Configuring Access Control Lists (ACLs) - Cisco SCE 8000 10GBE Software Configuration Manual

Configuring Access Control Lists (ACLs)

• Adding Entries to an ACL, page 5-33
• Removing an ACL, page 5-33
• Defining a Global ACL, page 5-34

The Cisco SCE platform can be configured with Access Control Lists (ACLs), which are used to permit or deny incoming connections on the management interface. An access list is an ordered list of entries, each consisting of an IP address and an optional wildcard "mask" defining an IP address range, and a permit/deny field.

The order of the entries in the list is important. The default action of the first entry that matches the connection is used. If no entry in the Access List matches the connection, or if the Access List is empty, the default action is deny.

Configuration of system access is done in two stages:
1. Creating an access list. (See the "Adding Entries to an ACL" section on page 5-33.)
2. Associating the ACL with a management service. (See the "Defining a Global ACL" section on page 5-34.)

Creating an access list is done entry by entry, from the first to the last.

When the system checks for an IP address on an access list, the system checks each line in the ACL for the IP address, starting at the first entry and moving towards the last entry. The first match that is detected (that is, the IP address being checked is found within the IP address range defined by the entry) determines the result, according to the permit/deny flag in the matched entry. If no matching entry is found in the ACL, access is denied.

You can create up to 99 ACLs. ACLs can be associated with system access on the following levels:

• Global (IP) level: If a global list is defined using the ip access-class command, when a request comes in, the Cisco SCE platform first checks if there is permission for access from that IP address. If not, the Cisco SCE does not respond to the request. Configuring the Cisco SCE platform to deny a certain IP address would preclude the option of communicating with that address using any IP-based protocol including Telnet, FTP, ICMP, RPC, SSH, and SNMP. The basic IP interface is low-level, blocking the IP packets before they reach the interfaces.

• Service level: Access to each management service (Telnet, SNMP, and SSH) can be restricted to an ACL. Interface-level lists are, by definition, a subset of the global list defined. If access is denied at the global level, the IP will not be allowed to access using one of the interfaces. Once an ACL is associated with a specific management service, that service checks the ACL to find out if there is permission for a specific external IP address trying to access the management interface.

Use the following CLI commands to assign an ACL to the specified management service:
– Telnet: access-class in
– SSH: ip ssh access-class
– SNMP: snmp-server community

It is possible to configure several management services to the same ACL, if this is the desired behavior of the Cisco SCE platform.

If no ACL is associated with a management service or with the global IP level, access is permitted from all IP addresses.

Chapter 5  Configuring the Management Interface and Security
Cisco SCE 8000 10GBE Software Configuration Guide  OL-30621-02  5-32
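As an added example (not code from the Cisco guide), the following Python model reproduces the evaluation rules described above: ordered first-match evaluation, deny when the list is empty or nothing matches, the global check before the per-service check, and permit-from-all when no ACL is bound to a service. It assumes the Cisco wildcard convention in which a 1 bit in the mask means "any value in that bit"; the addresses and lists are constructed for the demonstration.

```python
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

# Entry: (action, base address, wildcard mask). The wildcard is optional in the
# CLI; a missing wildcard is modelled as 0.0.0.0, i.e. an exact host match.
Entry = Tuple[str, str, str]


def wildcard_match(addr: str, base: str, wildcard: str = "0.0.0.0") -> bool:
    """Assumed Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w  # bits that must match exactly
    return (a & care) == (b & care)


def acl_check(acl: List[Entry], addr: str) -> bool:
    """Ordered evaluation: the first matching entry decides; no match or an empty list means deny."""
    for action, base, wildcard in acl:
        if wildcard_match(addr, base, wildcard):
            return action == "permit"
    return False


def management_access(addr: str, service: str,
                      global_acl: Optional[List[Entry]] = None,
                      service_acls: Optional[Dict[str, List[Entry]]] = None) -> bool:
    """The global (ip access-class) list is consulted first; a source denied there
    gets no response for any service. A service with no ACL bound is open to every
    source that passed the global check."""
    if global_acl is not None and not acl_check(global_acl, addr):
        return False
    acl = (service_acls or {}).get(service)
    return acl is None or acl_check(acl, addr)


# Constructed sample lists (not from the guide).
GLOBAL_ACL: List[Entry] = [
    ("deny", "10.1.1.99", "0.0.0.0"),     # one blocked host, listed first...
    ("permit", "10.1.1.0", "0.0.0.255"),  # ...before the subnet that contains it
]
SSH_ACL: List[Entry] = [("permit", "10.1.1.10", "0.0.0.0")]
SERVICE_ACLS: Dict[str, List[Entry]] = {"ssh": SSH_ACL}  # Telnet and SNMP: no list bound

if __name__ == "__main__":
    for src, svc in [("10.1.1.10", "ssh"), ("10.1.1.50", "ssh"), ("10.1.1.50", "telnet"),
                     ("10.1.1.99", "telnet"), ("10.2.0.1", "ssh")]:
        verdict = management_access(src, svc, GLOBAL_ACL, SERVICE_ACLS)
        print(f"{src:>10} -> {svc:<6} {'permit' if verdict else 'deny'}")
```

Swapping the two GLOBAL_ACL entries makes the subnet permit match 10.1.1.99 first, which is the ordering pitfall the text warns about.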