
Using Access Control

This chapter describes how to configure and maintain access control lists. Access control lists are used to permit or deny incoming calls or outgoing calls on an interface of the LightStream 1010 ATM switch.

The access control list is used by the Asynchronous Transfer Mode (ATM) signaling software to filter SETUP messages on an interface based on the destination address, the source address, or a combination of both. An access list can either deny connections known to be security risks and permit everything else, or permit only the connections considered acceptable and deny all the rest. For a firewall, the second form (permit known parties, deny everything else by default) is the safer posture, because it also blocks callers you have not anticipated; a list that only denies known addresses protects against nothing you have not already identified.

The LightStream 1010 ATM Switch Command Reference publication provides the complete syntax for every switch configuration command and describes the no form of each command.

During initial configuration perform the following steps to use access control to filter setup messages:

Step 1 Create template aliases. This allows you to use readable names instead of full ATM addresses in your filter sets and filter expressions.

Step 2 Create the ATM filter set or filter expression based on the requirements.

Step 3 Associate the filter set or filter expression with an interface using the atm access-group command.

Step 4 Confirm the configuration.

The following sections describe access control configuration, including examples:

Configure a Template Alias

Configure an ATM template alias using the following commands in global configuration. Use the no form of the command to delete the specified alias:
Task Command

At the privileged EXEC prompt, enter configuration mode from the terminal.

configure1
[terminal]

Configure a global ATM address template alias.

atm template-alias name template

1This command is documented in the LightStream 1010 ATM Switch Command Reference publication.

Syntax Description

name---The name for the template alias.

template---An ATM NSAP address template. It can be a single complete ATM NSAP address, which matches only itself, or it can contain wildcards so that one template matches many addresses.

The wildcard symbols, as used in the examples that follow, are: an ellipsis (...) at the end of a template, which matches any remaining digits of the address; an asterisk (*), which matches any single hexadecimal digit; and a parenthesized group of binary digits such as (1*0*), in which each * matches a single bit.

Examples

The following example creates a template alias named training with the ATM address template 47.1328..., using the ellipsis (...) to match whatever hexadecimal digits follow 47.1328 in the address:

Switch#config t
Switch(config)#atm template-alias training 47.1328...

The following example creates a template alias named bit_set with the ATM address template 47.9f9(1*0*).88ab... . The parenthesized group is a 4-bit binary pattern with two wildcard bits, so the template matches addresses that begin with any of four prefixes: 47.9f98.88ab, 47.9f99.88ab, 47.9f9c.88ab, and 47.9f9d.88ab:

Switch(config)#atm template-alias bit_set 47.9f9(1*0*).88ab...

The following example creates a template alias named byte_wise with the ATM address template 47.9*F8.33... . The asterisk stands for any single hexadecimal digit, so the template matches all ATM addresses that begin with one of the sixteen prefixes 47.90F8.33 through 47.9FF8.33:

Switch(config)#atm template-alias byte_wise 47.9*F8.33...

Display Template Alias Configuration

Use the show running-config command to display template alias configuration:
Task Command

Display the configured template aliases (together with the rest of the running configuration).

show running-config

Example

The following example displays the templates aliases configured in the previous examples:

Switch#show running-config
Building configuration...
Current configuration:
!
version 11.2
no service pad
service udp-small-servers
service tcp-small-servers
!
hostname Switch
!
!
username dtate
ip rcmd remote-username dplatz
atm template-alias training 47.1328...
atm template-alias bit_set 47.9f9(1*0*).88ab...
atm template-alias byte_wise 47.9*f8.33...
!
<Information Deleted>
Switch#

Configure ATM Filter Sets

To create an ATM address filter or time-of-day filter, use the atm filter-set command. Use the no form of the command to delete the specified ATM filter-set:
Task Command

At the privileged EXEC prompt, enter configuration mode from the terminal.

configure1
[terminal]

Configure a global ATM address filter set.

atm filter-set name [index number] [permit|deny] {address-template|time-of-day {anytime |start-time end-time} }

1This command is documented in the LightStream 1010 ATM Switch Command Reference publication.


The filters in a set are tried in ascending index order, and the first filter that matches the address (or, for a time-of-day filter, the current time) decides whether the call is permitted or denied. If you omit index, the switch assigns the next index in sequence, so filters are tried in the order you enter them.

Note Those filters that specify the complete NSAP address without wildcards are the only exception to this rule, since they are matched first irrespective of their index values.
Examples

The following example creates a filter named filter_1 that permits access to the specific ATM address 47.0000.8100.1234.0003.c386.b301.0003.c386.b301.00:

    Switch(config)#atm filter-set filter_1 permit 47.0000.8100.1234.0003.c386.b301.0003.c386.b301.00


The following example creates a filter named filter_2 that denies access to the specific ATM address 47.0000.8100.5678.0003.c386.b301.0003.c386.b301.00 but allows access to all other ATM addresses:

    Switch(config)#atm filter-set filter_2 deny 47.0000.8100.5678.0003.c386.b301.0003.c386.b301.00

    Switch(config)#atm filter-set filter_2 permit default

The following example creates a filter named filter_3 that denies access to all ATM addresses that begin with the prefix 47.840F but permits all other calls:

    Switch(config)#atm filter-set filter_3 deny 47.840F...

    Switch(config)#atm filter-set filter_3 permit default


Note The order in which deny and permit filters are configured is very important. See the following example.

In the following example, filter set filter_4 has its first filter configured to permit all addresses and its second filter configured to deny access to all addresses that begin with the prefix 47.840F. Since the default filter matches every address, the second filter is never reached, and addresses that begin with the prefix 47.840F are permitted along with everything else:

    Switch(config)#atm filter-set filter_4 permit default

    Switch(config)#atm filter-set filter_4 deny 47.840F...

The following example creates a filter named filter_5 that denies access to all ATM addresses described by the ATM template alias bad_users:

    Switch(config)#atm filter-set filter_5 deny bad_users

    Switch(config)#atm filter-set filter_5 permit default

The following example configures a filter set named tod1 with two time-of-day entries: index 2 denies calls between 11:15 and 22:45 (11:15 AM to 10:45 PM), and index 4 permits calls at any time. Because entries are tried in index order, a call placed inside the deny window is rejected before the permit entry is reached, and a call placed outside it falls through to index 4 and is permitted:

    Switch(config)#atm filter-set tod1 index 2 deny time-of-day 11:15 22:45

    Switch(config)#atm filter-set tod1 index 4 permit time-of-day anytime

The following example configures a filter set named tod2 that denies calls between 20:00 and 06:00 (8:00 PM to 6:00 AM, a window that wraps past midnight) and permits them at any other time. Giving the same start and end time (here 3:30 3:30) is equivalent to the anytime keyword; the show atm filter-set output later in this chapter shows both forms, with anytime stored as 0:0 to 0:0:

    Switch(config)#atm filter-set tod2 deny time-of-day 20:00 06:00

    Switch(config)#atm filter-set tod2 permit time-of-day 3:30 3:30

Time-of-day filters are evaluated against the switch's own clock, so a filter set that depends on them is only as trustworthy as the clock setting on the switch.

Once a filter-set is created using the previous configuration commands, it must be associated with an interface as an access group to actually filter any calls. See the section "Configure ATM Interface Access Control" to configure an individual interface with an access group.

Delete Filter Sets

To delete an ATM filter-set, use the no form of the atm filter-set command.
Task Command

At the privileged EXEC prompt, enter configuration mode from the terminal.

configure1
[terminal]

Delete a global ATM address filter set.

no atm filter-set name [index number]

1This command is documented in the LightStream 1010 ATM Switch Command Reference publication.

Examples

This example performs the following filter-set delete functions:

Step 1 Displays the existing filter-sets using the show atm filter-set command.

Step 2 Enters global configuration mode.

Step 3 Deletes only the entry with index 2 from filter set tod1.

Step 4 Deletes the entire filter-set tod2.

Step 5 Displays the modified filter-sets using the show atm filter-set command.

Switch#show atm filter-set
ATM filter set tod1
  deny From 11:15 Hrs Till 22:45 Hrs  index 2
  permit From 0:0 Hrs Till 0:0 Hrs  index 4
ATM filter set tod2
  deny From 20:0 Hrs Till 6:0 Hrs  index 1
  permit From 3:30 Hrs Till 3:30 Hrs  index 2
Switch#config term
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#no atm filter-set tod1 index 2
Switch(config)#no atm filter-set tod2
Switch(config)#^Z
Switch#
%SYS-5-CONFIG_I: Configured from console by console
Switch#show atm filter-set
ATM filter set tod1
  permit From 0:0 Hrs Till 0:0 Hrs  index 4
Switch#

Configure an ATM Filter Expression

The following commands create global ATM filter expressions:
Task Command

At the privileged EXEC prompt, enter configuration mode from the terminal.

configure1
[terminal]

Define a simple filter expression with only one term and no operators.

atm filter-expr name term

Define a filter expression using the operator and.

atm filter-expr name [destination | source | src] term1 and [destination | source | src] term2

Define a filter expression using the operator not.

atm filter-expr name [destination | source | src] not term

Define a filter expression using the operator or.

atm filter-expr name [destination | source | src] term1 or [destination | source | src] term2

Define a filter expression using the operator xor.

atm filter-expr name [destination | source | src] term1 xor [destination | source | src] term2

Delete a filter.

[no] atm filter-expr name

1This command is documented in the LightStream 1010 ATM Switch Command Reference publication.

Syntax Description

name---The name of the ATM filter expression.

term---The name of an existing ATM filter set. Each term can be preceded by one of the following keywords, which selects the address in the SETUP message that the filter set is tested against:

destination --- Test the called party (destination) address. This is the default, and the show atm filter-expr command displays it as dest.

source --- Test the calling party (source) address.

src --- Same as source.

For expressions with two terms (those using the logical operators and, or, and xor), the terms are evaluated from left to right.

For and and or, the second term is evaluated only when necessary: it is skipped when the result is already decided by the first term (a false first term for and, a true first term for or). An xor expression always requires both terms.

Examples

The following example defines a simple filter expression that has only one term and no operators:

Switch(config)#atm filter-expr training filter_1 

The following example defines a filter expression using the not operator:

Switch(config)#atm filter-expr training not filter_1

The following example defines a filter expression using the or operator:

Switch(config)#atm filter-expr training filter_2 or filter_1

The following example defines a filter expression using the and operator:

Switch(config)#atm filter-expr training filter_1 and source filter_2

The following example defines a filter expression using the xor operator:

Switch(config)#atm filter-expr training filter_2 xor filter_1
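An added example, not Cisco code, of how the expression forms above combine filter sets: it parses the operand part of an atm filter-expr line, renders it the way show atm filter-expr prints it, and evaluates it against the calling and called addresses of a SETUP message, recording which filter sets were actually run so the left-to-right short-circuit behaviour is visible. The filter sets are stand-ins constructed here as simple prefix checks (deny_prefix, built from the page's filter_3 prefix and the scenario's lab prefix); treating a filter set's permit as true and a true expression as permitting the call, and abbreviating source to src in the rendered form, are assumptions.

```python
"""Evaluation of 'atm filter-expr' expressions against a SETUP message."""

# Qualifier keyword -> which SETUP address the filter set is tested against.
QUALIFIERS = {"destination": "called", "source": "calling", "src": "calling"}
# How 'show atm filter-expr' abbreviates a qualifier. ASSUMPTION for 'source':
# the page only shows 'dest' and 'src'.
SHORT = {"destination": "dest", "source": "src", "src": "src"}


def parse_expr(text):
    """Parse the operand part of 'atm filter-expr NAME <text>'.
    Forms: 'T', '[q] not T', '[q] T1 {and|or|xor} [q] T2', where q is a
    qualifier and T a filter-set name. Returns a small tuple tree."""
    toks = text.split()
    i, qual = 0, "destination"
    if toks[i] in QUALIFIERS:
        qual, i = toks[i], i + 1
    if toks[i] == "not":
        if len(toks) != i + 2:
            raise ValueError("'not' takes exactly one term")
        return ("not", (qual, toks[i + 1]))
    left, i = (qual, toks[i]), i + 1
    if i == len(toks):
        return ("term", left)
    op, i = toks[i], i + 1
    if op not in ("and", "or", "xor"):
        raise ValueError("unknown operator %r" % op)
    qual = "destination"
    if toks[i] in QUALIFIERS:
        qual, i = toks[i], i + 1
    if len(toks) != i + 1:
        raise ValueError("expected exactly one term after %s" % op)
    return (op, left, (qual, toks[i]))


def render(name, expr):
    """Reproduce the 'NAME = dest filter_1' line printed by show atm filter-expr."""
    def term(t):
        return "%s %s" % (SHORT[t[0]], t[1])
    if expr[0] == "term":
        return "%s = %s" % (name, term(expr[1]))
    if expr[0] == "not":
        return "%s = not %s" % (name, term(expr[1]))
    return "%s = %s %s %s" % (name, term(expr[1]), expr[0], term(expr[2]))


def evaluate(expr, calling, called, filter_sets):
    """Return ('permit' | 'deny', [filter sets actually evaluated, in order]).
    filter_sets maps a name to a callable address -> 'permit' / 'deny'.
    ASSUMPTION: a term is true when its filter set permits the selected
    address, and a true expression permits the call."""
    evaluated = []

    def term(t):
        qual, name = t
        address = called if QUALIFIERS[qual] == "called" else calling
        evaluated.append(name)
        return filter_sets[name](address) == "permit"

    kind = expr[0]
    if kind == "term":
        result = term(expr[1])
    elif kind == "not":
        result = not term(expr[1])
    else:
        first = term(expr[1])
        if kind == "and" and not first:       # decided: second term is skipped
            result = False
        elif kind == "or" and first:           # decided: second term is skipped
            result = True
        else:                                  # and/or undecided, or xor: needs both
            second = term(expr[2])
            result = {"and": first and second, "or": first or second, "xor": first != second}[kind]
    return ("permit" if result else "deny"), evaluated


def deny_prefix(prefix):
    """A stand-in filter set constructed for this example: deny addresses under
    the prefix, permit everything else (the 'deny X / permit default' pattern)."""
    p = prefix.replace(".", "").lower()
    return lambda address: "deny" if address.replace(".", "").lower().startswith(p) else "permit"


# Constructed filter sets: filter_1 mirrors filter_3 above, filter_2 the scenario's lab prefix.
FILTER_SETS = {
    "filter_1": deny_prefix("47.840F"),
    "filter_2": deny_prefix("47.0091.8100.0000.2222.2222.FFFF"),
}
```

With a called address under 47.840F, evaluating filter_1 and source filter_2 runs only filter_1, because the and is already false; filter_2 xor filter_1 always runs both.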

Configure ATM Interface Access Control

To subscribe an ATM interface or subinterface to an existing ATM filter set or filter expression use the following commands. Use the no form of the atm access-group command to delete an address access filter subscription on a specified interface or subinterface:
Task Command

At the privileged EXEC prompt, enter configuration mode from the terminal.

configure1
[terminal]

Select the interface or subinterface to be configured.

interface atm card/sub_card/port [.vpt #]

Configure an existing ATM address pattern matching filter expression.

atm access-group name [in | out]

1This command is documented in the LightStream 1010 ATM Switch Command Reference publication.

Syntax Description

name---The name of the filter expression or filter set.

in---Indicates the filter should be applied to incoming SETUP messages on the interface.

out---Indicates the filter should be applied to outgoing SETUP messages on the interface. This is the default.

If neither in nor out is specified, the filter is applied to outgoing SETUP messages.

Examples

The following example configures access control for outgoing calls on ATM interface 3/0/0:

Switch(config)#interface atm 3/0/0
Switch(config-if)#atm access-group training out

The following example configures access control for both outgoing and incoming calls on ATM interface 3/0/0:

Switch(config)#interface atm 3/0/0
Switch(config-if)#atm access-group training out
Switch(config-if)#atm access-group marketing in

Display ATM Filter Configuration

EXEC commands to display access control configuration are as follows:
Task Command

Display a specific or a summary of ATM filter set.

show atm filter-set [name]

Display a specific or a summary of ATM filter expression.

show atm filter-expr [name]

Examples

The following command displays the configured ATM filters:

Switch#show atm filter-set
ATM filter set tod1
  deny From 11:15 Hrs Till 22:45 Hrs  index 2
  permit From 0:0 Hrs Till 0:0 Hrs  index 4
ATM filter set tod2
  deny From 20:0 Hrs Till 6:0 Hrs  index 1
  permit From 3:30 Hrs Till 3:30 Hrs  index 2
Switch#

The following command displays the configured ATM filter expressions:

Switch#show atm filter-expr
training = dest filter_1
Switch#

ATM Filter Configuration Scenario

This section provides a complete access filter configuration example using the information described in the previous four sections:

Figure 12-1 is an example network configuration that is used in the following filter set configuration scenario.

Figure 12-1: ATM Access Filter Configuration Example (a Filter Switch whose ATM interface 1/0/0 connects to a Lab Switch with directly attached workstations)


Examples

The following example configures the Filter Switch, shown in Figure 12-1, to deny access to all calls received on ATM interface 1/0/0 from the workstations directly attached to the Lab Switch, but to allow all other calls. In other words, denying all calls if the calling party address begins with the prefix 47.0091.8100.0000.2222.2222.FFFF:

Filter Switch#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Filter Switch(config)#atm template-alias lab-sw 47.0091.8100.0000.2222.2222.FFFF...
Filter Switch(config)#atm filter-set filter_1 deny lab-sw
Filter Switch(config)#atm filter-set filter_1 permit default
Filter Switch(config)#atm filter-expr exp1 src filter_1
Filter Switch(config)#
Filter Switch(config)#interface atm 1/0/0
Filter Switch(config-if)#atm access-group exp1 in
Filter Switch(config-if)#^Z
Filter Switch#show atm filter-set
ATM filter set filter_1
  deny   47.0091.8100.0000.2222.2222.ffff...  index 1
  permit default  index 2
Filter Switch#show atm filter-expr
exp1 = src filter_1
Filter Switch#

Filter IP Packets at the IP Interfaces

Internet Protocol (IP) packet filtering helps control packet movement through the network. Such control can help limit network traffic and restrict network use by certain users or devices. To permit or deny packets crossing specified IP interfaces, the switch provides access lists.

Access lists can be applied to IP interfaces, to filter the packets the switch forwards, and to the terminal lines, to restrict which addresses may open a virtual terminal session to the switch itself.

This section summarizes how to create IP access lists and how to apply them.


Note This section applies to the IP interfaces only.

An access list is a sequential collection of permit and deny conditions that apply to IP addresses. The LightStream 1010 software tests addresses against the conditions in an access list one by one. The first match determines whether the software accepts or rejects the address. Because the software stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the software rejects the address.

The two steps involved in using access lists are as follows:

Step 1 Create an access list by specifying an access list number and access conditions.

Step 2 Apply the access list to interfaces or terminal lines.

These steps are described in the next sections.

Create Standard and Extended IP Access Lists

The software supports three styles of access lists for IP interfaces: standard lists, which test only the source address; extended lists, which also test the protocol, the destination address, ports, and TCP connection state; and dynamic lists, which are extended lists with a timeout.

To create a standard access list, perform one of the following tasks in global configuration mode:
Task Command

At the privileged EXEC prompt, enter configuration mode from the terminal.

configure1
[terminal]

Define a standard IP access list using a source address and wildcard.

access-list access-list-number {deny | permit} source [source-wildcard]

Define a standard IP access list using an abbreviation for the source and source mask of 0.0.0.0 255.255.255.255.

access-list access-list-number {deny | permit} any

1This command is documented in the LightStream 1010 ATM Switch Command Reference publication.

To create an extended access list, perform one of the following tasks in global configuration mode:
Task Command

At the privileged EXEC prompt, enter configuration mode from the terminal.

configure1
[terminal]

Define an extended IP access list number and the access conditions. Use the log keyword to get access list logging messages, including violations.

access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log]

Define an extended IP access list using an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255 and an abbreviation for a destination and destination wildcard of 0.0.0.0 255.255.255.255.

access-list access-list-number {deny | permit} protocol any

Define an extended IP access list using an abbreviation for a source and source wildcard of source 0.0.0.0 and an abbreviation for a destination and destination wildcard of destination 0.0.0.0.

access-list access-list-number {deny | permit} protocol host source host destination

Define a dynamic access list.

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log]

1This command is documented in the LightStream 1010 ATM Switch Command Reference publication.

After an access list is created initially, any subsequent additions (possibly entered from the terminal) are placed at the end of the list. In other words, you cannot selectively add or remove access list command lines from a specific access list: to change the middle of a list you must remove the whole list with the no form of the command and re-enter it in the intended order.


Note Keep in mind when making standard and extended access lists that, by default, the end of the access list contains an implicit deny statement for everything if it does not find a match before reaching the end. Further, with standard access lists, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is assumed to be the mask.

Apply an IP Access List to an Interface or Terminal Line

After an access list is created, you can apply it to one or more interfaces. Access lists can be applied on either outbound or inbound interfaces. The following two tables show how this task is accomplished for both terminal lines and network interfaces.

Perform the following task in line configuration mode:
Task Command

At the privileged EXEC prompt, enter configuration mode from the terminal.

configure1
[terminal]

Select the line to be configured.

line [aux|console|vty] 0

Restrict incoming and outgoing connections between a particular virtual terminal line (into a  device) and the addresses in an access list.

access-class access-list-number {in | out}

1This command is documented in the LightStream 1010 ATM Switch Command Reference publication.

Perform the following task in interface configuration mode:
Task Command

At the privileged EXEC prompt, enter configuration mode from the terminal.

configure1
[terminal]

Select the interface or subinterface to be configured.

interface atm card/sub_card/port

Control access to an interface.

ip access-group access-list-number {in | out}

1This command is documented in the LightStream 1010 ATM Switch Command Reference publication.

For inbound access lists, after receiving a packet, the LightStream 1010 software checks the source address of the packet against the access list. If the access list permits the address, the software continues to process the packet. If the access list rejects the address, the software discards the packet and returns an Internet Control Message Protocol (ICMP) Host Unreachable message.

For outbound access lists, after receiving and routing a packet to a controlled interface, the software checks the source address of the packet against the access list. If the access list permits the address, the software transmits the packet. If the access list rejects the address, the software discards the packet and returns an ICMP Host Unreachable message.

When you apply an access list (standard or extended) that has not yet been defined to an interface, the software acts as if no access list were applied to the interface and accepts all packets. A mistyped list number on an ip access-group or access-class command therefore fails open, so verify with show running-config that every number referenced on an interface or line has a matching access-list definition.


Note Set identical restrictions on all the virtual terminal lines, because a user can attempt to connect to any of them.

IP Access List Examples

In the following example, network 36.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 36.0.0.0 address specify a particular host.

Using access list 2, the LightStream 1010 software would accept one address on subnet 48 and reject all others on that subnet. The last line of the list shows that the software would accept addresses on all other network 36.0.0.0 subnets.

Switch(config)#access-list 2 permit 36.48.0.3
Switch(config)#access-list 2 deny 36.48.0.0  0.0.255.255 
Switch(config)#access-list 2 permit 36.0.0.0  0.255.255.255 
Switch(config)#interface ethernet 2/0/0
Switch(config-if)#ip access-group 2 in

Examples of Implicit Masks in IP Access Lists

IP access lists contain implicit masks. For instance, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is assumed to be the mask. Consider the following example configuration:

Switch(config)#access-list 1 permit 0.0.0.0
Switch(config)#access-list 1 permit 131.108.0.0
Switch(config)#access-list 1 deny 0.0.0.0 255.255.255.255

For this example, the following masks are implied in the first two lines:

Switch(config)#access-list 1 permit 0.0.0.0 0.0.0.0
Switch(config)#access-list 1 permit 131.108.0.0 0.0.0.0

The last line in the configuration (using the deny keyword) can be left off, because IP access lists implicitly deny all other access. This is equivalent to finishing the access list with the following command statement:

Switch(config)#access-list 1 deny 0.0.0.0 255.255.255.255

The following access list only allows access for those hosts on the three specified networks. It assumes that subnetting is not used; the masks apply to the host portions of the network addresses. Any host with a source address that does not match one of the access list statements is rejected.

Switch(config)#access-list 1 permit 192.5.34.0  0.0.0.255
Switch(config)#access-list 1 permit 128.88.0.0  0.0.255.255
Switch(config)#access-list 1 permit 36.0.0.0  0.255.255.255
! (Note: all other access implicitly denied)

To specify a large number of individual addresses more easily, you can omit the address mask that is all zeros from the access-list global configuration command. Thus, the following two configuration commands are identical in effect:

Switch(config)#access-list 2 permit 36.48.0.3
Switch(config)#access-list 2 permit 36.48.0.3  0.0.0.0

Examples of Configuring Extended IP Access Lists

In the following example, the first line permits any incoming Transmission Control Protocol (TCP) connections to hosts on network 128.88.0.0 with destination ports greater than 1023. The second line permits incoming TCP connections to the simple mail transfer protocol (SMTP) port of host 128.88.1.2. The last line permits incoming ICMP messages to the 128.88.0.0 network for error feedback; its destination wildcard is 0.0.255.255, the same network as the other lines (a wildcard of 255.255.255.255 there would admit ICMP to any destination). Note that the first line exposes every service listening above port 1023 on the network; the established form shown in the next example is the more restrictive way to admit return traffic:

    Switch(config)#access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 gt 1023

    Switch(config)#access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25

    Switch(config)#access-list 102 permit icmp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255

    Switch(config)#interface ethernet 2/0/0

    Switch(config-if)#ip access-group 102 in


For another example of using an extended access list, suppose you have a network connected to the Internet, and you want any host on an Ethernet to be able to form TCP connections to any host on the Internet. However, you do not want IP hosts to be able to form TCP connections to hosts on the Ethernet except to the mail (SMTP) port of a dedicated mail host.

SMTP uses TCP port 25 on one end of the connection and a random port number on the other end. The same two port numbers are used throughout the life of the connection. Mail packets coming in from the Internet will have a destination port of 25. Outbound packets will have the port numbers reversed. The fact that the secure system behind the switch will always be accepting mail connections on port 25 is what makes it possible to separately control incoming and outgoing services. The access list can be configured on either the outbound or inbound interface.

In the following example, the Ethernet network is a Class B network with the address 128.88.0.0, and the mail host's address is 128.88.1.2. The keyword established is used only for the TCP protocol to indicate an established connection. A match occurs if the TCP datagram has the acknowledgment (ACK) or reset (RST) bit set, which indicates that the packet belongs to an existing connection. The check is stateless: the switch does not track connections, so any segment that arrives with ACK set passes the first line whether or not a connection exists. This keeps outsiders from opening connections into the network, but it does not stop ACK-flagged probes or data directed at a host that will accept them.

    Switch(config)#access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 established

    Switch(config)#access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25

    Switch(config)#interface ethernet 2/0/0

    Switch(config-if)#ip access-group 102 in
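The access-list semantics described in this section, as an added example in Python (not Cisco code and not the switch's implementation): it parses the page's own access-list 2 and access-list 102 lines, applies Cisco wildcard masks with the implicit 0.0.0.0 mask on standard lists, walks a list in order with the first match deciding and an implicit deny at the end, treats an undefined list number as permitting everything, and implements established exactly as the text defines it (ACK or RST set). Packets are plain records constructed here. Because established is a flag check rather than connection tracking, the example also shows an ACK-flagged segment to an arbitrary port passing the list.

```python
"""IP access-list evaluation with the semantics the section above states."""
import ipaddress
from dataclasses import dataclass


def _ip(a):
    return int(ipaddress.IPv4Address(a))


def wildcard_match(address, base, wildcard="0.0.0.0"):
    """Cisco wildcard mask: a 1 bit means 'do not care'; 0.0.0.0 is an exact host."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(address) & care) == (_ip(base) & care)


@dataclass
class Packet:
    """A constructed packet: only the fields an access list can test."""
    proto: str
    src: str
    dst: str
    dport: int = 0
    ack: bool = False
    rst: bool = False


@dataclass
class Entry:
    action: str
    src: str
    src_wc: str = "0.0.0.0"
    proto: str = None          # None: standard list, source address only
    dst: str = None
    dst_wc: str = "0.0.0.0"
    port_op: str = None        # eq / gt / lt on the destination port
    port: int = 0
    established: bool = False  # TCP only: ACK or RST bit set

    def matches(self, p):
        if not wildcard_match(p.src, self.src, self.src_wc):
            return False
        if self.proto is None:
            return True
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wildcard_match(p.dst, self.dst, self.dst_wc):
            return False
        if self.port_op and not {"eq": p.dport == self.port, "gt": p.dport > self.port,
                                 "lt": p.dport < self.port}[self.port_op]:
            return False
        return not self.established or p.ack or p.rst   # stateless flag check


def _address(toks, i, implicit_mask):
    """Consume 'any', 'host A', 'A W', or (standard lists only) a bare 'A'."""
    if toks[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if toks[i] == "host":
        return toks[i + 1], "0.0.0.0", i + 2
    if implicit_mask and i + 1 == len(toks):
        return toks[i], "0.0.0.0", i + 1      # omitted mask means 0.0.0.0
    return toks[i], toks[i + 1], i + 2


class AccessLists:
    """Global 'access-list' definitions and the decision an access group makes."""

    def __init__(self):
        self.lists = {}

    def add(self, line):
        """Parse one 'access-list N {permit|deny} ...' line; numbers below 100 are
        standard lists, 100-199 extended. New entries always go to the end."""
        toks = line.split()
        number, action, i = int(toks[1]), toks[2], 3
        if number < 100:
            src, wc, i = _address(toks, i, implicit_mask=True)
            entry = Entry(action, src, wc)
        else:
            proto, i = toks[i], i + 1
            src, swc, i = _address(toks, i, implicit_mask=False)
            dst, dwc, i = _address(toks, i, implicit_mask=False)
            entry = Entry(action, src, swc, proto, dst, dwc)
            while i < len(toks):
                if toks[i] in ("eq", "gt", "lt"):
                    entry.port_op, entry.port, i = toks[i], int(toks[i + 1]), i + 2
                elif toks[i] == "established":
                    entry.established, i = True, i + 1
                elif toks[i] == "log":
                    i += 1
                else:
                    raise ValueError("unsupported keyword %r" % toks[i])
        self.lists.setdefault(number, []).append(entry)

    def decide(self, number, packet):
        """Result of 'ip access-group NUMBER in' for one packet."""
        if number not in self.lists:
            return "permit"          # undefined list accepts everything: fails open
        for entry in self.lists[number]:
            if entry.matches(packet):
                return entry.action  # first match decides
        return "deny"                # implicit deny at the end of every list
```

Feeding the second version of access-list 102 a TCP segment to port 22 on 128.88.5.5 returns deny without the ACK flag and permit with it, which is the stateless behaviour of established described above.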


Copyright 1989-1998 © Cisco Systems Inc.