What specific name is given to describe a security policy based on access control lists?

C H A P T E R  22

Configuring Access Control Lists (ACLs)

This chapter describes how to configure the Access Control Lists (ACLs).

This chapter contains the following topics:

  • Section , Understanding Access Control Lists
  • Section , Configuring Access Control Lists

Understanding Access Control Lists

Access Control Lists (ACLs) are a collection of permit and deny conditions, called rules, that provide security by blocking unauthorized users and allowing authorized users to access specific resources.

ACLs can also provide traffic flow control, restrict contents of routing updates, and decide which types of traffic are forwarded or blocked. Normally ACLs reside in a firewall router or in a router connecting two internal networks.

You can set up ACLs to control traffic at Layer 2, Layer 3, or Layer 4. MAC ACLs operate on Layer 2. IP ACLs operate on Layers 3 and 4.

Features

ACL support features include Flow-based Mirroring and ACL Logging.

  • Flow-based mirroring is the ability to mirror traffic that matches a permit rule to a specific physical port or LAG. Flow-based mirroring is similar to the redirect function, except that in flow-based mirroring a copy of the permitted traffic is delivered to the mirror interface while the packet itself is forwarded normally through the device. You cannot configure a given ACL rule with mirror and redirect attributes.
  • ACL Logging provides a means for counting the number of “hits” against an ACL rule. When you configure ACL Logging, you augment the ACL deny rule specification with a ‘log’ parameter that enables hardware hit count collection and reporting. FASTPATH uses a fixed five minute logging interval, at which time trap log entries are written for each ACL logging rule that accumulated a non-zero hit count during that interval. You cannot configure the logging interval.

Using ACLs to mirror traffic is called flow-based mirroring because the traffic flow is defined by the ACL classification rules. This is in contrast to port mirroring, where all traffic encountered on a specific interface is replicated on another interface.

Limitations

The following limitations apply to ACLs. These limitations are platform dependent.

  • Maximum of 100 ACLs.
  • Maximum rules per ACL is 8-10.
  • The system supports ACLs set up for inbound traffic only.
  • You can configure mirror or redirect attributes for a given ACL rule, but not both.
  • The system does not support MAC ACLs and IP ACLs on the same interface.
  • A hardware platform may support a limited number of counter resources, so it may not be possible to log every ACL rule. You can define an ACL with any number of logging rules, but the number of rules that are actually logged cannot be determined until the ACL is applied to an interface. Furthermore, hardware counters that become available after an ACL is applied are not retroactively assigned to rules that were unable to be logged (the ACL must be un-applied then re-applied). Rules that are unable to be logged are still active in the ACL for purposes of permitting or denying a matching packet.
  • The order of the rules is important: when a packet matches multiple rules, the first rule takes precedence. Also, once you define an ACL for a given port, all traffic not specifically permitted by the ACL is denied access.

MAC ACLs

MAC ACLs are Layer 2 ACLs. You can configure the rules to inspect the following fields of a packet (limited by platform):

  • Source MAC address
  • Source MAC mask
  • Destination MAC address
  • Destination MAC mask
  • VLAN ID
  • Class of Service (CoS) (802.1p)
  • Ethertype

L2 ACLs can apply to one or more interfaces.

Multiple access lists can be applied to a single interface - sequence number determines the order of execution.

You can assign packets to queues using the assign queue option.

IP ACLs

IP ACLs classify for Layers 3 and 4.

Each ACL is a set of up to ten rules applied to inbound traffic. Each rule specifies whether the contents of a given field should be used to permit or deny access to the network, and may apply to one or more of the following fields within a packet:

  • Destination IP with wildcard mask
  • Destination L4 Port
  • Every Packet
  • IP DSCP
  • IP Precedence
  • IP TOS
  • Protocol
  • Source IP with wildcard mask
  • Source L4 port
  • Destination Layer 4 port

Configuring Access Control Lists


  To Configure ACLs

1. Create a MAC ACL by specifying a name.

2. Create an IP ACL by specifying a number.

3. Add new rules to the ACL.

4. Configure the match criteria for the rules.

5. Apply the ACL to one or more interfaces.

Setting Up an IP ACL via CLI

The script in this section shows you how to set up an IP ACL with two rules, one applicable to TCP traffic and one to UDP traffic. The content of the two rules is the same. TCP and UDP packets will only be accepted by the Sun Netra CP3240 switch if the source and destination stations have IP addresses that fall within the defined sets.

FIGURE 22-1 IP ACL Example Network Diagram


What specific name is given to describe a security policy based on access control lists?

