ACLs (2)

Access Lists on the OS2400/L3
Introduction
Integral to managing IP traffic is eliminating unwanted traffic while still
allowing appropriate user access to necessary services. The OS2400/L3
provides mechanisms for reducing unwanted traffic and for restricting network
use to authorized users.
IP Access Lists
An IP access list is a sequential collection of permit and deny conditions
that apply to IP addresses or upper-layer IP protocols. Access lists are not
a complete security measure by themselves; they should be used as one part
of a wider network security strategy. Access lists can be applied to an IP
interface or to a virtual terminal line; they can be used to control the
transmission of packets on an interface or to restrict the contents of
routing updates.
Access List Processing
Once an access list is applied to an interface, the router tests each packet
received on that interface against the conditions in the access list one by
one, in the order in which the entries were entered. The first match
determines whether the router accepts or rejects the packet. Because the
router stops testing conditions after the first match, the order of the
conditions is critical: an entry placed after a broader entry that matches
the same packets is never reached. If no condition matches, the router
rejects the packet (the implicit deny at the end of every access list).
Wildcard Mask
IP access lists use a wildcard mask to specify ranges of IP addresses and of
TCP/UDP ports. On the OS2400/L3 the wildcard mask is written as a prefix
length, equal to the number of contiguous one-bits in the traditional mask,
counted from the most significant bit. Address bits corresponding to mask
bits set to 1 are used in comparisons; address bits corresponding to mask
bits set to 0 are ignored. This is the same operation used in subnet
masking.
An alternative way to think of the wildcard mask is as follows:
- If a 1 bit appears in the mask, the corresponding bit in the access list
address (or TCP/UDP port) and the same bit in the packet address (or port)
must match (either both 0 or both 1).
- If a 0 bit appears in the mask, the corresponding bit in the packet
matches whether it is 0 or 1, and the bit in the access list address (or
port) is ignored. For this reason, 0 bits in the mask are sometimes called
"don't care" bits.
Note that this convention is the reverse of the Cisco-style wildcard mask,
in which a 1 bit marks a "don't care" position: a mask of /24 here means
"the first 24 bits must match", not "ignore 24 bits".
Here are some examples of IP address ranges:
Address/Mask          Matches
0.0.0.0/0             Any address
130.108.10.0/24       Subnet 130.108.10.0 (130.108.10.0 - 130.108.10.255)
194.90.140.100/32     Host 194.90.140.100
194.90.141.0/24       Network 194.90.141.0 (194.90.141.0 - 194.90.141.255)
194.90.142.16/30      Subnet 194.90.142.16 (194.90.142.16 - 194.90.142.19)
Here are some examples of port ranges:
Port/Mask     Matches ports
20/15         20, 21
16/12         16 - 31
21/16         21
0/7           0 - 511
16/8          0 - 255
For example, 20/15 keeps the 15 high-order bits of 20 (0000 0000 0001 0100)
and ignores the last bit, so both 20 and 21 match. 16/8 ignores the low 8
bits of the entry value as well as those of the packet, so it matches 0
through 255, not 16 through 271.
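To make the prefix-length convention concrete, here is an added Python model (example code, not from the OS2400/L3 documentation or firmware) that reproduces the two tables above from the rule the page states: a mask of N means the N high-order bits must match and the remaining bits are "don't care". The `entries_for_port_range` function is an addition of this example, not a device feature; it shows a consequence of the convention that the tables do not spell out: a single entry can only express a power-of-two block aligned to its own size, so a range such as 1024-65535 needs several entries.

```python
"""Model of the OS2400/L3 prefix-length wildcard mask.
Added example, not vendor code; the only assumption is the semantics stated on the
page: a mask of N means the N high-order bits of the address or port must match and
the remaining low-order bits are "don't care"."""
from __future__ import annotations
import ipaddress

ADDR_WIDTH = 32   # IPv4 address bits
PORT_WIDTH = 16   # TCP/UDP port bits


def prefix_mask(bits: int, width: int) -> int:
    """Traditional mask with `bits` leading one-bits in a `width`-bit field."""
    if not 0 <= bits <= width:
        raise ValueError(f"mask length {bits} outside 0..{width}")
    return ((1 << bits) - 1) << (width - bits)


def value_matches(packet_value: int, entry_value: int, bits: int, width: int) -> bool:
    """True when the packet value agrees with the entry value on every 'must match' bit."""
    mask = prefix_mask(bits, width)
    return (packet_value & mask) == (entry_value & mask)


def match_range(entry_value: int, bits: int, width: int) -> tuple[int, int]:
    """Lowest and highest value matched by entry_value/bits.  The entry's own
    don't-care bits are ignored, which is why 16/8 matches 0-255, not 16-271."""
    mask = prefix_mask(bits, width)
    low = entry_value & mask
    high = low | (~mask & ((1 << width) - 1))
    return low, high


def address_range(spec: str) -> tuple[str, str]:
    """'a.b.c.d/n' -> (first, last) dotted-quad address matched."""
    addr, _, bits = spec.partition("/")
    low, high = match_range(int(ipaddress.IPv4Address(addr)), int(bits or 0), ADDR_WIDTH)
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


def port_range(spec: str) -> tuple[int, int]:
    """'port/n' -> (first, last) port matched."""
    port, _, bits = spec.partition("/")
    return match_range(int(port), int(bits), PORT_WIDTH)


def entries_for_port_range(low: int, high: int) -> list[tuple[int, int]]:
    """Smallest list of (port, mask) entries whose union is exactly low..high.
    One entry can only express a power-of-two block aligned to its size, so an
    arbitrary range such as 1024-65535 needs several (greedy, largest block first)."""
    if not 0 <= low <= high < (1 << PORT_WIDTH):
        raise ValueError("bad port range")
    entries = []
    cur = low
    while cur <= high:
        size = 1
        # grow the block while it stays aligned to its size and inside the range
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= high:
            size *= 2
        entries.append((cur, PORT_WIDTH - size.bit_length() + 1))
        cur += size
    return entries


if __name__ == "__main__":
    for spec in ("0.0.0.0/0", "130.108.10.0/24", "194.90.140.100/32", "194.90.142.16/30"):
        print(f"{spec:18} -> {address_range(spec)}")
    for spec in ("20/15", "16/12", "21/16", "0/7", "16/8"):
        print(f"{spec:18} -> {port_range(spec)}")
    print("ports 1024-65535   ->", entries_for_port_range(1024, 65535))
```

Because the entry's own don't-care bits are ignored, 16/8 and 0/8 are the same entry; when comparing or auditing configured entries, normalise them with `match_range` first rather than comparing the written values.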
Upstream and downstream traffic filtering
For performance optimization, the router should know whether an access list
is applied to filter upstream traffic or downstream traffic.
Upstream traffic consists of packets that originate from hosts on a local
subnet and are bound for the Internet or for hosts on a different local
subnet. This traffic is characterized by IP source addresses that belong to
the local subnet.
Downstream traffic consists of packets that originate from the Internet and
are bound for hosts on the local subnet. This traffic is characterized by IP
destination addresses that belong to the local subnet.
When creating access lists, it is highly recommended to separate the rules
that filter upstream traffic from those that filter downstream traffic by
placing them in different access lists, and then to apply each list
according to its nature: 'up' for upstream traffic, 'down' for downstream
traffic.
Configuring Principles for Access Lists
The following four general principles help ensure that the access lists you
create have the intended results:
- Top-down processing: organize your access list so that more specific
references to a network or subnet appear before more general ones. Place
more frequently occurring conditions before less frequent ones to optimize
performance.
- Implicit deny any: unless you end your access list with an explicit
permit any, it denies by default all traffic that fails to match any of the
access list lines.
- New lines are added to the end: subsequent additions are always appended
to the end of the access list.
- Undefined access list means permit any: if you apply an access list with
the access-class command to an interface before any access list lines have
been created, the result is permit any. Note that this is the opposite of
the implicit deny: an interface bound to a list with no entries is left
open, so create the entries before binding the list to the interface.
Access List Configuration Tasks
Whenever you create an access list, you need to complete the following
tasks:
1. Create the access list in global configuration mode by specifying an
access list name and its access conditions.
2. Apply the access list in interface configuration mode to interfaces or
terminal lines. After an access list is created, you can apply it to one or
more interfaces.
Access List commands
Use the access-list command to create an IP entry in a traffic filter
list:
access-list name {permit | deny}
{ source/wildcard-mask | any}
{ destination/wildcard-mask | any}
Use the access-list tcp command to create a TCP entry in the traffic
filter list:
access-list name {permit | deny} tcp
{ source/wildcard-mask | any}
src-ports source-port/wildcard-mask
{ destination/wildcard-mask | any}
dst-ports destination-port/wildcard-mask
The configuration for UDP is similar to TCP:
access-list name {permit | deny} udp
{ source/wildcard-mask | any}
src-ports source-port/wildcard-mask
{ destination/wildcard-mask | any}
dst-ports destination-port/wildcard-mask
Configuration of other protocols is also allowed:
access-list name {permit | deny} protocol
{ source/wildcard-mask | any}
{ destination/wildcard-mask | any}
You can also add a remark or comment to an access list:
access-list name remark line
The following table explains the parameters:
Parameter                        Description
name                             Access list identifier
permit | deny                    Whether this entry is used to allow or block
                                 the specified address(es)
protocol                         Number in the range 0 through 255 indicating
                                 the IP protocol (e.g. icmp, igmp, ospf)
source & destination             IP addresses
wildcard-mask                    Wildcard mask, written as a prefix length, of
                                 the address or port bits that must match. 1s
                                 indicate bits that must match; 0s are "don't
                                 care".
any                              Any address
source-port & destination-port   TCP/UDP ports
Use the access-class command to bind an existing access list to an
interface. An interface can have only one access list active at a time;
however, a single access list may be applied to more than one interface.
When an access list is applied, the router checks the validity of all its
rules and verifies that internal resources are available for that access
list. If the check fails, the command fails and all the rules of the access
list are removed, leaving the interface without the intended filter, so
check the command result and confirm the binding with show access-list.
access-class access-list-name {up | down}
Parameter     Description
name          The access list to be bound to the interface
up            Optimize for upstream traffic
down          Optimize for downstream traffic
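The following Python model is added here and is not part of the OS2400/L3 documentation or firmware. It ties together the access-list syntax above, the first-match processing order, the implicit deny, the "undefined access list means permit any" behaviour of access-class, and the recommendation to keep upstream and downstream rules in separate lists. It parses a constructed configuration written in the page's syntax (the list names, addresses and the deliberately mis-ordered `bad-order` list are invented for the example), evaluates packets against it, and adds a shadowed-entry check that the page does not describe as a device feature: an entry is reported as unreachable when a single earlier entry matches every packet it could match. Assumptions, also labelled in the code: `0/0` as a port specification is read as any port, a specification without `/n` as an exact match, and the protocol numbers are the IANA assignments.

```python
"""Model of OS2400/L3 access-list evaluation in the syntax quoted above. Added example, not
vendor code; semantics come only from the text: top-down, first match decides, a non-empty
list ends in an implicit deny, and a list bound with no entries permits everything.
Assumptions: '0/0' as a port spec means any port; a spec without '/n' is an exact match."""
from __future__ import annotations
from dataclasses import dataclass
import ipaddress

PROTO_NUM = {"icmp": 1, "igmp": 2, "tcp": 6, "udp": 17, "ospf": 89}  # IANA protocol numbers

def high_bits_match(a: int, b: int, bits: int, width: int) -> bool:
    """Prefix-length wildcard mask: the `bits` high-order bits of a and b must agree."""
    mask = ((1 << bits) - 1) << (width - bits)
    return (a & mask) == (b & mask)

def parse_spec(tok: str, width: int) -> tuple[int, int]:
    """'any' -> (0, 0); 'value/n' -> (value, n); width 32 = IPv4 address, 16 = port."""
    value, _, bits = tok.partition("/")
    number = 0 if tok == "any" else int(ipaddress.IPv4Address(value)) if width == 32 else int(value)
    return number, (0 if tok == "any" else int(bits) if bits else width)

@dataclass(frozen=True)
class Entry:
    action: str                    # "permit" or "deny"
    proto: int | None              # IP protocol number; None = any IP protocol
    src: tuple[int, int]           # (address, prefix length)
    dst: tuple[int, int]
    sport: tuple[int, int] | None  # (port, prefix length); None for non-tcp/udp entries
    dport: tuple[int, int] | None
    text: str                      # the configuration line, kept for reporting

    def matches(self, proto: int, src: int, dst: int, sport: int, dport: int) -> bool:
        return ((self.proto is None or self.proto == proto)
                and high_bits_match(src, *self.src, 32) and high_bits_match(dst, *self.dst, 32)
                and (self.sport is None or high_bits_match(sport, *self.sport, 16))
                and (self.dport is None or high_bits_match(dport, *self.dport, 16)))

    def covers(self, other: Entry) -> bool:
        """True when every packet matching `other` also matches self (shadowing, if self is earlier)."""
        def field(mine, theirs, width):  # a shorter prefix that agrees on its own bits covers a longer one
            return mine is None or (theirs is not None and mine[1] <= theirs[1]
                                    and high_bits_match(mine[0], theirs[0], mine[1], width))
        return ((self.proto is None or self.proto == other.proto)
                and field(self.src, other.src, 32) and field(self.dst, other.dst, 32)
                and field(self.sport, other.sport, 16) and field(self.dport, other.dport, 16))

def parse_config(text: str) -> dict[str, list[Entry]]:
    """Parse access-list lines; a remark creates the list but adds no entry."""
    lists: dict[str, list[Entry]] = {}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] != "access-list":
            continue
        name, action, rest = tok[1], tok[2], tok[3:]
        entries = lists.setdefault(name, [])
        if action == "remark":
            continue
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {raw}")
        proto = None
        if rest[0] != "any" and "." not in rest[0]:      # a protocol keyword or number is present
            p = rest.pop(0).lower()
            proto = PROTO_NUM[p] if p in PROTO_NUM else int(p)
        src, sport, dport = parse_spec(rest.pop(0), 32), None, None
        if rest[0] == "src-ports":
            sport, rest = parse_spec(rest[1], 16), rest[2:]
        dst = parse_spec(rest.pop(0), 32)
        if rest[:1] == ["dst-ports"]:
            dport = parse_spec(rest[1], 16)
        entries.append(Entry(action, proto, src, dst, sport, dport, raw.strip()))
    return lists

def evaluate(lists: dict[str, list[Entry]], bound: str, proto: str, src: str, dst: str,
             sport: int = 0, dport: int = 0) -> tuple[str, str]:
    """Verdict for a packet on an interface bound to `bound`: no entries -> permit any
    (the page's 'undefined access list'); otherwise first match, then implicit deny."""
    entries = lists.get(bound, [])
    if not entries:
        return "permit", "access list has no entries (permit any)"
    p, s, d = PROTO_NUM[proto], int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for e in entries:
        if e.matches(p, s, d, sport, dport):
            return e.action, e.text
    return "deny", "implicit deny"

def shadowed(entries: list[Entry]) -> list[str]:
    """Entries that can never match because a single earlier entry covers all their packets."""
    return [e.text for i, e in enumerate(entries) if any(prev.covers(e) for prev in entries[:i])]

CONFIG = """\
access-list lan-up remark constructed example: upstream traffic from 194.90.141.0/24
access-list lan-up deny tcp 194.90.141.7/32 src-ports 0/0 any dst-ports 80/16
access-list lan-up permit tcp 194.90.141.0/24 src-ports 0/0 any dst-ports 80/16
access-list lan-up permit udp 194.90.141.0/24 src-ports 0/0 194.90.140.100/32 dst-ports 53/16
access-list lan-down remark constructed example: downstream traffic to 194.90.141.0/24
access-list lan-down permit udp 194.90.140.100/32 src-ports 53/16 194.90.141.0/24 dst-ports 0/0
access-list bad-order permit tcp 194.90.141.0/24 src-ports 0/0 any dst-ports 80/16
access-list bad-order deny tcp 194.90.141.7/32 src-ports 0/0 any dst-ports 80/16
"""
LISTS = parse_config(CONFIG)

if __name__ == "__main__":   # 198.51.100.10 is in RFC 5737 documentation address space
    print(evaluate(LISTS, "bad-order", "tcp", "194.90.141.7", "198.51.100.10", 40000, 80))
    print("shadowed in bad-order:", shadowed(LISTS["bad-order"]))
```

In `lan-up` the host deny precedes the subnet permit and is honoured; in `bad-order` the same two entries are swapped, the host deny is never reached, and `shadowed` reports it. `evaluate` on a name with no entries returns permit, which is the fail-open case the configuration principles warn about. The `covers` check is conservative: it only reports an entry as shadowed when one earlier entry alone covers it, so an entry hidden by the union of several earlier entries is not reported.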
All the above commands have a "no" form, like any other CLI configuration
command.
Use the show access-list command to view previously configured access lists
and verify the configuration:
show access-list [name]
Parameter     Description
name          (Optional) Shows a specific list. If this option is not
              specified, all IP access lists are displayed.