Feedback
Table Of Contents
Configuring Security Access Control Lists
Configuring Comments in an Extended ACL
Applying an ACL to an Interface
Applying an ACL Globally to All Interfaces in a Context
IP Addresses for ACLs with NAT
Displaying ACL Configuration Information and Statistics
Displaying ACL Configuration Information
Configuring Security Access Control Lists
This chapter describes how to configure security access control lists (ACLs) on the Cisco 4700 Series Application Control Engine (ACE) appliance. ACLs provide basic security for your network by filtering traffic and controlling network connections. This chapter contains the following major sections:
•
ACL Configuration Quick Start
•
ACL Overview
An ACL consists of a series of statements called ACL entries that define the network traffic profile. Each entry permits or denies network traffic (inbound and outbound) to the parts of your network specified in the entry. Each entry also contains a filter element that is based on criteria such as the source address, the destination address, the protocol, protocol-specific parameters, and so on. An implicit deny-all entry exists at the end of each ACL, so you must configure an ACL on each interface that you want to permit connections. Otherwise, the ACE denies all traffic on the interface.
ACLs allow you to control network connection setups rather than processing each packet. Such ACLs are commonly referred to as security ACLs.
You can configure ACLs as parts of other features (for example, security, Network Address Translation (NAT), server load balancing (SLB), and so on). The ACE merges these individual ACLs into one large ACL called a merged ACL. The ACL compiler then parses the merged ACL and generates the ACL lookup mechanisms. A match on this merged ACL can result in multiple actions.
When you use ACLs, you may want to permit all e-mail traffic on a circuit but block Telnet traffic. You can also use ACLs to allow one client to access a part of the network and prevent another client from accessing that same area.
When configuring ACLs, you must apply an ACL to an interface to control traffic on that interface. Applying an ACL on an interface assigns the ACL and its entries to that interface.
You can apply only one extended ACL to each direction (inbound or outbound) of an interface. You can also apply the same ACL on multiple interfaces.You can apply EtherType ACLs only in the inbound direction and only on Layer 2 interfaces.
ACL Types and Uses
You can configure the following two types of ACLs on the ACE:
•
•
Note
ACL Guidelines
This section describes the guidelines to observe when you configure and use ACLs in your network. This section contains the following topics:
•
ACL Entry Order
An ACL consists of one or more entries. Depending on the ACL type, you can specify the source and destination addresses, the protocol, the ports (for TCP or UDP), the ICMP type, the ICMP code, or the EtherType as the match criteria. By default, the ACE appends each ACL entry at the end of the ACL. You can also specify the location of each entry within an ACL.
The order of the entries is important. When the ACE decides whether to accept or refuse a connection, the ACE tests the packet against each ACL entry in the order in which the entries are listed. After it finds a match, the ACE does not check any more entries. For example, if you create an entry at the beginning of an ACL that explicitly permits all traffic, the ACE does not check any other statements in the ACL.
ACL Implicit Deny
All ACLs have an implicit deny entry at the end of the ACL, so, unless you explicitly permit it, traffic cannot pass. For example, if you want to allow all users to access a network through the ACE except for those users with particular IP addresses, then you must deny the particular IP addresses in one entry and permit all other IP addresses in another entry.
Maximum Number of ACL Entries
The ACE supports a maximum of 64,000 entries. Some ACLs use more memory than others, such as an ACL that uses large port number ranges or overlapping networks (for example, one entry specifies 10.0.0.0/8 and another entry specifies 10.1.1.0/24). Depending on the type of ACL, the actual limit that the ACE can support may be less than 64,000 entries.
If you exceed the memory limitations of the ACE, the appliance generates a syslog message and increments the Download Failures counter in the output of the show interface vlan number command. The configuration remains in the running-config file and the interface stays enabled. The ACL entries stay the same as they were before the failing configuration was attempted.
For example, if you add a new ACL with ten entries, but the addition of the sixth entry fails because the ACE runs out of memory, the ACE removes the five entries that you successfully entered.
ACL Configuration Quick Start
Table 1-1 provides a quick overview of the steps required to configure ACLs. Each step includes the CLI command or a reference to the procedure required to complete the task. For a complete description of each feature and all the options associated with the CLI commands, see the sections following Table 1-1.
