This router was initially configured through SDM software and later modified by CCP. They created the following ACLs:
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit any
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq telnet
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 22
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq www
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 443
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq cmd
access-list 100 permit udp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq snmp
access-list 100 deny tcp any host 10.10.10.1 eq telnet
access-list 100 deny tcp any host 10.10.10.1 eq 22
access-list 100 deny tcp any host 10.10.10.1 eq www
access-list 100 deny tcp any host 10.10.10.1 eq 443
access-list 100 deny tcp any host 10.10.10.1 eq cmd
access-list 100 deny udp any host 10.10.10.1 eq snmp
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
My uneducated guess is that the red ACL 101 virtually duplicates the green ACL 2, and that both of them negate the rest of the ACLs. Is that correct? What is the best course of action regarding securing access to this router?
You have different ACLs there. One rule is in ACL 2, the other one is in ACL 101, and another set of rules is in ACL 100... I don't see how ACL 2 and 101 could negate each other or any other rule in another ACL. These are independent rules in different ACLs. Or did I misunderstand your question?
Regarding your question about how to secure your device. Here would be a good start:
Your ACLs are all independent of each other. As such, ACL2 and ACL101 have no effect on ACL100. Think of them as namespaces. Access-lists are processed top-down only within the same access-list. Your router will not process Access-List 1, then Access-list 2, then Access-list 3 for the same traffic. You can only apply 1 ACL to a direction on any particular interface.
For example, if you wanted ACL100 to govern the traffic to your device, you would apply ACL100 to your inbound or outbound interface.
It can be easy in SDM to create multiple access lists without realizing what you are doing.
Access-list 2 is a standard access-list, and does not consider anything other than IP addresses and to permit or deny the traffic.
Access-list 100 & 101 are extended access-lists, and can consider the source IP, destination IP, protocol, and type of traffic (port #).
No, they are not applied summarily. As the others have said, they are treated as individual access-lists. They may or may not be in use on your router; we can't see, because you haven't supplied the rest of the config. Access-lists can be used for all kinds of things other than simply denying or permitting traffic through an interface, e.g. QoS packet matching, NAT configurations, Policy Based Routing, etc.
To see whether these ACLs are actually being used, you need to look at the whole router config to see if they have been applied anywhere.
Does that mean that ACLs are applied only to certain interfaces and only in specific direction (in or out)?
I thought of them as sort of firewall where they were numbered for convenience, but applied summarily.
ACLs on routers are applied to interfaces with a direction. For example:
- You want to apply ACL 101 to traffic coming in from the internet towards your company. Your router has a WAN interface Serial0/0.
- You would do:
- conf t
- int s0/0
- ip access-group 101 in
This would look something like this:
interface Serial0/0
 description WAN Interface
 ip address 220.127.116.11 255.255.255.252
 ip access-group 101 in
That will have all traffic coming inbound to that interface be passed through your access-list 101 before it is allowed to continue through the traffic path. Think of the number on the access-list as a unique identifier or name in the context of firewall ACLs. You may have a firewall ACL called "outside_access_in", and one called "inside_access_out" that serve two different purposes. All the traffic through the firewall does not pass through both access-lists, only the one that is applied to the specific interface.
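An added Python model of the behaviour described in these answers (not from the original thread and not a Cisco tool): each numbered ACL is parsed on its own, only the ACL bound to a given interface and direction with ip access-group is consulted, entries are tried top-down with first match winning, and an unmatched packet hits the implicit deny; a standard ACL (1-99) checks the source only, an extended one (100-199) also checks protocol, destination and port. The ACL lines are those from the question; the packets and interface bindings are constructed.

```python
import ipaddress
# ACL lines below are copied from the question; everything else is constructed.
CONFIG = """
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 22
access-list 100 deny tcp any host 10.10.10.1 eq 22
access-list 100 permit ip any any
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
"""
PORTS = {"telnet": 23, "www": 80, "cmd": 514, "snmp": 161}  # IOS port keywords

def parse_acls(config):
    """Group non-remark 'access-list N ...' lines by number, keeping order."""
    acls = {}
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "access-list" and t[2] != "remark":
            acls.setdefault(int(t[1]), []).append(t[2:])
    return acls

def _addr(t, i):
    """Consume 'any', 'host A' or 'A WILDCARD' (an IOS wildcard is a hostmask)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    spec = t[i + 1] if t[i] == "host" else f"{t[i]}/{t[i + 1]}"
    return ipaddress.ip_network(spec, strict=False), i + 2

def entry_matches(number, e, pkt):
    """Standard ACLs (1-99) test source only; extended (100-199) test more."""
    extended = number >= 100
    if extended and e[1] not in ("ip", pkt["proto"]):
        return False
    src, i = _addr(e, 2 if extended else 1)
    if ipaddress.ip_address(pkt["src"]) not in src:
        return False
    if extended:
        dst, i = _addr(e, i)
        if ipaddress.ip_address(pkt["dst"]) not in dst:
            return False
        if i < len(e) and e[i] == "eq":
            if pkt["dport"] != (PORTS.get(e[i + 1]) or int(e[i + 1])):
                return False
    return True

def check(acls, bindings, interface, direction, pkt):
    """Consult only the ACL bound with 'ip access-group N in|out' here: top-down,
    first match wins, implicit deny at the end; nothing bound means no filtering."""
    number = bindings.get((interface, direction))
    for e in (acls[number] if number else []):
        if entry_matches(number, e, pkt):
            return e[0]
    return "deny" if number else "permit"
```

Binding ACL 100 inbound on Serial0/0 denies outside hosts reaching 10.10.10.1 on port 22 while letting inside hosts through, and ACL 2 and ACL 101 play no part unless they are themselves bound somewhere.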