IPv4 Access Control Lists (ACLs) > Overview

  

 next

Overview

Types of IPv4 ACLs

A permit or deny policy for IPv4 traffic you want to filter can be based on source address alone, or on source address plus other factors.

Standard ACL

Use a standard ACL when you need to permit or deny IPv4 traffic based on source address only. Standard ACLs are also useful when you need to quickly control a performance problem by limiting IPv4 traffic from a subnet, group of devices, or a single device. This can block all IPv4 traffic from the configured source, but does not hamper IPv4 traffic from other sources within the network.

A standard ACL uses an alphanumeric ID string or a numeric ID of 1 through 99. Specify a single host, a finite group of hosts, or any host.

Extended ACL

Use an extended ACL when simple IPv4 source address restrictions do not provide the sufficient traffic selection criteria needed on an interface. Extended ACLs allow use of the following criteria:

  • source and destination IPv4 address combinations

  • IPv4 protocol options

Extended, named ACLs also offer an option to permit or deny IPv4 connections using TCP for applications such as Telnet, http, ftp, and others.

ACL applications

ACL filtering is applied to IPv4 traffic as follows:

Static port ACL

Any inbound IPv4 traffic on that port.

Dynamic port ACL

On a port having an ACL assigned by a RADIUS server to filter an authenticated client’s traffic, filters inbound IPv4 and IPv6 traffic from that client.

For information on RADIUS-assigned ACLs, see RADIUS Services Support on HP Switches.

VLAN ACL (VACL)

On a VLAN configured with a VACL, inbound IP traffic, regardless of whether it is switched or routed. On a multinetted VLAN, this includes inbound IPv4 traffic from any subnet.

VACL applications

VACLs filter any IPv4 traffic entering the switch on a VLAN configured with the "VLAN" ACL option.

Syntax:

vlan <vid> ip access-group <identifier> vlan

For example, in VACL filter application to IPv4 traffic entering the switch, you would assign a VACL to VLAN 2 to filter all inbound switched or routed IPv4 traffic received from clients on the 10.28.20.0 network. In this instance, routed traffic received on VLAN 2 from VLANs 1 or 3 would not be filtered by the VACL on VLAN 2.

VACL filter application to IPv4 traffic entering the switch

VACL filter application to IPv4 traffic entering the switch
[NOTE: ]

NOTE: The switch allows one VACL assignment configured per VLAN. This is in addition to any other ACL applications assigned to the VLAN or to ports in the VLAN.

Static port ACL and RADIUS-assigned ACL applications

An IPv4 static port ACL filters any IPv4 traffic inbound on the designated port, regardless of whether the traffic is switched or routed.

RADIUS-assigned (dynamic) port ACL applications

Dynamic (RADIUS-assigned) port ACLs are configured on RADIUS servers and can be configured to filter IPv4 traffic inbound from clients authenticated by such servers.

802.1X user-based and port-based applications

User-Based 802.1X access control allows up to 32 individually authenticated clients on a given port. Port-Based access control does not set a client limit, and requires only one authenticated client to open a given port; it is recommended for applications where only one client at a time can connect to the port.

  • If you configure 802.1X user-based security on a port and the RADIUS response includes a RADIUS-assigned ACL for at least one authenticated client, then the RADIUS response for all other clients authenticated on the port must also include a RADIUS-assigned ACL. Inbound IP traffic on the port from a client that authenticates without receiving a RADIUS-assigned ACL will be dropped and the client will be de-authenticated.

  • Using 802.1X port-based security on a port where the RADIUS response includes a dynamic port ACL, only the first client to authenticate can use the port. Traffic from other clients will be dropped.

Multiple ACLs on an interface

The switch allows multiple ACL applications on an interface (subject to internal resource availability). This means that a port belonging to a given VLAN "X" can simultaneously be subject to all of the following:

  • One static port ACL for any IPv4 or IPv6 traffic entering the switch on the port.

