24.3 Service ACLs
These sections describe Service ACLs:
24.3.1 Service ACL Description
Service ACL enforcement is a feature added to a control plane service (the SSH server, the SNMP server, routing protocols, etc.) that allows the switch administrator to restrict which packets and connections the control plane processes implementing that service will process. The program run by the control plane process checks packets and connections it has already received against a user-configurable access control list (ACL), the Service ACL. A Service ACL contains permit and deny rules that match on any of the source address, destination address, and TCP or UDP ports of received packets or connections. After receiving a packet or connection, the control plane process evaluates it against the rules of the Service ACL configured for that process; if it matches a deny rule, the process drops the packet or closes the connection without further processing.
Control Plane Process Enforced Access Control enables the system administrator to restrict which systems on the network can access the services provided by the switch. Each service has its own access control list, giving the system administrator fine-grained control over access to the switch's control plane services. The CLI uses the familiar pattern of an access control list assigned for a specific purpose, in this case to each control plane service.
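The evaluation described above, as an added example (my own Python model, not EOS code): an EOS-style ACL definition is parsed by a deliberately simplified parser, each received connection is checked against the rules in sequence order, the first matching rule decides and has its counter incremented, and a connection that matches no rule is denied, mirroring the implicit deny at the end of an ACL. The ACL text, the SERVICE_PORTS name-to-port table and the connection attempts are all constructed for the example.

```python
# Added example (not EOS code): a simplified model of how a control plane
# process evaluates a received connection against its Service ACL. The ACL
# text uses EOS-style syntax, but the parser is my own and only understands
# permit/deny, protocol ip/tcp/udp, 'any', 'host <addr>', prefixes, and an
# optional 'eq <port>' destination port.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Service-name-to-port mapping used by this parser (assumption of the example).
SERVICE_PORTS = {"ssh": 22, "telnet": 23, "snmp": 161, "bgp": 179, "https": 443}


@dataclass
class Rule:
    seq: int
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches any protocol, else "tcp"/"udp"
    src: Optional[Network]  # None means "any"
    dst: Optional[Network]  # None means "any"
    dport: Optional[int]    # None means any destination port
    hits: int = 0           # per-rule counter, as 'show ... access-list' reports


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    proto: str
    dport: int


def _parse_target(tokens: List[str], i: int) -> Tuple[Optional[Network], int]:
    """Consume 'any', 'host <addr>' or '<prefix>/<len>' starting at tokens[i]."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(tokens[i], strict=False), i + 1


def parse_acl(text: str) -> List[Rule]:
    """Parse an ACL definition into rules ordered by sequence number."""
    rules = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[:2] in (["ip", "access-list"], ["ipv6", "access-list"]):
            continue  # blank line or the header naming the ACL
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
            raise ValueError(f"unsupported rule: {raw!r}")
        src, i = _parse_target(tokens, 3)
        dst, i = _parse_target(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            port = tokens[i + 1]
            dport = SERVICE_PORTS.get(port) or int(port)
        rules.append(Rule(seq, action, proto, src, dst, dport))
    return sorted(rules, key=lambda r: r.seq)


def _matches(rule: Rule, conn: Connection) -> bool:
    if rule.proto != "ip" and rule.proto != conn.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(conn.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(conn.dst) not in rule.dst:
        return False
    return rule.dport is None or rule.dport == conn.dport


def evaluate(rules: List[Rule], conn: Connection) -> Tuple[str, Optional[int]]:
    """First matching rule decides and is counted; no match means the
    implicit deny at the end of the list, reported with sequence None."""
    for rule in rules:
        if _matches(rule, conn):
            rule.hits += 1
            return rule.action, rule.seq
    return "deny", None


def counters(rules: List[Rule]) -> dict:
    return {rule.seq: rule.hits for rule in rules}


# Constructed sample: an ACL for 'management ssh' that permits SSH from a
# management subnet and one jump host and denies everything else.
SSH_ACL = """
ip access-list MGMT-SSH
   10 permit tcp 10.10.0.0/24 any eq ssh
   20 permit tcp host 192.0.2.7 any eq ssh
   30 deny ip any any
"""


def demo():
    rules = parse_acl(SSH_ACL)
    attempts = [  # constructed connection attempts as seen by the SSH server
        Connection("10.10.0.44", "10.10.0.1", "tcp", 22),    # management subnet
        Connection("192.0.2.7", "10.10.0.1", "tcp", 22),     # the jump host
        Connection("198.51.100.9", "10.10.0.1", "tcp", 22),  # unknown source
        Connection("10.10.0.44", "10.10.0.1", "udp", 22),    # wrong protocol
    ]
    results = [evaluate(rules, conn) for conn in attempts]
    return results, counters(rules)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running the script evaluates the four constructed attempts and then prints the per-rule counters, which is the information the show commands in the following sections report for a real Service ACL; the fourth attempt shows that a protocol mismatch falls through to the final deny rule rather than to the permit rule for the same source.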
24.3.2 Configuring Service ACLs and Displaying Status and Counters
24.3.2.1 SSH Server
To apply the SSH server Service ACLs for IPv4 and IPv6 traffic, use the ip access-group (Service ACLs) and ipv6 access-group (Service ACLs) commands in mgt-ssh configuration mode as shown below.
(config)# management ssh
(config-mgmt-ssh)# ip access-group <acl_name> [vrf <vrf_name>] in
(config-mgmt-ssh)# ipv6 access-group <acl_name> [vrf <vrf_name>] in
In EOS 4.19.0, all VRFs are required to use the same SSH server Service ACL. The Service ACL assigned without the vrf keyword is applied to all VRFs where the SSH server is enabled.
To display the status and counters of the SSH server Service ACLs, use the following commands.
(switch)> show management ssh ip access-list
(switch)> show management ssh ipv6 access-list
24.3.2.2 SNMP Server
To apply the SNMP server Service ACLs to restrict which hosts can access SNMP services on the switch, use the snmp-server community command as shown below.
(config)# snmp-server community <community-name> [view <viewname>] [ro | rw] <acl_name>
(config)# snmp-server community <community-name> [view <viewname>] [ro | rw] ipv6 <ipv6_acl_name>
24.3.2.3 EAPI
To apply Service ACLs to the EOS application programming interface (EAPI) server, use the ip access-group (Service ACLs) and ipv6 access-group (Service ACLs) commands as shown below.
(config)# management api http-commands
(config-mgmt-api-http-cmds)# vrf <vrf_name>
(config-mgmt-api-http-cmds-vrf-<vrf>)# ip access-group <acl_name>
(config-mgmt-api-http-cmds-vrf-<vrf>)# ipv6 access-group <ipv6_acl_name>
Note: To configure a Service ACL for the EAPI server in the default VRF, use the vrf default command to enter the per-VRF configuration mode for the default VRF before using the ip access-group (Service ACLs) or ipv6 access-group (Service ACLs) command.
To display the status and counters of the EAPI server Service ACLs, use the following commands.
(switch)> show management api http-commands ip access-list
(switch)> show management api http-commands ipv6 access-list
24.3.2.4 BGP
To apply Service ACLs for controlling connections to the BGP routing protocol agent, use the ip access-group (Service ACLs) and ipv6 access-group (Service ACLs) commands as shown below.
(config)# router bgp <asn>
(config-router-bgp)# ip access-group <acl_name>
(config-router-bgp)# ipv6 access-group <ipv6_acl_name>
(config-router-bgp)# vrf <vrf_name>
(config-router-bgp-vrf-<vrf>)# ip access-group <acl_name>
(config-router-bgp-vrf-<vrf>)# ipv6 access-group <ipv6_acl_name>
To display the status and counters of the BGP routing protocol Service ACLs, use the following commands.
(switch)> show bgp ipv4 access-list
(switch)> show bgp ipv6 access-list
24.3.2.5 OSPF
To apply Service ACLs for controlling packets processed by the OSPF routing protocol agent, use the ip access-group (Service ACLs) and ipv6 access-group (Service ACLs) commands as shown below.
(config)# router ospf <id>
(config-router-ospf)# ip access-group <acl_name>
(config-router-ospf)# ipv6 access-group <ipv6_acl_name>
When using VRFs, each per-VRF OSPF instance must be assigned its Service ACL explicitly.
To display the status and counters of the OSPF routing protocol Service ACLs, use the following commands.
(switch)> show ospf ipv4 access-list
(switch)> show ospf ipv6 access-list
24.3.2.6 PIM
To apply Service ACLs for controlling packets processed by the PIM routing protocol agent, use the access-group command as shown below.
(config)# router pim
(config-router-pim)# ipv4
(config-router-pim-ipv4)# access-group <acl_name>
(config-router-pim-ipv4)# vrf <vrf_name>
(config-router-pim-vrf-<vrf>)# ipv4
(config-router-pim-vrf-<vrf>-ipv4)# access-group <acl_name>
To display the status and counters of the PIM routing protocol Service ACLs, use the following commands.
(switch)> show ip pim access-list
24.3.2.7 IGMP
To apply Service ACLs for controlling packets processed by the IGMP management protocol agent, use the ip igmp access-group command as shown below.
(config)# router igmp
(config-router-igmp)# ip igmp access-group <acl_name>
(config-router-igmp)# vrf <vrf_name>
(config-router-igmp-vrf-<vrf>)# ip igmp access-group <acl_name>
To display the status and counters of the IGMP management protocol Service ACLs, use the following commands.
(switch)> show ip igmp access-list
24.3.2.8 DHCP Relay
To apply Service ACLs for controlling packets processed by the DHCP relay agent, use the ip dhcp relay access-group and ipv6 dhcp relay access-group commands as shown below.
(config)# ip dhcp relay access-group <acl_name> [vrf <vrf_name>]
(config)# ipv6 dhcp relay access-group <acl_name> [vrf <vrf_name>]
To display the status and counters of the DHCP relay agent Service ACLs, use the following commands.
(switch)> show ip dhcp relay access-list
(switch)> show ipv6 dhcp relay access-list
24.3.2.9 LDP
To apply Service ACLs for controlling packets and connections processed by the LDP MPLS label distribution protocol, use the ip access-group (Service ACLs) command as shown below.
(config)# mpls ldp
(config-mpls-ldp)# ip access-group <acl_name>
To display the status and counters of the LDP Service ACLs, use the following command.
(switch)> show mpls ldp access-list
24.3.2.10 LANZ
To apply Service ACLs for controlling connections accepted by the LANZ agent, use the ip access-group (Service ACLs) and ipv6 access-group (Service ACLs) commands as shown below.
(config)# queue-monitor streaming
(config-qm-streaming)# ip access-group <acl_name>
(config-qm-streaming)# ipv6 access-group <ipv6_acl_name>
To display the status and counters of the LANZ Service ACLs, use the following command.
(switch)> show queue-monitor streaming access-lists
24.3.2.11 MPLS Ping and Traceroute
To apply Service ACLs for controlling connections accepted by the MPLS Ping agent, use the ip access-group (Service ACLs) and ipv6 access-group (Service ACLs) commands as shown below.
(config)# mpls ping
(config-mpls-ping)# ip access-group <acl_name> [vrf <vrf_name>]
(config-mpls-ping)# ipv6 access-group <ipv6_acl_name> [vrf <vrf_name>]
24.3.2.12 Telnet Server
To apply Service ACLs to the Telnet server, use the ip access-group (Service ACLs) and ipv6 access-group (Service ACLs) commands as shown below.
(config)# management telnet
(config-mgmt-telnet)# ip access-group <acl_name> [vrf <vrf_name>] in
(config-mgmt-telnet)# ipv6 access-group <ipv6_acl_name> [vrf <vrf_name>] in
In EOS 4.19.0, all VRFs are required to use the same Telnet server Service ACL. The Service ACL assigned without the vrf keyword is applied to all VRFs where the Telnet server is enabled.
To display the status and counters of the Telnet server Service ACLs, use the following commands.
(switch)> show management telnet ip access-list
(switch)> show management telnet ipv6 access-list
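A check a practitioner would want after working through the configuration steps in 24.3.2: an added example (my own Python, not an EOS tool) that scans a running-config for the services listed in this section and reports any configured service that has no Service ACL applied. The running-config text is constructed for the example; the SERVICES table only contains the openers and access-group commands shown in this section, and the script assumes the usual EOS layout in which commands nested under a top-level command are indented and blocks are separated by "!" lines.

```python
# Added example (not EOS code): find control plane services that are
# configured but have no Service ACL applied to them.
from typing import Dict, List

# Constructed sample running-config, not taken from a real switch.
RUNNING_CONFIG = """\
management ssh
   ip access-group MGMT-SSH in
!
management api http-commands
   no shutdown
   vrf default
      ip access-group MGMT-EAPI
      ipv6 access-group MGMT-EAPI6
!
snmp-server community monitor ro MGMT-SNMP
snmp-server community public ro
!
router bgp 65001
   neighbor 10.1.1.2 remote-as 65002
!
"""

# Top-level command that opens each service's configuration mode and the
# access-group commands that apply a Service ACL inside it (from 24.3.2).
SERVICES = {
    "ssh":    ("management ssh",               ["ip access-group", "ipv6 access-group"]),
    "telnet": ("management telnet",            ["ip access-group", "ipv6 access-group"]),
    "eapi":   ("management api http-commands", ["ip access-group", "ipv6 access-group"]),
    "bgp":    ("router bgp",                   ["ip access-group", "ipv6 access-group"]),
    "ospf":   ("router ospf",                  ["ip access-group", "ipv6 access-group"]),
    "ldp":    ("mpls ldp",                     ["ip access-group"]),
    "lanz":   ("queue-monitor streaming",      ["ip access-group", "ipv6 access-group"]),
}


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Map each unindented command to the stripped lines nested under it
    (at any depth, so per-VRF sub-modes are included)."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current = line.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks


def audit(config: str) -> Dict[str, List[str]]:
    """Return, per configured service block, the Service ACL commands it
    lacks; SNMP communities are checked for a trailing ACL name."""
    blocks = parse_blocks(config)
    findings: Dict[str, List[str]] = {}
    for opener, needed in SERVICES.values():
        for key, body in blocks.items():
            if key == opener or key.startswith(opener + " "):
                missing = [cmd for cmd in needed
                           if not any(line.startswith(cmd + " ") for line in body)]
                if missing:
                    findings[key] = missing
    for key in blocks:
        tokens = key.split()
        if tokens[:2] != ["snmp-server", "community"]:
            continue
        mode = next((i for i, t in enumerate(tokens) if t in ("ro", "rw")), None)
        rest = tokens[mode + 1:] if mode is not None else []
        if not [t for t in rest if t != "ipv6"]:
            findings[key] = ["<acl_name>"]  # community accepted from any host
    return findings


if __name__ == "__main__":
    for block, missing in audit(RUNNING_CONFIG).items():
        print(f"{block}: missing {', '.join(missing)}")
```

The script reports only services that are present in the configuration; a service that is not configured at all (telnet in the sample) produces no finding, so pair it with a review of which services are enabled. The SNMP check treats a community with no ACL name after ro/rw as open to every host, which is the case this section's snmp-server community form is meant to prevent.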