Configuring ACLs
This section contains the following topics:
•
•
•
•
Configuring an Extended ACL
An extended ACL allows you to specify both the source and the destination IP addresses of traffic as well as the following parameters:
•
•
You can specify these parameters directly when you use the access-list command.
For TCP, UDP, and ICMP connections, you do not need to apply an ACL on the destination interface to allow returning traffic, because the ACE allows all returning traffic for established connections.
Note
Tip
To create an extended ACL, use the access-list extended command in configuration mode. There are three major types of extended ACLs:
•
•
•
You can permit or deny network connections based on IP protocol and source and destination IP addresses. To configure an IP extended ACL, use the following syntax:
access-list name [line number] extended {deny | permit} {protocol} {src_ip_address netmask | any | host src_ip_address} {dest_ip_address netmask | any | host dest_ip_address}
In addition to the protocol and IP addresses, you can permit or deny network connections based on TCP or UDP source or destination ports. To configure a TCP or a UDP extended ACL, use the following syntax:
access-list name [line number] extended {deny | permit} {tcp | udp}} {src_ip_address netmask | any | host src_ip_address} [operator port1 [port2]] {dest_ip_address netmask | any | host dest_ip_address} [operator port3 [port4]]
You can permit or deny network connections based on the ICMP type (for example, echo, echo-reply, unreachable, and so on). To configure an ICMP extended ACL, use the following syntax:
access-list name [line number] extended {deny | permit} icmp {src_ip_address netmask | any | host src_ip_address | {any | host dest_ip_address | dest_ip_address netmask} [icmp_type [code operator code1 [code2]]]
The keywords and arguments are as follows:
•
•
•
•
•
•
•
•
•
•
–
–
–
–
–
•
•
•
•
•
–
–
–
–
–
•
•
•
•
–
–
–
–
–
•
For example, to configure a TCP extended ACL, enter:
host1/Admin(config)# access-list INBOUND line 10 extended permit tcp 192.168.12.0 255.255.255.0 gt 1024 172.27.16.0 255.255.255.0 lt 4000For example, to remove an entry from an extended ACL, enter:
host1/Admin(config)# no access-list INBOUND line 10To control ping, specify echo (8) (host to ACE).
For example, to allow an external host with IP address 192.168.12.5 to ping a host behind the ACE with an IP address of 10.0.0.5, enter:
host1/Admin(config)# access-list INBOUND permit icmp host 192.168.12.5 host 10.0.0.5 echoFor example, to remove an entry from an ICMP ACL, enter:
host1/Admin(config)# no access-list INBOUND permit icmp host 192.168.12.5 echoConfiguring Comments in an Extended ACL
You can add comments about an extended ACL to clarify the function of the ACL. To add a comment to an ACL, use the access-list name remark command in configuration mode. You can enter only one comment per ACL and the comment always appears at the beginning of the ACL. The syntax of this command is as follows:
access-list name remark text
•
•
For example, enter:
host1/Admin(config)# access-list INBOUND remark This is a remarkFor example, to remove entry comments from an ACL, enter:
host1/Admin(config)# no access-list INBOUND line 200 remarkIf you delete an ACL using the no access-list name command, then all the remarks are also removed.
Configuring an EtherType ACL
You can configure an ACL that controls traffic based on its EtherType. An EtherType is a subprotocol identifier. EtherType ACLs support Ethernet V2 frames. EtherType ACLs do not support 802.3-formatted frames because they use a length field instead of a type field. The only exception is a bridge protocol data unit (BPDU), which is SNAP encapsulated. The ACE can specifically handle BPDUs.
You can permit or deny BPDUs. By default, all BPDUs are denied. The ACE receives trunk port (Cisco proprietary) BPDUs because ACE ports are trunk ports. Trunk BPDUs have VLAN information inside the payload, so the ACE modifies the payload with the outgoing VLAN if you allow BPDUs. If you configure redundancy, you must allow BPDUs on both interfaces with an EtherType ACL to avoid bridging loops. For details about configuring redundancy, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.
