The IPv6 PACL (Port Access Control List) is basically a regular IPv6 access-list that is applied to a switchport (L2 interface). PACLs only work inbound.
Configuration

Let's look at a quick example. Here's the topology we'll use: We will use R1 and R2 to generate some IPv6 traffic, and on SW1 we'll configure the PACL.
Let's enable the HTTP server on R2 so that we have something to connect to:
Without an ACL, I can connect to the telnet server (enabled by default) and the HTTP server:
Let’s create an access-list that denies telnet traffic and permits everything else:
We can see the access-list we created with the show ipv6 access-list command:
You can also use show access-list without “ipv6” and it will show up. Let’s activate the access-list on the GigabitEthernet 0/1 interface that connects to R1:
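The configuration behind the steps above, written out as an added example rather than the lesson's own device output. The addresses (2001:db8::1 for R1 and 2001:db8::2 for R2 on one /64), R2's interface name, the ACL name NO_TELNET and the VTY password are assumptions; SW1's GigabitEthernet0/1 towards R1 is the interface the lesson names.

```cisco
! Added example, not the lesson's own configuration. Assumed: R1 is
! 2001:db8::1 and R2 is 2001:db8::2 on one /64, R2 faces SW1 on
! GigabitEthernet0/0, the ACL is named NO_TELNET, the VTY password is "cisco".

! --- R2: the services R1 will connect to ---
interface GigabitEthernet0/0
 ipv6 address 2001:db8::2/64
 no shutdown
!
ip http server
line vty 0 4
 password cisco
 login
 transport input telnet

! --- SW1: the PACL ---
ipv6 access-list NO_TELNET
 deny tcp any any eq telnet
 permit ipv6 any any
!
! PACLs filter inbound only, so the list goes on the port facing the
! sender (R1) in the "in" direction; "out" is not accepted on a switchport.
! The IPv6 keyword is traffic-filter, not the ip access-group used for IPv4.
interface GigabitEthernet0/1
 switchport mode access
 ipv6 traffic-filter NO_TELNET in

! Caveat: every IPv6 ACL ends with implicit permits for neighbor discovery
! (nd-ns / nd-na) followed by an implicit deny. Do not add an explicit
! "deny ipv6 any any": it would match before those implicit permits and
! break ND, so R1 could no longer resolve R2's link-layer address at all.

! Verify on SW1, then test from R1:
!   SW1# show ipv6 access-list
!   SW1# show running-config interface GigabitEthernet0/1
!   R1# telnet 2001:db8::2        <- times out: the SYN matched the deny
!   R1# telnet 2001:db8::2 80     <- opens: matched permit ipv6 any any
```

On some older Catalyst switches the ipv6 traffic-filter command is only accepted once an SDM template that includes IPv6 (for example sdm prefer dual-ipv4-and-ipv6 default) is active, which requires a reload; check that before assuming the platform does not support IPv6 PACLs.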
Now, from R1 I’ll try to connect to the telnet and HTTP server on R2:
As you can see, telnet traffic is no longer permitted. Unfortunately, hits don’t show in the access-list:
There is a command for this, but it doesn't seem to work for PACLs; it only works when you apply an access-list to a routed (L3) interface.

Configurations

Want to take a look for yourself? Here you will find the final configuration of each device: R1, R2, SW1.

Conclusion

You have now learned how to configure the IPv6 PACL (Port ACL) on a Cisco switch. I hope you enjoyed this lesson. If you have any questions feel free to leave a comment!

An Access Control List (ACL) is a tool used to enforce IT security policies. It specifies which users or system processes (subjects) are granted access to resources (objects), as well as what operations are allowed on given objects. Any access attempt by a subject to an object that has no matching permit entry in the ACL is denied: every list ends with an implicit deny. Which traffic the list ever sees depends on where and in which direction you apply it, so how you apply the access list determines what the access list actually does. There are many use cases for access lists. For example, if you apply your access list to…
For the purpose of this article, we're going to focus on access lists applied to interfaces, because this is the most common use case. For instance, you can configure an access list on a firewall interface to allow only certain hosts to access web-based resources on the Internet while restricting others. With the right combination of access lists, security managers gain the power they need to effectively enforce security policies. Operating systems, applications, firewalls, and router configurations all depend on access control lists in order to function properly. When you create an access list on a router, it's inactive until you tell that router what to do with it and which direction of traffic you want the access list applied to: inbound or outbound. When an access list is applied to inbound packets on an interface, those packets are processed through the access list before being routed to the outbound interface. Any packets that are denied won't be routed, because they're discarded before the routing process is invoked. When an access list is applied to outbound packets on an interface, those packets are routed to the outbound interface and then processed through the access list before being queued.

Types of access lists

There are two main types of access lists: standard ACLs and extended ACLs.

Standard ACL

Standard ACLs are the oldest type of access control list. They filter network traffic by examining only the source IP address in a packet. You create a standard IP access list by using access-list numbers in the range 1–99 or 1300–1999 (the expanded range). By using these numbers, you're telling the router that you want to create a standard IP access list, so the router will expect syntax specifying only the source IP address. Wildcards are used with access lists to specify an individual host, a network, or a certain range of networks.
The wildcard mask tells the router which bits of an IP address must match the access list entry and which do not matter. A standard list can then permit or deny everything from that host or network, but nothing finer. Standard ACLs do not care about where packets are going; they focus on where they're coming from. When you need to decide based on both source and destination addresses, a standard access list can't do it, since it only decides based on the source address. This is where the extended ACL comes into play.

Extended ACL

Extended ACLs extend the functionality of standard ACLs by looking at not just the source but also the destination. They allow you to specify the source and destination address as well as the protocol and the TCP or UDP port numbers that identify the service. By using extended access lists, you can allow users access to a physical LAN while stopping them from reaching specific hosts, or even specific services on those hosts. In medium to large enterprises, managing access lists can become difficult and complicated over time, especially as the number of numbered ACLs grows; a bare number says nothing about what the list is for. This brings us to the concept of a named access list.

Named ACL

Named access lists are just another way to create standard and extended access lists: they let you use names rather than numbers to both create and apply either kind of list. They are more convenient than numbered access lists because you can choose a meaningful name that is easier to remember and to associate with a task, which matters for documentation and maintenance. You can also add statements to a named access list or reorder them, rather than having to delete and re-create the whole list.
How access control lists work

Access list statements work pretty much like packet filters used to compare packets, or like conditional if-then statements in computer programming. If a given condition is met, then a given action is taken. If the condition isn't met, nothing happens and the next statement is evaluated. There are two key points on a router at which a filtering decision can be made as packets pass through it:

- as the packet enters the router through an interface (inbound)
- as the packet leaves the router through an interface (outbound)
ACL conditions can be applied at either of these locations. When ACL conditions are applied at the entrance to the router, it is called an inbound filter. When they are applied at the exit point, it is called an outbound filter. Inbound ACLs filter the traffic before the router makes its routing decision and must be placed on the entrance interface. Outbound ACLs filter the traffic after the router has made its routing decision and must be placed on the exit interface. An ACL filter condition has two actions: permit and deny. We can permit certain types of traffic while blocking others, or we can block certain types of traffic while allowing others. Once applied, the ACL filters every packet passing through the interface in the specified direction: the firewall or router analyzes each packet and takes the action of the entry it matches. There are a few important rules that a packet follows when it's being compared with an access list:

- The statements are compared in order, from the top of the list down.
- The first statement that matches decides the action; no later statement is evaluated for that packet.
- If no statement matches, the packet is dropped by the implicit deny at the end of every list, so a list that should let some traffic through needs at least one permit statement.
Basic networking concepts: What you need to know

Before you can fully master the art of configuring and implementing access control lists, you must understand two important networking concepts: the subnet mask and the wildcard mask.

Subnet mask: Subnet masks are used by a computer to determine whether another computer is on the same network or on a different one. An IPv4 subnet mask is a 32-bit sequence of ones (1s) followed by a block of zeros (0s). The ones designate the network prefix, while the trailing block of zeros designates the host identifier. In a subnet mask, it is the network bits, the ones, that we care most about. In VLSM subnetting or CIDR notation, we write /24, which simply means that the subnet mask has 24 ones and the rest are zeros.

              Binary notation                       CIDR   Decimal notation
IP address    11000000.00000000.00000010.10000010   /24    192.0.2.130
Subnet mask   11111111.11111111.11111111.00000000   /24    255.255.255.0

Table 1.0 IP address and subnet mask in binary and decimal format

Wildcard mask: A wildcard mask is very similar to a subnet mask except that the ones and the zeros are flipped; it is the complete opposite of a subnet mask. Wherever there is a one (1), you replace it with a zero (0), and wherever there is a zero (0), you replace it with a one (1). To calculate your wildcard mask from the subnet mask, subtract the subnet mask from 255.255.255.255. For instance, for the /24 mask of the address above: 255.255.255.255 – 255.255.255.0 = 0.0.0.255, so the wildcard mask is 0.0.0.255. If you are configuring an access list for an address given in CIDR notation, convert the prefix length to a wildcard mask in the same way.
               Binary notation                       CIDR   Decimal notation
IP address     11000000.00000000.00000010.10000010   /24    192.0.2.130
Subnet mask    11111111.11111111.11111111.00000000   /24    255.255.255.0
Wildcard mask  00000000.00000000.00000000.11111111   /24    0.0.0.255

Table 2.0 IP address, subnet mask and wildcard mask in binary and decimal format

Please note the following when using a wildcard:

- A 0 bit in the wildcard means the corresponding bit of the packet's address must match the address in the statement; a 1 bit means that bit is ignored.
- A wildcard of 0.0.0.0 therefore matches exactly one host (the host keyword is shorthand for this), and a wildcard of 255.255.255.255 matches every address (the any keyword).
- The wildcard is not a subnet mask, even though it is derived from one: writing 255.255.255.0 where 0.0.0.255 is meant matches the wrong set of addresses.
How to create a standard access list

With the above understanding, we will now show you how to create a standard access list. Here is the syntax:

Router(config)# access-list (1-99) (permit | deny) source-addr (source-wildcard)

The parts of the syntax are as follows:

- 1-99: the list number, which marks the list as a standard IP access list (1300–1999 is the expanded range).
- permit | deny: the action taken when a packet matches the statement.
- source-addr: the source IP address or network to compare with the packet's source address.
- source-wildcard: the wildcard mask that says which bits of source-addr must match; if it is omitted, 0.0.0.0 is assumed and the statement matches the single host source-addr.
Figure 1.0 above shows an internetwork of two routers with three LANs and one serial WAN connection for a logistics company. As the network engineer for this company, you have been asked to use a standard access list to prevent users in the Admin unit from accessing the Operations server attached to the Remote_Router, while allowing all other users access to that LAN. First, you need to figure out the access list wildcard (the inverse of the subnet mask) and where to place the access list. Standard access lists, as a rule of thumb, are placed closest to the destination, in this case the E0 interface of the Remote_Router. So to achieve this, we will configure an access control list and apply it outbound on interface E0 of the Remote_Router. Here are the required parameters for this configuration:

- Source to deny: the Admin LAN, 192.168.10.128/27, whose wildcard mask is 255.255.255.255 – 255.255.255.224 = 0.0.0.31
- Access list number: 10 (standard)
- Placement: Remote_Router, interface E0, outbound
The table below is a breakdown of the access-list commands to be used for this task.

Command                                                              Remark
Remote_Router#config t                                               Enter global configuration mode
Remote_Router(config)#access-list 10 deny 192.168.10.128 0.0.0.31    Deny the Admin LAN access to the Operations server LAN
Remote_Router(config)#access-list 10 permit any                      Allow everyone else

How to create an extended access list

Next we will show you how to create an extended access list. Here is the command syntax for configuring an extended numbered access control list:

Router(config)# access-list (100-199) (permit | deny) protocol source-addr (source-wildcard) (operator operand) destination-addr (destination-wildcard) (operator operand) (established)

The parts of the syntax are as follows:

- 100-199: the list number, which marks the list as an extended IP access list (2000–2699 is the expanded range).
- permit | deny: the action taken when a packet matches the statement.
- protocol: the IP protocol to match, such as ip (any protocol), tcp, udp or icmp.
- source-addr (source-wildcard): the source address and its wildcard mask, as in a standard list.
- operator operand: an optional port comparison such as eq 23, lt 1024 or range 20 21; placed after the source it matches the source port, placed after the destination it matches the destination port, and it only applies to tcp and udp.
- destination-addr (destination-wildcard): the destination address and its wildcard mask.
- established: for tcp only, matches segments with the ACK or RST flag set, that is, replies belonging to a connection opened from the other side rather than new connection attempts.
As the network manager for the network shown in Figure 1.0 above, you have been asked to configure an access list that stops FTP and Telnet access to the Operations server while allowing other protocols. This task requires an extended access list, because it filters on destination and port rather than on source alone. We will configure an access control list using the FTP and telnet port numbers and apply it outbound on interface E0 of the Remote_Router. Here are the required parameters for this configuration:

- Access list number: 120 (extended)
- Protocol: tcp, from any source
- Destination: the Operations server LAN, 192.168.10.192/27, wildcard mask 0.0.0.31
- Destination ports: 21 (FTP control connection) and 23 (telnet)
- Placement: Remote_Router, interface E0, outbound
The table below is the breakdown of the access list commands that implement this task:

Command                                                                         Remark
Remote_Router#config t                                                          Enter global configuration mode
Remote_Router(config)#access-list 120 deny tcp any 192.168.10.192 0.0.0.31 eq 21   Deny FTP access to the Operations server LAN on interface E0
Remote_Router(config)#access-list 120 deny tcp any 192.168.10.192 0.0.0.31 eq 23   Deny telnet access to the Operations server LAN on interface E0
Remote_Router(config)#access-list 120 permit ip any any                         Allow all other packets and protocols

Conclusion

ACLs can be an effective tool for improving the security posture of your organization. Always remember that no action is taken until the access list is applied to an interface in a specific direction. If you are not careful, misconfigurations can occur, and any misconfiguration of the network access policy on your firewall or router can lead to unwanted network exposure. With careful planning and adherence to best practices such as the principle of least privilege, and attention to the ordering and implicit-deny rules described above, most of those issues can be avoided. Those rules have powerful implications when filtering IP packets with access lists, so bear in mind that creating effective access lists takes some practice.

Access Control List FAQs

In which configuration would an outbound ACL placement be preferred over an inbound ACL placement?
An outbound ACL belongs on the interface the filtered traffic leaves through. One outbound list there filters packets that arrived on any of several inbound interfaces before they exit, where filtering inbound would require a list on each of those interfaces.

What configuration mode must you be in to create a new ACL?
Access lists are created in global configuration mode. From user EXEC mode, enter enable to reach privileged EXEC mode, then configure terminal (config t) to reach global configuration mode, where the access-list command is available.
Which route map configuration command matches routes identified by an ACL or a prefix list?
To configure a route map to match an ACL, first create the route map with the command: route-map name { permit | deny } [ sequence_number ]. Then, in route-map configuration mode, issue: match ip address acl_id [ acl_id ] [...] for an access list, or match ip address prefix-list name for a prefix list.

What is the command syntax to enter IPv6 ACL configuration mode?
You can use IPv6 in an access list and put the router in IPv6 access list configuration mode with the command:

What is a port ACL?
Port ACLs are similar to router ACLs but are applied to physical Layer 2 interfaces (switchports) on a switch. A port ACL supports only inbound traffic filtering. It can be one of three types of access list: standard IP, extended IP, or MAC extended.
What is an access control list used for?
Organizations use access control lists (ACLs) to secure data. One of the major reasons to use access control lists is to prevent unauthorized users from accessing business-sensitive information. They can also be used to control network traffic by restricting which users and hosts may reach particular files, systems, and information.
What is an example of an access control list?
Common places to apply access control lists are the interfaces in front of web servers, DNS servers, and remote-access or VPN systems. The internal router of a DMZ typically carries stricter ACLs than the external one, to protect the internal network from more specific attacks.
What is the difference between an ACL and a firewall?
A firewall has one main purpose: to examine traffic passing through a point in the network and decide what to let through and what to block, and most firewalls do this statefully, tracking the connections they have seen. ACLs do stateless inspection, which means that the access list looks at each packet on its own and has no knowledge of what has come before it; the established keyword only approximates state by checking TCP flags.
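The two tasks from Figure 1.0 above, carried through to the step the command tables leave out: applying the list to interface E0 and checking it. This is an added example, not the article's own configuration. The interface name Ethernet0 for E0 and the remark text are assumptions; the addresses, wildcards and list numbers are the ones used in the tables above. It also shows the one-list-per-direction limit a practitioner runs into when trying to apply both lists to the same interface.

```cisco
! Added example (not from the article). Assumes E0 in Figure 1.0 is
! interface Ethernet0 on Remote_Router; 192.168.10.128/27 is the Admin LAN
! and 192.168.10.192/27 the Operations LAN, as in the tables above.

Remote_Router> enable
Remote_Router# configure terminal

! Task 1: standard list 10. Order matters: the deny must come before the
! permit, and without the final permit the implicit deny would block everyone.
Remote_Router(config)# access-list 10 remark Block Admin LAN from Operations LAN
Remote_Router(config)# access-list 10 deny 192.168.10.128 0.0.0.31
Remote_Router(config)# access-list 10 permit any

! A list does nothing until applied. Standard lists go close to the
! destination, so outbound on E0, the Operations LAN interface.
Remote_Router(config)# interface Ethernet0
Remote_Router(config-if)# ip access-group 10 out
Remote_Router(config-if)# exit

! Task 2: extended list 120. Destination is the Operations LAN, TCP ports
! 21 (FTP control) and 23 (telnet). "log" reports denied hits in the
! logging output in addition to the match counters.
Remote_Router(config)# access-list 120 deny tcp any 192.168.10.192 0.0.0.31 eq 21 log
Remote_Router(config)# access-list 120 deny tcp any 192.168.10.192 0.0.0.31 eq 23 log
Remote_Router(config)# access-list 120 permit ip any any

! Only one IPv4 access list per interface per direction: applying 120
! outbound on E0 silently replaces list 10 there. To enforce both policies
! with one list, the Admin LAN deny has to be written into list 120 as
! "deny ip 192.168.10.128 0.0.0.31 192.168.10.192 0.0.0.31" ahead of the permit.
Remote_Router(config)# interface Ethernet0
Remote_Router(config-if)# ip access-group 120 out
Remote_Router(config-if)# end

! Verify: entries with per-line match counters, and which list is bound where.
Remote_Router# show access-lists
Remote_Router# show ip interface Ethernet0 | include access list
```

The second show command prints the "Outgoing access list is 120" and "Inbound access list is not set" lines, which is the quickest way to confirm both the list number and the direction; a list that shows no matches in show access-lists after test traffic is usually applied in the wrong direction or on the wrong interface.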