OcNOS-SP : System Management Guide : System Management Configuration Guide : Access Control Lists Configurations : Management ACL Overview
Management ACL Overview
A Management Port ACL provides a basic level of security for access to the management network. ACLs can also be used to decide which types of management traffic are forwarded or blocked at the management port.
When configuring an access list on a router or a switch, each access list must be identified by a unique name or number. Each access list entry has a permit or deny action, and each entry is associated with a sequence number in the range <1-268435453>. The lower the sequence number, the higher the priority.
This lets the user configure the system to allow certain IP addresses for a protocol and deny every other IP address for that protocol.
Note: If there is no match, the packet is dropped (implicit deny). Therefore, an ACL intended to deny a few selected packets should have at least one permit filter of lower priority; otherwise, all traffic is dropped by the default implicit deny filter.
Topology
Figure 22-41: Management ACL Sample Topology
Management ACL Configuration
 
#configure terminal
Enter configure mode.
(config)#ip access-list mgmt
Create an IP access list named mgmt.
(config-ip-acl)#permit tcp host 10.12.45.57 host 10.12.29.49 eq ssh
Create an access rule to permit a TCP connection with source address 10.12.45.57 and destination address 10.12.29.49 on destination port SSH.
(config-ip-acl)#permit tcp host 10.12.45.58 host 10.12.29.49 eq telnet
Create an access rule to permit a TCP connection with source address 10.12.45.58 and destination address 10.12.29.49 on destination port Telnet.
(config-ip-acl)#permit udp any host 10.12.29.49 eq snmp
Create an access rule to permit a UDP packet with any source address and destination address 10.12.29.49 on destination port SNMP.
(config-ip-acl)#permit udp any host 10.12.29.49 eq ntp
Create an access rule to permit a UDP packet with any source address and destination address 10.12.29.49 on destination port NTP.
(config-ip-acl)#permit udp host 10.12.29.49 any eq snmptrap
Create an access rule to permit a UDP packet with source address 10.12.29.49 and any destination address on destination port SNMPTrap.
(config-ip-acl)#permit tcp host 10.12.29.49 eq ssh host 10.12.45.57
Create an access rule to permit a TCP connection with source address 10.12.29.49 on source port SSH and destination address 10.12.45.57.
(config-ip-acl)#deny tcp host 10.12.45.58 host 10.12.29.49 eq ssh
Create an access rule to deny a TCP connection with source address 10.12.45.58 and destination address 10.12.29.49 on destination port SSH.
(config-ip-acl)#deny tcp host 10.12.45.57 host 10.12.29.49 eq telnet
Create an access rule to deny a TCP connection with source address 10.12.45.57 and destination address 10.12.29.49 on destination port Telnet.
(config-ip-acl)#exit
Exit access list mode.
(config)#hardware-profile filter egress-ipv4 enable
Enable hardware profile for the ACL.
(config)#commit
Commit the candidate configuration to the running configuration.
(config)#interface eth0
Enter interface mode of Management Interface.
(config-if)#no switchport
Configure the interface as Layer 3.
(config-if)#ip address 10.12.29.49/24
Assign an IP address.
(config-if)#ip access-group mgmt in
Apply access group mgmt for inbound traffic to the interface.
(config-if)#commit
Commit the candidate configuration to the running configuration.
(config-if)#end
Exit interface and configure mode.
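The following Python example is added here and is not part of the OcNOS documentation or the product. It simulates how the mgmt access list configured above is evaluated: entries are tried in ascending sequence order (lower sequence number, higher priority), the first matching entry decides, and a packet that matches nothing falls through to the implicit default deny-all. The eight ACE lines and the host addresses are those on this page; the port-name mapping (IANA well-known ports), the sample packets, their ephemeral source ports and the use of 10.12.6.86 (the trap collector from the snmp-server example) are constructed assumptions, and the counters it returns mirror the [match=N] annotations shown in the Validation section.

```python
# Added example (not from the OcNOS documentation): first-match simulator for
# the management ACL 'mgmt' on this page. Packet samples are constructed.
from dataclasses import dataclass
from typing import Optional

# Assumption: service names in the ACEs map to IANA well-known ports.
PORTS = {"ssh": 22, "telnet": 23, "snmp": 161, "snmptrap": 162, "ntp": 123}

# The eight ACEs exactly as 'show ip access-lists mgmt' prints them on this page.
MGMT_ACES = [
    "10 permit tcp host 10.12.45.57 host 10.12.29.49 eq ssh",
    "20 permit tcp host 10.12.45.58 host 10.12.29.49 eq telnet",
    "30 permit udp any host 10.12.29.49 eq snmp",
    "40 permit udp any host 10.12.29.49 eq ntp",
    "50 permit udp host 10.12.29.49 any eq snmptrap",
    "60 permit tcp host 10.12.29.49 eq ssh host 10.12.45.57",
    "70 deny tcp host 10.12.45.58 host 10.12.29.49 eq ssh",
    "80 deny tcp host 10.12.45.57 host 10.12.29.49 eq telnet",
]


@dataclass
class Ace:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "tcp" or "udp"
    src: Optional[str]     # None means "any"
    sport: Optional[int]   # None means any source port
    dst: Optional[str]
    dport: Optional[int]
    matches: int = 0       # the [match=N] counter


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_ace(line: str) -> Ace:
    """Parse '<seq> <permit|deny> <tcp|udp> <src> [eq <port>] <dst> [eq <port>]'."""
    tok = line.split()
    pos = 3

    def address() -> Optional[str]:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return None
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1]
        raise ValueError(f"unsupported address form {tok[pos]!r}")

    def port() -> Optional[int]:
        nonlocal pos
        if pos < len(tok) and tok[pos] == "eq":
            pos += 2
            name = tok[pos - 1]
            return PORTS[name] if name in PORTS else int(name)
        return None

    src, sport = address(), port()
    dst, dport = address(), port()
    return Ace(int(tok[0]), tok[1], tok[2], src, sport, dst, dport)


class Acl:
    """First-match ACL with an implicit 'default deny-all' at the end."""

    def __init__(self, name: str, lines):
        self.name = name
        self.aces = sorted((parse_ace(l) for l in lines), key=lambda a: a.seq)
        self.default_matches = 0

    def add(self, line: str) -> None:
        self.aces.append(parse_ace(line))
        self.aces.sort(key=lambda a: a.seq)   # priority follows sequence order

    def evaluate(self, p: Packet) -> str:
        for a in self.aces:
            if (a.proto == p.proto
                    and a.src in (None, p.src) and a.sport in (None, p.sport)
                    and a.dst in (None, p.dst) and a.dport in (None, p.dport)):
                a.matches += 1
                return a.action
        self.default_matches += 1            # nothing matched: implicit deny
        return "deny"

    def counters(self) -> dict:
        c = {a.seq: a.matches for a in self.aces}
        c["default"] = self.default_matches
        return c


def run_validation() -> dict:
    """Replay constructed traffic resembling the page's Validation section."""
    acl = Acl("mgmt", MGMT_ACES)
    for _ in range(9):   # rule 10: nine SSH segments from the permitted host
        acl.evaluate(Packet("tcp", "10.12.45.57", 51514, "10.12.29.49", 22))
    acl.evaluate(Packet("tcp", "10.12.45.58", 40001, "10.12.29.49", 22))  # rule 70
    acl.evaluate(Packet("tcp", "10.12.45.57", 40002, "10.12.29.49", 23))  # rule 80
    for _ in range(5):   # rule 50: traps towards the collector (outbound)
        acl.evaluate(Packet("udp", "10.12.29.49", 50000, "10.12.6.86", 162))
    acl.evaluate(Packet("tcp", "10.12.29.49", 22, "10.12.45.57", 51514))  # rule 60: SSH reply
    acl.evaluate(Packet("tcp", "10.12.45.57", 40003, "10.12.29.49", 443)) # default deny-all
    return acl.counters()


def precedence_demo() -> tuple:
    """Lower sequence wins: a deny added at sequence 5 shadows permit rule 10."""
    acl = Acl("mgmt", MGMT_ACES)
    ssh = Packet("tcp", "10.12.45.57", 51514, "10.12.29.49", 22)
    before = acl.evaluate(ssh)
    acl.add("5 deny tcp host 10.12.45.57 host 10.12.29.49 eq ssh")
    return before, acl.evaluate(ssh)


if __name__ == "__main__":
    print(run_validation())
    print(precedence_demo())
```

run_validation returns the same counters the show output annotates (9 hits on rule 10, one each on 70 and 80, 5 on 50, one on 60, and one on the implicit default). precedence_demo shows why sequence numbers matter when a list is edited: the same SSH packet is permitted by rule 10 until a deny with a lower sequence number is added in front of it.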
Validation
Use the commands below to verify the match count. When a TCP connection to destination port SSH reaches interface eth0 from source address 10.12.45.57, the match count for access rule 10 increases by the number of packets sent.
#show ip access-lists mgmt
IP access list mgmt
10 permit tcp host 10.12.45.57 host 10.12.29.49 eq ssh [match=9]
20 permit tcp host 10.12.45.58 host 10.12.29.49 eq telnet
30 permit udp any host 10.12.29.49 eq snmp
40 permit udp any host 10.12.29.49 eq ntp
50 permit udp host 10.12.29.49 any eq snmptrap
60 permit tcp host 10.12.29.49 eq ssh host 10.12.45.57
70 deny tcp host 10.12.45.58 host 10.12.29.49 eq ssh
80 deny tcp host 10.12.45.57 host 10.12.29.49 eq telnet
default deny-all
When a TCP connection to destination port Telnet reaches interface eth0 from source address 10.12.45.58, the match count for access rule 20 increases by the number of packets sent.
#show ip access-lists mgmt
IP access list mgmt
10 permit tcp host 10.12.45.57 host 10.12.29.49 eq ssh
20 permit tcp host 10.12.45.58 host 10.12.29.49 eq telnet [match=10]
30 permit udp any host 10.12.29.49 eq snmp
40 permit udp any host 10.12.29.49 eq ntp
50 permit udp host 10.12.29.49 any eq snmptrap
60 permit tcp host 10.12.29.49 eq ssh host 10.12.45.57
70 deny tcp host 10.12.45.58 host 10.12.29.49 eq ssh
80 deny tcp host 10.12.45.57 host 10.12.29.49 eq telnet
default deny-all
When a UDP packet to destination port SNMP reaches interface eth0 from any source address, the match count for access rule 30 increases by the number of packets sent. Prior to this, SNMP should be configured on the device (10.12.29.49).
Example:
snmp-server community SNMPTEST group network-admin vrf management
snmp-server host 10.12.6.86 traps version 2c SNMPTEST udp-port 162 vrf management
snmp-server enable snmp vrf management
 
#show ip access-lists mgmt
IP access list mgmt
10 permit tcp host 10.12.45.57 host 10.12.29.49 eq ssh
20 permit tcp host 10.12.45.58 host 10.12.29.49 eq telnet
30 permit udp any host 10.12.29.49 eq snmp [match=50]
40 permit udp any host 10.12.29.49 eq ntp
50 permit udp host 10.12.29.49 any eq snmptrap
60 permit tcp host 10.12.29.49 eq ssh host 10.12.45.57
70 deny tcp host 10.12.45.58 host 10.12.29.49 eq ssh
80 deny tcp host 10.12.45.57 host 10.12.29.49 eq telnet
default deny-all
When a UDP packet to destination port NTP reaches interface eth0 from any source address, the match count for access rule 40 increases by the number of packets sent. Prior to this, NTP should be configured on the device (10.12.29.49).
Example:
ntp enable vrf management
ntp authenticate vrf management
ntp authentication-key 123 md5 swwx 7 vrf management
ntp trusted-key 123 vrf management
ntp server 10.12.45.36 vrf management
ntp server 10.12.16.16 prefer vrf management
ntp server 10.12.16.16 key 123 vrf management
 
#show ip access-lists mgmt
IP access list mgmt
10 permit tcp host 10.12.45.57 host 10.12.29.49 eq ssh
20 permit tcp host 10.12.45.58 host 10.12.29.49 eq telnet
30 permit udp any host 10.12.29.49 eq snmp
40 permit udp any host 10.12.29.49 eq ntp [match=1]
50 permit udp host 10.12.29.49 any eq snmptrap
60 permit tcp host 10.12.29.49 eq ssh host 10.12.45.57
70 deny tcp host 10.12.45.58 host 10.12.29.49 eq ssh
80 deny tcp host 10.12.45.57 host 10.12.29.49 eq telnet
default deny-all
When a TCP connection request to destination port SSH reaches interface eth0 from source address 10.12.45.58, the connection is denied and the match count for access rule 70 increases by the number of packets sent.
#show ip access-lists mgmt
IP access list mgmt
10 permit tcp host 10.12.45.57 host 10.12.29.49 eq ssh
20 permit tcp host 10.12.45.58 host 10.12.29.49 eq telnet
30 permit udp any host 10.12.29.49 eq snmp
40 permit udp any host 10.12.29.49 eq ntp
50 permit udp host 10.12.29.49 any eq snmptrap
60 permit tcp host 10.12.29.49 eq ssh host 10.12.45.57
70 deny tcp host 10.12.45.58 host 10.12.29.49 eq ssh [match=1]
80 deny tcp host 10.12.45.57 host 10.12.29.49 eq telnet
default deny-all
When a TCP connection request to destination port Telnet reaches interface eth0 from source address 10.12.45.57, the connection is denied and the match count for access rule 80 increases by the number of packets sent.
#show ip access-lists mgmt
IP access list mgmt
10 permit tcp host 10.12.45.57 host 10.12.29.49 eq ssh
20 permit tcp host 10.12.45.58 host 10.12.29.49 eq telnet
30 permit udp any host 10.12.29.49 eq snmp
40 permit udp any host 10.12.29.49 eq ntp
50 permit udp host 10.12.29.49 any eq snmptrap
60 permit tcp host 10.12.29.49 eq ssh host 10.12.45.57
70 deny tcp host 10.12.45.58 host 10.12.29.49 eq ssh
80 deny tcp host 10.12.45.57 host 10.12.29.49 eq telnet [match=1]
default deny-all
To permit SNMP traps, apply the ACL outbound on the management interface.
 
#configure terminal
Enter configure mode.
(config)#interface eth0
Enter interface mode of Management Interface.
(config-if)#ip access-group mgmt out
Apply access group mgmt for outbound traffic to the interface.
(config-if)#commit
Commit the candidate configuration to the running configuration.
(config-if)#end
Exit interface and configure mode.
When a UDP packet to destination port SNMPTrap is sent out of interface eth0 to any destination address, the match count for access rule 50 increases by the number of trap packets. Prior to this, SNMP traps should be configured on the device (10.12.29.49) to use port 162.
Example:
snmp-server community SNMPTEST group network-admin vrf management
snmp-server host 10.12.6.86 traps version 2c SNMPTEST udp-port 162 vrf management
snmp-server enable snmp vrf management
 
#show ip access-lists mgmt
IP access list mgmt
10 permit tcp host 10.12.45.57 host 10.12.29.49 eq ssh
20 permit tcp host 10.12.45.58 host 10.12.29.49 eq telnet
30 permit udp any host 10.12.29.49 eq snmp
40 permit udp any host 10.12.29.49 eq ntp
50 permit udp host 10.12.29.49 any eq snmptrap [match=5]
60 permit tcp host 10.12.29.49 eq ssh host 10.12.45.57
70 deny tcp host 10.12.45.58 host 10.12.29.49 eq ssh
80 deny tcp host 10.12.45.57 host 10.12.29.49 eq telnet
default deny-all
When the ACL is applied on interface eth0 both outbound and inbound, an access rule must also exist for the return traffic of the TCP connection, that is, from source 10.12.29.49 with source port SSH to destination address 10.12.45.57. When a TCP connection is established on port SSH, the match counts for access rules 10 and 60 increase by the number of packets sent and received.
#show ip access-lists mgmt
IP access list mgmt
10 permit tcp host 10.12.45.57 host 10.12.29.49 eq ssh [match=9]
20 permit tcp host 10.12.45.58 host 10.12.29.49 eq telnet
30 permit udp any host 10.12.29.49 eq snmp
40 permit udp any host 10.12.29.49 eq ntp
50 permit udp host 10.12.29.49 any eq snmptrap
60 permit tcp host 10.12.29.49 eq ssh host 10.12.45.57 [match=9]
70 deny tcp host 10.12.45.58 host 10.12.29.49 eq ssh
80 deny tcp host 10.12.45.57 host 10.12.29.49 eq telnet
default deny-all
Note: Use the command clear ip access-list counters to clear the statistics of all ACLs, or clear ip access-list <access-list name> counters to clear the statistics of a particular ACL.
#show access-lists
IP access list mgmt
10 permit tcp host 10.12.45.57 host 10.12.29.49 eq ssh
20 permit tcp host 10.12.45.58 host 10.12.29.49 eq telnet
30 permit udp any host 10.12.29.49 eq snmp
40 permit udp any host 10.12.29.49 eq ntp
50 permit udp host 10.12.29.49 any eq snmptrap
60 permit tcp host 10.12.29.49 eq ssh host 10.12.45.57
70 deny tcp host 10.12.45.58 host 10.12.29.49 eq ssh
80 deny tcp host 10.12.45.57 host 10.12.29.49 eq telnet
 
#show access-lists summary
IPV4 ACL mgmt
statistics enabled
Total ACEs Configured: 8
Configured on interfaces:
eth0 - ingress (Router ACL)
Active on interfaces:
eth0 - ingress (Router ACL)
 
#show access-lists expanded
IP access list mgmt
10 permit tcp host 10.12.45.57 host 10.12.29.49 eq ssh
20 permit tcp host 10.12.45.58 host 10.12.29.49 eq telnet
30 permit udp any host 10.12.29.49 eq snmp
40 permit udp any host 10.12.29.49 eq ntp
50 permit udp host 10.12.29.49 any eq snmptrap
60 permit tcp host 10.12.29.49 eq ssh host 10.12.45.57
70 deny tcp host 10.12.45.58 host 10.12.29.49 eq ssh
80 deny tcp host 10.12.45.57 host 10.12.29.49 eq telnet
default deny-all [match=4]
Last modified date: 10/19/2023