Difference between revisions of "NetworkDeelACLs"
m |
m |
||
Line 12: | Line 12: | ||
# check to make sure that the CAM has not been exhausted and all ACLs actually have been applied. There should be '''no''' errors if you give the command: <tt>sho log</tt> | # check to make sure that the CAM has not been exhausted and all ACLs actually have been applied. There should be '''no''' errors if you give the command: <tt>sho log</tt> | ||
− | + | == Example ruleset == | |
The ruleset language looks an awful lot like the foundry syntax, but defines a couple of new constructs like subnetwork definitions, fixed pre- and post-fixes, and simple (non-recursive!) macros. For example | The ruleset language looks an awful lot like the foundry syntax, but defines a couple of new constructs like subnetwork definitions, fixed pre- and post-fixes, and simple (non-recursive!) macros. For example | ||
Line 54: | Line 54: | ||
! | ! | ||
end | end | ||
+ | |||
+ | == CAM and ACLs == |
Revision as of 07:11, 28 April 2009
Setting and applying ACLs on the deel and nikopn BigIron RX series
The ACLs on deel and nikopn can only be inbound, and should eb applied to all physical and virtual interfaces in a consistent way in order to be effective. Since deel contains many different kinds of networks, it is logically easier to think of the protected to be applied to the outbound direction, i.e. what kind of traffic you allow to flow towards a particular subnet, instead of thinkging aboutn the traffic allowed inbound. However, the outbound ACLs you would need to implement the logical idea are not supported on the BigIron-RX series hardware. Similarly, access-policy-groups cannot be used.
To offset this limitation, a translation utility (tr-acl) has been built to convert logical access control rules in a set of inbound-only ACLs to be used on the foundry. It converts a high-level description of all connected subnets and the list of access controls to be applied in a set of inbound ALCs, one for each subnet. Onle ACEs relevant to the connected subnet are actually put in the ACL, to limit it's total length. For this reason, the list of connected networks in the ruleset is critical!
To work in this way, you:
- write or update the high-level description. The one used for deel and nikopn is in the private SVN "ndpf" repository (ndpf/nl.nikhef.ndpf.config/router/ruleset.in or ruleset-nikopn.in). Make sure to commit and log changes
- run the tr-acl command: tr-acl ruleset.in > /tftpboot/deel-acl
- load the new ACLs in the router: cop tftp run 192.168.254.4 deel-acl
- apply them to the interfaces: conf t and ip rebind-acl all
- check to make sure that the CAM has not been exhausted and all ACLs actually have been applied. There should be no errors if you give the command: sho log
Example ruleset
The ruleset language looks an awful lot like the foundry syntax, but defines a couple of new constructs like subnetwork definitions, fixed pre- and post-fixes, and simple (non-recursive!) macros. For example
! ruleset for new deel router ! interface interconnect connects 192.16.186.164/30 connects 0.0.0.0/0 excludes 192.16.186.192/26 excludes 192.16.186.128/30 excludes 194.171.96.0/21 excludes 145.100.9.44/30 excludes 172.16.0.0/12 excludes 239.0.0.0/8 excludes 0.0.0.0/32 ! ban forged source IPs from entering ! do this once we configure IPs on our own VLANs prepend deny ip 194.171.96.0/21 any prepend deny ip 192.16.186.192/26 any end ! macro definitions stanza permit-webserver permit tcp $src $dest eq http permit tcp $src $dest eq ssl end ! ! actual rules start here ruleset ! ! always allow established connections but filter localdomain permit tcp any any established deny ip 127.0.0.0/8 any deny ip any 127.0.0.0/8 ! ! HTTP and SSL servers on gridsrv are accessible from anywhere $permit-webserver(src=any,dest=194.171.96.64/28) ! ! and deny all other traffic deny ip any any ! end