If you allow MPLS, ensure that Label Distribution Protocol (LDP) and Tag Distribution Protocol (TDP) TCP connections are established through the ACE by configuring both MPLS routers connected to the ACE to use the IP address on the ACE interface as the router-id for LDP or TDP sessions. LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets.
Note
On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP. The interface is the interface connected to the ACE:
host1/Admin(config)# mpls ldp router-id interface forceor
host1/Admin(config)# tag-switching tdp router-id interface force
Tip
To configure an EtherType ACL, use the access-list ethertype command in configuration mode. The syntax of this command is as follows:
access-list name ethertype {deny | permit} {any | bpdu | ipv6 | mpls}
The keywords and arguments are as follows:
•
•
–
–
–
–
–
–
Note
For example, to configure an EtherType ACL for MPLS, enter:
host1/Admin(config)# access-list INBOUND ethertype permit mplsTo remove an entry from an EtherType ACL, enter:
host1/Admin(config)# no access-list INBOUND ethertype permit mplsResequencing Entries
You can resequence the entries in an ACL with a specific starting number and interval by using the access-list name resequence command in configuration mode. The syntax of this command is as follows:
access-list name resequence [number1] [number2]
•
•
•
•
For example, enter:
host1/Admin(config)# access-list INBOUND resequence 5 15Applying an ACL to an Interface
Before you can start using a configured ACL, you must apply it to one or more interfaces.
To apply an ACL to the inbound or outbound direction of an interface and make the ACL active, use the access-group command in interface configuration mode. You can apply one ACL of each type (extended and EtherType) to both directions of the interface. See the "Inbound and Outbound ACLs" section for more information about ACL directions.
Note
For connectionless protocols, you must apply the ACL to the source and destination interfaces if you want traffic to pass in both directions. For example, you can allow BGP in an ACL in transparent mode, and you must apply the ACL to both interfaces.
The syntax of this command is as follows:
access-group {input | output} acl_name
The keywords and arguments are as follows:
•
•
For example, enter:
host1/Admin(config)# interface vlan 100host1/Admin(config-if)# access-group input INBOUNDTo remove an ACL from an interface, enter:
host1/Admin(config-if)# no access-group input INBOUNDApplying an ACL Globally to All Interfaces in a Context
You can apply an ACL to all interfaces in a context at once, subject to the following conditions:
•
•
•
•
•
To apply an ACL globally to all interfaces in a context in the inbound direction, use the access-group command in configuration mode. The syntax of this command is as follows:
access-group input acl_name
For the acl_name argument, enter the identifier of an existing ACL as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
You can use this command to allow all traffic on all interfaces in a context by applying an ACL similar to the following example:
host1/Admin(config)# access-list ALL_ACCESS permit ip any anyThen, apply the ACL globally by entering:
host1/Admin(config)# access-group input ALL_ACCESSTo remove the ACL from all interfaces in the context, enter:
host1/Admin(config)# no access-group input ALL_ACCESSFiltering Traffic with an ACL
You can use an ACL to filter interesting traffic and instruct the ACE to either permit or deny the traffic based on the action in the ACL. To filter traffic using an ACL, use the match access-list command in a Layer 3 and Layer 4 class map.
When a packet matches an entry in an ACL, and if it is a permit entry, the ACE allows the matching result. If it is a deny entry, the ACE blocks the matching result. For details about configuring a Layer 3 and Layer 4 class map and policy map, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.
ACL Configuration Examples
This section provides the following examples of the different types of ACLs available in the ACE:
Examples of Extended ACLs
This section provides examples of extended ACLs. Use extended ACLs when you want to specify both the source IP address and the destination IP address (IP), ports (TCP or UDP), and ICMP types. For details about configuring extended ACLs, see the "Configuring an Extended ACL" section.