  • One static VACL for IPv4 or IPv6 traffic for VLAN “X” entering the switch on the port.

  • One dynamic (RADIUS-assigned) port ACL applied to inbound IPv4 traffic for each authenticated client on the port.

Features common to all ACL applications

  • Any ACL canhave multiple entries (ACEs).

  • You can apply any one ACL to multiple interfaces.

  • All ACEs in an ACL configured on the switch are automatically sequenced (numbered). For an existing ACL, entering an ACE without specifying a sequence number automatically places the ACE at the end of the list. Specifying a sequence number inserts the ACE into the list at the specified sequential location.

    • Automatic sequence numbering begins with "10" and increases in increments of 10. You can renumber the ACEs in an ACL and also change the sequence increment between ACEs.

    • The CLI remark command option allows you to enter a separate comment for each ACE.

  • A source or destination IPv4 address and amask, together, can define a single host, a range of hosts, or all hosts.

  • Every ACL populated with one or more explicit ACEs includes an Implicit Deny as the last entry in the list. The switch applies this action to any packets that do not match other criteria in the ACL. For standard ACLs, the Implicit Deny is deny any. For extended ACLs, it is deny ip any any.

  • In any ACL, you can apply an ACL log function to ACEs that have an explicit "deny" action. The logging occurs when there is a match on a "deny" ACE. The switch sends ACL logging output to Syslog, if configured, and, optionally, to a console session.

You can create ACLs for the switch configuration using either the CLI or a text editor. The text-editor method is recommended when you plan to create or modify an ACL that has more entries than you can easily enter or edit using the CLI alone.

General steps for planning and configuring ACLs

  1. Identify the ACL action to apply. As part of this step, determine the best points at which to apply specific ACL controls. For example, you can improve network performance by filtering unwanted IPv4 traffic at the edge of the network instead of in the core. Also, on the switch itself, you can improve performance by filtering unwanted IPv4 traffic where it is inbound to the switch instead of outbound.

    Traffic source ACL application
    IPv4 or IPv6 traffic from a specific, authenticated client dynamic port ACL (RADIUS-assigned ACL) for inbound IP traffic from an authenticated client on a port[a]
    IPv4 traffic entering the switch on a specific port static port ACL (static-port assigned) for any inbound IPv4 traffic on a port from any source
    switched or routed IPv4 traffic entering the switch on a specific VLAN VACL (VLAN ACL)

    [a] For more on this option, see RADIUS Services Support on HP Switches, and also the documentation for your RADIUS server.

  2. Identify the traffic types to filter.

    • The SA and/or the DA of traffic you want to permit or deny. This can be a single host, a group of hosts, a subnet, or all hosts.

    • Traffic of a specific IPv4 protocol type (0-255)

    • Any TCP traffic (only) for a specific TCP port or range of ports, including optional control of connection traffic based on whether the initial request should be allowed

    • All UDP traffic or UDP traffic for a specific UDP port

    • All ICMP traffic or ICMP traffic of a specific type and code

    • All IGMP traffic or IGMP traffic of a specific type

    • Any of the above with specificprecedence and/or ToS settings

  3. Design the ACLs for the control points (interfaces) selected. When using explicit "deny" ACEs, optionally use the VACL logging feature for notification that the switch is denying unwanted packets.

  4. Configure the ACLs on the selected switches.

  5. Assign the ACLs to the interfaces you want to filter, using the ACL application (static port ACL) appropriate for each assignment.

  6. Test for desired results.
[CAUTION: ]

CAUTION: Regarding the use of source routing: Source routing is enabled by default on the switch and can be used to override ACLs. For this reason, if you are using ACLs to enhance network security, the recommended action is to use the no ip source-route command to disable source routing on the switch. (If source routing is disabled in the running-config file, the show running command includes “no ip source-route” in the running-config file listing.)

prev

 

up

 next

IPv4 Access Control Lists (ACLs) 

home

 IPv4 static ACL operation

Copyright © 2015 Hewlett-Packard Development Company, L.P.