Example 1: Create ACL 179 and Define an ACL Rule

After the mask has been applied, it permits packets carrying TCP traffic that matches the specified Source IP address, and sends these packets to the specified Destination IP address.


config  
access-list 179 permit tcp 192.168.77.0 0.0.0.255 192.168.77.3 0.0.0.0


Example 2: Define the Second Rule for ACL 179

Define the rule to set similar conditions for UDP traffic as for TCP traffic.


access-list 179 permit udp 192.168.77.0 0.0.0.255 192.168.77.3 0.0.0.255
exit


Example 3: Apply the rule to Inbound Traffic on Port 1/0/2

Only traffic matching the criteria will be accepted.


interface 0/2
  ip access-group 179 in
exit


Setting Up a MAC ACL via CLI

The following are examples of the commands used for the MAC ACLs feature.

Example 1: Set up a MAC Access List


CODE EXAMPLE 22-1 Set Up a MAC Access Label

(DTI SWITCH)	(Config)#mac access-list ?
 
extended	Configure extended MAC Access List parameters.
 
LVL7 FASTPATH Routing) 	(Config)#mac access-list extended ?
 
<name>	Enter access-list name up to 31 characters 	in length.rename	Rename MAC Access Control List.
 
(DTI SWITCH) 	(Config)#mac access-list extended mac1 ?
 
<cr>	Press Enter to execute the command.
 
(DTI SWITCH) 	(Config)#mac access-list extended mac1 

Example 2: Specify MAC ACL Attributes


CODE EXAMPLE 22-2 Specify MAC ACL Attributes

(DTI SWITCH) (Config)#mac access-list extended mac1
 
(DTI SWITCH) (Config-mac-access-list)#deny ?
 
<srcmac>                 Enter a MAC Address.
any                      Configure a match condition for all the source MAC
                         addresses in the Source MAC Address field.
 
(DTI SWITCH) (Config-mac-access-list)#deny any ?
 
<dstmac>                 Enter a MAC Address.
any                      Configure a match condition for all the destination
                         MAC addresses in the Destination MAC Address field.
bpdu                     Match on any BPDU destination MAC Address.
 
(DTI SWITCH) (Config-mac-access-list)#deny any 00:11:22:33:44:55 ?
 
<dstmacmask>             Enter a MAC Address bit mask.
 
(DTI SWITCH) (Config-mac-access-list)#deny any 00:11:22:33:44:55 00
:00:00:00:FF:FF ?
 
<ethertypekey>           Enter one of the following keywords to specify an
                         Ethertype (appletalk, arp, ibmsna, ipv4, ipv6, ipx,
                         mplsmcast, mplsucast, netbios, novell, pppoe, rarp).
<0x0600-0xffff>          Enter a four-digit hexadecimal number in the range of
                         0x0600 to 0xffff to specify a custom Ethertype value.
vlan                     Configure a match condition based on a VLAN ID.
cos                      Configure a match condition based on a COS value.
log                      Configure logging for this access list rule.
assign-queue             Configure the Queue Id assignment attribute.
<cr>                     Press Enter to execute the command.
 
(DTI SWITCH) (Config-mac-access-list)#deny any 00:11:22:33:44:55 00
:00:00:00:FF:FF log ?
assign-queue             Configure the Queue Id assignment attribute.
<cr>                     Press Enter to execute the command.
 
(DTI SWITCH) (Config-mac-access-list)#deny any 00:11:22:33:44:55 00:0
0:00:00:FF:FF log
 
(DTI SWITCH) (Config-mac-access-list)#exit
 
(DTI SWITCH) (Config)#exit
 
(DTI SWITCH) #

Example 3: Configure MAC Access Group


CODE EXAMPLE 22-3 Configure MAC Access Group

(DTI SWITCH) 	(Config)#interface 0/5
 
(DTI SWITCH) 	(Interface 0/5)#mac ?
 
access-group	Attach MAC Access List to Interface.
 
(DTI SWITCH) 	(Interface 0/5)#mac access-group ?
 
<name>	Enter name of MAC Access Control List.
 
(DTI SWITCH) 	(Interface 0/5)#mac access-group mac1 ?
 
in	Enter the direction <in>.
 
(DTI SWITCH) 	(Interface 0/5)#mac access-group mac1 in ?
 
<cr>	Press Enter to execute the command.
<1-4294967295>           	Enter the sequence number (greater than 0) to	rank direction.  A lower sequence number	has higher precedence.
 
(DTI SWITCH) (Interface 0/5)#mac access-group mac1 in 6 ?
 
<cr>                     	Press Enter to execute the command.
 
(DTI SWITCH) (Interface 0/5)#mac access-group mac1 in 6
 
 
(DTI SWITCH) (Interface 0/5)#exit
 
(DTI SWITCH) (Config)#exit
 
(DTI SWITCH) #

Example 4: Set up an ACL with Permit Action


CODE EXAMPLE 22-4 Set Up ACL with Permit Action

(DTI SWITCH) (Config)#mac access-list extended mac2
 
(DTI SWITCH) (Config-mac-access-list)#permit ?
 
<srcmac>                 Enter a MAC Address.
any                      Configure a match condition for all the source MAC
                         addresses in the Source MAC Address field.
 
(DTI SWITCH) (Config-mac-access-list)#permit any ?
 