The following ACL allows all hosts (on the interface to which you apply the ACL) to go through the ACE:
host1/Admin(config)# access-list ACL_IN extended permit ip any anyThe following ACL prevents hosts on 192.168.1.0/24 from accessing the 209.165.201.0/27 network. All other addresses are permitted.
host1/Admin(config)# access-list ACL_IN extended deny tcp 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224host1/Admin(config)# access-list ACL_IN extended permit ip any anyIf you want to restrict access to only some hosts, then enter a limited permit entry. By default, all other traffic is denied unless explicitly permitted.
host1/Admin(config)# access-list ACL_IN extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224For a list of permitted keywords and well-known port assignments, see Table 1-3. DNS, Discard, Echo, Ident, NTP, RPC, SUNRPC, and Talk each require one definition for TCP and one for UDP. TACACS+ requires one definition for port 49 on TCP.
The following ACL example restricts all hosts (on the interface to which you apply the ACL) from accessing a website at address 209.165.201.29. All other traffic is allowed.
host1/Admin(config)# access-list ACL_IN extended deny tcp any host 209.165.201.29 eq wwwhost1/Admin(config)# access-list ACL_IN extended permit ip any anyThe following ACLs allow all inside hosts to communicate with the outside network but only specific outside hosts to access the inside network:
host1/Admin(config)# access-list OUT extended permit ip any anyhost1/Admin(config)# access-list IN extended permit ip host 209.168.200.3 anyhost1/Admin(config)# access-list IN extended permit ip host 209.168.200.4 anyThe following examples show how to configure ICMP ACLs. For details about configuring ICMP ACLs, see the "Configuring an Extended ACL" section.
host1/Admin(config)# access-list INBOUND extended permit icmp any any echohost1/Admin(config)# access-list INBOUND extended permit icmp host 10.0.0.1 host 20.0.0.1 unreachable code range 0 3Inbound and Outbound ACLs
Traffic that flows across an interface in the ACE can be controlled in two ways:
•
•
To allow any traffic to enter the ACE, you must attach an inbound permit ACL to an interface; otherwise, the ACE automatically refuses all traffic that enters that interface. By default, traffic can exit the ACE on any interface unless you restrict it by using an outbound ACL, which adds restrictions to those ACLs already configured in the inbound ACL.
Note
You may choose to use an outbound ACL to simplify your ACL configuration. For example, if you want to allow three inside networks on three different interfaces to access each other, you can create a simple inbound ACL on each interface that allows all traffic on each inside interface (see Figure 1-1).
Figure 1-1 Inbound ACLs
The following commands create three inbound ACLs that allow all traffic on each inside interface.
host1/Admin(config)# access-list INSIDE extended permit ip any anyhost1/Admin(config)# interface vlan 100host1/Admin(config-if)# access-group input INSIDEhost1/Admin(config)# access-list HR extended permit ip any anyhost1/Admin(config)# interface vlan 100host1/Admin(config-if)# access-group input HRhost1/Admin(config)# access-list ENG extended permit ip any anyhost1/Admin(config)# interface vlan 100host1/Admin(config-if)# access-group input ENGIf you choose to allow only certain hosts on the inside networks to access a web server on the outside network, you can create a more restrictive ACL that allows only the specified hosts and apply it to the outbound direction of the outside interface (see Figure 1-2). For information about NAT and IP addresses, see the "IP Addresses for ACLs with NAT" section. The outbound ACL prevents any other hosts from reaching the outside network.
The following commands create an ACL that allows only specified hosts and apply it to the outbound direction of the outside interface.
host1/Admin(config)# access-list OUTSIDE extended permit tcp host 209.165.201.4 host 209.165.200.225 eq wwwhost1/Admin(config)# access-list OUTSIDE extended permit tcp host 209.165.201.6 host 209.165.200.225 eq wwwhost1/Admin(config)# access-list OUTSIDE extended permit tcp host 209.165.201.8 host 209.165.200.225 eq wwwhost1/Admin(config)# interface vlan 100host1/Admin(config-if)# access-group input OUTSIDEFigure 1-2 Outbound ACL
IP Addresses for ACLs with NAT
When you use NAT, the IP addresses that you specify for an ACL depend on the interface to which the ACL is attached. You must use addresses that are valid on the network that is connected to the interface. This guideline applies for both inbound and outbound ACLs: the ACL direction does not determine the address used, only the interface to which the ACL is attached determines the address used.
