Monday, February 21, 2011

Cisco ACL configuration: complete solutions

2008-06-29 23:34
ACL (Access Control List)
Network technology has always been a double-edged sword: network applications and Internet access have greatly improved productivity, but they also bring side effects such as data security problems and employees using the Internet for things unrelated to work. How to manage a network effectively, and reduce its negative impact as far as possible, has become an important question for the network administrator.
A certain hapless network administrator is facing exactly this pile of problems. His company has built an enterprise network that reaches the Internet through a router. The network core is an IOS-based multilayer switch, every floor switch is a manageable IOS-based switch, and VLANs are used internally; by function the network is divided into 6 VLANs: network devices and network management (VLAN1, 10.1.1.0/24), internal servers (VLAN2), Internet connection (VLAN3), Finance (VLAN4), Marketing (VLAN5) and R&D (VLAN6). The egress router connects to the company intranet through Fa0/0 and to the Internet through s0/0. In each segment the Layer 3 device addresses (that is, the clients' default gateway) are allocated downward from the top of the range, and all other node addresses are allocated upward from the bottom. The network topology is shown below:
Since the network was completed there has been no end of trouble: someone keeps trying to log on to the network devices to make mischief; management complains that ever since Internet access was opened the staff do nothing but idle online all day; and Finance and R&D say that data which employees should not see is being seen. All these complaints land on our poor admin, and his head is swelling. Is there any way to solve these problems? The answer is to restrict access with network-layer access control, the Access Control List (hereafter ACL).
So what exactly is an ACL? What kind of technology is it, what can it do, and what limitations does it have?
Basic principles, functions and limitations of ACLs
The ACL commonly talked about in networking is an access control technology provided by Cisco IOS. At first only routers supported it; in recent years it has been extended to Layer 3 switches, and some of the newest Layer 2 switches, such as the 2950 series, have also started to provide ACL support, although the support is not yet complete. Other router and multilayer switch vendors offer similar technology, but the name and the configuration may differ slightly. All configuration examples here are written for Cisco IOS ACLs.
Basic principle: an ACL uses packet filtering. On the router it reads the Layer 3 and Layer 4 header information, such as source address, destination address, source port and destination port, and filters packets according to predefined rules, thus achieving access control.
Functions: nodes in a network fall into two categories, resource nodes and user nodes. Resource nodes provide services or data; user nodes access the resources and data services. The main function of an ACL is, on the one hand, to protect resource nodes by preventing unauthorized user nodes from accessing them, and on the other hand to restrict which resources a specific user node may access.
Basic principles for configuring ACLs: the implementation of an ACL should follow two basic principles:
- The principle of least privilege: give the controlled object only the permissions necessary to complete its task.
- The principle of closeness to the controlled object: all network-layer access control is placed as close as possible to the object being controlled.
Limitations: because an ACL is implemented with packet filtering, which only filters on part of the Layer 3 and Layer 4 header information, the technology has inherent limitations: it cannot identify a specific person, and it cannot recognize privilege levels inside an application. Therefore, to achieve end-to-end access control, it needs to be combined with system-level and application-level access control.
ACL configuration technology in detail
I didn't want to say so much, but understanding these basic concepts and principles is very useful for the configuration and troubleshooting that follows. Let's start with what you need first.
In this network I do not want ordinary users to telnet to the network devices in VLAN1, so I only need to configure the VLAN 1 interface to let through only packets whose source address is 10.1.6.66 and filter out all other packets. An ACL that checks only the source IP address is called a:
Standard IP ACL
Configure the following on SWA:
access-list 1 permit host 10.1.6.66
access-list 1 deny any
int vlan 1
ip access-group 1 out
The meaning of the keywords in these commands is as follows:
access-list: the keyword for all ACL configuration; every ACL is configured with this command.
The 1 after access-list: the ACL number. All ACL entries with the same number form one group. When a packet is checked, the entries of the group are tried one by one from top to bottom; as soon as an entry matches, evaluation for that packet stops. 1-99 are the numbers for standard IP ACLs; a standard IP ACL reads only the source address in the IP header and consumes fewer resources.
permit / deny: the action. permit allows the packet; deny discards it.
host 10.1.6.66 / any: the match condition. host 10.1.6.66 is equivalent to 10.1.6.66 0.0.0.0. As just said, a standard ACL restricts only the source address. host 10.1.6.66 (10.1.6.66 0.0.0.0) matches only packets whose source address is 10.1.6.66. The 0.0.0.0 is a wildcard mask: where a bit of the wildcard is 0, the corresponding bit of the IP address must match; where a bit is 1, the corresponding bit of the IP address is ignored. Simply put, the wildcard is 255.255.255.255 minus the subnet mask. A wildcard of 0.0.0.0 means the IP address must be exactly 10.1.6.66, which can be abbreviated as host 10.1.6.66. any matches all addresses.
Note: IOS ACLs use wildcard masks, and the address is strictly aligned to the wildcard: if you enter access-list 1 permit 10.1.1.129 0.0.0.31, show access-list will show it as access-list 1 permit 10.1.1.128 0.0.0.31. PIX OS ACLs use subnet masks instead and do no alignment. More detailed information on IPv4 addresses can be found in my book.
int vlan 1 / ip access-group 1 out: these two lines apply access-list 1 to the out direction of interface vlan1. The 1 is the ACL number and associates the corresponding ACL; out is the direction, as seen from the router, in which packets on this interface are filtered; the two options are in and out.
Note: in and out are always seen from the point of view of the router or the Layer 3 module (hereafter R): in means packets entering R through the interface, out means packets leaving R through the interface.
Well, that is the basic ACL configuration method. What, you say ordinary users can still telnet to RTA? Then add ip access-group 1 out on int vlan3 as well. Hmm, wait, then ordinary users cannot access the Internet either. Let's remove that ACL and rewrite it.
Recall that our goal is that apart from 10.1.6.66, no other user is allowed to telnet. As we just said, a standard IP ACL can only control the source IP address, not the port. To control ports at Layer 4 you need to use an:
Extended IP ACL
Let's look at a configuration example. Configure the following on SWA:
int vlan 1
no ip access-group 1 out
exit
no access-list 1
access-list 101 permit tcp host 10.1.6.66 any eq telnet
access-list 101 deny tcp any any eq telnet
int vlan 1
ip access-group 101 out
int vlan 3
ip access-group 101 out
Here you should notice some changes in the ACL; the changed parts are explained below:
access-list 101: note the 101. Just as the number 1 identified a standard ACL, the number 101 identifies an extended IP ACL. The extended IP ACL number range is 100-199. An extended IP ACL can control the source IP, destination IP, source port, destination port and so on, and can achieve very fine-grained control. Because an extended ACL reads not only the source and destination addresses in the IP header but also the source and destination ports in the Layer 4 header, without hardware acceleration it consumes a large amount of CPU resources.
int vlan 1 / no ip access-group 1 out / exit / no access-list 1: removes access-list 1. For a numbered ACL this single command deletes the whole list. Note that before deleting or modifying an ACL you must first remove it from the interface where it is applied with no ip access-group; otherwise very serious consequences can follow.
tcp host 10.1.6.66 any eq telnet: the match condition. Full format: protocol source-address source-wildcard [relation] [source-port] destination-address destination-wildcard [relation] [destination-port]. The protocol may be ip, tcp, udp, eigrp and so on; fields in [] are optional, and port numbers are only meaningful when the protocol is tcp or udp. The relation can be eq (equal), neq (not equal), lt (less than), range (a range of ports) and so on. Port numbers are generally 1-65535; for well-known ports such as 23 (the service is called telnet) the service name can be used instead. When no source port or destination port is given, all ports match.
After this ACL was applied, users started calling to complain that they could not access the Internet. Where is the problem?
Note: for security, every ACL by default has an implicit final entry, deny any (standard ACL) or deny ip any any (extended IP ACL). So when you do not know which ports the business will use, it is best to end the ACL with permit ip any any; here that is access-list 101 permit ip any any.
Users can now access the Internet, but our poor admin has found that ordinary users can still telnet to his SWA: SWA has many interfaces, and applying an extended ACL on every one of them consumes a lot of resources. Is there a simple way to control Telnet access to network devices without consuming so many resources? This requires:
How network devices control access to themselves
First let's remove all the ACL configuration we just did (the exact commands are omitted; readers won't think I'm padding for royalties), then configure the following on each network device:
access-list 1 permit host 10.1.6.66
line vty 0 4 (on some devices it is 0 15)
access-class 1 in
That's all. Telnet access to a device arrives on its line vty; under line vty, access-class associates the ACL group, and the in keyword means it controls incoming connections.
That simple? Hey, aren't you fooling us, why go around such a big circle? Rotten eggs and rotten tomatoes start flying at the author's head. (Sob, I only wanted to use the ACL to explain some of the basics first.) With this configuration done, we can summarize the simple steps of ACL configuration:
- Analyze the requirements clearly: find out what you want to protect or control; to make configuration easier, preferably write it down in tabular form. An example follows later.
- Find the path of the data flow in question, and find the most suitable position for control;
- Write the ACL and apply it to the interface;
- Test and modify the ACL.
Once the company's leadership learned that the network could control ordinary users' access to the network devices, our poor admin started receiving a flood of requirements. Leadership demands of the network:
Because the server segment has recently been attacked repeatedly by telnet, rsh and other means, only the HTTP service provided by the web server (10.1.2.20), the FTP service provided by the FTP server (10.1.2.22) and the database server (10.1.2.21:1521) are to be opened to staff. Well, we start configuring, but halfway through the ACL we find that an entry written earlier has a typo; one no command and the entire ACL is gone, and everything has to be entered again. Is there no way around this? Yes, here I need to use:
Named IP ACL
Named IP ACLs provide two main advantages:
- They solve the problem of running out of ACL numbers.
- A single statement can be deleted from the ACL without deleting the entire ACL.
The main shortcoming of a named ACL is that a new entry cannot be inserted at an arbitrary position; it can only be appended at the end. For the case above we use the following configuration:
ip access-list extended server-protect
permit tcp 10.1.0.0 0.0.255.255 host 10.1.2.20 eq www
permit tcp 10.0.0.0 0.0.255.255 host 10.1.2.21 eq 1521
permit tcp 10.1.0.0 0.0.255.255 host 10.1.2.22 eq ftp
Having configured this far, we find that the line permit tcp 10.0.0.0 0.0.255.255 host 10.1.2.21 eq 1521 is wrong; we have to remove it and reconfigure it. OK, simply do the following:
ip access-list extended server-protect
no permit tcp 10.0.0.0 0.0.255.255 host 10.1.2.21 eq 1521
permit tcp 10.1.0.0 0.0.255.255 host 10.1.2.21 eq 1521
exit
int vlan 2
ip access-group server-protect out
Done. The named IP access-list configuration is explained as follows:
ip access-list extended server-protect: ip access-list corresponds to the access-list keyword of the numbered form. extended means an extended ACL (correspondingly, standard means a standard ACL). server-protect is the name of the access list and takes the place of the number in a numbered ACL.
permit tcp 10.1.0.0 0.0.255.255 host 10.1.2.21 eq 1521: this line has the same meaning as the second half of a numbered access-list statement, consisting of the action and the match condition.
In fact, a very good advantage of named IP ACLs is that each ACL can be given a meaningful name, which makes future management and maintenance easier. So I strongly recommend using named ACLs in your real work.
Further improving the protection of the server data: ACL execution order
Then, in the server segment, the database server stores a large amount of market information, and the marketing department does not want R&D staff to access the database server. After consultation it was agreed that the R&D manager's machine (IP address 10.1.6.33) may access the database server. Thus the access table for our server segment becomes:
Protocol  Source address  Source port  Destination address  Destination port  Action
TCP       10.1/16         all          10.1.2.20/32         80                allow access
TCP       10.1/16         all          10.1.2.22/32         21                allow access
TCP       10.1/16         all          10.1.2.21/32         1521              allow access
TCP       10.1.6/24       all          10.1.2.21/32         1521              prohibit access
TCP       10.1.6.33/32    all          10.1.2.21/32         1521              allow access
IP        10.1/16         N/A          all                  N/A               prohibit access
As a result, the admin appended two statements to server-protect, in that order, and the whole ACL took the following form:
ip access-list extended server-protect
permit tcp 10.1.0.0 0.0.255.255 host 10.1.2.20 eq www
permit tcp 10.1.0.0 0.0.255.255 host 10.1.2.21 eq 1521
permit tcp 10.1.0.0 0.0.255.255 host 10.1.2.22 eq ftp
deny tcp 10.1.6.0 0.0.0.255 host 10.1.2.21 eq 1521
permit tcp host 10.1.6.33 host 10.1.2.21 eq 1521
After this it turned out not to have the intended effect: all R&D machines can still access the database server. Why? As mentioned earlier, an ACL is executed from top to bottom; as soon as a packet matches one ACL statement, the statements below it are no longer executed. In our ACL, the earlier statement permit tcp 10.1.0.0 0.0.255.255 host 10.1.2.21 eq 1521 already lets all intranet access to port 1521 on 10.1.2.21 through, so the two statements appended later are never compared against. Thus our goal is not reached. The server-protect ACL should be modified into the following form to meet our requirement:
ip access-list extended server-protect
permit tcp host 10.1.6.33 host 10.1.2.21 eq 1521
deny tcp 10.1.6.0 0.0.0.255 host 10.1.2.21 eq 1521
permit tcp 10.1.0.0 0.0.255.255 host 10.1.2.21 eq 1521
permit tcp 10.1.0.0 0.0.255.255 host 10.1.2.20 eq www
permit tcp 10.1.0.0 0.0.255.255 host 10.1.2.22 eq ftp
This example tells us that when writing an ACL we must follow the principle that the most specific matching statement goes at the top; only then can we make sure that no ACL statement is useless.
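The first-match rule, the implicit deny and the wildcard alignment described above, as an added Python simulation (not part of the original article and not Cisco code): it parses the subset of extended-ACL syntax used here, evaluates packets top-down, and shows that the first server-protect ordering lets every R&D host reach 10.1.2.21:1521 while the reordered version blocks all of them except 10.1.6.33.

```python
"""Simulator of Cisco IOS extended IP ACL evaluation (constructed for this
article, not Cisco code): first match wins, implicit deny at the end."""
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23}

def ip_to_int(addr):
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")

def wildcard_match(addr, base, wildcard):
    """A 0 bit in the wildcard must match exactly; a 1 bit is ignored."""
    care = 0xFFFFFFFF ^ ip_to_int(wildcard)
    return ip_to_int(addr) & care == ip_to_int(base) & care

def aligned(base, wildcard):
    """What 'show access-list' displays: the base with the ignored bits cleared."""
    n = ip_to_int(base) & (0xFFFFFFFF ^ ip_to_int(wildcard))
    return ".".join(str(b) for b in n.to_bytes(4, "big"))

def _take_addr(toks):
    """Consumes 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from the token list."""
    if toks[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), toks[1:]
    if toks[0] == "host":
        return (toks[1], "0.0.0.0"), toks[2:]
    return (toks[0], toks[1]), toks[2:]

def parse_ace(line):
    """Parses '<permit|deny> <proto> <src> <dst> [eq <port>]', the subset used here."""
    toks = line.split()
    src, rest = _take_addr(toks[2:])
    dst, rest = _take_addr(rest)
    dport = int(PORT_NAMES.get(rest[1], rest[1])) if rest[:1] == ["eq"] else None
    return {"action": toks[0], "proto": toks[1], "src": src, "dst": dst,
            "dport": dport, "text": line}

def evaluate(acl, proto, src, dst, dport=None):
    """Returns (action, text of the matching entry); entries are tried top-down."""
    for ace in (parse_ace(l) for l in acl.strip().splitlines()):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], ace["text"]
    return "deny", "implicit deny ip any any"

# The article's two orderings of server-protect (constructed copies of its text).
WRONG_ORDER = """
permit tcp 10.1.0.0 0.0.255.255 host 10.1.2.20 eq www
permit tcp 10.1.0.0 0.0.255.255 host 10.1.2.21 eq 1521
permit tcp 10.1.0.0 0.0.255.255 host 10.1.2.22 eq ftp
deny tcp 10.1.6.0 0.0.0.255 host 10.1.2.21 eq 1521
permit tcp host 10.1.6.33 host 10.1.2.21 eq 1521
"""
RIGHT_ORDER = """
permit tcp host 10.1.6.33 host 10.1.2.21 eq 1521
deny tcp 10.1.6.0 0.0.0.255 host 10.1.2.21 eq 1521
permit tcp 10.1.0.0 0.0.255.255 host 10.1.2.21 eq 1521
permit tcp 10.1.0.0 0.0.255.255 host 10.1.2.20 eq www
permit tcp 10.1.0.0 0.0.255.255 host 10.1.2.22 eq ftp
"""
if __name__ == "__main__":
    for name, acl in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        for host in ("10.1.6.50", "10.1.6.33", "10.1.5.10"):
            print(name, host, "-> 10.1.2.21:1521", evaluate(acl, "tcp", host, "10.1.2.21", 1521))
    print("10.1.1.129 0.0.0.31 is stored as", aligned("10.1.1.129", "0.0.0.31"))
```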
Time-based ACLs
Having secured the server data, the leadership now prepares access control for employees. The request: during office hours (9:00 - 18:00) internal employees are forbidden to browse the Internet and to use QQ and MSN; during the whole of June 1 to 2, 2003 these operations are likewise forbidden; but other ways of accessing the Internet are allowed at any time. God, what a life; but since leadership has arranged it, we have to do as instructed.
First let's analyze the requirement. Web browsing today is mostly done over HTTP or HTTPS, whose standard ports are TCP/80 and TCP/443; MSN uses TCP/1863; QQ login uses TCP and UDP port 8000, and may also use UDP/4000 for communication. These programs also support proxy servers, and the proxy servers currently deployed mostly listen on three ports: TCP 8080 and TCP 3128 (HTTP proxy) and TCP 1080 (SOCKS). The requirement in table form:
Application  Protocol  Source address  Source port  Destination address  Destination port  Action
IE           TCP       10.1/16         all          all                  80                restrict access
IE           TCP       10.1/16         all          all                  443               restrict access
MSN          TCP       10.1/16         all          all                  1863              restrict access
QQ           TCP       10.1/16         all          all                  8000              restrict access
QQ           UDP       10.1/16         all          all                  8000              restrict access
QQ           UDP       10.1/16         all          all                  4000              restrict access
HTTP proxy   TCP       10.1/16         all          all                  8080              restrict access
HTTP proxy   TCP       10.1/16         all          all                  3128              restrict access
SOCKS        TCP       10.1/16         all          all                  1080              restrict access
All other    IP        10.1/16         N/A          all                  N/A               allow access
Next, where should the ACL be placed? Since this is Internet access control that involves all of the company's segments, the ACL goes at the company's Internet egress. Configure the following on RTA to meet the leadership's requirement:
! Office hours and the June 1-2 period are kept in two separate time ranges: if an
! absolute and a periodic statement share one time-range, the periodic statement is
! only evaluated inside the absolute window, and the denies would then apply only
! on weekdays between June 1 and June 3 instead of on every weekday.
time-range TR1
periodic weekdays 9:00 to 18:00
exit
time-range TR2
absolute start 00:00 1 June 2003 end 00:00 3 June 2003
exit
ip access-list extended internet_limit
deny tcp 10.1.0.0 0.0.255.255 any eq 80 time-range TR1
deny tcp 10.1.0.0 0.0.255.255 any eq 443 time-range TR1
deny tcp 10.1.0.0 0.0.255.255 any eq 1863 time-range TR1
deny tcp 10.1.0.0 0.0.255.255 any eq 8000 time-range TR1
deny udp 10.1.0.0 0.0.255.255 any eq 8000 time-range TR1
deny udp 10.1.0.0 0.0.255.255 any eq 4000 time-range TR1
deny tcp 10.1.0.0 0.0.255.255 any eq 3128 time-range TR1
deny tcp 10.1.0.0 0.0.255.255 any eq 8080 time-range TR1
deny tcp 10.1.0.0 0.0.255.255 any eq 1080 time-range TR1
deny tcp 10.1.0.0 0.0.255.255 any eq 80 time-range TR2
deny tcp 10.1.0.0 0.0.255.255 any eq 443 time-range TR2
deny tcp 10.1.0.0 0.0.255.255 any eq 1863 time-range TR2
deny tcp 10.1.0.0 0.0.255.255 any eq 8000 time-range TR2
deny udp 10.1.0.0 0.0.255.255 any eq 8000 time-range TR2
deny udp 10.1.0.0 0.0.255.255 any eq 4000 time-range TR2
deny tcp 10.1.0.0 0.0.255.255 any eq 3128 time-range TR2
deny tcp 10.1.0.0 0.0.255.255 any eq 8080 time-range TR2
deny tcp 10.1.0.0 0.0.255.255 any eq 1080 time-range TR2
permit ip any any
exit
int s0/0
ip access-group internet_limit out
or: int fa0/0
ip access-group internet_limit in
or configure the ACL on SWA and apply it with: int vlan 3
ip access-group internet_limit out
OK, now let's look at what new elements the time-based access list contains:
time-range TR1: defines a new time range; TR1 is the name given to this time range.
absolute: an absolute time, which occurs only once; it can be any point in time in the years 1993-2035. For exact usage, use the ? command. Note that if absolute and periodic statements are placed in one time-range, the periodic statements are evaluated only inside the absolute window; a requirement like this one (office hours on every weekday, plus one fixed two-day period) therefore needs two separate time ranges.
periodic: defines a recurring time range. Full format: periodic days-of-the-week start-time to end-time. The day keywords are defined as follows:
- monday, tuesday, wednesday, thursday, friday, saturday, sunday: the named day of the week
- daily: every day
- weekdays: Monday to Friday
- weekend: Saturday and Sunday
access-list 101 deny ip 10.1.0.0 0.0.255.255 any time-range TR1: note the time-range TR1 at the end; it associates this ACL statement with the time range TR1, so the statement takes effect only within the time range that TR1 defines.
Note: three placement options are given here to help deepen your understanding of the difference between in and out. An ACL filters packets flowing into the router (in) or out of the router (out) on the interface it is attached to.
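The interaction between absolute and periodic statements, as an added Python check (not part of the original article and not Cisco code): it models the IOS rule that a periodic statement in a time-range that also carries an absolute statement is evaluated only inside the absolute window, and compares a single combined TR1 with two separate time ranges for the article's own dates (June 1, 2003 was a Sunday).

```python
"""Cisco IOS time-range evaluation for the article's requirement (constructed
check, not Cisco code). Rule modelled: when one time-range holds both an
absolute and a periodic statement, the periodic statement is evaluated only
inside the absolute window."""
from datetime import datetime

DAY_SETS = {"weekdays": {0, 1, 2, 3, 4}, "weekend": {5, 6}, "daily": set(range(7)),
            "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
            "friday": {4}, "saturday": {5}, "sunday": {6}}

def periodic_active(days, start_hm, end_hm, when):
    """'periodic <days> H:MM to H:MM' test for a single datetime."""
    start = tuple(int(x) for x in start_hm.split(":"))
    end = tuple(int(x) for x in end_hm.split(":"))
    return when.weekday() in DAY_SETS[days] and start <= (when.hour, when.minute) < end

class TimeRange:
    def __init__(self, absolute=None, periodic=()):
        self.absolute = absolute          # (start, end) datetimes, or None
        self.periodic = list(periodic)    # [(days, "H:MM", "H:MM"), ...]

    def active(self, when):
        if self.absolute is not None:
            start, end = self.absolute
            if not start <= when < end:   # outside the absolute window: never active
                return False
            if not self.periodic:         # absolute alone: active for the whole window
                return True
        return any(periodic_active(*p, when) for p in self.periodic)

def ace_active(time_ranges, when):
    """An ACE copied once per time-range is in effect when any copy is active."""
    return any(tr.active(when) for tr in time_ranges)

JUNE_1, JUNE_3 = datetime(2003, 6, 1), datetime(2003, 6, 3)
# A single time-range carrying both statements (the combined form).
TR1_COMBINED = TimeRange(absolute=(JUNE_1, JUNE_3), periodic=[("weekdays", "9:00", "18:00")])
# Office hours and the two-day period as separate time ranges (the split form).
TR_OFFICE = TimeRange(periodic=[("weekdays", "9:00", "18:00")])
TR_HOLIDAY = TimeRange(absolute=(JUNE_1, JUNE_3))

def check(when):
    """Is the deny in effect at 'when' under the combined and under the split setup?"""
    return {"combined": TR1_COMBINED.active(when),
            "split": ace_active([TR_OFFICE, TR_HOLIDAY], when)}

def check_at(year, month, day, hour):
    return check(datetime(year, month, day, hour))

if __name__ == "__main__":
    for ymdh in ((2003, 6, 1, 10), (2003, 6, 2, 10), (2003, 6, 10, 10), (2003, 6, 10, 20)):
        print(datetime(*ymdh).strftime("%a %Y-%m-%d %H:%M"), check_at(*ymdh))
```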
A reader asks how to find out which port an application uses. Look it up in the services file:
Linux: /etc/services
If the application's port cannot be found in the services file, run netstat -nap before and after starting the application to find the port number it uses.
use of IP ACL to achieve ...
