Why do you use the Access Control List ACLs in the router?

What Is an Access Control List

An access control list [ACL] contains rules that grant or deny access to certain digital environments. There are two types of ACLs:

• Filesystem ACLs━filter access to files and/or directories. Filesystem ACLs tell operating systems which users can access the system, and what privileges the users are allowed.
• Networking ACLs━filter access to the network. Networking ACLs tell routers and switches which type of traffic can access the network, and which activity is allowed.

Originally, ACLs were the only way to achieve firewall protection. Today, there are many types of firewalls and alternatives to ACLs. However, organizations continue to use ACLs in conjunction with technologies like virtual private networks [VPNs] that specify which traffic should be encrypted and transferred through a VPN tunnel.

Reasons to use an ACL:

• Traffic flow control
• Restricted network traffic for better network performance
• A level of security for network access specifying which areas of the server/network/service can be accessed by a user and which cannot
• Granular monitoring of the traffic exiting and entering the system

Understanding Access Control Lists

Access Control Lists [ACLs] are a collection of permit and deny conditions, called rules, that provide security by blocking unauthorized users and allowing authorized users to access specific resources.

ACLs can also provide traffic flow control, restrict contents of routing updates, and decide which types of traffic are forwarded or blocked. Normally ACLs reside in a firewall router or in a router connecting two internal networks.

You can set up ACLs to control traffic at Layer 2, Layer 3, or Layer 4. MAC ACLs operate on Layer 2. IP ACLs operate on Layers 3 and 4.

Features

ACL support features include Flow-based Mirroring and ACL Logging.

• Flow-based mirroring is the ability to mirror traffic that matches a permit rule to a specific physical port or LAG. Flow-based mirroring is similar to the redirect function, except that in flow-based mirroring a copy of the permitted traffic is delivered to the mirror interface while the packet itself is forwarded normally through the device. You cannot configure a given ACL rule with mirror and redirect attributes.
• ACL Logging provides a means for counting the number of “hits” against an ACL rule. When you configure ACL Logging, you augment the ACL deny rule specification with a ‘log’ parameter that enables hardware hit count collection and reporting. FASTPATH uses a fixed five minute logging interval, at which time trap log entries are written for each ACL logging rule that accumulated a non-zero hit count during that interval. You cannot configure the logging interval.

Using ACLs to mirror traffic is called flow-based mirroring because the traffic flow is defined by the ACL classification rules. This is in contrast to port mirroring, where all traffic encountered on a specific interface is replicated on another interface.

Limitations

The following limitations apply to ACLs. These limitations are platform dependent.

• Maximum of 100 ACLs.
• Maximum rules per ACL is 8-10.
• The system supports ACLs set up for inbound traffic only.
• You can configure mirror or redirect attributes for a given ACL rule, but not both.
• The system does not support MAC ACLs and IP ACLs on the same interface.
• A hardware platform may support a limited number of counter resources, so it may not be possible to log every ACL rule. You can define an ACL with any number of logging rules, but the number of rules that are actually logged cannot be determined until the ACL is applied to an interface. Furthermore, hardware counters that become available after an ACL is applied are not retroactively assigned to rules that were unable to be logged [the ACL must be un-applied then re-applied]. Rules that are unable to be logged are still active in the ACL for purposes of permitting or denying a matching packet.
• The order of the rules is important: when a packet matches multiple rules, the first rule takes precedence. Also, once you define an ACL for a given port, all traffic not specifically permitted by the ACL is denied access.

MAC ACLs

MAC ACLs are Layer 2 ACLs. You can configure the rules to inspect the following fields of a packet [limited by platform]:

• Source MAC address
• Source MAC mask
• Destination MAC address
• Destination MAC mask
• VLAN ID
• Class of Service [CoS] [802.1p]
• Ethertype

L2 ACLs can apply to one or more interfaces.

Multiple access lists can be applied to a single interface - sequence number determines the order of execution.

You can assign packets to queues using the assign queue option.

IP ACLs

IP ACLs classify for Layers 3 and 4.

Each ACL is a set of up to ten rules applied to inbound traffic. Each rule specifies whether the contents of a given field should be used to permit or deny access to the network, and may apply to one or more of the following fields within a packet:

• Destination IP with wildcard mask
• Destination L4 Port
• Every Packet
• IP DSCP
• IP Precedence
• IP TOS
• Protocol
• Source IP with wildcard mask
• Source L4 port
• Destination Layer 4 port

1. Create a MAC ACL by specifying a name.

2. Create an IP ACL by specifying a number.

3. Add new rules to the ACL.

4. Configure the match criteria for the rules.

5. Apply the ACL to one or more interfaces.

Setting Up an IP ACL via CLI

The script in this section shows you how to set up an IP ACL with two rules, one applicable to TCP traffic and one to UDP traffic. The content of the two rules is the same. TCP and UDP packets will only be accepted by the Sun Netra CP3240 switch if the source and destination stations have IP addresses that fall within the defined sets.

FIGURE 22-1 IP ACL Example Network Diagram

Example 1: Create ACL 179 and Define an ACL Rule

After the mask has been applied, it permits packets carrying TCP traffic that matches the specified Source IP address, and sends these packets to the specified Destination IP address.

Example 2: Define the Second Rule for ACL 179

Define the rule to set similar conditions for UDP traffic as for TCP traffic.

Example 3: Apply the rule to Inbound Traffic on Port 1/0/2

Only traffic matching the criteria will be accepted.

