ACL over Loopback
The loopback interface ACL feature provides basic security for management applications reachable through in-band interfaces: an access list applied to the loopback interface filters traffic destined to the loopback addresses.
Note: Refer to the command reference section for limitations, default behavior, and unsupported features.
Topology
Figure 22-43: ACL Loopback Topology
 
#configure terminal
Enter configure mode.
(config)#interface lo
Enter interface mode.
(config-if)#ip address 3.3.3.3/32 secondary
Assign the IPv4 secondary address.
(config-if)#ip address 4.4.4.4/32 secondary
Assign the IPv4 secondary address.
(config-if)#ip address 5.5.5.5/32 secondary
Assign the IPv4 secondary address.
(config-if)#ip address 6.6.6.6/32 secondary
Assign the IPv4 secondary address.
(config-if)#ip address 7.7.7.7/32 secondary
Assign the IPv4 secondary address.
(config-if)#exit
Exit interface mode.
(config)#commit
Commit the candidate configuration to the running configuration.
(config)#ip access-list loopback
Create the IP access list named loopback and enter access-list mode.
(config-ip-acl)# 10 permit tcp any host 3.3.3.3 eq telnet
Permit Telnet (TCP) from any source to destination 3.3.3.3.
(config-ip-acl)# 20 deny tcp any host 4.4.4.4 eq telnet
Deny Telnet (TCP) from any source to destination 4.4.4.4.
(config-ip-acl)# 30 permit tcp any host 5.5.5.5 eq ssh
Permit SSH (TCP) from any source to destination 5.5.5.5.
(config-ip-acl)# 40 deny tcp any host 6.6.6.6 eq ssh
Deny SSH (TCP) from any source to destination 6.6.6.6.
(config-ip-acl)# 50 deny udp any host 6.6.6.6 eq snmp
Deny SNMP (UDP) from any source to destination 6.6.6.6.
(config-ip-acl)# 60 deny udp any host 7.7.7.7 eq ntp
Deny NTP (UDP) from any source to destination 7.7.7.7.
(config-ip-acl)#exit
Exit access-list mode.
(config)#commit
Commit the candidate configuration to the running configuration.
(config)#interface lo
Enter interface mode for lo.
(config-if)#ip access-group loopback in
Apply the loopback access list to ingress traffic on interface lo.
(config-if)#exit
Exit interface mode.
(config)#commit
Commit the candidate configuration to the running configuration.
(config)#exit
Exit configure mode.
Validation
#sh access-lists
IP access list loopback
10 permit tcp any host 3.3.3.3 eq telnet [match=12]
20 deny tcp any host 4.4.4.4 eq telnet [match=12]
30 permit tcp any host 5.5.5.5 eq ssh
40 deny tcp any host 6.6.6.6 eq ssh
50 deny udp any host 6.6.6.6 eq snmp [match=6]
60 deny udp any host 7.7.7.7 eq ntp
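The following Python script is an added example; it is not part of the OcNOS guide and not IP Infusion's own tooling. It parses the `sh access-lists` output above (embedded as a constructed sample), evaluates sample management connections against the parsed loopback access list, and lists the deny entries whose match counters are non-zero, which is where blocked Telnet and SNMP attempts surface in the validation output. It assumes the usual first-match, implicit-deny semantics of an IP access list (the command reference documents the OcNOS defaults) and the standard IANA ports for the service names telnet, ssh, snmp and ntp.

```python
"""Added example (not OcNOS code): parse ``show access-lists`` output and
evaluate management connections against the loopback ACL.

Assumptions: the first matching entry decides and no match means implicit
deny; service names map to their standard IANA ports.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the ``sh access-lists`` output shown on the page.
SHOW_ACCESS_LISTS = """\
IP access list loopback
10 permit tcp any host 3.3.3.3 eq telnet [match=12]
20 deny tcp any host 4.4.4.4 eq telnet [match=12]
30 permit tcp any host 5.5.5.5 eq ssh
40 deny tcp any host 6.6.6.6 eq ssh
50 deny udp any host 6.6.6.6 eq snmp [match=6]
60 deny udp any host 7.7.7.7 eq ntp
"""

# Standard IANA ports for the service names used in the ACL.
PORT_NAMES = {"telnet": 23, "ssh": 22, "snmp": 161, "ntp": 123}

ACE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>any|host \S+)\s+(?P<dst>any|host \S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?(?:\s+\[match=(?P<match>\d+)\])?$"
)


@dataclass
class Ace:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "tcp" or "udp"
    src: Optional[str]     # None means "any"
    dst: Optional[str]     # None means "any"
    dport: Optional[int]   # None means any destination port
    matches: int           # value of [match=N], 0 when the counter is absent


def _host(field: str) -> Optional[str]:
    return None if field == "any" else field.split()[1]


def _port(name: Optional[str]) -> Optional[int]:
    if name is None:
        return None
    if name.isdigit():
        return int(name)
    if name not in PORT_NAMES:
        raise ValueError(f"unknown service name: {name}")
    return PORT_NAMES[name]


def parse_show_access_lists(text: str) -> Dict[str, List[Ace]]:
    """Return {acl_name: [Ace, ...]} in the order the entries are listed."""
    acls: Dict[str, List[Ace]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("IP access list "):
            current = line[len("IP access list "):]
            acls[current] = []
            continue
        m = ACE_RE.match(line)
        if m and current is not None:
            acls[current].append(Ace(
                seq=int(m["seq"]), action=m["action"], proto=m["proto"],
                src=_host(m["src"]), dst=_host(m["dst"]),
                dport=_port(m["port"]), matches=int(m["match"] or 0)))
    return acls


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: int) -> Tuple[str, Optional[int]]:
    """Return (action, matching sequence number) for one packet.

    The first entry that matches decides; if none matches, the packet is
    dropped by the implicit deny (assumed behaviour, reported as seq None).
    """
    for ace in acl:
        if ace.proto != proto:
            continue
        if ace.src is not None and ace.src != src:
            continue
        if ace.dst is not None and ace.dst != dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.seq
    return "deny", None


def denied_hits(acl: List[Ace]) -> Dict[int, int]:
    """Deny entries with a non-zero counter: blocked traffic has hit them."""
    return {a.seq: a.matches for a in acl if a.action == "deny" and a.matches}


if __name__ == "__main__":
    acl = parse_show_access_lists(SHOW_ACCESS_LISTS)["loopback"]
    # 192.0.2.10 is a constructed (documentation-range) source address.
    for proto, dst, port in [("tcp", "3.3.3.3", 23), ("tcp", "4.4.4.4", 23),
                             ("udp", "6.6.6.6", 161), ("tcp", "3.3.3.3", 22)]:
        print(proto, dst, port, "->", evaluate(acl, proto, "192.0.2.10", dst, port))
    print("deny entries with hits:", denied_hits(acl))
```

The last sample connection (SSH to 3.3.3.3) matches no entry, so under the assumed implicit deny it is dropped even though 3.3.3.3 permits Telnet; the counters on entries 20 and 50 are the ones worth watching when validating that unwanted Telnet and SNMP traffic is being blocked.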
 
#sh ip access-lists summary
IPV4 ACL loopback
statistics enabled
Total ACEs Configured: 6
Configured on interfaces:
lo - ingress (Router ACL)
Active on interfaces:
lo - ingress (Router ACL)
Configured on line vty:
 
#sh running-config aclmgr
ip access-list loopback
10 permit tcp any host 3.3.3.3 eq telnet
20 deny tcp any host 4.4.4.4 eq telnet
30 permit tcp any host 5.5.5.5 eq ssh
40 deny tcp any host 6.6.6.6 eq ssh
50 deny udp any host 6.6.6.6 eq snmp
60 deny udp any host 7.7.7.7 eq ntp
!
interface lo
ip access-group loopback in
!
Last modified date: 10/19/2023