
04 August, 2014

Access Control List

The right tool for the right job.

Vocab:
- ACL (Access Control List)
- ACE (Access Control Entry, one line of an ACL)
- VACL (VLAN ACL, applied with a VLAN access-map)
- tACL (transit ACL)
- iACL (infrastructure ACL)
- rACL (receive ACL)

! Anti-spoofing entries: our own infrastructure addresses must never arrive from outside as a source
R2(config)#access-list 110 deny ip host 55.44.33.195 any
R2(config)#access-list 110 deny ip host 55.44.33.200 any

! Deny special-use address sources
* Note: Refer to RFC 3330 for more special-use addresses (its table is reproduced at the end of this post)

R2(config)#access-list 110 deny ip host 0.0.0.0 any
R2(config)#access-list 110 deny ip 127.0.0.0 0.255.255.255 any
R2(config)#access-list 110 deny ip 192.0.2.0 0.0.0.255 any
R2(config)#access-list 110 deny ip 224.0.0.0 31.255.255.255 any

! --- Filter RFC 1918 private space as source (10/8, 172.16/12, 192.168/16)
R2(config)#access-list 110 deny ip 10.0.0.0 0.255.255.255 any
R2(config)#access-list 110 deny ip 172.16.0.0 0.15.255.255 any
R2(config)#access-list 110 deny ip 192.168.0.0 0.0.255.255 any

! Deny your own address space as a source entering your network (anti-spoofing)
! Deploy only at the AS edge
R2(config)#access-list 110 deny ip 55.44.33.192 0.0.0.15 any

! Permit BGP with the external peer (12.23.34.45) on the router's peering address:
! the peer opening a session to our port 179, and packets from the peer's port 179 for a session we opened
R2(config)#access-list 110 permit tcp host 12.23.34.45 host 55.44.33.195 eq bgp
R2(config)#access-list 110 permit tcp host 12.23.34.45 eq bgp host 55.44.33.195

! Deny everything else sent to the internal infrastructure addresses (the iACL part)
R2(config)#access-list 110 deny ip any host 55.44.33.195
R2(config)#access-list 110 deny ip any host 55.44.33.200

! Permit transit traffic (everything not matched above would otherwise hit the implicit deny)
R2(config)#access-list 110 permit ip any any
! Apply it inbound on the external edge interface with: ip access-group 110 in

! Verify the configuration (sequence numbers are assigned automatically, in steps of 10)

R2(config)#do show access-list 110
Extended IP access list 110
    10 deny ip host 55.44.33.195 any
    20 deny ip host 55.44.33.200 any
    30 deny ip host 0.0.0.0 any
    40 deny ip 127.0.0.0 0.255.255.255 any
    50 deny ip 192.0.2.0 0.0.0.255 any
    60 deny ip 224.0.0.0 31.255.255.255 any
    70 deny ip 10.0.0.0 0.255.255.255 any
    80 deny ip 172.16.0.0 0.15.255.255 any
    90 deny ip 192.168.0.0 0.0.255.255 any
    100 deny ip 55.44.33.192 0.0.0.15 any
    110 permit tcp host 12.23.34.45 host 55.44.33.195 eq bgp
    120 permit tcp host 12.23.34.45 eq bgp host 55.44.33.195
    130 deny ip any host 55.44.33.195
    140 deny ip any host 55.44.33.200
    150 permit ip any any

RFC 3330 address table (RFC 3330 has since been obsoleted by RFC 5735 and then RFC 6890; check the current special-use registry before turning a row into a deny entry, since several of these blocks have since been allocated as ordinary public space):
   Address Block             Present Use                       Reference
   ---------------------------------------------------------------------
   0.0.0.0/8            "This" Network                 [RFC1700, page 4]
   10.0.0.0/8           Private-Use Networks                   [RFC1918]
   14.0.0.0/8           Public-Data Networks         [RFC1700, page 181]
   24.0.0.0/8           Cable Television Networks                    
   39.0.0.0/8           Reserved but subject to allocation     [RFC1797]
   127.0.0.0/8          Loopback                       [RFC1700, page 5]
   128.0.0.0/16         Reserved but subject to allocation      
   169.254.0.0/16       Link Local                                   
   172.16.0.0/12        Private-Use Networks                   [RFC1918]
   191.255.0.0/16       Reserved but subject to allocation           
   192.0.0.0/24         Reserved but subject to allocation           
   192.0.2.0/24         Test-Net
   192.88.99.0/24       6to4 Relay Anycast                     [RFC3068]
   192.168.0.0/16       Private-Use Networks                   [RFC1918]
   198.18.0.0/15        Net Interconnect Device Benchmark Test [RFC2544]    
   223.255.255.0/24     Reserved but subject to allocation           
   224.0.0.0/4          Multicast                              [RFC3171]
   240.0.0.0/4          Reserved for Future Use        [RFC1700, page 4]
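To see how the ordering and the implicit deny of ACL 110 behave, here is an added Python example (not part of the original post): it parses the access-list lines above, runs a few constructed packets through them with first-match semantics, and spot-checks which currently special-use source blocks the ACL leaves unfiltered. Entry 90 is taken as 192.168.0.0/16, the RFC 1918 block the comment intends; the destination 55.44.33.210 (a host behind the router) and the RFC 5737 documentation address 198.51.100.7 (an arbitrary Internet host) are constructed values.

```python
"""Cisco IOS extended ACL evaluation: first match wins, implicit deny at the end.

Added example, not code from the original post. It parses the access-list 110
lines from the post and runs constructed packets through them. Only the syntax
used on the page is handled: ip/tcp/udp/icmp, host, any, wildcard masks, eq <port>.
An ACE is (seq, action, proto, src, src_wild, sport, dst, dst_wild, dport);
a packet is (proto, src, dst, sport, dport).
"""
import ipaddress

ACL_110 = """
access-list 110 deny ip host 55.44.33.195 any
access-list 110 deny ip host 55.44.33.200 any
access-list 110 deny ip host 0.0.0.0 any
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 deny ip 224.0.0.0 31.255.255.255 any
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 deny ip 55.44.33.192 0.0.0.15 any
access-list 110 permit tcp host 12.23.34.45 host 55.44.33.195 eq bgp
access-list 110 permit tcp host 12.23.34.45 eq bgp host 55.44.33.195
access-list 110 deny ip any host 55.44.33.195
access-list 110 deny ip any host 55.44.33.200
access-list 110 permit ip any any
"""
PORT_NAMES = {"bgp": 179}  # the IOS port keyword used on the page
MASK32 = 0xFFFFFFFF

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(t, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at t[i]; returns (address, wildcard, next index)."""
    if t[i] == "any":
        return 0, MASK32, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    return _ip(t[i]), _ip(t[i + 1]), i + 2

def _port(t, i):
    """Consume an optional 'eq <port>' at t[i]; returns (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        return PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i

def parse_acl(text):
    """access-list <n> <permit|deny> <proto> <src> [eq p] <dst> [eq p]; IOS numbers entries 10, 20, ..."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        src, src_wild, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, dst_wild, i = _addr(t, i)
        dport, _ = _port(t, i)
        aces.append((10 * (len(aces) + 1), t[2], t[3], src, src_wild, sport, dst, dst_wild, dport))
    return aces

def _matches(ace, pkt):
    seq, action, proto, src, src_wild, sport, dst, dst_wild, dport = ace
    p_proto, p_src, p_dst, p_sport, p_dport = pkt
    if proto != "ip" and proto != p_proto:
        return False
    # A 1 bit in the wildcard mask means "don't care", so only the 0 bits are compared.
    if (_ip(p_src) ^ src) & ~src_wild & MASK32 or (_ip(p_dst) ^ dst) & ~dst_wild & MASK32:
        return False
    return (sport is None or p_sport == sport) and (dport is None or p_dport == dport)

def evaluate(aces, pkt):
    """(action, seq) of the first matching entry; ('deny', None) is the implicit deny."""
    for ace in aces:
        if _matches(ace, pkt):
            return ace[1], ace[0]
    return "deny", None

# Constructed packets (see the lead-in for what the addresses stand for).
SAMPLES = {
    "rfc1918 source": ("tcp", "192.168.1.20", "55.44.33.210", 40000, 443),
    "own space from outside": ("tcp", "55.44.33.201", "55.44.33.210", 40000, 443),
    "bgp peer to router": ("tcp", "12.23.34.45", "55.44.33.195", 40000, 179),
    "stranger to router bgp": ("tcp", "198.51.100.7", "55.44.33.195", 40000, 179),
    "transit": ("tcp", "198.51.100.7", "55.44.33.210", 40000, 443),
}

# Source blocks that are special-use today (RFC 6890, RFC 5737, RFC 6598); a short
# constructed list, since RFC 3330 is obsolete and several of its rows are public unicast now.
SPECIAL_USE = ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
               "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
               "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4"]

def run_samples():
    aces = parse_acl(ACL_110)
    return {name: evaluate(aces, pkt) for name, pkt in SAMPLES.items()}

def unfiltered_special_use(aces):
    """Blocks whose first or last address passes as a source: a spot check for contiguous masks."""
    leaked = []
    for block in SPECIAL_USE:
        net = ipaddress.IPv4Network(block)
        probes = (net.network_address, net.broadcast_address)
        if any(evaluate(aces, ("udp", str(x), "55.44.33.210", 5000, 53))[0] == "permit" for x in probes):
            leaked.append(block)
    return leaked

if __name__ == "__main__":
    print(run_samples(), unfiltered_special_use(parse_acl(ACL_110)))
```

Running it shows the peer's BGP session hitting entry 110 while the same packet from any other host hits the deny at 130, and dropping the final `permit ip any any` turns the transit packet into an implicit deny. The coverage check reports 0.0.0.0/8 (the ACL denies only host 0.0.0.0), 100.64.0.0/10, 169.254.0.0/16, 192.0.0.0/24, 198.18.0.0/15 and the two RFC 5737 test networks as sources the list does not filter; the first of these is closed with `deny ip 0.0.0.0 0.255.255.255 any`, and the rest are the kind of entries the RFC 3330 note above is pointing at.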

30 July, 2014

MACsec, VACLs, PACLs

- VLAN Access Control Lists (VLAN maps)
- Port-based Access Control Lists (PACLs)
- MACsec L2 hop-by-hop encryption

### VLAN Access Control Lists (VLAN MAP)

! Traffic to drop, written as permit entries: in a VLAN map a permit in the referenced
! ACL means "this clause matches", a deny means "try the next clause"
SW2(config)#ip access-list extended UNWANTED-IP-PORT
SW2(config-ext-nacl)#permit tcp 10.1.2.0 0.0.0.255 any eq 456
SW2(config-ext-nacl)#permit udp 10.1.2.0 0.0.0.255 any eq 678
SW2(config-ext-nacl)#exit

SW2(config)#mac access-list extended UNWANTED-MAC
SW2(config-ext-macl)#permit host 0000.1234.5678 any
SW2(config-ext-macl)#exit

! Everything else must be forwarded explicitly; a VLAN map ends with an implicit drop
SW2(config)#ip access-list extended ALLOWED-TRAFFIC
SW2(config-ext-nacl)#permit ip any any
SW2(config-ext-nacl)#exit

SW2(config)#vlan access-map VACL 10
SW2(config-access-map)#match ip address UNWANTED-IP-PORT
SW2(config-access-map)#action drop
SW2(config-access-map)#exit
! A MAC ACL is referenced with "match mac address", not "match ip address".
! On several Catalyst platforms a MAC ACL in a VLAN map is evaluated for non-IP frames only,
! and once the map holds a MAC clause, non-IP frames (ARP included) that match no clause are
! dropped; add a MAC ACL "permit any any" clause with action forward if they must pass.
SW2(config)#vlan access-map VACL 20
SW2(config-access-map)#match mac address UNWANTED-MAC
SW2(config-access-map)#action drop
SW2(config-access-map)#exit
SW2(config)#vlan access-map VACL 30
SW2(config-access-map)#match ip address ALLOWED-TRAFFIC
SW2(config-access-map)#action forward
SW2(config-access-map)#exit

! Apply the map to the VLAN (the keyword is vlan-list)
SW2(config)#vlan filter VACL vlan-list 55

! Verify
SW2(config)#do show vlan access-map
SW2(config)#do show vlan filter
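The following is an added Python model of how the switch walks this VLAN map; it is not the switch's code. It assumes the clause semantics as documented for Catalyst 3560/3750-class switches (clauses in sequence order, a permit ACE selects the frame, a frame matching no clause is dropped if the map has a clause of its type and forwarded if it has none) and models, behind a flag, the platform-dependent rule that a MAC ACL in a VLAN map only sees non-IP frames; entry 20 is taken as `match mac address UNWANTED-MAC`. The frames and MAC addresses at the bottom are constructed; verify the two rules on your own platform with `show vlan access-map` and a test host.

```python
"""Model of how a Cisco VLAN access-map evaluates frames, for the VACL on the page.

Added example, not the switch's code. Clauses are walked in sequence order; a clause
matches when a permit entry of its referenced ACL matches the frame (a deny entry in
the ACL means "try the next clause"). A frame that matches no clause is dropped when
the map has a clause of its type (IP or MAC) and forwarded when it has none. The flag
below models the platform-dependent rule that MAC ACLs see only non-IP frames.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumption (platform dependent): a MAC ACL inside a VLAN map is evaluated only for
# non-IP frames, so it cannot block a MAC address's IP traffic.
MAC_ACL_NON_IP_ONLY = True


@dataclass
class Frame:
    src_mac: str
    ip: bool                      # True for IPv4 payload, False for ARP/other L2 traffic
    src_ip: str = "0.0.0.0"
    proto: str = ""               # tcp / udp / icmp when ip is True
    dport: Optional[int] = None


# Named ACLs from the page: (action, proto, source network, destination port)
# and (action, source MAC or "any").
IP_ACLS = {
    "UNWANTED-IP-PORT": [("permit", "tcp", "10.1.2.0/24", 456),
                         ("permit", "udp", "10.1.2.0/24", 678)],
    "ALLOWED-TRAFFIC": [("permit", "ip", "0.0.0.0/0", None)],
}
MAC_ACLS = {"UNWANTED-MAC": [("permit", "0000.1234.5678")]}

# vlan access-map VACL: (sequence, ACL type, ACL name, action)
VLAN_MAP = [(10, "ip", "UNWANTED-IP-PORT", "drop"),
            (20, "mac", "UNWANTED-MAC", "drop"),
            (30, "ip", "ALLOWED-TRAFFIC", "forward")]


def _ip_acl_selects(name: str, f: Frame) -> bool:
    src = ipaddress.IPv4Address(f.src_ip)
    for action, proto, net, dport in IP_ACLS[name]:
        if proto != "ip" and proto != f.proto:
            continue
        if src not in ipaddress.IPv4Network(net) or (dport is not None and dport != f.dport):
            continue
        return action == "permit"   # the first matching ACE decides
    return False


def _mac_acl_selects(name: str, f: Frame) -> bool:
    for action, mac in MAC_ACLS[name]:
        if mac in ("any", f.src_mac):
            return action == "permit"
    return False


def evaluate_map(f: Frame, mac_acl_non_ip_only: bool = MAC_ACL_NON_IP_ONLY) -> Tuple[str, Optional[int]]:
    """Returns (action, clause sequence); sequence None means the map's default applied."""
    if f.ip:
        applicable = ("ip",) if mac_acl_non_ip_only else ("ip", "mac")
    else:
        applicable = ("mac",)
    saw_clause = False
    for seq, kind, name, action in VLAN_MAP:
        if kind not in applicable:
            continue
        saw_clause = True
        selected = _ip_acl_selects(name, f) if kind == "ip" else _mac_acl_selects(name, f)
        if selected:
            return action, seq
    return ("drop" if saw_clause else "forward"), None


# Constructed frames; 0000.aaaa.0001 is an arbitrary other host on VLAN 55.
FRAMES: Dict[str, Frame] = {
    "tcp/456 from 10.1.2.0/24": Frame("0000.aaaa.0001", True, "10.1.2.5", "tcp", 456),
    "web from 10.1.2.0/24": Frame("0000.aaaa.0001", True, "10.1.2.5", "tcp", 80),
    "arp from blocked mac": Frame("0000.1234.5678", False),
    "web from blocked mac": Frame("0000.1234.5678", True, "10.1.2.7", "tcp", 80),
    "arp from another host": Frame("0000.aaaa.0001", False),
}


def run_frames(mac_acl_non_ip_only: bool = MAC_ACL_NON_IP_ONLY) -> Dict[str, Tuple[str, Optional[int]]]:
    return {name: evaluate_map(f, mac_acl_non_ip_only) for name, f in FRAMES.items()}


if __name__ == "__main__":
    for name, verdict in run_frames().items():
        print(f"{name:26s} -> {verdict}")
```

Two results are worth noticing. With the non-IP-only rule in effect, the blocked MAC's ARP is dropped by clause 20 but its web traffic is forwarded by clause 30, so the MAC ACL does not isolate that host; flip the flag (`run_frames(False)`) and the same frame is dropped. And ARP from any other host matches no clause of its type and falls to the map's drop default, which is why a forwarding clause for non-IP traffic belongs in a map like this one.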

### Port based Access Control Lists

! Create the access list
SW2(config)#ip access-list extended NO-PING-TO-11
SW2(config-ext-nacl)#deny icmp any host 10.123.0.11
SW2(config-ext-nacl)#permit ip any any
SW2(config-ext-nacl)#exit

! Check ping before applying it
root@kali:~# ping 10.123.0.11
it works!

! Apply the access list inbound on the access port (a port ACL; PACLs are applied in the inbound direction only)
SW2(config)#interface fastEthernet 0/7
SW2(config-if)#ip access-group NO-PING-TO-11 in

! Check ping again
root@kali:~# ping 10.123.0.11
it no longer works!

### MACsec (Encryption)

SW2(config)#interface fastEthernet 0/24
SW2(config-if)#cts manual
SW2(config-if-cts-manual)#sap pmk ABCD
SW2(config-if-cts-manual)#do show running-config interface fastEthernet 0/24
interface FastEthernet0/24
 description LINK_TO_SW1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 cts manual
  sap pmk 00000000000000000000000000000000000000000000000000000000ABCD
end
* The other end of the link (SW1) must be configured the same way, with the same PMK.
* A short PMK such as ABCD is padded with leading zeros to the full key length, as the running-config shows; use a full-length random hex key in practice.

* Note: For more information use
SW2#show cts interface

* Note: MACsec is an open standard (IEEE 802.1AE)
* Note: CTS = Cisco TrustSec
* Note: SAP = Security Association Protocol
* Note: PMK = Pairwise Master Key