Access Control Lists Security
Today I will discuss the security issue around access control lists (ACLs) on switches. A switch with either no ACL or a permissive ACL applied to its interfaces allows broad access for TCP/IP connections (e.g., FTP, telnet, DNS, HTTP, SNMP, ICMP) through the switch to any system (e.g., a critical server) on the protected network.
In preparation for implementing ACLs, categorize systems attached to the switches into groups that use the same network services. Grouping systems this way helps reduce the size and complexity of associated ACLs.
ACLs permit or deny each packet according to the first access control entry that the packet matches. There are different types of access control lists: Port Access Control List (PACL), Router Access Control List (RACL) and VLAN Access Control List (VACL).
1. Port Access Control List (PACL)
PACLs are used to restrict the packets allowed into a given port. There are two types of PACLs, IP PACLs based on IP access lists and MAC PACLs based on MAC access lists. IP PACLs only filter packets with an IP ether type. Creating a standard or extended IP access list and applying the access list to a switchport interface is all that is required to implement IP PACLs.
On an IOS release that supports unicast MAC filtering, the following commands use PACLs to restrict a port to one specific MAC address and, from that MAC address, to one specific IP address.
Switch(config)# mac access-list extended host-mac
Switch(config-ext-macl)# permit host 0000.0101.0011 any
Switch(config-ext-macl)# exit
Switch(config)# ip access-list extended host-ip
Switch(config-ext-nacl)# permit ip host 10.1.101.11 any
Switch(config-ext-nacl)# exit
Switch(config)# interface fa0/2
Switch(config-if)# mac access-group host-mac in
Switch(config-if)# ip access-group host-ip in
Another way to use PACLs is in place of static MAC addresses and port security: the allowed MAC and IP addresses are pooled into one pair of lists that can be viewed and managed from a switch-wide perspective. Consider the following commands as an example of this pooled addressing.
Switch(config)# mac access-list extended mac-device-list
Switch(config-ext-macl)# permit host 0000.0101.0011 any
Switch(config-ext-macl)# permit host 0000.0101.0012 any
Switch(config-ext-macl)# permit host 0000.0101.0013 any
Switch(config-ext-macl)# permit host 0000.0101.0014 any
Switch(config-ext-macl)# permit host 0000.0010.0003 any
Switch(config-ext-macl)# permit host 0000.0020.0005 any
Switch(config-ext-macl)# exit
Switch(config)# ip access-list extended ip-device-list
Switch(config-ext-nacl)# permit ip host 10.1.101.11 any
Switch(config-ext-nacl)# permit ip host 10.1.101.12 any
Switch(config-ext-nacl)# permit ip host 10.1.101.13 any
Switch(config-ext-nacl)# permit ip host 10.1.101.14 any
Switch(config-ext-nacl)# permit ip host 10.1.10.3 any
Switch(config-ext-nacl)# permit ip host 10.1.20.5 any
Switch(config-ext-nacl)# exit
Switch(config)# interface range fa0/1 - 24
Switch(config-if-range)# ip access-group ip-device-list in
Switch(config-if-range)# mac access-group mac-device-list in
2. Router Access Control List (RACL)
A RACL restricts packets entering or leaving a given Layer 3 interface. It is configured and applied exactly like an ACL on a router, except that on a switch it is applied to a VLAN (switch virtual) interface.
Switch(config)# access-list 1 remark Simple Example
Switch(config)# access-list 1 permit any
Switch(config)# interface vlan 6
Switch(config-if)# ip access-group 1 in
3. VLAN Access Control List (VACL)
VACLs use VLAN maps, which are configured like route-maps on routers. A VLAN map filters all traffic into, through and out of a specific VLAN: the same map is applied to bridged, inbound and outbound packets for that VLAN. The following example blocks all TCP packets from VLAN 6 while allowing all other packets through.
Switch(config)# no access-list 101
Switch(config)# access-list 101 remark Simple TCP Example
Switch(config)# access-list 101 permit tcp any any
Switch(config)# vlan access-map vlan6-map 10
Switch(config-access-map)# match ip address 101
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# vlan access-map vlan6-map 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter vlan6-map vlan-list 6
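The first-match and implicit-deny semantics behind the PACL pair (host-mac/host-ip) and the vlan6-map VACL above, modeled in Python as an added example (my code, not from the post or from Cisco IOS). It shows that an IP frame on the port must pass both the MAC and the IP list, and that forgetting sequence 20 of the VLAN map silently drops all non-TCP traffic as well, because a VLAN map ends with an implicit drop.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    proto: str  # "tcp", "udp" or "icmp"

# An ACE is (action, proto, source); proto "mac" marks a MAC access-list entry.
def ace_matches(ace, pkt):
    _action, proto, src = ace
    if proto == "mac":
        return src in ("any", pkt.src_mac)
    return proto in ("ip", pkt.proto) and src in ("any", pkt.src_ip)

def acl_permits(acl, pkt):
    """First matching entry decides; nothing matched means the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[0] == "permit"
    return False

def pacl_permits(mac_acl, ip_acl, pkt):
    """Port with both 'mac access-group' and 'ip access-group' applied inbound:
    an IP frame has to pass both lists, so a permitted MAC address still cannot
    send from an IP address that belongs to another host."""
    return acl_permits(mac_acl, pkt) and acl_permits(ip_acl, pkt)

def vlan_map_action(vmap, pkt):
    """VLAN map: a sequence applies when the packet hits a *permit* entry of the
    ACL it references (permit means 'match' here, not 'allow'); a sequence with
    no match clause applies to everything; the end of the map is an implicit drop."""
    for acl, action in vmap:
        if acl is None or acl_permits(acl, pkt):
            return action
    return "drop"

# The post's lists, transcribed as data (constructed for this example).
HOST_MAC = [("permit", "mac", "0000.0101.0011")]       # mac access-list host-mac
HOST_IP = [("permit", "ip", "10.1.101.11")]            # ip access-list host-ip
ACL_101 = [("permit", "tcp", "any")]                   # access-list 101 permit tcp any any
VLAN6_MAP = [(ACL_101, "drop"), (None, "forward")]     # vlan6-map sequences 10 and 20
VLAN6_MAP_NO_SEQ20 = [(ACL_101, "drop")]               # same map with sequence 20 forgotten

if __name__ == "__main__":
    ok = Packet("0000.0101.0011", "10.1.101.11", "tcp")
    spoof = Packet("0000.0101.0011", "10.1.101.12", "tcp")   # allowed MAC, wrong IP
    udp = Packet("0000.0101.0011", "10.1.101.11", "udp")
    print(pacl_permits(HOST_MAC, HOST_IP, ok), pacl_permits(HOST_MAC, HOST_IP, spoof))
    print(vlan_map_action(VLAN6_MAP, ok), vlan_map_action(VLAN6_MAP, udp))
    print(vlan_map_action(VLAN6_MAP_NO_SEQ20, udp))  # non-TCP traffic is dropped too
```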