Vty or virtual terminal lines are used to allow remote access to the router. A virtual terminal line is not associated with the auxiliary or console port. The router has five virtual terminal lines by default numbered 0 through 4. You can create additional virtual terminal lines if more than five concurrent remote console connections are desired. In most situations five default virtual terminal lines are enough.
Securing remote console access is critical because if it is compromised, an intruder can gain access to router configuration and can even modify it which compromises all other security features configured on the router. Vty lines are also protected using usernames and passwords but access lists can also be used as an additional security measure ensuring Vty lines can be accessed only from trusted hosts having specific IP addresses. Also remember to set identical access lists on all active virtual terminal lines because a user can connect to any of them.
The access-class command is used in line configuration mode to restrict incoming or outgoing connections between a virtual terminal line and the addresses in the access list. The following example defines an access list that denies incoming connections from all networks other than 172.16.0.0 on terminal lines 0 through 4.
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#access-list 10 permit 172.16.0.0 0.0.255.255
R1(config)#line vty 0 4
R1(config-line)#access-class 10 in
R1(config-line)#end
The show line command can be used to view at a glance all active virtual terminal lines and access lists applied to them.
R1#show line
Tty Line Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
* 0 0 CTY – – – – – 0 1 0/0 –
1 1 AUX 9600/9600 – – – – – 0 0 0/0 –
194 194 VTY – – – – 10 0 0 0/0 –
195 195 VTY – – – – 10 0 0 0/0 –
196 196 VTY – – – – 10 0 0 0/0 –
197 197 VTY – – – – 10 0 0 0/0 –
198 198 VTY – – – – 10 0 0 0/0 –
Line(s) not in async mode -or- with no hardware support:
2-193
Modifying Access Lists
While you are creating an access list or after it is created, you might want to delete an entry. You cannot delete an individual entry from a numbered access list. If you need to delete even a single entry from a numbered access list, you have to delete the whole access list using the no access-list command and start over.
R1(config)#no access-list 1
R1(config)#end
R1#show access-list 1
R1#
It is a good strategy to copy the access list to Notepad before deleting it from router configuration. You can then modify the access list in Notepad before applying it again to router configuration.
However, you can delete an individual entry from a named access list using the no permit or no deny command. Let’s demonstrate this using the NoSales extended access list we created earlier, by deleting the second access list statement.
R1#show access-list NoSales
Extended IP access list NoSales
10 deny ip 172.18.0.0 0.0.255.255 host 172.16.40.10 log
20 permit tcp any any
R1#configure terminal
R1(config)#ip access-list extended NoSales
R1(config-ext-nacl)#no permit tcp any any
R1(config-ext-nacl)#end
R1#show access-list NoSales
Extended IP access list NoSales
10 deny ip 172.18.0.0 0.0.255.255 host 172.16.40.10 log
R1#
This is one good reason to prefer named access lists over numbered access lists from a practical standpoint.
Hints for Creating IP Access Lists
- Create an access list before applying it to an interface. If you apply a not-yet-existent access list to an interface and then proceed to configure the access list, the first access control entry (ACE) takes effect as soon as you enter it, and the implicit deny statement that follows it could immediately block traffic and cause access problems.
- An interface with an empty access list applied to it permits all traffic, so that’s another reason to configure an access list before applying it.
- Only one access list can be applied to an interface in each direction for any given protocol.
- All access lists need at least one permit statement; otherwise all packets are denied due to the implicit deny statement and no traffic passes at all.
- Because the software stops testing access control entries (ACEs) after it encounters the first match (to either a permit or deny statement), you will reduce the processing time and resource usage if you put statements that packets are most likely to match at the beginning of the access list. Place more frequently occurring conditions before less frequent conditions.
- Organize your access list so that more specific references in a network or subnet appear before more general ones.
- Use the statement permit any any if you want to allow all other packets not already denied by an earlier statement in the access list. Using the statement permit any any at the end of an access list, in effect, avoids denying all other packets with the implicit deny statement at the end of an access list. Do not make your first access list entry permit any any because all traffic will get through; no packets will reach subsequent testing and so even if there are deny statements after permit any any they will have no effect.
- While you are creating an access list or after it is created, you might want to delete an entry. You cannot delete an individual entry from a numbered access list; trying to do so will delete the entire access list. If you need to delete an entry, you have to delete the whole access list using the no access-list command and start over. However, you can delete an individual entry from a named access list using the no permit or no deny command. This is one good reason to prefer named access lists over numbered access lists from a practical standpoint.
- In order to make individual entries or statements in an access list more scannable and easy to understand at a glance, you can write a helpful remark before or after any statement using the remark command.
- When trying to save router resources, remember that an inbound access list filters traffic before the routing table lookup. An outbound access list applies the filter conditions after the routing table lookup.
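The hints above (first match wins, implicit deny at the end, an empty list permits everything, and a leading permit any shadowing later denies) can be checked offline with a small evaluator for numbered standard access lists. This is an added example, not code from the original article; access list 10 is the one configured above, and access list 11 is constructed here to show ordering.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def parse_standard_acl(config_text):
    """Parse 'access-list N permit|deny <source>' lines into (action, network, wildcard) tuples.
    <source> may be 'A.B.C.D W.W.W.W', 'A.B.C.D' (wildcard 0.0.0.0), 'host A.B.C.D' or 'any'."""
    entries = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue  # not an ACE, e.g. a remark or a blank line
        action = parts[2]
        if parts[3] == "any":
            net, wild = 0, ALL_ONES
        elif parts[3] == "host":
            net, wild = int(ipaddress.IPv4Address(parts[4])), 0
        else:
            net = int(ipaddress.IPv4Address(parts[3]))
            wild = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        entries.append((action, net, wild))
    return entries


def evaluate(entries, src_ip):
    """Return (action, index_of_matching_ACE). Index is None when no ACE matched.
    Models IOS behaviour: first match wins; an empty/non-existent list permits all;
    otherwise the implicit deny at the end applies."""
    if not entries:
        return ("permit", None)
    src = int(ipaddress.IPv4Address(src_ip))
    for index, (action, net, wild) in enumerate(entries):
        # A wildcard bit of 1 means 'don't care', so only compare bits where the wildcard is 0.
        if (src & ~wild & ALL_ONES) == (net & ~wild & ALL_ONES):
            return (action, index)
    return ("deny", None)  # implicit deny


# The vty access list from the article, plus two constructed lists that differ only in order.
ACL_10 = "access-list 10 permit 172.16.0.0 0.0.255.255"
ACL_11_SPECIFIC_FIRST = "access-list 11 deny host 172.16.40.10\naccess-list 11 permit 172.16.0.0 0.0.255.255"
ACL_11_SHADOWED = "access-list 11 permit 172.16.0.0 0.0.255.255\naccess-list 11 deny host 172.16.40.10"
```

With ACL_11_SHADOWED the host-specific deny is never reached, which is exactly the ordering problem the hints warn about.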
Switch Port Access Lists
Switch port access lists are ACLs configured on physical interfaces on a switch. Here are some facts you should not forget about port ACLs:
- Port ACLs support only inbound traffic filtering.
- Port ACLs can be configured as three types: standard, extended, and extended MAC.
- Port ACLs control IP traffic through standard or extended access lists while non-IP traffic is filtered through the use of extended MAC access lists.
Let’s define and verify an extended MAC access list:
SW1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#mac access-list ?
extended Extended Access List
SW1(config)#mac access-list extended ?
WORD access-list name
SW1(config)#mac access-list extended MY_MAC_LIST
SW1(config-ext-macl)#permit ?
H.H.H 48-bit source MAC address
any any source MAC address
host A single source host
SW1(config-ext-macl)#permit host ?
H.H.H 48-bit source MAC address
SW1(config-ext-macl)#permit host 00cd.38ab.4d35 ?
H.H.H 48-bit destination MAC address
any any destination MAC address
host A single destination host
SW1(config-ext-macl)#permit host 00cd.38ab.4d35 any
SW1(config-ext-macl)#deny any any
SW1(config-ext-macl)#end
SW1#show access-list
Extended MAC access list MY_MAC_LIST
permit host 00cd.38ab.4d35 any
deny any any
SW1#
It’s now time to apply the MAC ACL to a switch interface using mac access-group command:
SW1#configure terminal
SW1(config)#interface FastEthernet0/1
SW1(config-if)#mac access-group MY_MAC_LIST ?
in Apply to Ingress
SW1(config-if)#mac access-group MY_MAC_LIST in
SW1(config-if)#end
SW1#
Let’s try to understand what we just did. We created an extended MAC access list that we called MY_MAC_LIST, allowing incoming frames sourced only from a specific MAC address, 00cd.38ab.4d35. This scenario makes sense if you have a desktop cabled to your switch port and you don’t want a user to connect any other device to the same port.
In the last example, we defined an access list that made its filtering decision based on MAC addresses. Sometimes it is desirable to make permit or deny decisions based on the protocol carried inside Ethernet frames rather than source and/or destination MAC addresses.
SW1(config-ext-macl)#permit any any ?
<0-65535> An arbitrary EtherType in decimal, hex, or octal
aarp EtherType: AppleTalk ARP
amber EtherType: DEC-Amber
appletalk EtherType: AppleTalk/EtherTalk
cos CoS value
dec-spanning EtherType: DEC-Spanning-Tree
decnet-iv EtherType: DECnet Phase IV
diagnostic EtherType: DEC-Diagnostic
dsm EtherType: DEC-DSM
etype-6000 EtherType: 0x6000
etype-8042 EtherType: 0x8042
lat EtherType: DEC-LAT
lavc-sca EtherType: DEC-LAVC-SCA
lsap LSAP value
mop-console EtherType: DEC-MOP Remote Console
mop-dump EtherType: DEC-MOP Dump
msdos EtherType: DEC-MSDOS
mumps EtherType: DEC-MUMPS
netbios EtherType: DEC-NETBIOS
vines-echo EtherType: VINES Echo
vines-ip EtherType: VINES IP
xns-idp EtherType: XNS IDP
<cr>
You can specify either an EtherType code or protocol name if a corresponding keyword for your desired protocol is available.
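The following added example (not code from the article) models how an extended MAC ACL is matched against a frame: source and destination operands are host or any, an optional trailing EtherType is given as a keyword or as a decimal, hex or octal number, the first matching entry wins, and the implicit deny applies otherwise. The keyword table covers only a few of the keywords listed above; the IP-versus-MAC split mentioned earlier is not modelled.

```python
# Subset of the EtherType keywords shown in the CLI help above, with their IEEE-assigned values.
ETHERTYPE_KEYWORDS = {
    "aarp": 0x80F3, "appletalk": 0x809B, "xns-idp": 0x0600,
    "etype-6000": 0x6000, "etype-8042": 0x8042,
}


def _norm_mac(mac):
    """Normalise '00cd.38ab.4d35', '00:cd:38:ab:4d:35' or '00-cd-...' to 12 lowercase hex digits."""
    return "".join(ch for ch in mac.lower() if ch not in ".:-")


def _mac_operand(parts, i):
    """Consume 'any' or 'host H.H.H' at parts[i]; return (mac or None for any, next index)."""
    if parts[i] == "any":
        return None, i + 1
    if parts[i] == "host":
        return _norm_mac(parts[i + 1]), i + 2
    raise ValueError("expected 'any' or 'host', got %r" % parts[i])


def _ethertype(token):
    """Keyword, or a number in decimal, hex (0x...) or octal (leading 0), as the CLI help describes."""
    if token in ETHERTYPE_KEYWORDS:
        return ETHERTYPE_KEYWORDS[token]
    if len(token) > 1 and token[0] == "0" and token[1] not in "xXoO":
        return int(token, 8)
    return int(token, 0)


def parse_mac_acl(config_text):
    """Parse 'permit|deny <src> <dst> [ethertype]' lines into (action, src, dst, ethertype) tuples."""
    entries = []
    for line in config_text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("permit", "deny"):
            continue
        src, i = _mac_operand(parts, 1)
        dst, i = _mac_operand(parts, i)
        etype = _ethertype(parts[i]) if i < len(parts) else None
        entries.append((parts[0], src, dst, etype))
    return entries


def evaluate_frame(entries, src_mac, dst_mac, ethertype):
    """First matching entry decides; no match means the implicit deny at the end of the list."""
    src, dst = _norm_mac(src_mac), _norm_mac(dst_mac)
    for action, e_src, e_dst, e_type in entries:
        if (e_src is None or e_src == src) and (e_dst is None or e_dst == dst) \
                and (e_type is None or e_type == ethertype):
            return action
    return "deny"
```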