This chapter describes how to configure and maintain access control lists. Access control lists are used to permit or deny access to the LightStream 1010 ATM switch.
The access control list is used by the Asynchronous Transfer Mode (ATM) signaling software to filter setup messages on an interface or subinterface by either destination or source address. Access lists can be used to deny connections that are known to be security risks and permit all other connections, or to permit those connections that are considered acceptable and deny all the rest. For firewall implementation, denying access to security risks offers more control.
The LightStream 1010 ATM Switch Command Reference publication provides the complete syntax for every switch configuration command and describes the no form of each command.
During initial configuration, perform the following steps to use access control to filter setup messages:
Step 2 Create the ATM filter expression.
Step 3 Create the ATM access group either globally or on a specific interface.
Step 4 Confirm the configuration.
The following sections describe access control configuration, including examples:
Configure a global ATM template alias using the following commands; use the no form of the command to delete the specified alias:
Task | Command
---|---
At the privileged EXEC prompt, enter configuration mode from the terminal. |

¹ This command is documented in the LightStream 1010 ATM Switch Command Reference publication.
name: The name for the template alias.
template: An ATM address template, which may be a single ATM address that matches only itself, or may contain wildcards and/or a prefix or suffix so that a single template matches many addresses.
The symbols used for wildcards and prefix/suffix are as follows:
The following example creates a template alias named training with the ATM address template 47.1328, using the ellipsis (...) to fill in the trailing 4-bit hexadecimal digits of the address:
The following example creates a template alias named competition with the ATM address template 47.0012. plus any additional addresses matching (10**), again using the ellipsis:
The following example creates a template alias named bad_users with the ATM address template ending with 1234. and the binary digits (01*1):
To create an ATM filter for the entire switch, use the global address pattern-matching filter command. The no form of the command deletes the specified ATM filter set:
Task | Command
---|---
At the privileged EXEC prompt, enter configuration mode from the terminal. |

¹ This command is documented in the LightStream 1010 ATM Switch Command Reference publication.
If neither permit nor deny is specified, permit is assumed. If an address does not match any of the filter set entries, an implicit deny is returned as the permit or deny action of the filter set.
The following example creates a global filter named filter_1 that permits access to the specific ATM address 47.0000.8100.1234.0003.c386.b301.0003.c386.b301.00:
The following example creates a global filter named filter_2 that denies access to the specific ATM address 47.000.8100.5678.0003.c386.b301.0003.c386.b301.00:
The following example creates a global filter named filter_3 that denies access to all ATM addresses that begin with the prefix 47.840F:
The following example creates a global filter named filter_4 that denies access to all ATM addresses described by the ATM template alias bad_users:
The following commands create global ATM address pattern-matching filter expressions:
¹ This command is documented in the LightStream 1010 ATM Switch Command Reference publication.
name: The name of the pattern-matching filter expression.
term: Can be any of the following:
For commands with two terms, the expression is evaluated from left to right; this applies to the logical operators or, and, and xor.
For the logical operators or and and, the second term is evaluated only when necessary: its evaluation is skipped when the truth or falsehood of the expression can already be concluded from the first term.
The following example defines a simple filter expression that is pattern-matched only if the pattern given by term filter_1 is matched:
The following example defines a filter expression that is pattern-matched only if the pattern given by term filter_1 is not matched.
The following example defines a filter expression that is pattern-matched if either of the patterns given by the two terms filter_1 and filter_2 is matched.
The following example defines a filter expression that is pattern-matched only if both of the patterns given by the two terms are matched.
The following example defines a filter expression that is pattern-matched only if one of the patterns given by the two terms, but not both, is matched.
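The evaluation rules above (a filter set consulted entry by entry with an implicit deny, and the not, or, and, and xor expression forms evaluated left to right with the second term skipped when it cannot change the result) are modelled in the following Python, which is an added example and not code from the Cisco documentation. It assumes a simplified template syntax in which an entry matches when the ATM address begins with the entry's hex prefix; the real switch template syntax with wildcards is not modelled. The filter names filter_1 and filter_3 and the addresses are taken from the examples above; the address under bad is constructed.

```python
"""Model of LightStream 1010 ATM address filter sets and filter expressions.

Added example, not code from the Cisco documentation. Template matching is
simplified to a hex-prefix test (an assumption made for this example); the
switch's real template syntax with wildcards is not modelled.
"""
from __future__ import annotations
from dataclasses import dataclass, field


def normalize(addr: str) -> str:
    """Drop the dots and lower-case the hex digits of an ATM address or prefix."""
    return addr.replace(".", "").lower()


@dataclass
class FilterSet:
    """Ordered permit/deny entries, consulted in order, with an implicit deny."""
    name: str
    entries: list[tuple[str, str]] = field(default_factory=list)
    evaluations: int = 0  # how often this set was consulted (shows short-circuit)

    def add(self, template: str, action: str = "permit") -> FilterSet:
        # If neither permit nor deny is given, permit is assumed.
        self.entries.append((action, normalize(template)))
        return self

    def permits(self, addr: str) -> bool:
        self.evaluations += 1
        a = normalize(addr)
        for action, prefix in self.entries:
            if a.startswith(prefix):
                return action == "permit"
        return False  # implicit deny: nothing matched


# Expression forms: ("set", FilterSet), ("not", x), ("or"|"and"|"xor", x, y)
def evaluate(expr: tuple, addr: str) -> bool:
    kind = expr[0]
    if kind == "set":
        return expr[1].permits(addr)
    if kind == "not":
        return not evaluate(expr[1], addr)
    left = evaluate(expr[1], addr)  # terms are evaluated left to right
    if kind == "or":
        return True if left else evaluate(expr[2], addr)   # right term skipped if left is true
    if kind == "and":
        return evaluate(expr[2], addr) if left else False  # right term skipped if left is false
    if kind == "xor":
        return left != evaluate(expr[2], addr)             # both terms always needed
    raise ValueError(f"unknown operator {kind!r}")


def demo() -> dict:
    """Run the chapter's filter_1 / filter_3 examples through each expression form."""
    filter_1 = FilterSet("filter_1").add("47.0000.8100.1234.0003.c386.b301.0003.c386.b301.00")
    filter_3 = FilterSet("filter_3").add("47.840F", "deny")
    good = "47.0000.8100.1234.0003.c386.b301.0003.c386.b301.00"
    bad = "47.840F.1111.2222.3333.4444.5555.6666.7777.8888.00"  # constructed address
    either = ("or", ("set", filter_1), ("set", filter_3))
    out = {}
    out["or_good"] = evaluate(either, good)              # True; filter_3 never consulted
    out["or_bad"] = evaluate(either, bad)                # False; filter_3 denies 47.840F
    out["filter_3_evaluations"] = filter_3.evaluations   # 1, proving the short-circuit
    out["not_good"] = evaluate(("not", ("set", filter_1)), good)                      # False
    out["and_good"] = evaluate(("and", ("set", filter_1), ("set", filter_3)), good)   # False
    out["xor_good"] = evaluate(("xor", ("set", filter_1), ("set", filter_3)), good)   # True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The evaluations counter on filter_3 is the point of the example: after the or expression has been evaluated for both addresses it reads 1, because for the permitted address the result was already known from filter_1 and the second term was never consulted. A filter set that contains only deny entries, like filter_3, permits nothing at all, since the implicit deny covers every address its entries do not name.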
The command to subscribe an ATM interface or subinterface to an existing ATM address pattern-matching filter expression is as follows; use the no form of the command to delete an address access filter subscription on a specified interface or subinterface:
Task | Command
---|---
At the privileged EXEC prompt, enter configuration mode from the terminal. |
Configure an existing ATM address pattern-matching filter expression. |

¹ This command is documented in the LightStream 1010 ATM Switch Command Reference publication.
name: The name of the filter expression or filter set.
in: Indicates that the filter should be applied to incoming SETUP messages.
out: Indicates that the filter should be applied to outgoing SETUP messages. This is the default.
If neither in nor out is specified, the filter is applied to outgoing SETUP messages.
The following example defines ATM template alias training to be filtered out:
The following example defines ATM template alias marketing to be allowed in:
EXEC commands to display access control configuration are as follows:
Task | Command
---|---
The following command displays the configured ATM filters:
The following command displays the configured ATM filter expressions:
Internet Protocol (IP) packet filtering helps control packet movement through the network. Such control can help limit network traffic and restrict network use by certain users or devices. To permit or deny packets from crossing specified IP interfaces, we provide access lists.
You can use access lists in several ways:
This section summarizes how to create IP access lists and how to apply them.
An access list is a sequential collection of permit and deny conditions that apply to IP addresses. The LightStream 1010 software tests addresses against the conditions in an access list one by one. The first match determines whether the software accepts or rejects the address. Because the software stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the software rejects the address.
The two steps involved in using access lists are as follows:
Step 2 Apply the access list to interfaces or terminal lines.
These steps are described in the next sections.
The software supports three styles of access lists for IP interfaces:
To create a standard access list, perform one of the following tasks in global configuration mode:
¹ This command is documented in the LightStream 1010 ATM Switch Command Reference publication.
To create an extended access list, perform one of the following tasks in global configuration mode:
¹ This command is documented in the LightStream 1010 ATM Switch Command Reference publication.
After an access list is created initially, any subsequent additions (possibly entered from the terminal) are placed at the end of the list. In other words, you cannot selectively add or remove access list command lines from a specific access list.
Note: By default, both standard and extended access lists end with an implicit deny statement that matches everything, so a packet that reaches the end of the list without matching any entry is denied. Further, with standard access lists, if you omit the mask from an IP host address in an access list entry, 0.0.0.0 is assumed to be the mask.
After an access list is created, you can apply it to one or more interfaces. Access lists can be applied on either outbound or inbound interfaces. The following two tables show how this task is accomplished for both terminal lines and network interfaces.
Perform the following task in line configuration mode:
¹ This command is documented in the LightStream 1010 ATM Switch Command Reference publication.
Perform the following task in interface configuration mode:
Task | Command
---|---
At the privileged EXEC prompt, enter configuration mode from the terminal. |

¹ This command is documented in the LightStream 1010 ATM Switch Command Reference publication.
For inbound access lists, after receiving a packet, the LightStream 1010 software checks the source address of the packet against the access list. If the access list permits the address, the software continues to process the packet. If the access list rejects the address, the software discards the packet and returns an Internet Control Message Protocol (ICMP) Host Unreachable message.
For outbound access lists, after receiving and routing a packet to a controlled interface, the software checks the source address of the packet against the access list. If the access list permits the address, the software transmits the packet. If the access list rejects the address, the software discards the packet and returns an ICMP Host Unreachable message.
When you apply an access list (standard or extended) that has not yet been defined to an interface, the software will act as if the access list has not been applied to the interface and will accept all packets. Remember this behavior if you use undefined access lists as a means of security in your network.
Note: Set identical restrictions on all the virtual terminal lines, because a user can attempt to connect to any of them.
In the following example, network 36.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 36.0.0.0 address specify a particular host. Using access list 2, the LightStream 1010 software would accept one address on subnet 48 and reject all others on that subnet. The last line of the list shows that the software would accept addresses on all other network 36.0.0.0 subnets.
IP access lists contain implicit masks. For instance, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is assumed to be the mask. Consider the following example configuration:
For this example, the following masks are implied in the first two lines:
The last line in the configuration (using the deny keyword) can be left off, because IP access lists implicitly deny all other access. This is equivalent to finishing the access list with the following command statement:
The following access list only allows access for those hosts on the three specified networks. It assumes that subnetting is not used; the masks apply to the host portions of the network addresses. Any host whose source address does not match one of the access list statements is rejected.
To specify a large number of individual addresses more easily, you can omit the address mask that is all zeros from the access-list global configuration command. Thus, the following two configuration commands are identical in effect:
In the following example, the first line permits any incoming Transmission Control Protocol (TCP) connections with destination ports greater than 1023. The second line permits incoming TCP connections to the simple mail transfer protocol (SMTP) port of host 128.88.1.2. The last line permits incoming ICMP messages for error feedback.
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 gt 1023
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25
access-list 102 permit icmp 0.0.0.0 255.255.255.255 128.88.0.0 255.255.255.255
For another example of using an extended access list, suppose you have a network connected to the Internet, and you want any host on an Ethernet to be able to form TCP connections to any host on the Internet. However, you do not want IP hosts to be able to form TCP connections to hosts on the Ethernet except to the mail (SMTP) port of a dedicated mail host.
SMTP uses TCP port 25 on one end of the connection and a random port number on the other end. The same two port numbers are used throughout the life of the connection. Mail packets coming in from the Internet will have a destination port of 25. Outbound packets will have the port numbers reversed. The fact that the secure system behind the switch will always be accepting mail connections on port 25 is what makes it possible to separately control incoming and outgoing services. The access list can be configured on either the outbound or inbound interface.
In the following example, the Ethernet network is a Class B network with the address 128.88.0.0, and the mail host's address is 128.88.1.2. The keyword established is used only for the TCP protocol to indicate an established connection. A match occurs if the TCP datagram has the acknowledgment (ACK) or RST bits set, which indicate that the packet belongs to an existing connection.
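The IP access list semantics this section describes (entries tested in order, first match decides, implicit deny at the end, an omitted mask in a standard entry meaning 0.0.0.0, wildcard masks, the eq and gt port tests of access list 102, and the established keyword matching only segments with ACK or RST set) are worked through in the following Python evaluator. It is an added example, not code from the Cisco documentation or the switch software. The three access list 102 lines are the ones given above; access list 2 is a constructed rendering of the subnet 48 example and access list 103 is a constructed established line of the kind the mail-host example describes. The Packet class, with its ack_or_rst flag, is a simplified model assumed for the example.

```python
"""Evaluator for LightStream 1010 style IP access lists.

Added example; not from the Cisco documentation. It models the semantics the
chapter describes: entries are tested in order, the first match decides,
anything unmatched is implicitly denied, and an omitted mask in a standard
entry means 0.0.0.0 (exact host). Masks are wildcard masks: a 1 bit means
"ignore this bit". The Packet fields are a constructed, simplified model.
"""
from __future__ import annotations
from dataclasses import dataclass
import ipaddress


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wild: str = "0.0.0.0") -> bool:
    """True when addr equals base in every bit position where wild has a 0 bit."""
    return (to_int(addr) ^ to_int(base)) & ~to_int(wild) & 0xFFFFFFFF == 0


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"         # "tcp", "udp", "icmp" or "ip"
    dport: int = 0
    ack_or_rst: bool = False  # set when the TCP ACK or RST flag is present


def parse_entry(line: str) -> dict:
    """Parse one access-list command line into a dict of match fields."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list command: {line}")
    e = {"number": int(t[1]), "action": t[2]}
    if e["number"] <= 99:  # standard list: source address [wildcard]
        e.update(proto=None, src=t[3], swild=t[4] if len(t) > 4 else "0.0.0.0")
        return e
    # extended list: proto src swild dst dwild [eq|gt port] [established]
    e.update(proto=t[3], src=t[4], swild=t[5], dst=t[6], dwild=t[7])
    rest = t[8:]
    if rest and rest[0] in ("eq", "gt"):
        e["port_op"], e["port"] = rest[0], int(rest[1])
        rest = rest[2:]
    e["established"] = "established" in rest
    return e


def entry_matches(e: dict, p: Packet) -> bool:
    if not wildcard_match(p.src, e["src"], e["swild"]):
        return False
    if e["proto"] is None:  # a standard list checks the source address only
        return True
    if e["proto"] != "ip" and e["proto"] != p.proto:
        return False
    if not wildcard_match(p.dst, e["dst"], e["dwild"]):
        return False
    op = e.get("port_op")
    if op == "eq" and p.dport != e["port"]:
        return False
    if op == "gt" and not p.dport > e["port"]:
        return False
    if e["established"] and not p.ack_or_rst:
        return False
    return True


def evaluate(lines: list[str], p: Packet) -> str:
    """First matching entry wins; the implicit deny covers everything else."""
    for e in map(parse_entry, lines):
        if entry_matches(e, p):
            return e["action"]
    return "deny"


# The three lines of access list 102 from the chapter.
ACL_102 = [
    "access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 gt 1023",
    "access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25",
    "access-list 102 permit icmp 0.0.0.0 255.255.255.255 128.88.0.0 255.255.255.255",
]
# Constructed standard list for the subnet 48 example: one host on subnet 48
# (mask omitted, so 0.0.0.0 is assumed), the rest of subnet 48 denied, all
# other network 36.0.0.0 subnets permitted.
ACL_2 = [
    "access-list 2 permit 36.48.0.3",
    "access-list 2 deny 36.48.0.0 0.0.255.255",
    "access-list 2 permit 36.0.0.0 0.255.255.255",
]
# Constructed extended line using established, as in the mail-host example.
ACL_103 = [
    "access-list 103 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 established",
]

if __name__ == "__main__":
    print(evaluate(ACL_102, Packet("1.2.3.4", "128.88.1.2", "tcp", 25)))          # permit
    print(evaluate(ACL_2, Packet("36.48.9.9", "0.0.0.0")))                          # deny
    print(evaluate(ACL_103, Packet("1.2.3.4", "128.88.1.1", "tcp", 40000)))         # deny
```

Two details of the chapter's own lines show up when the evaluator runs. The source field 0.0.0.0 with wildcard 255.255.255.255 matches any source, because every bit is marked "ignore"; and the third line's destination, 128.88.0.0 with wildcard 255.255.255.255, likewise matches any destination, so that line permits ICMP to anywhere rather than only to 128.88.0.0/16. Reordering entries changes the result: if the deny for subnet 48 in access list 2 came before the host entry, host 36.48.0.3 would be rejected.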
Posted: Thu Jan 23 21:03:47 PST 2003
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.