Dynamic ACL Application

Updated 4 years ago
Hello,
I am working with dynamic ACLs and I have multiple ACLs for applications like RDP, HTTP and HTTPS. Is there any way I can reduce the number of lines in the following ACLs, or can I specify multiple port numbers in one line, so that I can reduce my configuration?
create access-list HTTP-IN "source-address 10.10.10.0/24;protocol tcp;destination-port 80" "count HTTP;permit"
create access-list HTTPS-IN "source-address 10.10.10.0/24;protocol tcp;destination-port 443" "count HTTPS;permit"
create access-list SSH-IN "source-address 10.10.10.0/24;protocol tcp;destination-port 22" "count SSH;permit"

configure access-list add HTTP-IN first vlan "V67_Server" ingress
configure access-list add HTTPS-IN last vlan "V67_Server" ingress
configure access-list add SSH-IN last vlan "V67_Server" ingress
Freiu

Posted 4 years ago
Paul Russo, Alum
Hello Freiu

You can add port ranges, which may help with what you are trying to do:

"You can specify multiple, single, or zero match conditions. If you do not specify a match condition, all packets match the rule entry. Commonly used match conditions are:
• ethernet-source-address mac-address mask—Ethernet source address
• ethernet-destination-address mac-address mask—Ethernet destination address and mask
• source-address prefix—IP source address and mask
• destination-address prefix—IP destination address and mask
• source-port [port|range]—TCP or UDP source port range
• destination-port [port|range]—TCP or UDP destination port range"


By adding those ACLs using the CLI and the create access-list command, those ACLs are what we call dynamic. Another way to do the ACLs is to use a policy file with all of the statements in the file, and then you can apply that file as an ACL to the port or VLAN. There is a great write-up on ACLs in the user guide; in the 15.6 version it is chapter 22.

I hope that helps

P
Freiu
Hi Paul,
Thank you for your reply. We cannot use policy files, so we have to do it with dynamic ACLs. For port ranges the range has to be continuous, like [source-port 23-27], but in my case I have specific ports that are not continuous, like for FTP, SMTP, HTTP and RDP. What can I do in this case?
Paul Russo, Alum
Hello Freiu

I am sorry, but I do not believe you can do multiple port values on the same line, for example destination-port 80;22;443.

The way the ACL works, everything in the "if" part of the statement (the conditions) is either match all or match any, so think of it as everything is "and" or everything is "or". So in this case the packet would have to have all three port values. If it is an "or", you could do destination-port 23; destination-port 443; destination-port 80, and the ACL will do an "or" on each statement. In this case you wouldn't be able to do subnet 10.10.10.0 and destination-port or destination-port.

So there is no option for having an "and" and an "or" statement in the same ACL.

I hope this is clear

P
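The practical consequence of the answer above is that each non-contiguous port needs its own dynamic ACL (conditions inside one rule are ANDed; separate ACLs are ORed), while a contiguous run of ports can be collapsed into one range rule. The following Python generator is an added example, not code from the thread or from Extreme Networks: it takes a service-to-ports table, collapses contiguous ports into ranges, and emits the create/configure command pairs in the same shape as the original post. The function names and the SERVICES table are constructed for illustration, and the "lo-hi" range spelling follows the "[source-port 23-27]" form quoted in the thread, so check it against your EXOS release before pasting the output.

```python
"""Emit EXOS-style dynamic ACL commands from a service/port table.

Added example (not from the thread). A dynamic ACL rule takes one
destination-port value or one contiguous range, so the generator writes
one "create access-list" per contiguous run of ports and applies each
rule ingress on the VLAN. Names and the sample table are constructed;
the "lo-hi" range syntax is assumed from the thread.
"""

# Constructed sample input: service name -> TCP destination ports.
SERVICES = {
    "HTTP": [80],
    "HTTPS": [443],
    "SSH": [22],
    "FTP": [20, 21],           # contiguous: collapses to one 20-21 rule
    "RDP": [3389],
    "SMTP": [25, 465, 587],    # not contiguous: needs three rules
}


def port_ranges(ports):
    """Collapse ports into sorted contiguous (lo, hi) runs.

    [20, 21, 25] -> [(20, 21), (25, 25)]
    """
    runs = []
    for port in sorted(set(ports)):
        if not 0 < port < 65536:
            raise ValueError(f"port {port} out of range")
        if runs and runs[-1][1] + 1 == port:
            runs[-1] = (runs[-1][0], port)   # extend the current run
        else:
            runs.append((port, port))
    return runs


def port_match(lo, hi):
    """Single port, or a 'lo-hi' range (assumed syntax) for destination-port."""
    return str(lo) if lo == hi else f"{lo}-{hi}"


def dynamic_acl_rules(services, source_prefix, vlan):
    """Return (create_lines, configure_lines) for the given services.

    Each rule is its own dynamic ACL: conditions inside a rule are ANDed
    (source AND protocol AND port), separate ACLs are ORed. The first rule
    is added with 'first', the rest with 'last', so the installed order
    follows the order of the services table.
    """
    creates, configures = [], []
    seen = set()
    for service, ports in services.items():
        runs = port_ranges(ports)
        for lo, hi in runs:
            # One name per rule; disambiguate when a service spans several runs.
            name = f"{service}-IN" if len(runs) == 1 else f"{service}-{lo}-IN"
            if name in seen:
                raise ValueError(f"duplicate ACL name {name}")
            seen.add(name)
            conditions = (f"source-address {source_prefix};protocol tcp;"
                          f"destination-port {port_match(lo, hi)}")
            creates.append(f'create access-list {name} "{conditions}" '
                           f'"count {name};permit"')
            position = "first" if not configures else "last"
            configures.append(f'configure access-list add {name} {position} '
                              f'vlan "{vlan}" ingress')
    return creates, configures


if __name__ == "__main__":
    creates, configures = dynamic_acl_rules(SERVICES, "10.10.10.0/24", "V67_Server")
    print("\n".join(creates + configures))
```

Running it prints eight create lines and eight configure lines: FTP becomes a single 20-21 rule, while SMTP, whose ports are not contiguous, becomes three rules named SMTP-25-IN, SMTP-465-IN and SMTP-587-IN. The duplicate-name check matters because re-creating an existing dynamic ACL name would fail or silently shadow an earlier rule depending on how you apply the output.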
Freiu
Hi Paul,
are Network Zones supported in Dynamic ACLs?

create access-list TestCompressedout "destination-zone zone1;source-port 80" "count HTTP;permit"
Paul Russo, Alum
Hey Freiu

No, I don't believe source-zones and destination-zones are supported in dynamic ACLs.

When I try and execute a dynamic ACL with a zone it errors out.

P
Freiu
Paul, Thanks for your help!!