Setting Up a MAC ACL via CLI

The following are examples of the commands used for the MAC ACLs feature.

Example 1: Set up a MAC Access List

CODE EXAMPLE 22-1 Set Up a MAC Access Label

Example 2: Specify MAC ACL Attributes

CODE EXAMPLE 22-2 Specify MAC ACL Attributes

Example 3: Configure MAC Access Group

CODE EXAMPLE 22-3 Configure MAC Access Group

Example 4: Set up an ACL with Permit Action

CODE EXAMPLE 22-4 Set Up ACL with Permit Action

Example 5: Show MAC Access Lists

CODE EXAMPLE 22-5 Show MAC Access Lists

Setting Up ACLs via Web Interface

The following web pages are used in the ACL feature.

FIGURE 22-2 MAC ACL Configuration Page - Create New MAC ACL

FIGURE 22-3 MAC ACL Configuration Page

FIGURE 22-4 MAC ACL Summary

FIGURE 22-5 MAC ACL Rule Configuration - Create New Rule

FIGURE 22-6 MAC ACL Rule Configuration Page - Add Destination MAC and MAC Mask

FIGURE 22-7 MAC ACL Rule Configuration Page - View the Current Settings

FIGURE 22-8 MAC ACL Rule Configuration Page - Add Destination MAC and MAC Mask

FIGURE 22-9 MAC ACL Rule Configuration Page - Add Destination MAC and MAC Mask

FIGURE 22-10 ACL Interface Configuration

FIGURE 22-11 IP ACL Configuration Page - Create a New IP ACL

FIGURE 22-12 IP ACL Configuration Page - Create a Rule and Assign an ID

FIGURE 22-13 IP ACL Configure IP ACL Rule Properties

FIGURE 22-14 IP ACL Rule Configuration Page - Rule with Protocol and Source IP Configuration

FIGURE 22-15 Attach IP ACL to an Interface

FIGURE 22-16 IP ACL Summary

© 2007 Diversified Technology, Inc. All Rights Reserved. © 2009 Sun Microsystems, Inc. All rights reserved.

Access Control List

Access Control List [ACL] refers to a specific set of rules used for filtering network traffic, especially in computer security settings. ACLs also allow specific system objects such as directories or file access to authorized users and denies access to unauthorized users.

ACLs are mainly found in network devices with packet filtering capabilities including routers and switches.

Access-Lists [ACL]

Access-list [ACL] is a set of rules defined for controlling network traffic and reducing network attacks. ACLs are used to filter traffic based on the set of rules defined for the incoming or outgoing of the network.

ACL features –

1. The set of rules defined are matched serial wise i.e matching starts with the first line, then 2nd, then 3rd, and so on.
2. The packets are matched only until it matches the rule. Once a rule is matched then no further comparison takes place and that rule will be performed.
3. There is an implicit deny at the end of every ACL, i.e., if no condition or rule matches then the packet will be discarded.
   

Once the access-list is built, then it should be applied to inbound or outbound of the interface:

• Inbound access lists –
  When an access list is applied on inbound packets of the interface then first the packets will be processed according to the access list and then routed to the outbound interface.
  
• Outbound access lists –
  When an access list is applied on outbound packets of the interface then first the packet will be routed and then processed at the outbound interface.
  

Types of ACL –
There are two main different types of Access-list namely:

1. Standard Access-list –
   These are the Access-list that are made using the source IP address only. These ACLs permit or deny the entire protocol suite. They don’t distinguish between the IP traffic such as TCP, UDP, HTTPS, etc. By using numbers 1-99 or 1300-1999, the router will understand it as a standard ACL and the specified address as the source IP address.
   
2. Extended Access-list –
   These are the ACL that uses source IP, Destination IP, source port, and Destination port. These types of ACL, we can also mention which IP traffic should be allowed or denied. These use range 100-199 and 2000-2699.

Also, there are two categories of access-list:

1. Numbered access-list – These are the access list that cannot be deleted specifically once created i.e if we want to remove any rule from an Access-list then this is not permitted in the case of the numbered access list. If we try to delete a rule from the access list then the whole access list will be deleted. The numbered access-list can be used with both standard and extended access lists.
   
2. Named access list – In this type of access list, a name is assigned to identify an access list. It is allowed to delete a named access list, unlike numbered access list. Like numbered access lists, these can be used with both standards and extended access lists.
   

Rules for ACL –

1. The standard Access-list is generally applied close to the destination [but not always].
2. The extended Access-list is generally applied close to the source [but not always].
3. We can assign only one ACL per interface per protocol per direction, i.e., only one inbound and outbound ACL is permitted per interface.
4. We can’t remove a rule from an Access-list if we are using numbered Access-list. If we try to remove a rule then the whole ACL will be removed. If we are using named access lists then we can delete a specific rule.
5. Every new rule which is added to the access list will be placed at the bottom of the access list therefore before implementing the access lists, analyses the whole scenario carefully.
6. As there is an implicit deny at the end of every access list, we should have at least a permit statement in our Access-list otherwise all traffic will be denied.
7. Standard access lists and extended access lists cannot have the same name.
   

Advantages of ACL –

• Improve network performance.
• Provides security as the administrator can configure the access list according to the needs and deny the unwanted packets from entering the network.
• Provides control over the traffic as it can permit or deny according to the need of the network.

Article Tags :

Computer Networks

Practice Tags :

Computer Networks

Read Full Article