Sunday, July 14, 2013

CCIE DC: ACLs on Nexus 7k, 5k and 1k

Hey Guys!

First of all, with this blog post I can officially say ccierants.com has reached 200,000 visitors! Thanks so much, it's great to know that some people are finding my posts useful!

Let's get down to business.

In your blueprint for CCIE DC, you will notice the following topic: IP ACLs, MAC ACLs and VLAN ACLs.

They are configured in a similar way on the N1Kv, N5k and N7k, with some important differences that we will go over.

Let's get started!

First of all, the usual way of defining an access list is mostly intact: we don't need the standard or extended keyword any more, which is great!

N5k(config)# ip access-list ?
  WORD                             List name (Max Size 64)
  match-local-traffic (no abbrev)  Enable access-list matching for locally generated traffic

N5k(config)# ip access-list ccierants


Awesome stuff. We can see there are some other ACL types we can create too:

N5k(config)# ipv6 access-list 
N5k(config)# mac access-list 

The usual permit and deny entries behave as you would expect, sequence numbers are supported, and we can remove an entry with no followed by its sequence number, as before.

We can configure the usual stuff we might expect in an ACL:

N5k(config-acl)# show access-list ccierants

IPV4 ACL ccierants
        statistics per-entry
        1 remark 200,000 hits! Yay!
        10 permit tcp any any eq 22
        17 permit ip any any



So you can see we have remarks, like we are used to, and sequence numbers, plus a new command, statistics per-entry, which tells the switch to keep a match counter for every ACE in the list. Without it no counters are kept at all, so you cannot tell from the switch which entries are being hit.

Let's see what we can do with our new ACL:

IPV4 ACL ccierants
        statistics per-entry
        1 remark 200,000 hits! Yay!
        2 deny icmp 10.0.0.132/32 10.0.0.3/32 log
        3 deny icmp 10.0.0.132/32 any log
        10 permit tcp any any eq 22
        17 permit ip any any
        20 permit ip any any


(You will notice we can use prefix notation in our ACLs now too, yay!)

OK, so let's go ahead and apply this to an interface.

N5k(config-if)# show run int mgmt0

interface mgmt0
  ip access-group ccierants in
  ip address 10.0.0.55/24

!

Here I have applied the ACL to the mgmt interface (a Layer 3 interface), and the syntax is probably very similar to what you are used to.

N5k(config-if)# show access-list ccierants

IPV4 ACL ccierants
        statistics per-entry
        1 remark 200,000 hits! Yay!
        2 deny icmp 10.0.0.132/32 10.0.0.3/32 log [match=0]
        3 deny icmp 10.0.0.132/32 any log [match=3]
        10 permit tcp any any eq 22 [match=101]
        17 permit ip any any [match=24]
        20 permit ip any any [match=0]



I have sent three pings from 10.0.0.132 to the mgmt interface on the Nexus, and as we can see, entry 3 has been matched three times. Entry 2 stays at zero because it only matches ICMP destined to 10.0.0.3, while mgmt0 is 10.0.0.55; entry 3 matches ICMP from that source to any destination, so it is the one that catches the pings. If we didn't have statistics per-entry we wouldn't be able to collect this info at all.
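If you want to confirm from the switch rather than from the client, the thing to look at is which ACE counters moved between two snapshots of show access-list. Here is an added example for this post (my own helper, not a Cisco tool and not code from the original post) that parses that output, diffs two snapshots and lists the deny entries with hits. The "after" snapshot is the output shown above; the "before" snapshot and the no-statistics output are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# The page's "show access-list ccierants" output after the three pings.
AFTER = """\
IPV4 ACL ccierants
        statistics per-entry
        1 remark 200,000 hits! Yay!
        2 deny icmp 10.0.0.132/32 10.0.0.3/32 log [match=0]
        3 deny icmp 10.0.0.132/32 any log [match=3]
        10 permit tcp any any eq 22 [match=101]
        17 permit ip any any [match=24]
        20 permit ip any any [match=0]
"""

# Constructed "before" snapshot (assumed counter values, taken before the pings were sent).
BEFORE = """\
IPV4 ACL ccierants
        statistics per-entry
        1 remark 200,000 hits! Yay!
        2 deny icmp 10.0.0.132/32 10.0.0.3/32 log [match=0]
        3 deny icmp 10.0.0.132/32 any log [match=0]
        10 permit tcp any any eq 22 [match=98]
        17 permit ip any any [match=24]
        20 permit ip any any [match=0]
"""

# Constructed output for an ACL without "statistics per-entry": no counters at all.
NO_STATS = """\
IPV4 ACL ccierants
        3 deny icmp 10.0.0.132/32 any log
        10 permit tcp any any eq 22
"""

# "<seq> <ace text> [match=N]" where the counter part is absent without statistics per-entry.
ACE_LINE = re.compile(r"^\s*(\d+)\s+(.*?)(?:\s+\[match=(\d+)\])?\s*$")
Snapshot = Dict[int, Tuple[str, Optional[int]]]   # sequence -> (ACE text, match count or None)


def parse_counters(text: str) -> Tuple[bool, Snapshot]:
    """Parse 'show access-list NAME' output: (statistics per-entry enabled?, {seq: (ace, count)})."""
    stats = False
    aces: Snapshot = {}
    for line in text.splitlines():
        if line.strip() == "statistics per-entry":
            stats = True
            continue
        m = ACE_LINE.match(line)
        if not m:
            continue                      # header line or prompt
        seq, ace, count = int(m.group(1)), m.group(2), m.group(3)
        if ace.startswith("remark"):
            continue                      # remarks carry no counter
        aces[seq] = (ace, int(count) if count is not None else None)
    return stats, aces


def counter_delta(before: Snapshot, after: Snapshot) -> Dict[int, int]:
    """ACEs whose match counter grew between two snapshots, with the increase."""
    delta: Dict[int, int] = {}
    for seq, (ace, count) in after.items():
        prev = before.get(seq, (ace, None))[1]
        if count is not None and prev is not None and count > prev:
            delta[seq] = count - prev
    return delta


def deny_hits(snapshot: Snapshot) -> list:
    """Deny ACEs that have matched at least once, i.e. traffic the ACL is actually blocking."""
    return [(seq, ace, count) for seq, (ace, count) in sorted(snapshot.items())
            if ace.startswith("deny") and count]


if __name__ == "__main__":
    enabled, after = parse_counters(AFTER)
    _, before = parse_counters(BEFORE)
    print("statistics per-entry:", enabled)
    print("increments since last snapshot:", counter_delta(before, after))
    print("deny ACEs with hits:", deny_hits(after))
    print("without statistics per-entry:", parse_counters(NO_STATS))
```

Take the first snapshot, send the test traffic, take the second, and only the entries in the delta are being hit; a deny entry that shows up there is the confirmation that the ACL is blocking, which is exactly what you cannot get from an ACL without statistics per-entry.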

Here is a very cool command to see all the ACLs applied across the system at once:

N5k(config-acl)# show access-lists summary

IPV4 ACL ccierants
        Total ACEs Configured:5
        Configured on interfaces:   
                mgmt0 - ingress (Router ACL)
        Active on interfaces:   
                mgmt0 - ingress (Router ACL)
N5k(config-acl)# 



So far pretty straightforward, right? Yep, fortunately this is not a difficult topic!

OK, let's do something a little different: in this example we are going to apply our IP ACL to a Layer 2 (switchport) interface as a port ACL!


N5k(config-acl)# int eth1/8
N5k(config-if)# ip port access-group ccierants in
ERROR: policy rule not supported



Oops! On this platform (Nexus 5010) the switch refuses to bind the ACL as a port ACL with "policy rule not supported", which means one of the ACEs uses an option this platform does not support in a port ACL. Let's strip the ACL back to something simpler and find out which one:


N5k(config-if)# ip access-list ccierants
N5k(config-acl)# 3 deny icmp 10.0.0.132/32 any
N5k(config-acl)# int eth1/1
N5k(config-if)# ip port access-group ccierants in
N5k(config-if)# ip access-list ccierants
N5k(config-acl)# 2 deny icmp 10.0.0.132/32 10.0.0.32/32
N5k(config-acl)# no 2
N5k(config-acl)# 2 deny icmp 10.0.0.132/32 10.0.0.32/32 log
ERROR: policy rule not supported



This is our hiccup: the log keyword is what the platform is rejecting. The same ACEs with log were accepted earlier while the ACL was only bound to mgmt0 as a router ACL, but once the ACL is bound as a port ACL (at least on this platform) an ACE with log is refused, so keep that in mind!

Now that we have our ACL applied, I want to make sure you understand the significance of the port keyword, because without it you can really get yourself in trouble.

Observe the following:

N5k(config-if)# show run int eth1/8

interface Ethernet1/8
  ip access-group ccierants out
  switchport access vlan 10
  spanning-tree port type edge
  speed 1000



Looks pretty good, hey? Quite simple: it's a Layer 2 port with an access list (incorrectly) applied using ip access-group instead of ip port access-group. The switch accepted the command without complaint, so to the untrained eye it probably looks perfectly fine.

Without logging being supported on port ACLs, it's a little trickier to tell if your ACLs are actually being enforced.

Thankfully the handy NX-OS command I showed you earlier gives you exactly this information, so you can make sure your ACL is actually blocking traffic.



N5k(config-if)# show access-list summary

IPV4 ACL ccierants
        Total ACEs Configured:4
        Configured on interfaces:   
                mgmt0 - ingress (Router ACL)
                Ethernet1/1 - ingress (Port ACL)
                Ethernet1/8 -  egress (Router ACL)
        Active on interfaces:   
                mgmt0 - ingress (Router ACL)
                Ethernet1/1 - ingress (Port ACL)

N5k(config-if)#


Note two things there! First, the Ethernet1/8 binding shows as CONFIGURED on the interface, but it shows as a Router ACL, and this is not a routed port, it is a normal Layer 2 port.

Second, that binding does not show as ACTIVE on the interface at all!

This tells you it's not actually going to block anything, as our ping can attest:


C:\Users\peter revill> ping 10.0.0.3 -t

Pinging 10.0.0.3 with 32 bytes of data:
Reply from 10.0.0.3: bytes=32 time<1ms TTL=255
Reply from 10.0.0.3: bytes=32 time<1ms TTL=255
Reply from 10.0.0.3: bytes=32 time<1ms TTL=255

Ping statistics for 10.0.0.3:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
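The check I would actually script is the one that catches this silently: compare the Configured and Active lists in show access-lists summary, and scan the running config for a plain ip access-group on a port that also carries switchport commands. The following Python is an added example for this post (not Cisco tooling, and not the author's code); it runs on the summary output shown above plus a constructed running-config sample in which the Ethernet1/1 block is assumed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# The page's "show access-list summary" output after the mistaken
# "ip access-group ccierants out" on the Layer 2 port Ethernet1/8.
SUMMARY = """\
IPV4 ACL ccierants
        Total ACEs Configured:4
        Configured on interfaces:
                mgmt0 - ingress (Router ACL)
                Ethernet1/1 - ingress (Port ACL)
                Ethernet1/8 -  egress (Router ACL)
        Active on interfaces:
                mgmt0 - ingress (Router ACL)
                Ethernet1/1 - ingress (Port ACL)
"""

# Constructed sample: the page's "show run int eth1/8" block plus an assumed
# Ethernet1/1 block that is bound correctly as a port ACL.
RUNNING_CONFIG = """\
interface Ethernet1/8
  ip access-group ccierants out
  switchport access vlan 10
  spanning-tree port type edge
  speed 1000

interface Ethernet1/1
  switchport mode trunk
  ip port access-group ccierants in
"""

ACL_HEADER = re.compile(r"^(IPV4|IPV6|MAC) ACL (\S+)\s*$")
BINDING = re.compile(r"^\s*(\S+)\s+-\s+(ingress|egress)\s+\((Router|Port) ACL\)\s*$")
Binding = Tuple[str, str, str]   # (interface, direction, "Router" or "Port")


@dataclass
class AclSummary:
    kind: str
    name: str
    configured: Set[Binding] = field(default_factory=set)
    active: Set[Binding] = field(default_factory=set)


def parse_summary(text: str) -> List[AclSummary]:
    """Parse 'show access-lists summary' into one AclSummary per ACL."""
    acls: List[AclSummary] = []
    current, section = None, None
    for line in text.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            current = AclSummary(m.group(1), m.group(2))
            acls.append(current)
            section = None
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith("Configured on interfaces"):
            section = "configured"
        elif stripped.startswith("Active on interfaces"):
            section = "active"
        elif section:
            b = BINDING.match(line)
            if b:
                getattr(current, section).add((b.group(1), b.group(2), b.group(3)))
    return acls


def inactive_bindings(acls: List[AclSummary]) -> List[Tuple[str, str, str, str]]:
    """Bindings the switch accepted but is not enforcing: (acl, interface, direction, type)."""
    return [(a.name,) + b for a in acls for b in sorted(a.configured - a.active)]


def router_acl_on_switchports(config: str) -> List[Tuple[str, str, str]]:
    """Interfaces with both a switchport command and a plain 'ip access-group' (a router
    ACL), which on a Layer 2 port is configured but never active."""
    findings, blocks, current = [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = []
            blocks.append((line.split(None, 1)[1], current))
        elif line and current is not None:
            current.append(line)
    for iface, lines in blocks:
        if any(l.startswith("switchport") for l in lines):
            for l in lines:
                if l.startswith("ip access-group "):      # "ip port access-group" is fine
                    _, _, name, direction = l.split()
                    findings.append((iface, name, direction))
    return findings


if __name__ == "__main__":
    print("configured but not active:", inactive_bindings(parse_summary(SUMMARY)))
    print("router ACL on switchports:", router_acl_on_switchports(RUNNING_CONFIG))
```

Both checks flag Ethernet1/8 here. The summary check is the authoritative one, because it reports what the switch is actually enforcing; the config scan is the cheap pre-change review that stops the mistake from being committed in the first place.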




So remember: to get a port ACL to actually work, you need to apply it with ip port access-group, not ip access-group!

N5k(config-if)# int eth1/8
N5k(config-if)# ip port access-group ccierants ?
  in  Inbound packets

You will note that a port ACL can only be applied in the inbound direction.

Now let's take a look:


N5k(config-if)# show access-list summary

IPV4 ACL ccierants
        Total ACEs Configured:4
        Configured on interfaces:   
                mgmt0 - ingress (Router ACL)
                Ethernet1/1 - ingress (Port ACL)
                Ethernet1/8 -  egress (Router ACL)
                Ethernet1/8 - ingress (Port ACL)
        Active on interfaces:   
                mgmt0 - ingress (Router ACL)
                Ethernet1/1 - ingress (Port ACL)
                Ethernet1/8 - ingress (Port ACL)


Now the ACL should be effective....


C:\Users\peter revill>ping 10.0.0.3 -t

Pinging 10.0.0.3 with 32 bytes of data:
Request timed out.

Yep, effective! Hooray!


OK, so you can also apply your ACL to your vty lines, as you would expect. A nice thing on NX-OS is that it's just line vty; you don't have to specify numbers and all that jazz.


N5k(config)# line vty
N5k(config-line)# access-class ?
  WORD  List name (Max Size 64)

N5k(config-line)# access-class ccierants ?
  in   Inbound packets
  out  Outbound packets

N5k(config-line)# access-class ccierants in 


It's worth noting that a port ACL can also be applied to a trunk, and it will take effect for all traffic on that trunk, across every VLAN it carries. Let's give it a shot by swapping the source and destination in the deny entry above (so it now matches ICMP destined to 10.0.0.132) and applying it inbound on our trunk interface (Ethernet1/1):

Change the ACL:

N5k# show access-list ccierants

IPV4 ACL ccierants
        3 deny icmp any 10.0.0.132/32
        10 permit tcp any any eq 22
        17 permit ip any any
        20 permit ip any any


Apply to our trunk:

N5k(config)# int eth1/1
N5k(config-if)# ip port access-group ccierants in


Check it's applied correctly and active:

N5k(config-if)# show access-list summary

IPV4 ACL ccierants
        Total ACEs Configured:4
        Configured on interfaces:   
                mgmt0 - ingress (Router ACL)
                Ethernet1/1 - ingress (Port ACL)
        Active on interfaces:   
                mgmt0 - ingress (Router ACL)
                Ethernet1/1 - ingress (Port ACL)


Is it effective even though our Eth1/1 interface is a trunk?

C:\Users\peter revill>ping 10.0.0.3

Pinging 10.0.0.3 with 32 bytes of data:
Request timed out.
Request timed out.

Ping statistics for 10.0.0.3:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),


It sure is! Very cool: with a port ACL on a trunk we can block traffic across all the VLANs carried on that trunk.

Does anyone know if this functionality is available on the Catalyst series? If so, which switches? Keen to hear from anyone who might know!


Let's talk now about MAC ACLs and VLAN ACLs. The term VLAN ACL is a little misleading, because you're actually just applying an IP or MAC ACL to a VLAN through a VLAN access map. All traffic bridged within that VLAN by the switch is checked against the filter and either dropped or forwarded to the destination port on that VLAN.


So, to kill two birds with one stone, let's investigate MAC ACLs and VLAN ACLs together.


First, let's create our MAC ACL:

N5k(config-mac-acl)# show mac access-lists

MAC ACL ccierantsmac
        10 deny 28cf.da00.428f 0000.0000.0000 10bf.487d.c043 0000.0000.0000 ip
        20 permit any any
N5k(config-mac-acl)#


You can see here that we specified a source and destination MAC address, and the ip keyword at the end is the Ethernet protocol (EtherType) that is blocked between them. We could have omitted this keyword to deny all Ethernet traffic between the two hosts, but I wanted to show that this option is available :) Keep in mind that with ip specified only IPv4 frames are denied; ARP uses its own EtherType and still passes between the hosts under this entry.

N5k(config-mac-acl)# statistics ?
  per-entry  Collect stats for each ACL entry




We have the same statistics per-entry command under these ACLs that we have in IP ACLs. Note also that the second value after each address is a wildcard mask, as on an IP access list; here we used 0000.0000.0000, which means match exactly that single address. Wildcards don't make as much sense for individual MAC addresses, though a mask such as 0000.00ff.ffff would let you match a whole OUI (vendor prefix).

As a test, before we continue, I applied this to the interface:


N5k# show run int eth1/8

interface Ethernet1/8
  mac port access-group ccierantsmac
  switchport access vlan 10
  spanning-tree port type edge
  speed 1000


It showed up in our most useful of commands:


N5k# show access-list summary

IPV4 ACL ccierants
        Total ACEs Configured:4
        Configured on interfaces:   
                mgmt0 - ingress (Router ACL)
        Active on interfaces:   
                mgmt0 - ingress (Router ACL)
MAC ACL ccierantsmac
        Total ACEs Configured:2
        Configured on interfaces:   
                Ethernet1/8 - ingress (Port ACL)
        Active on interfaces:   
                Ethernet1/8 - ingress (Port ACL)
N5k#



So far so good. Let's now create a new MAC ACL for our VLAN access map, which will look a little... different...

N5k(config)# mac access-list vlanacl
N5k(config-mac-acl)# permit 28cf.da00.428f 0000.0000.0000 10bf.487d.c043 0000.0000.0000 ip
N5k(config-mac-acl)# exit



In this ACL we are configuring a PERMIT for the traffic we want to block. That's because a VLAN access map applies its action to the traffic the referenced ACL permits: the ACL selects the traffic and the access map decides what happens to it.

vlan access-map vlanacl
  match mac address vlanacl
  action drop
!

The above config states: any traffic matching this ACL, drop it.

vlan filter vlanacl vlan-list 10

This line applies the access map to VLAN 10.


Now this MAC ACL is applied to our VLAN. Note that show access-lists summary does not show VLAN bindings, so vlanacl appears with no interfaces even though it is in use by the access map (ccierantsmac also shows none now, as it is no longer bound to Ethernet1/8); use show vlan filter and show vlan access-map to confirm the VLAN binding:


N5k(config-if)# show access-lists summary

IPV4 ACL ccierants
        Total ACEs Configured:4
        Configured on interfaces:   
                mgmt0 - ingress (Router ACL)
        Active on interfaces:   
                mgmt0 - ingress (Router ACL)
MAC ACL ccierantsmac
        Total ACEs Configured:2
        Configured on interfaces:
        Active on interfaces:
MAC ACL vlanacl
        Total ACEs Configured:1
        Configured on interfaces:
        Active on interfaces:
N5k(config-if)# 



Unfortunately it is a little TOO effective, because now all traffic on this VLAN is being blocked. Why? Because the only entry in the access map has action drop, and there is no entry with action forward. Traffic that the vlanacl ACL permits hits the drop, and everything else matches no entry at all and is dropped as well, so nothing on VLAN 10 gets forwarded.

On a Nexus 7000 you can give each access-map entry a sequence number, so you can add a second entry that matches a permit-any ACL with action forward; on the N5k you cannot. This makes VLAN ACLs somewhat less useful on the N5k!
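To make the access-map behaviour concrete, here is an added example (not from the original post, and not NX-OS code) that models how the MAC ACL and the VLAN access map above evaluate a frame: the ACL wildcard masks, the ACL's implicit deny, the rule that a frame matches an access-map entry only when that entry's ACL permits it, the first-matching-entry action, and a drop for any frame no entry matches, which is what the N5k behaviour above shows. It compares the page's single-entry map with an assumed N7k-style map that adds a second entry (matching a permit-any ACL I have named permit-all) with action forward, and it also shows the point from the MAC ACL section earlier: an ACE with the ip keyword leaves ARP between the same two hosts untouched.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAC_BITS = 0xFFFFFFFFFFFF


@dataclass(frozen=True)
class MacAce:
    action: str                      # "permit" or "deny"
    src: str
    src_wildcard: str
    dst: str
    dst_wildcard: str
    ethertype: Optional[str] = None  # e.g. "ip"; None matches any protocol


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    ethertype: str                   # "ip", "arp", ...


def mac_to_int(mac: str) -> int:
    return int(mac.replace(".", ""), 16)


def mac_matches(addr: str, pattern: str, wildcard: str) -> bool:
    """Wildcard semantics as in the page's ACEs: a 1 bit in the wildcard is 'don't care',
    so 0000.0000.0000 is an exact match and ffff.ffff.ffff is 'any'."""
    care = ~mac_to_int(wildcard) & MAC_BITS
    return (mac_to_int(addr) & care) == (mac_to_int(pattern) & care)


def acl_permits(aces: List[MacAce], frame: Frame) -> bool:
    """First matching ACE wins; a frame that matches nothing hits the implicit deny."""
    for ace in aces:
        if (mac_matches(frame.src, ace.src, ace.src_wildcard)
                and mac_matches(frame.dst, ace.dst, ace.dst_wildcard)
                and (ace.ethertype is None or ace.ethertype == frame.ethertype)):
            return ace.action == "permit"
    return False


def vacl_action(access_map: List[Tuple[str, str]], acls: Dict[str, List[MacAce]], frame: Frame) -> str:
    """access_map is the ordered list of (match acl, action) entries. A frame matches an
    entry only when that entry's ACL permits it, the first matching entry's action applies,
    and a frame that matches no entry is dropped (the page's single-drop-entry result)."""
    for acl_name, action in access_map:
        if acl_permits(acls[acl_name], frame):
            return action
    return "drop"


HOST_A = "28cf.da00.428f"
HOST_B = "10bf.487d.c043"
EXACT = "0000.0000.0000"
ANY_ADDR, ANY_MASK = "0000.0000.0000", "ffff.ffff.ffff"

ACLS = {
    # The page's vlanacl: PERMIT the A->B IP traffic we intend to drop.
    "vlanacl": [MacAce("permit", HOST_A, EXACT, HOST_B, EXACT, "ip")],
    # Assumed helper ACL (my own name) for the second access-map entry.
    "permit-all": [MacAce("permit", ANY_ADDR, ANY_MASK, ANY_ADDR, ANY_MASK)],
}
# The page's N5k access map: one entry, action drop, nothing that forwards the rest.
N5K_MAP = [("vlanacl", "drop")]
# Assumed N7k-style map with a second sequence that forwards everything else.
N7K_MAP = [("vlanacl", "drop"), ("permit-all", "forward")]

if __name__ == "__main__":
    for name, amap in (("N5k map", N5K_MAP), ("N7k map", N7K_MAP)):
        for f in (Frame(HOST_A, HOST_B, "ip"), Frame(HOST_B, HOST_A, "ip"), Frame(HOST_A, HOST_B, "arp")):
            print(name, f, "->", vacl_action(amap, ACLS, f))
```

With the single-entry map every frame comes back as drop, including traffic between unrelated hosts and the reverse direction B to A; with the two-entry map only the A to B IPv4 frames are dropped, and the ARP frame between the same hosts is still forwarded because the ACE only names the ip EtherType.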

The great thing about these ACLs is that you can use them on both the N5k and the N7k. Note that you can also configure ACLs on an N1kv, but it obviously has no Layer 3 interfaces, so your IP ACLs are applied there as port ACLs:

 

Your usual show access-list summary command is so useful!





Alright hopefully so far you have found this interesting and informative!

3 comments:

  1. great article as usual! many thanks!!

    ReplyDelete
  2. Hi Peter,

    Thanks for the tutorial.
    What is the order in which the ACLs are processed, or which has higher precedence? Router ACL -> VLAN ACL -> Port ACL?
    For example, would an ACL on the router override the ACL at the VLAN or port level?


    I'm having a problem where I applied correctly the ACL to the Port Interface.
    The Match counters increment, but the desired outcome (permit or deny) is still happening.

    For example:

    I have applied the ACL "TACACS", which permits only TACACS and ping, with an implicit deny at the end to see the counters, to the port Eth1/10.

    Despite being shown as applied and active as a Port ACL, all other traffic besides ping and TACACS is still getting through! It shows up in the "deny ip any any" though.

    interface Ethernet1/10
    description MGMT - mykulm12wr02
    ip port access-group TACACS in
    switchport access vlan 10
    spanning-tree port type edge

    MYKULM12Core1# show ip acce sum
    IPV4 ACL TACACS
    Statistics enabled
    Total ACEs Configured: 12
    Configured on interfaces:
    Ethernet1/10 - ingress (Port ACL)
    Active on interfaces:
    Ethernet1/10 - ingress (Port ACL)


    MYKULM12Core1# show ip access TACACS

    IPV4 ACL TACACS
    statistics per-entry
    10 permit tcp any any eq tacacs [match=0]
    20 permit tcp any eq tacacs any [match=0]
    30 permit udp any any eq 1812 [match=0]
    40 permit udp any any eq 1813 [match=0]
    50 permit udp any any eq 1645 [match=0]
    60 permit udp any any eq 1646 [match=0]
    70 permit udp any eq 1812 any [match=0]
    80 permit udp any eq 1813 any [match=0]
    90 permit udp any eq 1645 any [match=0]
    100 permit udp any eq 1646 any [match=0]
    110 permit icmp any any [match=5]
    120 deny ip any any [match=154]
    MYKULM12Core1#

    ReplyDelete