Modified Extended ACL Deny Rule Behavior in VTY
Overview
An Access Control List (ACL) is a set of rules that permit or deny traffic. Attached to the VTY lines, it controls which sources may reach the device's management protocols and so reduces the attack surface exposed to external hosts.
Users can create Standard and Extended ACLs and attach them to the virtual teletype (VTY) command-line interface. These ACL rules apply on both the Management and the Default virtual routing and forwarding instances (VRFs).
For Standard ACLs, the permit/deny rules apply only to the management protocols Telnet, SSH and SSH-NetConf (ports 23, 22 and 830).
Extended ACL rules are applied as the user configures them and, unlike Standard ACLs, are not limited to management protocols.
When a user configures a 'deny any any any' rule and attaches it to the VTY, it blocks only the Telnet, SSH and NetConf protocols on the control plane; other control-plane protocols are not affected.
For example, when the ACL below is attached to the VTY, rule 20 specifies 'any' as the protocol, so it denies only Telnet/SSH/SSH-NetConf; rule 10 is applied as written.
ip access-list ssh-access
10 permit tcp 10.12.43.0/24 any eq ssh
20 deny any any any
Note: To deny protocols other than Telnet/SSH/SSH-NetConf, create a deny rule for the specific protocol on the VTY. For example, to deny OSPF from all source and destination addresses, apply the rule: 10 deny ospf any any.
Feature Characteristics
In general, VTY ACLs are specific to management protocols. Hence the translation of an Extended ACL "any" rule is changed to keep other control-plane protocols reachable, as follows:
• If a deny ACL rule specifies 'any' as the protocol, only Telnet/SSH/SSH-NetConf are denied.
• The permit ACL rule is unchanged.
Benefits
This feature allows the customer to define an Extended ACL deny rule that applies only to the management protocols without impacting other control protocols.
To deny protocols other than Telnet, SSH and NetConf, configure a separate Extended ACL deny rule naming that protocol.
Configuration
Refer to the Access Control Lists Configurations section in the System Management Configuration guide, Release 6.4.1.
Implementation Examples
OcNOS#show running-config aclmgr
ip access-list ssh-access
10 permit tcp 10.12.43.0/24 any eq ssh
20 deny tcp 10.12.33.0/24 any eq 6513
30 deny any 10.12.34.0/24 any
40 deny any any any
!
line vty
ip access-group ssh-access in
iptables output:
root@OcNOS:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 10.12.43.0/24 anywhere tcp dpt:ssh
DROP tcp -- 10.12.33.0/24 anywhere tcp dpt:tls_netconf
DROP tcp -- 10.12.34.0/24 anywhere multiport dports ssh,telnet,ssh_netconf
DROP tcp -- anywhere anywhere multiport dports ssh,telnet,ssh_netconf
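The following is an added example, not OcNOS code: a small model of the translation shown in the implementation example and in the note about 'deny ospf any any', so the effect of an Extended ACL on the VTY can be checked offline before it is attached. The rule grammar it accepts (seq permit|deny proto src dst [eq port]), the rendered 'iptables -S' style option order, and the sample ACL (copied from the implementation example above) are assumptions of this example; the real OcNOS rendering may order options differently.

```python
"""Added example, not OcNOS code: models the VTY extended ACL -> iptables
translation described on this page so the 'deny any' narrowing can be checked.

Assumptions (hypothetical, not taken from the OcNOS implementation):
  - rules have the form: <seq> permit|deny <proto> <src> <dst> [eq <port>]
  - output is in 'iptables -S' command form; exact option order is not claimed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Ports a 'deny <any-protocol>' VTY rule is narrowed to (ssh, telnet, ssh-netconf).
MGMT_PORTS = (22, 23, 830)

# Service names accepted after 'eq' (constructed subset).
SERVICE_PORTS = {"ssh": 22, "telnet": 23, "netconf": 830}


@dataclass
class AclRule:
    seq: int
    action: str           # 'permit' or 'deny'
    proto: str            # 'any', 'tcp', 'udp', 'ospf', ...
    src: str              # prefix or 'any'
    dst: str              # prefix or 'any'
    dport: Optional[int]  # from 'eq <port>', if present

    @property
    def narrowed(self) -> bool:
        """True when the VTY translation rewrites this rule to the management ports."""
        return self.action == "deny" and self.proto == "any"


def parse_rule(line: str) -> AclRule:
    tok = line.split()
    if len(tok) < 5 or tok[1] not in ("permit", "deny"):
        raise ValueError(f"malformed ACL rule: {line!r}")
    dport = None
    if len(tok) >= 7 and tok[5] == "eq":
        dport = int(tok[6]) if tok[6].isdigit() else SERVICE_PORTS.get(tok[6])
        if dport is None:
            raise ValueError(f"unknown service {tok[6]!r} in: {line!r}")
    return AclRule(int(tok[0]), tok[1], tok[2], tok[3], tok[4], dport)


def parse_acl(text: str) -> list[AclRule]:
    """Parse the numbered rule lines of an 'ip access-list' block, in sequence order."""
    rules = [parse_rule(l) for l in map(str.strip, text.splitlines())
             if l and l[0].isdigit()]
    return sorted(rules, key=lambda r: r.seq)


def to_iptables(rule: AclRule) -> str:
    """Render one rule as an INPUT-chain rule, applying the 'deny any' narrowing."""
    parts = ["-A", "INPUT"]
    if rule.narrowed or rule.proto != "any":
        parts += ["-p", "tcp" if rule.narrowed else rule.proto]
    if rule.src != "any":
        parts += ["-s", rule.src]
    if rule.dst != "any":
        parts += ["-d", rule.dst]
    if rule.narrowed:
        parts += ["-m", "multiport", "--dports", ",".join(map(str, MGMT_PORTS))]
    elif rule.dport is not None:
        parts += ["--dport", str(rule.dport)]
    parts += ["-j", "ACCEPT" if rule.action == "permit" else "DROP"]
    return " ".join(parts)


def _in(prefix: str, addr: str) -> bool:
    return prefix == "any" or ip_address(addr) in ip_network(prefix, strict=False)


def verdict(rules: list[AclRule], proto: str, src: str, dst: str,
            dport: Optional[int] = None) -> str:
    """First-match evaluation of a control-plane packet against the translated rules.
    Falls through to ACCEPT, matching the 'Chain INPUT (policy ACCEPT)' shown above."""
    for r in rules:
        if r.narrowed:
            if proto != "tcp" or dport not in MGMT_PORTS:
                continue          # the narrowed deny never matches ospf, bgp, ...
        elif r.proto != "any" and r.proto != proto:
            continue
        if not (_in(r.src, src) and _in(r.dst, dst)):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return "ACCEPT" if r.action == "permit" else "DROP"
    return "ACCEPT"


# Constructed input: the ACL from the implementation example on this page.
SAMPLE_ACL = """\
ip access-list ssh-access
10 permit tcp 10.12.43.0/24 any eq ssh
20 deny tcp 10.12.33.0/24 any eq 6513
30 deny any 10.12.34.0/24 any
40 deny any any any
!
"""

if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)
    for r in rules:
        print(to_iptables(r))
    # Rule 40 reads like a catch-all but only covers the management ports:
    print("ospf from 192.0.2.9:", verdict(rules, "ospf", "192.0.2.9", "10.0.0.1"))
```

Running the module renders the four rules of the sample ACL and then shows that an OSPF packet still reaches the control plane despite rule 40; only a rule that names the protocol, such as 10 deny ospf any any, produces a DROP for it.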
CLI Commands
Refer to Access Control List Commands (Standard) section of the System Management Configuration guide.
Abbreviations