<dstmac>                 Enter a MAC Address.
any                      Configure a match condition for all the destination
                         MAC addresses in the Destination MAC Address field.
bpdu                     Match on any BPDU destination MAC Address.
 
(DTI SWITCH) (Config-mac-access-list)#permit any any ?
 
<ethertypekey>           Enter one of the following keywords to specify an
                         Ethertype (appletalk, arp, ibmsna, ipv4, ipv6, ipx,
                         mplsmcast, mplsucast, netbios, novell, pppoe, rarp).
<0x0600-0xffff>          Enter a four-digit hexadecimal number in the range of
                         0x0600 to 0xffff to specify a custom Ethertype value.
vlan                     Configure a match condition based on a VLAN ID.
cos                      Configure a match condition based on a COS value.
log                      Configure logging for this access list rule.
assign-queue             Configure the Queue Id assignment attribute.
<cr>                     Press Enter to execute the command.
 
(DTI SWITCH) (Config-mac-access-list)#permit any any
 
(DTI SWITCH) (Config-mac-access-list)#

Example 5: Show MAC Access Lists


CODE EXAMPLE 22-5 Show MAC Access Lists

(DTI SWITCH) 	#show mac access-lists
Current number of all ACLs: 2	Maximum number of all ACLs: 100
 
MAC ACL Name Rules Direction Interface(s)
------------ ----- --------- ------------
mac1         1     inbound   0/5
mac2         1
 
(DTI SWITCH) #show mac access-lists mac1
 
MAC ACL Name: mac1
 
 
Rule Number: 1
Action......................................... deny
Destination MAC Address........................ 00:11:22:33:44:55
Destination MAC Mask........................... 00:00:00:00:FF:FF
Log............................................ TRUE
 
(DTI SWITCH) #

Setting Up ACLs via Web Interface

The following web pages are used in the ACL feature.

FIGURE 22-2 MAC ACL Configuration Page - Create New MAC ACL


FIGURE 22-3 MAC ACL Configuration Page

What specific name is given to describe a security policy based on access control lists?


FIGURE 22-4 MAC ACL Summary

What specific name is given to describe a security policy based on access control lists?


FIGURE 22-5 MAC ACL Rule Configuration - Create New Rule

What specific name is given to describe a security policy based on access control lists?


FIGURE 22-6 MAC ACL Rule Configuration Page - Add Destination MAC and MAC Mask

What specific name is given to describe a security policy based on access control lists?


FIGURE 22-7 MAC ACL Rule Configuration Page - View the Current Settings

What specific name is given to describe a security policy based on access control lists?


FIGURE 22-8 MAC ACL Rule Configuration Page - Add Destination MAC and MAC Mask

What specific name is given to describe a security policy based on access control lists?


FIGURE 22-9 MAC ACL Rule Configuration Page - Add Destination MAC and MAC Mask

What specific name is given to describe a security policy based on access control lists?


FIGURE 22-10 ACL Interface Configuration

What specific name is given to describe a security policy based on access control lists?


FIGURE 22-11 IP ACL Configuration Page - Create a New IP ACL

What specific name is given to describe a security policy based on access control lists?


FIGURE 22-12 IP ACL Configuration Page - Create a Rule and Assign an ID

What specific name is given to describe a security policy based on access control lists?


FIGURE 22-13 IP ACL Configure IP ACL Rule Properties

What specific name is given to describe a security policy based on access control lists?


FIGURE 22-14 IP ACL Rule Configuration Page - Rule with Protocol and Source IP Configuration

What specific name is given to describe a security policy based on access control lists?


FIGURE 22-15 Attach IP ACL to an Interface

What specific name is given to describe a security policy based on access control lists?


FIGURE 22-16 IP ACL Summary

What specific name is given to describe a security policy based on access control lists?


What specific name is given to describe a security policy based on access control lists?

© 2007 Diversified Technology, Inc. All Rights Reserved. © 2009 Sun Microsystems, Inc. All rights reserved.

What do you mean by access control list?

An access control list (ACL) contains rules that grant or deny access to certain digital environments. There are two types of ACLs: Filesystem ACLs━filter access to files and/or directories. Filesystem ACLs tell operating systems which users can access the system, and what privileges the users are allowed.

What is access control in security?

Access control is a fundamental component of data security that dictates who's allowed to access and use company information and resources. Through authentication and authorization, access control policies make sure users are who they say they are and that they have appropriate access to company data.

What are ACL rules?

ACLs are a collection of permit and deny conditions, called rules, that provide security by blocking unauthorized users and allowing authorized users to access specific resources. ACLs can block any unwarranted attempts to reach network resources. The WAP device supports up to 50 IPv4, IPv6, and MAC ACL rules.

What does ACL stand for and how is it used?

The anterior cruciate ligament (ACL) is one of the key ligaments that help stabilize the knee joint. The ACL connects the thighbone (femur) to the shinbone (tibia). It's most commonly torn during sports that involve sudden stops and changes in direction — such as basketball, soccer, tennis and volleyball.