Application Control Engine Module Getting Started Guide (Software Version A2(3.0))
Configuring Access Control Lists
Download this chapter
Configuring Access Control ListsConfiguring Access Control Lists
Download the complete book
Cisco Application Control Engine Module Getting Started Guide Book-Length PDF (Software Version A2(3.0))Cisco Application Control Engine Module Getting Started Guide Book-Length PDF (Software Version A2(3.0)) (PDF - 3 MB)
give_us_feedback

Table Of Contents

Configuring Access Control Lists

Information About ACLs

Guidelines and Restrictions

Configuring an ACL

Configuration Example for Configuring an ACL

Where to Go Next


Configuring Access Control Lists

This chapter describes how to configure security access control lists (ACLs) for the Cisco Application Control Engine (ACE) module.

This chapter contains the following sections:

Information About ACLs

Guidelines and Restrictions

Configuring an ACL

Configuration Example for Configuring an ACL

Where to Go Next

Information About ACLs

After reading this chapter, you should have a basic understanding of how to configure an ACL in an ACE to secure your network.

An ACL consists of a series of ACL entries, which are permit or deny entries with criteria for the source IP address, destination IP address, protocol, port, or protocol-specific parameters. Each entry permits or denies inbound or outbound network traffic to the parts of your network specified in the entry.

You can use ACLs with the ACE to permit or deny traffic to or from a specific IP address or an entire network. For example, you can permit all e-mail traffic on a circuit, but block Telnet traffic. You can also use ACLs to allow one client to access a part of the network while preventing other clients from doing so.

The order of the ACL entries is important. When the ACE decides whether to accept or refuse a connection, it tests the packet against each ACL entry in the order in which the entries are listed. After it finds a match, it stops checking entries.

For example, if you create an entry at the beginning of an ACL that explicitly permits all traffic, the ACE skips any other entries in the ACL. An implicit deny all entry exists at the end of every ACL, so you must include entries for every interface on which you want to permit connections. Otherwise, the ACE will deny all traffic on the interface.

Certain applications require special handling of the data portion of a packet as the packets pass through the ACE. The ACE verifies the protocol behavior and identifies unwanted or malicious traffic that attempts to pass through. Based on the specifications of the traffic policy, the ACE performs application protocol inspection to accept or reject the packet to ensure the secure use of applications and services.

For more information on how to configure an ACL to permit or deny specific traffic or resources, see the Cisco Application Control Engine Module Security Configuration Guide.

Guidelines and Restrictions

You must configure an ACL on each interface that you want to permit connections. Otherwise, the ACE will deny all traffic on the interface.

Configuring an ACL

Procedure

 
Command
Purpose

Step 1  

changeto context

Example: 

host1/Admin# changeto VC_WEB

host1/VC_WEB#

Changes to the correct context if necessary. Check the CLI prompt to verify that you are operating in the VC_WEB context.

Step 2  

config

Example: 

host1/VC_WEB# Config

host1/VC_WEB(config)#

Enters configuration mode.

Step 3  

access-list INBOUND extended permit ip 
any any

Example: 

host1/VC_WEB(config)# access-list 
INBOUND extended permit ip any any

Creates an ACL that permits all IP traffic to the ACE.

Step 4 

interface vlan vlan_id


Example: 

host1/VC_WEB(config)# interface vlan 
400

Enters interface VLAN configuration mode for the client-side VLAN 400.

Step 5  

access-group input acl_name

Example: 

host1/VC_WEB(config-if)# access-group 
input INBOUND

host1/VC_WEB(config-if)# exit

Applies the ACL to the interface.

Step 6 

exit


Example: 

host1/VC_WEB(config-if)# exit

host1/VC_WEB(config)# exit

host1/VC_WEB#

Exits interface configuration mode. Exits configuration mode.

Step 7  

show running-config access-list

Example: 

host1/VC_WEB# show running-config 
access-list

Displays the ACL configuration information.

Step 8 

copy running-config startup-config


Example:

host1/Admin# copy running-config startup-config

(Optional) Copies the running configuration to the startup configuration.

Configuration Example for Configuring an ACL

The following example shows the running configuration of the VC_WEB user context with the commands that you have configured in this chapter in bold text. 

switch/VC_WEB(config)# do show running config

Generating configuration....


access-list INBOUND line 8 extended permit ip any any


class-map type management match-any REMOTE_ACCESS

  description Remote access traffic match

  2 match protocol ssh any

  3 match protocol telnet any

  4 match protocol icmp any


policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY

  class REMOTE_ACCESS

    permit


service-policy input REMOTE_MGMT_ALLOW_POLICY


interface vlan 400

  description Client connectivity on VLAN 400

  ip address 10.10.40.1 255.255.255.0

  access-group input INBOUND

  no shutdown

interface vlan 500

  description Server connectivity on VLAN 500

  ip address 10.10.50.1 255.255.255.0

no shutdown


ip route 0.0.0.0 0.0.0.0 172.25.91.1

Where to Go Next

In this chapter, you have created an ACL entry to permit all traffic to the network. In the next chapter, you will create a user who is allowed to perform a subset of the ACE management functions on part of your network resources.