initial fragments.

  For an access-list entry containing Layer 3 and Layer 4 information:
  • The entry is applied to non-fragmented packets and initial fragments.
    • If the entry matches and is a permit statement, the packet or fragment is permitted.
    • If the entry matches and is a deny statement, the packet or fragment is denied.
  • The entry is also applied to non-initial fragments in the following manner. Because non-initial fragments contain only Layer 3 information, only the Layer 3 portion of the access-list entry can be applied. If the Layer 3 portion of the access-list entry matches, then:
    • If the entry is a permit statement, the non-initial fragment is permitted.
    • If the entry is a deny statement, the next access-list entry is processed.
    Note: Deny statements are handled differently for non-initial fragments than for non-fragmented packets or initial fragments: a deny that carries Layer 4 information never denies a non-initial fragment.

If the access-list entry has the fragments keyword and all of the access-list entry information matches, then:

  • The access-list entry is applied only to non-initial fragments.
  Note: The fragments keyword cannot be configured for an access-list entry that contains any Layer 4 information.

You should not add the fragments keyword to every access-list entry, because the first fragment of the IP packet is considered a non-fragment and is treated independently of the subsequent fragments. Because an initial fragment will not match an access list permit or deny entry that contains the fragments keyword, the packet is compared to the next access list entry until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword, and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent
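The fragment-handling table above, together with the implicit deny ip any any and the LOU accounting from the earlier sections, modeled as an added example. This is not Cisco code; it is a small evaluator written for this page. The rule grammar is a hand-written subset of the NX-OS permit/deny syntax (<seq> <permit|deny> <proto> <src> [port op] <dst> [port op] [fragments]), IPv4 only, with no ICMP types, TCP flags, object groups or IPv6 neighbor-discovery rules. Treating port operators as the only Layer 4 information is an assumption of the model, and the sample ACL, addresses and packets are constructed.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

LOU_COST = {"gt": 0.5, "lt": 0.5, "neq": 0.5, "range": 1.0}  # eq is never stored in an LOU

@dataclass
class Rule:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every IP protocol; otherwise "tcp", "udp", ...
    src: ipaddress.IPv4Network
    sport: tuple | None          # ("eq", 80), ("range", 8000, 8010), ... or None
    dst: ipaddress.IPv4Network
    dport: tuple | None
    fragments: bool = False

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int | None = None
    dport: int | None = None
    fragment: str = "none"       # "none", "initial" or "noninitial"

def _addr(tok, i):
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tok[i], strict=False), i + 1

def _port(tok, i):
    if i < len(tok) and (tok[i] == "eq" or tok[i] in LOU_COST):
        n = 2 if tok[i] == "range" else 1
        return (tok[i], *map(int, tok[i + 1:i + 1 + n])), i + 1 + n
    return None, i

def parse_rule(text: str) -> Rule:
    tok = text.split()
    src, i = _addr(tok, 3)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _port(tok, i)
    frag = i < len(tok) and tok[i] == "fragments"
    if frag and (sport or dport):  # the device rejects this combination
        raise ValueError("fragments cannot be combined with Layer 4 information")
    return Rule(int(tok[0]), tok[1], tok[2], src, sport, dst, dport, frag)

def parse_acl(text: str) -> list[Rule]:
    return sorted((parse_rule(l) for l in text.splitlines() if l.strip()), key=lambda r: r.seq)

def _port_ok(op, port):
    if op is None:
        return True
    name, lo, *hi = op
    if name == "range":
        return lo <= port <= hi[0]
    return {"eq": port == lo, "gt": port > lo, "lt": port < lo, "neq": port != lo}[name]

def evaluate(rules: list[Rule], pkt: Packet):
    """First match wins. Returns (action, seq); seq None = the implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    noninitial = pkt.fragment == "noninitial"
    for r in rules:
        if not (s in r.src and d in r.dst and r.proto in ("ip", pkt.proto)):
            continue                          # Layer 3 portion does not match
        if r.fragments:                       # entry applies only to non-initial fragments
            if noninitial:
                return r.action, r.seq
            continue
        if r.sport is None and r.dport is None:   # L3-only entry: applies to every packet kind
            return r.action, r.seq            # (assumption: ports are the only L4 info modeled)
        if noninitial:                        # only the L3 portion can be checked ...
            if r.action == "permit":
                return r.action, r.seq
            continue                          # ... and a deny falls through to the next entry
        if _port_ok(r.sport, pkt.sport) and _port_ok(r.dport, pkt.dport):
            return r.action, r.seq
    return "deny", None

def lou_usage(rules: list[Rule]) -> float:
    # Each distinct (side, operator, operand) couple is stored once; eq is free.
    couples = {(side, op) for r in rules for side, op in (("src", r.sport), ("dst", r.dport))
               if op is not None and op[0] != "eq"}
    return sum(LOU_COST[op[0]] for _, op in couples)

# Constructed sample ACL (RFC 5737 addresses). Rule 10 carries Layer 4 information, so a
# non-initial fragment to 192.0.2.10 slides past it and is permitted by rule 30.
WEB_ACL = """
10 deny tcp any host 192.0.2.10 eq 80
20 permit tcp 10.0.0.0/8 gt 1023 host 192.0.2.10 gt 1023
30 permit tcp any gt 1023 any range 8000 8010
40 permit ip any any
"""
# The paired 'fragments' deny, inserted between 10 and 20 by giving it sequence number 15.
HARDENED_ACL = WEB_ACL.replace("20 permit", "15 deny ip any host 192.0.2.10 fragments\n20 permit")

if __name__ == "__main__":
    frag = Packet("tcp", "198.51.100.5", "192.0.2.10", fragment="noninitial")
    print(evaluate(parse_acl(WEB_ACL), frag), evaluate(parse_acl(HARDENED_ACL), frag))
```

Run as written, the non-initial fragment is permitted by rule 30 of WEB_ACL even though rule 10 "denies" port 80 on that host, and is denied by rule 15 once the fragments entry is paired with it; an initial fragment or whole packet to port 80 is still caught by rule 10 in both ACLs, and a UDP packet against an ACL with only a TCP permit falls to the implicit deny. lou_usage reports 2.0 for either ACL: eq 80 costs nothing, the source and destination "gt 1023" couples are stored separately at half an LOU each, rule 30 reuses the source couple, and its range costs a whole LOU. Note that rule 15 sits before rule 20, so it also drops non-initial fragments of sessions that rule 20 would permit; if fragments of permitted flows must pass, place the fragments deny after those permits, which sequence numbers let you do without re-entering the ACL.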

Description:
Troubleshooting Flexible ACL TCAM Bank Chaining, page 58. • Additional References for IP ACLs, page 59. • Feature History for IP ACLs, page 60.