For example, suppose that you want to apply an ACL to the inbound direction of the interface. You configure the ACE to perform NAT on the inside source addresses when they access outside addresses. Because the ACL is applied to the inside interface, the source addresses are the original untranslated addresses. Because the outside addresses are not translated, the destination address used in the ACL is the real address (see Figure 1-3).
Figure 1-3 IP Addresses in ACLs: NAT Used for Source Addresses
The following commands create an ACL that allows inside source network 10.1.1.0/24 to access the outside destination host 209.165.200.225 and apply the ACL to VLAN interface 100.
host1/Admin(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 209.165.200.225host1/Admin(config)# interface vlan 100host1/Admin(config-if)# access-group input INSIDEIf you want to allow an outside host to access an inside host, you can apply an inbound ACL to the outside interface. You must specify the translated address of the inside host in the ACL because that address is the address that can be used on the outside network (see Figure 1-4).
Figure 1-4 IP Addresses in ACLs: NAT used for Destination Addresses
The following commands create an ACL that allows outside host 209.165.200.225 to access inside host 209.165.201.5 (the translated address of the host 10.1.1.34). The last command applies the ACL to VLAN interface 100.
host1/Admin(config)# access-list OUTSIDE extended permit ip host 209.165.200.225 host 209.165.201.5host1/Admin(config)# interface vlan 100host1/Admin(config-if)# access-group input OUTSIDEIf you perform NAT on both interfaces, you must verify the addresses that are visible on each interface when you create and apply ACLs. In Figure 1-5, an outside server uses static NAT so that a translated address appears on the inside network.
Figure 1-5 IP Addresses in ACLs: NAT used for Source and Destination Addresses
The following commands create an ACL that allows inside source network 10.1.1.0/24 to access the outside destination host 10.1.1.56 (the translated address of the host 209.165.200.225). The last command applies the ACL to VLAN interface 100.
host1/Admin(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 10.1.1.56host1/Admin(config)# interface vlan 100host1/Admin(config-if)# access-group input INSIDEFor an example of IP addresses used in outbound ACLs, see Figure 1-2.
Examples of EtherType ACLs
This section provides examples of EtherType ACLs. For details about configuring an EtherType ACL, see the "Configuring an EtherType ACL" section.
For example, the following sample ACL allows common EtherTypes to originate on the inside interface:
host1/Admin(config)# access-list ETHER ethertype permit ipv6host1/Admin(config)# access-list ETHER ethertype permit bpduhost1/Admin(config)# access-list ETHER ethertype permit mplshost1/Admin(config)# interface vlan 100host1/Admin(config-if)# access-group output ethertype ETHERThe following ACL allows some EtherTypes through the ACE but denies IPv6:
host1/Admin(config)# access-list ETHER ethertype deny ipv6host1/Admin(config)# access-list ETHER ethertype permit bpduhost1/Admin(config)# access-list ETHER ethertype permit mplshost1/Admin(config)# interface vlan 100host1/Admin(config-if)# access-group input ethertype ETHERThe following ACL denies traffic with EtherType BPDU but allows all others on both interfaces:
host1/Admin(config)# access-list nonIP ethertype deny bpduhost1/Admin(config)# access-list nonIP ethertype permit anyhost1/Admin(config)# interface vlan 100host1/Admin(config-if)# access-group input ethertype nonIPDisplaying ACL Configuration Information and Statistics
This section describes the show commands you can use to display ACL configurations and statistics. It contains the following topics:
•
Displaying ACL Configuration Information
You can display all ACL configuration information, including the interfaces on which you applied the ACLs by using the show running-config command. The syntax of this command is as follows:
show running-config
To display only the ACLs and their entries, use the show running-config access-list command in Exec mode. The syntax of this command is as follows:
show running-config access-list
Displaying ACL Statistics
You can display ACL statistics for a particular ACL by using the show access-list command. The syntax of this command is as follows:
show access-list name
For the name argument, enter the name of an existing ACL as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Table 1-6 describes the fields in the show access-list command output.
Clearing ACL Statistics
You can clear ACL statistics (hit counts for ACL entries) by using the clear access-list command in Exec mode. The syntax of this command is as follows:
clear access-list name
The name argument is an existing ACL. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
For example, enter:
host1/Admin# clear access-list acl1
Note
