Table Of Contents
Configuring Access Lists and Filtering GSS Traffic
Filtering GSS Traffic Using Access Lists
Access List Overview
Creating an Access List
Associating an Access List with a GSS Interface
Disassociating an Access List from a GSS Interface
Adding Rules to an Access List
Removing Rules from an Access List
Segmenting GSS Traffic by Ethernet Interface
Displaying Access Lists
Deploying GSS Devices Behind Firewalls
GSS Firewall Deployment Overview
Configuring GSS Devices Behind a Firewall
Configuring Access Lists and Filtering GSS Traffic
You can filter incoming traffic received by the GSS through the use of access lists. You create access lists at the CLI of each GSS device. This chapter describes how to create access lists and access groups to filter GSS traffic.
It contains the following major sections:
• Filtering GSS Traffic Using Access Lists
• Deploying GSS Devices Behind Firewalls
Filtering GSS Traffic Using Access Lists
This section includes the following procedures:
• Access List Overview
• Creating an Access List
• Associating an Access List with a GSS Interface
• Disassociating an Access List from a GSS Interface
• Adding Rules to an Access List
• Removing Rules from an Access List
• Segmenting GSS Traffic by Ethernet Interface
• Displaying Access Lists
Access List Overview
The packet filtering tools on the GSS instruct each device to permit or refuse specific packets based on a combination of criteria that includes:
• Destination port of the packets
• Requesting host
• Protocol used (TCP, UDP, or ICMP)
You create packet-filtering tools, called access lists, from the GSS CLI. Access lists are essentially collections of filtering rules that you create using the access-list CLI command. Each access list is a sequential collection of permit and deny conditions that apply to a source network IP address to control whether the GSS forwards or blocks routed packets. The GSS examines each packet to determine whether to forward or drop the packet based on the criteria specified within the access lists.
You can create any number of access lists on each GSS device. After creating an access list, you can append or remove rules from the list at any time. Apply access lists to one or both of the GSS Ethernet interfaces using the access-group command.
The GSS appends each additional criteria statement to the end of the access list statements. Be aware that you cannot delete individual statements after creating them. You can only delete an entire access list.
The order of access list statements is very important. When the GSS decides whether to forward or block a packet, it tests the packet against each criteria statement in the order the statements were created. After a match is found, the GSS does not check any additional criteria statements.
If you create a criteria statement that explicitly permits all traffic, the GSS does not check any additional statements added after the explicit permit statement and permits all traffic. If you need additional statements, delete the access list and retype it with the new entries.
To ensure your GSS functions properly with access lists, identify the ports and protocols normally used by each GSS device. Table 5-1 illustrates the types of expected inbound traffic received by the GSS.
Table 5-1 GSS-Related Ports and Protocols for Inbound Traffic
Source Port (Remote Device) | Destination Port (GSS) | Protocol | Details
1 | 20-23 | TCP | FTP, SSH, and Telnet server services on the GSS
20-23 | * | TCP | Return traffic of FTP and Telnet GSS CLI commands
* | 53 | UDP, TCP | GSS DNS server traffic
53 | * | UDP | GSS software reverse lookup and "dnslookup" queries
123 | 123 | UDP | Network Time Protocol (NTP) updates
* | 161 | UDP | Simple Network Management Protocol (SNMP) traffic
* | 443 | TCP | Primary GSSM GUI
1304 | 1304 | UDP | CRA keepalives
* | 2000 | UDP | Inter-GSS periodic status reporting
* | 2001-2005 | TCP | Inter-GSS communication
2001-2005 | * | TCP | Inter-GSS communication
* | 3002-3008 | TCP | Inter-GSS communication
3002-3008 | * | TCP | Inter-GSS communication
3340 | * | TCP | Sticky and Config Agent communication
3341 | * | TCP | Sticky communication source
3342 | * | TCP | Sticky and DNS processes communication
5002 | * | UDP | KAL-AP keepalives
1974 | 1974 | UDP | DRP protocol traffic
* | 5001 | TCP | Global sticky mesh protocol traffic
5001 | * | TCP | Global sticky mesh protocol traffic
Creating an Access List
Use the access-list command in global configuration mode to create an access list. You must have access to the CLI of each GSS device to create access lists for that device.
The syntax for the access-list command is:
access-list name {permit | deny} protocol [source-address source-netmask | host source-address | any] operator port [port] [destination-port operator port [port]]
The options and variables are:
• name—Specifies an alphanumeric name used to identify the access list you are creating.
• permit—Allows a connection when a packet matches the condition. All provisions of the condition must be met to make a match.
• deny—Prevents a connection when a packet matches the condition. All provisions of the condition must be met to make a match.
• protocol—Identifies the protocol for the traffic type. Recognized IP protocols include: tcp (Transmission Control Protocol), udp (User Datagram Protocol), and icmp (Internet Control Message Protocol).
• source-address—Specifies the network IP address from which the packet originated. The GSS software uses the source-address and source-netmask arguments to match the incoming packet to a source network.
• source-netmask—Specifies the subnet mask for the network from which the packet originated. The software uses the source-address and source-netmask arguments to match the incoming packet to a source network.
• host—Identifies the host machine that is the source of the packet.
• source-address—Specifies the IP address of the device that is the source of the packet.
• any—Identifies the wildcard value for the packet source. With any used in place of the source-address, source-netmask, or host source-address values, the GSS matches packets from all incoming sources.
• operator—Compares the port value within the packet. The operator can be one of the following values: eq (equal), neq (not equal), range (port range).
• port—Specifies the source or destination port of the packet.
• destination-port—Compares the destination port of the packet with the access condition.
For example, to configure an access list named alist1 containing a rule that allows any traffic using the TCP protocol on port 443 on the GSS device, enter the following:
gss1.example.com(config)# access-list alist1 permit tcp any destination-port eq 443
Use the access-list command for each access list that you intend to add to this GSS device. See the "Adding Rules to an Access List" section for instructions on adding more rules to an access list that already exists.
Included below is an example of a completed access list.
gss1.example.com(config)#show access-list
access-list acl_1 permit tcp any destination-port range 20 23
access-list acl_1 permit tcp any eq 20
access-list acl_1 permit tcp any eq 21
access-list acl_1 permit tcp any eq 23
access-list acl_1 permit tcp any destination-port eq 53
access-list acl_1 permit udp any destination-port eq 53
access-list acl_1 permit udp any eq 53
access-list acl_1 permit udp any eq 123 destination-port eq 123
access-list acl_1 permit udp any destination-port eq 161
access-list acl_1 permit tcp any destination-port eq 443
access-list acl_1 permit udp any eq 1304 destination-port eq 1304
access-list acl_1 permit udp any destination-port eq 2000
access-list acl_1 permit tcp any destination-port range 2001 2005
access-list acl_1 permit tcp any range 2001 2005
access-list acl_1 permit tcp any destination-port range 3002 3008
access-list acl_1 permit tcp any range 3002 3008
access-list acl_1 permit udp any destination-port eq 5002
access-list acl_1 permit udp any eq 1974 destination-port eq 1974
access-list acl_1 permit tcp any destination-port eq 5001
access-list acl_1 permit tcp any eq 5001
access-list acl_1 permit icmp any
access-list acl_1 on interface eth0 (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:20:23
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:23
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:123 dpt:123
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:161
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:1304 dpt:1304
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2000
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:2001:2005
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:2001:2005
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:3002:3008
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:3002:3008
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5002
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:1974 dpt:1974
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5001
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:5001
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
Associating an Access List with a GSS Interface
After you create an access list, associate it with one or both of the GSS Ethernet interfaces before you use the access list to filter incoming traffic received by the interface. If no access lists are associated with an interface, the GSS allows all incoming traffic received on that interface. After you apply an access list, the GSS allows only the type of traffic explicitly permitted by the access list. The GSS disallows all other traffic.
Use the access-group command in global configuration mode to associate an access list with a GSS interface. You must have access to the CLI of each GSS device to associate access lists with a GSS interface.
The syntax for the access-group command is:
access-group name interface {eth0 | eth1}
The options and variables are:
• name—Identifies the name of a pre-existing access list.
• interface—Specifies an interface on the GSS to which the access list will be assigned.
• eth0—Identifies the first Ethernet interface on the GSS device.
• eth1—Identifies the second Ethernet interface on the GSS device.
For example, to associate the access list named alist1 with the first interface on your GSS device, enter the following:
gss1.example.com(config)# access-group alist1 interface eth0
Use the access-group command for each access list you want to associate with the interface.
Disassociating an Access List from a GSS Interface
To disassociate an access list from the associated GSS interface, use the no form of the access-group command. Disassociating an access list from an interface removes all constraints applied to that Ethernet interface. You must have access to the CLI of each GSS device to disassociate access lists from a GSS interface.
For example, to disassociate the access list named alist1 from the first interface on your GSS device, you would enter the following:
gss1.example.com(config)# no access-group alist1 interface eth0
See the "Associating an Access List with a GSS Interface" section for an explanation of access-group command syntax.
Adding Rules to an Access List
After you create one or more access lists, you can append rules to them at any time. Use the access-list command to add a new rule to an existing access list.
For example, to add a new rule to the access list named alist1 to block all traffic from host 192.168.1.101, enter the following:
gss1.example.com(config)# access-list alist1 deny tcp host 192.168.1.101
See the "Creating an Access List" section for an explanation of access-list command syntax.
Use the show access-list command to verify that the rule is added to your access list.
gss1.example.com(config)# show access-list
access-list alist1 permit tcp any destination-port eq 443
access-list alist1 deny tcp host 192.168.1.101
Removing Rules from an Access List
Access lists must contain at least one rule. Removing the last rule from an access list removes the list itself from the GSS. To remove a rule from an existing access list, use the no form of the access-list command in global configuration mode.
For example, to remove the rule from the access list named alist1 that blocks all traffic from host 192.168.1.101, enter the following:
gss1.example.com(config)# no access-list alist1 deny tcp host 192.168.1.101
See the "Creating an Access List" section for an explanation of access-list command syntax.
Use the show access-list command to verify that the rule has been removed from your access list.
gss1.example.com(config)# show access-list
access-list alist1 permit tcp any destination-port eq 443
Segmenting GSS Traffic by Ethernet Interface
By default, the GSS devices listen for DNS traffic on both GSS Ethernet interfaces, 0 and 1. In the case of inter-GSS communications, GSS devices listen for configuration and status updates on one interface only. Ethernet interface 0 is the default.
To reconfigure which interface is used for inter-GSS communications on the GSS network, use the gss-communications command. Refer to the Cisco Global Site Selector Getting Started Guide for details.
For security reasons you can limit GSS traffic to one Ethernet interface, or segment traffic by constraining a certain type of traffic on a designated interface. By using the access-list and access-group commands discussed previously, you can define access lists that limit traffic on either of the two GSS Ethernet interfaces.
For example, remote management services such as Telnet, SSH, and FTP listen on all active interfaces. To force these remote management services to listen on only the second GSS Ethernet interface, enter the following CLI commands:
gss1.example.com(config)# access-list alist1 permit tcp any destination-port ftp
gss1.example.com(config)# access-list alist1 permit tcp any destination-port ssh
gss1.example.com(config)# access-list alist1 permit tcp any destination-port telnet
gss1.example.com(config)# access-group alist1 interface eth1
The commands listed above limit the second Ethernet interface (eth1) to the specified traffic. All other traffic is refused to that interface.
To deny the same traffic on the first Ethernet interface (eth0), enter the following commands:
gss1.example.com(config)# access-list alist1 deny tcp any destination-port ftp
gss1.example.com(config)# access-list alist1 deny tcp any destination-port ssh
gss1.example.com(config)# access-list alist1 deny tcp any destination-port telnet
gss1.example.com(config)# access-group alist1 interface eth0
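To make the first-match and implicit-deny behaviour described in the overview concrete, here is an added Python simulator (not GSS software, and not from this guide) of the access-list syntax from the "Creating an Access List" section and of the access-group binding; it replays the eth1 commands above and then appends a deny statement after a matching permit, which, as the overview states, is never reached. The mapping of ftp, ssh and telnet to ports 21, 22 and 23, and reading a bare port after destination-port as eq, are assumptions the page does not state.

```python
import ipaddress

# Service keywords this page uses after destination-port; their standard port numbers are assumed.
NAMED_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23}
def _port(tok): return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)

def _port_cond(t, i):  # 'eq N' | 'neq N' | 'range A B' at t[i] -> (matcher, next index)
    if t[i] == "range":
        lo, hi = _port(t[i + 1]), _port(t[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    has_op = t[i] in ("eq", "neq")   # the page's eth1 example omits the operator;
    op, j = (t[i], i + 1) if has_op else ("eq", i)   # a bare port is read as 'eq' (assumption)
    val = _port(t[j])
    return (lambda p: (p == val) == (op == "eq")), j + 1

def parse_rule(line):
    """Parse one access-list command (syntax as on this page) into (name, action, predicate)."""
    t = line.split()
    name, action, proto, i = t[1], t[2], t[3], 4
    if t[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    else:  # 'host ADDR' or 'ADDR NETMASK'
        spec = t[i + 1] if t[i] == "host" else f"{t[i]}/{t[i + 1]}"
        net, i = ipaddress.ip_network(spec, strict=False), i + 2
    sport = dport = (lambda p: True)
    if i < len(t) and t[i] != "destination-port":   # optional source-port operator
        sport, i = _port_cond(t, i)
    if i < len(t) and t[i] == "destination-port":
        dport, i = _port_cond(t, i + 1)
    def pred(pkt):  # pkt = (proto, src_ip, src_port, dst_port)
        return (pkt[0] == proto and ipaddress.ip_address(pkt[1]) in net
                and sport(pkt[2]) and dport(pkt[3]))
    return name, action, pred

def configure(state, cmd):
    """Apply an access-list or access-group command to state = (lists, bound)."""
    lists, bound = state
    t = cmd.split()
    if t[0] == "access-group" and t[2] == "interface":
        bound[t[3]] = t[1]                          # interface -> list name
    else:
        name, action, pred = parse_rule(cmd)
        lists.setdefault(name, []).append((action, pred))   # always appended at the end

def filter_packet(state, iface, pkt):
    """Decision for a packet received on iface: 'permit' or 'deny'."""
    lists, bound = state
    if iface not in bound:
        return "permit"                             # no list bound: all traffic allowed
    for action, pred in lists[bound[iface]]:
        if pred(pkt):
            return action                           # first matching statement wins
    return "deny"                                   # implicit deny once a list is bound

def segmentation_demo():
    """Replay the page's eth1 commands, then append a deny for SSH to the same list."""
    state = ({}, {})
    for svc in ("ftp", "ssh", "telnet"):
        configure(state, f"access-list alist1 permit tcp any destination-port {svc}")
    configure(state, "access-group alist1 interface eth1")
    ssh, dns = ("tcp", "192.168.1.101", 40000, 22), ("udp", "192.168.1.101", 40001, 53)  # constructed
    before = (filter_packet(state, "eth1", ssh), filter_packet(state, "eth1", dns),
              filter_packet(state, "eth0", dns))
    configure(state, "access-list alist1 deny tcp any destination-port ssh")
    return before, filter_packet(state, "eth1", ssh)   # (('permit', 'deny', 'permit'), 'permit')
```

The DNS result on eth1 is the caveat to verify with show access-list before binding a list: once alist1 is associated, anything it does not explicitly permit on that interface, DNS included, is dropped, while eth0 with no list bound still accepts everything.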
Displaying Access Lists
Use the show access-list command to display all configured access lists.
gss1.example.com(config)#show access-list
access-list acl_1 permit tcp any destination-port range 20 23
access-list acl_1 permit tcp any eq 20
access-list acl_1 permit tcp any eq 21
access-list acl_1 permit tcp any eq 23
access-list acl_1 permit tcp any destination-port eq 53
access-list acl_1 permit udp any destination-port eq 53
access-list acl_1 permit udp any eq 53
access-list acl_1 permit udp any eq 123 destination-port eq 123
access-list acl_1 permit udp any destination-port eq 161
access-list acl_1 permit tcp any destination-port eq 443
access-list acl_1 permit udp any eq 1304 destination-port eq 1304
access-list acl_1 permit udp any destination-port eq 2000
access-list acl_1 permit tcp any destination-port range 2001 2005
access-list acl_1 permit tcp any range 2001 2005
access-list acl_1 permit tcp any destination-port range 3002 3008
access-list acl_1 permit tcp any range 3002 3008
access-list acl_1 permit udp any destination-port eq 5002
access-list acl_1 permit udp any eq 1974 destination-port eq 1974
access-list acl_1 permit tcp any destination-port eq 5001
access-list acl_1 permit tcp any eq 5001
access-list acl_1 permit icmp any
access-list acl_1 on interface eth0 (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:20:23
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:23
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:123 dpt:123
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:161
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:1304 dpt:1304
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2000
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:2001:2005
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:2001:2005
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:3002:3008
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:3002:3008
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5002
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:1974 dpt:1974
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5001
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:5001
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
Use the show access-group command to display a list of the access lists associated with GSS interfaces Ethernet 0 and Ethernet 1.
gss1.example.com(config)#show access-group
access group acl_1 interface eth0
Deploying GSS Devices Behind Firewalls
This section describes how to configure your GSS for deployment behind a firewall. It contains the following sections:
• GSS Firewall Deployment Overview
• Configuring GSS Devices Behind a Firewall
GSS Firewall Deployment Overview
In addition to the packet-filtering features of the access-list and access-group commands (see the "Filtering GSS Traffic Using Access Lists" section), you can also deploy your GSS devices behind an existing firewall on your enterprise network.
When you configure your GSS for deployment behind a firewall, you must allow DNS traffic into the device. If you have multiple GSS devices deployed such that traffic between the devices must pass through a firewall, configure the firewall to allow inter-GSS communications and inter-GSS status reporting. Depending on your GSS configuration, you can also allow other traffic to pass through the firewall. This requirement depends on the GSS configuration (for example, if using KAL-AP keepalives) and the ability to access certain GSS services through the firewall (for example, SNMP).
The GSS does not support deployment of devices behind a NAT for inter-GSS communication. The communication between the GSS devices cannot include an intermediate device behind a NAT because the actual IP address of the devices is embedded in the payload of the packets.
To configure your firewall to function with a GSS device, follow the guidelines outlined in Table 5-2 and Table 5-3 to permit inbound and outbound traffic transmitted to and received from the specified GSS ports. In addition, use the access-list and access-group commands to enable authorized GSS traffic to the specified ports. By default, the GSS interface blocks all ports not explicitly permitted in your access list once you associate the access list with an Ethernet interface.
Table 5-2 Inbound Traffic Going Through a Firewall to the GSS
Source Port (Remote Device) | Destination Port (GSS) | Protocol | Details
1 | 20-23 | TCP | FTP, SSH, and Telnet services
* | 53 | UDP, TCP | GSS DNS server traffic
53 | * | UDP | GSS software reverse lookup and "dnslookup" queries
123 | 123 | UDP | Network Time Protocol (NTP) updates
* | 161 | UDP | Simple Network Management Protocol (SNMP) traffic
* | 443 | TCP | Primary GSSM GUI
1304 | 1304 | UDP | CRA keepalives
* | 2000 | UDP | Inter-GSS periodic status reporting
* | 2001-2005 | TCP | Inter-GSS communication
* | 3002-3008 | TCP | Inter-GSS communication
3340 | * | TCP | Sticky and Config Agent communication
3341 | * | TCP | Sticky communication source
3342 | * | TCP | Sticky and DNS processes communication
* | 5002 | UDP | KAL-AP keepalives
1974 | 1974 | UDP | DRP protocol traffic
* | 5001 | TCP | Global sticky mesh protocol traffic
Table 5-3 Outbound Traffic Originating from the GSS
Source Port (GSS) | Destination Port (Remote Device) | Protocol | Details
20-23 | 1 | TCP | Return traffic of FTP, SSH, and Telnet server services on the GSS
* | 20-23 | TCP | Traffic of FTP and Telnet GSS CLI commands
53 | * | UDP, TCP | GSS DNS server traffic
* | 53 | UDP | GSS software reverse lookup and "dnslookup" queries
123 | 123 | UDP | Network Time Protocol (NTP) updates
161 | * | UDP | Simple Network Management Protocol (SNMP) traffic
443 | * | TCP | Primary GSSM GUI
1304 | 1304 | UDP | CRA keepalives
* | 2000 | UDP | Inter-GSS periodic status reporting
* | 2001-2005 | TCP | Inter-GSS communication
2001-2005 | * | TCP | Inter-GSS communication
* | 3002-3008 | TCP | Inter-GSS communication
3002-3008 | * | TCP | Inter-GSS communication
3340 | * | TCP | Sticky and Config Agent communication
3341 | * | TCP | Sticky communication source
3342 | * | TCP | Sticky and DNS processes communication
* | 5002 | UDP | KAL-AP keepalives
1974 | 1974 | UDP | DRP protocol traffic
* | 5001 | TCP | Global sticky mesh protocol traffic
5001 | * | TCP | Global sticky mesh protocol traffic
Configuring GSS Devices Behind a Firewall
To configure GSS devices to operate behind a firewall:
1. Determine the level of access and the services you want enabled on your GSS and GSSM devices. Decide if you want to:
• Allow FTP, SSH, and Telnet access to the GSS device
• Permit GUI access to the primary GSSM
Table 5-2 and Table 5-3 illustrate the GSS-related ports and protocols to enable for the GSS device to function properly.
2. Construct your access lists to filter traffic incoming and outgoing from your GSS device. See the "Creating an Access List" section for details.