Data Center:Network:Cisco:Nexus:Security:Access Control List (ACL)

Captions
So looking back at our slides, we also see that we can use ACLs with capture, for the purpose of capturing for SPAN or monitoring ports, in order to basically classify only certain types of traffic coming from a port. So let's actually go out to the command line. The topology that we'll be using for today is fairly simple; we'll use this, and then a modification of this, for our security and then next our QoS sections. But we have our two Nexus 7Ks and 5Ks, and we are basically going to take a look at just some basic Layer 2 and Layer 3 access lists. So we're not going to spend a lot of time on just basic access lists; they really haven't changed too much, with the, you know, obvious addition of object groups, if you're not used to using those in 6500s for instance, but we're certainly going to spend a good amount of time when we get to the security group ACL and TrustSec.

So here in our 7K, and we're in the default VDC of 7K-2, we can certainly, let's just make sure we have feature interface-vlan in case we want to put an SVI on. We can go through and create an IP access list, and we'll just say something like, we'll just give it, let's just say L3-PORT. The syntax really hasn't changed at all for a standard access list: permit or deny the particular type of traffic that we're going to want to classify. What protocol is it going to be, IP, ICMP? Is it going to be a routing protocol, EIGRP or OSPF? Are we trying to classify GRE traffic? Whatever it is we want to particularly permit, is it Layer 4, TCP or UDP? And of course we can, you know, do the same any, host, and then we can also use this address group. So if we want to use things like address groups, this is where we'll go out and we'll first create these address groups with object groups. So we can say object-group and we'll say either ip or ipv6; so we'll just create an IPv4 one and we'll call it, maybe, let's say servers. And so here within the address group we can choose that we want to, first of all, let me actually go back. At this point we can either choose address, so we're basing it on particular Layer 3 addresses, or port, for IPv4 and IPv6 TCP/UDP ports. So we chose address, we chose servers as our tag or name, and we'll just say something like: line 10 is the host of, I don't know, you know, 1.1.1.101 is one server; 20 is a host or even an entire network of, maybe, let's say 10.0.0.0/24, something like that. So we'll also create an object group for port, and maybe we'll call this web-based traffic. So we'll say 10 is going to basically be equal to, greater than, less than, or not equal to, or even a range of ports; those are our possible options here. So let's say equal to port 80, equal to port 443 for SSL, and I gave it a duplicate sequence number, so we'll say 20, and then 30 maybe is a range; maybe we want to do some Tomcat ports from 8000 to 8999 for instance.

So then we'll go back to our IP access list, let's say L3-PORT, or we could call it something a little more meaningful, probably would, and we could say something like 10 permit, let's say TCP, and we want to say the address group of servers. Actually, let's try this in reverse: let's say web, and then the port group of servers. So I'm actually giving it what should probably be considered an insane argument, and the parser is going to correct me and say that the object group with the given name, oops, exists with a different type. All right, sorry. So basically what it's saying is that web is not an address group, it's a port group, and servers is not a port group, it's an address group. So that's what we expected. Instead we want to say address group servers, and I don't remember if that's part of command completion. No, it doesn't bring that into the parser, so you do have to spell it out properly, and then port group of web. So from those two, any. OK, so there we have those, and then we could apply that to any Layer 3 port; we could apply it to a no-switchport interface, an SVI, a port channel as long as it was routed, etc.

OK, taking a look at VLAN ACLs, we can create VLAN access maps. So let's just call this VACL-MAP and we'll give it the sequence of 10. This again is not really any different from Catalyst-based VACLs, if you're familiar with those. So I might match an IP address list that I would have probably already created; let's say I want to match the IP address of, and I have to give it a list name, so we just created a list name, whoops, going to hit copy, let's just say L3-PORT. And then I can give it an action, so my action is going to be forward, drop, or redirect. So maybe I want to say action forward, and then I want to create VLAN access map VACL-MAP sequence 20, and I want to say match something else, which I would of course already have had to create, an IP or MAC access list, and then I could maybe give it the action of drop, for instance, if I want to permit all that traffic and drop all the rest. OK, or I could just drop everything else by not necessarily matching anything. I can also do something called statistics per-entry, so this basically allows me on a VACL, on a VLAN access list, to be able to have a lot more granular ACL logging in OAL, the optimized ACL logging. OK, so keep in mind the statistics per-entry for VACLs and the ability to get a little bit more granular logging. OK, so, and I didn't have a match rule, so it's just deleting that last line. And then when we want to apply this, we would say vlan filter, and we would come up and say the name of the VACL that we just created, VACL-MAP, and then apply it to a particular VLAN list. So I actually don't think we have, show vlan brief, we only have VLAN 1, but if I had more than one VLAN, here's where I could apply it to one or a list of multiple VLANs that I wanted.

OK, also we mentioned the hardware access-list command for update default-result permit. So what this does is that again, if there's not enough TCAM memory in order to write the second ACL above the first to hardware (and basically use, well, assuming that you have the same number of entries, twice as much TCAM memory, but certainly more) to write the second list before the first and then de-associate or un-write all the first set of ACEs from the switch-on-chip or the ASIC, we can result in a permit if the switch determines that it can't perform an atomic access-list update. And this is really done per application, so as I go to apply an ACL to an individual port, it's going to determine if it has the memory to do it, and it will try to be atomic, but if it cannot then the default is not to permit, but we can certainly allow that. The other option is that we can simply say no hardware access-list update atomic, so we can turn off atomic updates altogether, and this is a system-wide global setting. So if we do this, then we have to un-associate manually, or as we go and try to apply it, it will take the other one off and then write the new one to the ASIC, so potentially resulting in a security gap, a security policy gap.

Also, we talked about ACL-based capture and the fact that, you know, if we want to do hardware access-list capture, we can turn that on. It's disabling the logging for all VDCs; note that we're only doing this in the default VDC, but it's turning on ACLs for the purpose of capturing. We can create our ACL just as we would create any other ACL. Things that we are permitting are the interesting traffic that we want to capture; things that we are denying, we're not actually denying traffic, but instead we're denying that from being interesting traffic, so it's not captured. And then we would just simply apply this to a particular monitor session. So I would actually, I'd apply this, let's just go into an ACL, so let's say ip access-list CAP, and I might say that this is for capture session 1, and I would permit the traffic that was interesting, you know, maybe TCP any any eq 80, maybe permit TCP any any eq 443, and then deny IP any any. OK, and so I want to classify, I want to capture web-based traffic, either unencrypted or SSL-encrypted, and then I want to apply this to the interface. So I go and apply it to the particular interface; it's not actually blocking traffic, because it's noted that it's for a capture session. And then I would go out, let me just exit out here, and say monitor session and specify that this monitor session is going to be used for the type of ACL, so give it a monitor session destination, and I would apply that ACL to the monitor session. So that is one option that we have.

Also, something to keep in mind when we are talking about logging is the way that we're going to deal with the logging and look at it. Let's go back to the command line, and we're going to do show logging ip access-list cache. OK, now we don't have any ACLs applied to anything right now, but one of the things that we want to take a look at is, when we look at the logging level, we note that we have two different things that deal with ACLs: one is the ACL log and one is the ACL manager. So the ACL manager is dealing with the ACLs specifically; it's managing the ACLs and logging anything about them. The other is basically the ACL log manager, so it's actually dealing with the separate OAL functionality of the logs itself, and it's managing those processes. So the ACL manager is dealing with the actual application of the ACL and ACEs to ports and monitoring that process; the ACL log manager is taking care of the logging feature and functions for all ACLs, so dealing with that OAL process. OK, so we can specify, let's say, logging level acllog; let's say we want to see things at log severity 3, and we want to say acllog match-log-level 3. So when we go to look at any of the caching information, we want to first of all tell it to log anything that comes in at severity level 3, and then for the actual ACL that we're looking at, for the show logging ip access-list cache command, we want to match what we're seeing, not only what was written but what we're seeing, at severity level 3. And then we can also not only log to syslog, but we can actually do logging to a particular log file, and so we can specify a log file, so let's say ACL-LOGFILE, and then we have to specify, and of course we would say, if we wanted to log to that file at the same level that we were just specifying we were going to capture at and match, then severity level 3. OK, so basically any error levels; we're not quite going down to debugging, or even warnings or notifications, but certainly any immediate: emergency, alert, critical and error level. And then we could say show logging and the particular log file that we want to take a look at; we really haven't started logging anything. We can also do a show logging ip access-list status, and we can see these three parameters that we mentioned in the slides specifically related to the logging ip access-list cache command: so we can specify the number of entries cached in software, the interval at which to write these, or the particular threshold at which we want to update the log file. So there's really not too much that's different in ACL logging than there was in the Catalyst 6500, with a few other things, you know. I mentioned that OAL is the default, really our only option for logging; we can't disable it like we can on the Cat 6500, and it is on by default. We can use this for capturing, so that's very nice. But this really takes care of what we can and need to do in ACLs on the Nexus 7K.
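The commands the speaker walks through, assembled into one NX-OS 7000 configuration as an added example; this is not the speaker's own lab configuration. The object-group names (servers, web), ACL and access-map names (L3-PORT, VACL-MAP, CAP, ACL-LOGFILE), interface numbers, addresses, the VLAN list and the logging cache values are assumptions for illustration. The two hardware access-list update settings that open a policy gap are shown commented out next to the safe defaults so the trade-off is visible in one place.

```text
! Added example, not the speaker's configuration. Names, interfaces, addresses
! and cache values are assumptions for illustration.

feature interface-vlan

! Object groups: one address group and one port group. Referencing a port group
! where an address group is expected (or vice versa) is rejected by the parser
! with "exists with a different type".
object-group ip address servers
  10 host 1.1.1.101
  20 10.0.0.0/24
object-group ip port web
  10 eq 80
  20 eq 443
  30 range 8000 8999

! Layer 3 ACL built from the object groups: address group, then port group,
! then the destination. addrgroup/portgroup must be typed out in full.
ip access-list L3-PORT
  10 permit tcp addrgroup servers portgroup web any

! Applied to a routed port; an SVI or a routed port-channel takes it the same way.
interface ethernet 1/1
  no switchport
  ip address 10.0.0.1/24
  ip access-group L3-PORT in
  no shutdown

! VLAN ACL: forward what L3-PORT matches, drop everything else.
! statistics per-entry gives per-ACE counters for the VACL.
vlan access-map VACL-MAP 10
  match ip address L3-PORT
  action forward
  statistics per-entry
vlan access-map VACL-MAP 20
  action drop
vlan filter VACL-MAP vlan-list 10-20

! Hardware ACL update behaviour. Safe default: atomic update (new list is
! programmed before the old one is removed) and, if TCAM is short, the update
! fails instead of permitting traffic. Each commented line below trades a
! policy gap for availability:
!   hardware access-list update default-result permit  <- permit traffic while a
!                                                         non-atomic update runs
!   no hardware access-list update atomic              <- global: old list is
!                                                         unwritten before the new
!                                                         one is programmed
hardware access-list update atomic
no hardware access-list update default-result permit

! ACL-based capture: permit = interesting (captured), deny = not captured;
! nothing is blocked. Enabled globally, then each ACE names its capture session.
hardware access-list capture
ip access-list CAP
  10 permit tcp any any eq 80 capture session 1
  20 permit tcp any any eq 443 capture session 1
  30 deny ip any any
interface ethernet 1/3
  no switchport
  ip access-group CAP in
monitor session 1 type acl-capture
  destination interface ethernet 1/4
  no shut

! Logging: severity 3 (error) for the acllog process, match-log-level 3 for the
! cache, a dedicated logfile at the same severity, and the three cache
! parameters (entries, interval, threshold).
logging level acllog 3
acllog match-log-level 3
logging logfile ACL-LOGFILE 3
logging ip access-list cache entries 8000
logging ip access-list cache interval 300
logging ip access-list cache threshold 0

! Verification:
!   show logging ip access-list cache
!   show logging ip access-list status
!   show logging logfile
```

When reviewing a 7K, look for the two commented-out lines in the running configuration: either one means a port can be left without its ACL, or with traffic permitted, for the duration of an update, which is exactly the policy gap the walkthrough warns about.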
Info
Channel: IT-TALK IT-TALK
Views: 762
Id: uN6GEVdjFSE
Length: 17min 7sec (1027 seconds)
Published: Mon Nov 19 2018