Friday, April 13, 2012

ACL in Cisco devices

An ACL is an ordered set of rules that you can use to filter traffic. Each rule specifies a set of conditions that a packet must satisfy to match the rule. When the device determines that an ACL applies to a packet, it tests the packet against the conditions of all rules. The first matching rule determines whether the packet is permitted or denied. If there is no match, the device applies the applicable default rule. The device continues processing packets that are permitted and drops packets that are denied.

You can use ACLs to protect networks and specific hosts from unnecessary or unwanted traffic. For example, you could use ACLs to disallow HTTP traffic from a high-security network to the Internet. You could also use ACLs to allow HTTP traffic but only to specific sites, using the IP address of the site to identify it in an IP ACL.

ACL Types and Applications
•IPv4 ACLs—The device applies IPv4 ACLs only to IPv4 traffic.
•IPv6 ACLs—The device applies IPv6 ACLs only to IPv6 traffic.
•MAC ACLs—The device applies MAC ACLs only to non-IP traffic.
•Security-group ACLs (SGACLs)—The device applies SGACLs to traffic tagged by Cisco TrustSec.
IP and MAC ACLs have the following three types of applications:
•Port ACL—Filters Layer 2 traffic
•Router ACL—Filters Layer 3 traffic
•VLAN ACL—Filters VLAN traffic

IPv4, IPv6, and MAC ACLs allow you to identify traffic by protocol. For your convenience, you can specify some protocols by name. For example, in an IPv4 or IPv6 ACL, you can specify ICMP by name. You can specify any protocol by number.

In MAC ACLs, you can specify protocols by the Ethertype number of the protocol, which is a hexadecimal number. For example, you can use 0x0800 to specify IP traffic in a MAC ACL rule. In IPv4 and IPv6 ACLs, you can specify protocols by the integer that represents the Internet protocol number. For example, you can use 115 to specify Layer 2 Tunneling Protocol (L2TP) traffic.
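The following is an added example, not code from the original post or from Cisco: a small Python model of the first-match processing described above (ordered rules, first match wins, implicit default when nothing matches), with protocols given either by name (ICMP, TCP) or by Internet protocol number (115 for L2TP) as in the IPv4/IPv6 ACL discussion, and a MAC-ACL variant that matches on Ethertype (0x0800 for IP). The policy, addresses and protocol-name table are constructed for the illustration; the `Packet` and `IpRule` types are assumptions of this example, not device data structures.

```python
# Added example: first-match ACL evaluation as described in the post.
# Protocol names, rules and packets below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# A few protocol names and their Internet protocol numbers. "ip" means any
# protocol. Anything not listed must be given by number (e.g. "115" for L2TP).
PROTO_NAMES = {"icmp": 1, "tcp": 6, "udp": 17, "l2tp": 115, "ip": None}

ETHERTYPE_IPV4 = 0x0800  # Ethertype a MAC ACL rule would use for IP traffic


@dataclass
class IpRule:
    action: str                 # "permit" or "deny"
    protocol: Optional[int]     # None matches any protocol ("ip")
    src: str                    # CIDR; "0.0.0.0/0" stands for "any"
    dst: str
    dst_port: Optional[int] = None  # None matches any destination port


@dataclass
class Packet:
    protocol: int
    src: str
    dst: str
    dst_port: Optional[int] = None


def parse_protocol(token: str) -> Optional[int]:
    """Accept a protocol by name ("icmp") or by protocol number ("115")."""
    if token.lower() in PROTO_NAMES:
        return PROTO_NAMES[token.lower()]
    return int(token)


def rule_matches(rule: IpRule, pkt: Packet) -> bool:
    """Every condition of the rule must hold for the packet to match."""
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src, strict=False):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst, strict=False):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate_ip_acl(rules: List[IpRule], pkt: Packet,
                    default: str = "deny") -> Tuple[str, Optional[int]]:
    """Return (action, index of the first matching rule). Rules are tested
    in order; the first match decides. If nothing matches, the default
    rule applies and the index is None."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, i
    return default, None


def evaluate_mac_acl(rules: List[Tuple[str, Optional[int]]], ethertype: int,
                     default: str = "deny") -> Tuple[str, Optional[int]]:
    """MAC ACL rules here are (action, ethertype); None matches any type."""
    for i, (action, etype) in enumerate(rules):
        if etype is None or etype == ethertype:
            return action, i
    return default, None


# Constructed policy for a high-security network: HTTP only to one web site,
# no other HTTP, no L2TP, everything else permitted. Order matters: the
# specific permit must precede the broad deny or it would never be reached.
HIGH_SECURITY_NET = "10.1.0.0/16"
ACL = [
    IpRule("permit", parse_protocol("tcp"), HIGH_SECURITY_NET, "203.0.113.10/32", 80),
    IpRule("deny", parse_protocol("tcp"), HIGH_SECURITY_NET, "0.0.0.0/0", 80),
    IpRule("deny", parse_protocol("115"), HIGH_SECURITY_NET, "0.0.0.0/0"),
    IpRule("permit", parse_protocol("ip"), HIGH_SECURITY_NET, "0.0.0.0/0"),
]

if __name__ == "__main__":
    print(evaluate_ip_acl(ACL, Packet(6, "10.1.2.3", "203.0.113.10", 80)))
    print(evaluate_ip_acl(ACL, Packet(6, "10.1.2.3", "198.51.100.7", 80)))
    print(evaluate_ip_acl(ACL, Packet(1, "192.168.9.9", "198.51.100.7")))
    print(evaluate_mac_acl([("permit", ETHERTYPE_IPV4)], 0x0806))
```

The last two calls show the implicit default: a packet from outside the high-security network matches no rule and is denied, and a non-IP frame (Ethertype 0x0806) hits no MAC rule and is likewise denied.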

Per-User ACLs
Per-user ACLs are fully defined on the authentication server. Each element in a per-user ACL is defined as a RADIUS Vendor Specific Attribute (VSA). The authentication server returns the VSAs in the RADIUS Access-Accept that it sends to the switch after a successful authentication. Since the entire ACL is returned in a single RADIUS packet, the maximum size of a per-user ACL is limited by the 4096-byte maximum size for a RADIUS packet mandated by RFC 2865.

Filter-ID ACLs
The ACEs for Filter-ID ACLs are defined on the switch as extended access-lists. Only numbered access-lists are allowed. The switch will need to be configured with as many access-lists as there are group-specific policies. For example, ACL 100 would apply to Engineers, ACL 101 to Sales, etc. When a user authenticates, the authentication server determines the group membership (e.g. Sales) and sends the appropriate ACL number (101) using the Filter-ID attribute in the RADIUS Access-Accept. Filter-ID is sent as the standard IETF Filter-ID attribute (11). When the switch receives the Filter-ID attribute, it applies the locally defined ACL 101 to the port. Since ACLs are locally defined as normal extended access-lists, there are no limits on size (as long as the TCAM resources are not exhausted).
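The following is an added example, not code from the original post or from Cisco or any RADIUS server, covering both the Per-User ACL and the Filter-ID passages: it builds and parses the attribute section of a RADIUS Access-Accept, pulls out the IETF Filter-ID attribute (11) and the Vendor-Specific attributes (26) that would carry per-user ACL entries, and checks a packet against the 4096-byte maximum from RFC 2865. Assumptions not stated in the post: Cisco's vendor id is taken as 9 and the per-user entries are written in the `ip:inacl#n=` avpair style; the packet, identifier and authenticator are constructed sample data.

```python
# Added example: inspect a RADIUS Access-Accept for Filter-ID and per-user
# ACL VSAs, and check the single-packet size limit (RFC 2865: 4096 bytes).
# The packet built below is constructed sample data, not a capture.
import struct
from typing import Dict, List, Tuple

RADIUS_MAX_LEN = 4096          # maximum RADIUS packet length per RFC 2865
CODE_ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11            # IETF Filter-ID attribute
ATTR_VENDOR_SPECIFIC = 26      # Vendor-Specific attribute (carries VSAs)
CISCO_VENDOR_ID = 9            # assumption: Cisco's enterprise number
CISCO_AVPAIR = 1               # assumption: vendor type used for avpairs


def build_attr(atype: int, value: bytes) -> bytes:
    """Type(1) Length(1) Value; a single attribute cannot exceed 255 bytes."""
    if len(value) + 2 > 255:
        raise ValueError("attribute value too long for one RADIUS attribute")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute: Vendor-Id(4) then a vendor TLV."""
    if len(value) + 2 > 255:
        raise ValueError("VSA value too long")
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return build_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_packet(code: int, identifier: int, authenticator: bytes,
                 attrs: List[bytes]) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV list; reject bad lengths instead of looping or overreading."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def parse_access_accept(pkt: bytes) -> Dict[str, List[str]]:
    """Return the Filter-ID values and the Cisco avpair strings in the packet."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != CODE_ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    if length < 20 or length > len(pkt) or length > RADIUS_MAX_LEN:
        raise ValueError("length field invalid or above the RFC 2865 maximum")
    result: Dict[str, List[str]] = {"filter_ids": [], "avpairs": []}
    for atype, value in parse_attrs(pkt[20:length]):
        if atype == ATTR_FILTER_ID:
            result["filter_ids"].append(value.decode("ascii"))
        elif atype == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short")
            vendor_id = struct.unpack("!I", value[:4])[0]
            if vendor_id == CISCO_VENDOR_ID:
                for _vtype, v in parse_attrs(value[4:]):
                    result["avpairs"].append(v.decode("ascii"))
    return result


def per_user_acl_fits(aces: List[str]) -> bool:
    """Would these ACEs, one VSA each, fit in a single Access-Accept?
    This is the limit the post describes for per-user ACLs."""
    size = 20 + sum(len(build_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, a.encode()))
                    for a in aces)
    return size <= RADIUS_MAX_LEN


# Constructed sample: a Filter-ID naming ACL 101 plus two per-user ACEs.
SAMPLE = build_packet(CODE_ACCESS_ACCEPT, 7, bytes(16), [
    build_attr(ATTR_FILTER_ID, b"101"),
    build_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, b"ip:inacl#1=permit tcp any any eq 80"),
    build_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, b"ip:inacl#2=deny ip any any"),
])

if __name__ == "__main__":
    print(parse_access_accept(SAMPLE))
    print(per_user_acl_fits(["permit ip any any"]))
```

The length checks in `parse_attrs` and `parse_access_accept` are what a receiver needs before trusting the attribute list: a zero or short attribute length would otherwise loop forever, and a Length field larger than the datagram would read past its end.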

Downloadable ACLs
Downloadable ACLs are primarily defined on the authentication server. After a successful authentication, the authentication server returns the name of the downloadable ACL with a version number. If the switch does not have a cached version of the latest downloadable ACL, it initiates a new RADIUS exchange to retrieve the elements of the ACL. ACLs that are downloaded via this method can be split across multiple RADIUS packets and hence are not limited by the 4096 byte limit of a single RADIUS packet.

Note: The Cisco ACS server is required to support downloadable ACLs.

Policy-based ACLs
A PBACL is an ACL that contains one or more ACEs that reference a security group in place of a source and/or destination address. After a successful authentication, the authentication server sends the user's security group information to the switch. The switch then automatically updates the PBACL, replacing the security group with the IP address of the authenticated host.
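The following is an added example, not code from the original post or from Cisco: a Python model of the PBACL update step, where ACEs name a security group instead of an address and the switch expands them into concrete ACEs from the group-to-host bindings learned at authentication. The `sg:<group>` notation, the `PbAce` type and the sample template and addresses are assumptions of this example. An ACE whose group has no authenticated members yet produces no concrete rule, so traffic for it falls through to the ACL's default rather than matching a stale address.

```python
# Added example: expanding a policy-based ACL from security-group bindings.
# The "sg:<group>" notation and sample data are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PbAce:
    action: str      # "permit" or "deny"
    protocol: str    # e.g. "tcp", "ip"
    src: str         # an address/CIDR, "any", or "sg:<group>"
    dst: str


def _resolve_endpoint(spec: str, bindings: Dict[str, List[str]]) -> Optional[List[str]]:
    """Concrete addresses for a source/destination spec, or None when the
    spec names a security group that has no authenticated hosts yet."""
    if spec.startswith("sg:"):
        hosts = bindings.get(spec[3:], [])
        return list(hosts) or None
    return [spec]


def resolve_pbacl(template: List[PbAce], bindings: Dict[str, List[str]]) -> List[PbAce]:
    """Replace each security-group reference with the bound host addresses,
    producing one concrete ACE per (source, destination) pair. ACEs that
    cannot be resolved are left out of the installed ACL."""
    concrete: List[PbAce] = []
    for ace in template:
        srcs = _resolve_endpoint(ace.src, bindings)
        dsts = _resolve_endpoint(ace.dst, bindings)
        if srcs is None or dsts is None:
            continue
        for s in srcs:
            for d in dsts:
                concrete.append(PbAce(ace.action, ace.protocol, s, d))
    return concrete


def on_authentication(bindings: Dict[str, List[str]], group: str,
                      host_ip: str) -> Dict[str, List[str]]:
    """Record the security group the authentication server returned for a
    host; the switch would re-run resolve_pbacl after this."""
    members = bindings.setdefault(group, [])
    if host_ip not in members:
        members.append(host_ip)
    return bindings


# Constructed template: two group-based ACEs and a catch-all.
TEMPLATE = [
    PbAce("permit", "tcp", "sg:Engineers", "10.9.0.10/32"),
    PbAce("deny", "ip", "sg:Contractors", "10.9.0.0/24"),
    PbAce("permit", "ip", "any", "any"),
]

if __name__ == "__main__":
    bindings: Dict[str, List[str]] = {}
    print(resolve_pbacl(TEMPLATE, bindings))          # only the catch-all
    on_authentication(bindings, "Engineers", "10.1.2.3")
    print(resolve_pbacl(TEMPLATE, bindings))          # Engineers ACE now concrete
```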
