Filtering by Application

Problem

You want to filter access to certain applications.

Solution

Extended IP access-lists can also filter based on application information, such as protocol and port numbers:

Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#access-list 151 permit tcp any any eq www Router1(config)#access-list 151 deny tcp any any gt 1023 Router1(config)#access-list 151 permit icmp any any Router1(config)#access-list 151 permit udp any any eq ntp Router1(config)#access-list 151 deny ip any any Router1(config)#interface Serial0/1 Router1(config-if)#ip access-group 151 in Router1(config-if)#exit Router1(config)#end Router1#

 

Discussion

This example shows how to construct an Extended IP ACL to filter traffic based on application. In Recipe 19.1, we showed how to use Extended IP ACLs to match on any combination of source and/or destination IP addresses. But the Extended IP ACL also allows you to match on just about anything in the IP packet header.

The first argument after the permit or deny keyword represents the IP protocol number:

Router1(config)#access-list 151 permit tcp any any eq www

In this case, we want to match a TCP-based application, so we have used the keyword tcp in this position. This field represents the IP protocol number, which is an 8-bit value. TCP is protocol number 6, UDP is 17, and ICMP uses protocol number 1. The IANA has registered 134 different protocol numbers. You can find the complete list of registered IP protocols online at http://www.iana.org/assignments/protocol-numbers. Cisco supplies helpful mnemonics for several of these protocols, such as the tcp, udp, and icmp keywords used in the example, so you don't have to remember the protocol numbers. Table 19-2 shows all of the IP protocols for which Cisco supplies mnemonic keywords. You can always use the protocol number in decimal form if you prefer, but the router will replace it with the mnemonic in its configuration file.

Table 19-2. I P protocol numbers and their Extended ACL keywords

Protocol number Keyword Description
1 icmp Internet Control Message Protocol
2 igmp Internet Gateway Message Protocol
4 ipinip IP in IP tunnel protocol
6 tcp Transmission Control Protocol
9 igrp Interior Gateway Routing Protocol
17 udp User Datagram Protocol
21 nos KA9Q tunnel protocol
47 gre Generic Routing Encapsulation tunnel protocol
50 esp IPSec Encapsulation Security Payload
51 ahp IPSec Authenticating Header Protocol
88 eigrp Enhanced Interior Gateway Routing Protocol
89 ospf Open Shortest Path First routing protocol
103 pim Protocol Independent Multicast protocol
108 pcp IP Payload Compression Protocol

And, as we showed in Recipe 19.1, you can match on any IP protocol number by simply using the keyword ip.

After the IP protocol number or keyword are the source and destination IP addresses. We described how to use these fields in Recipe 19.1. Recall that the address keyword any is a shorthand that stands for an address of 0.0.0.0 with a wildcard pattern of 255.255.255.255.

Following each address is an optional field where you can specify particular protocol information such as port numbers. In the following example, we match on TCP port 80, which is used by the HTTP protocol. The router has a set of mnemonics for TCP and UDP port numbers, which we list below. These are similar to the protocol number mnemonics mentioned in Table 19-2. In this case, the mnemonic for port 80 is www:

Router1(config)#access-list 151 permit tcp any any eq www

Notice that the keywords eq www appear after the destination IP address, rather than the source IP address. This is because we are looking for the destination TCP port number. If you need to match on a source port number instead, you could simply move these keywords to follow the source IP address:

Router1(config)#access-list 151 permit tcp any eq wwwany

And, of course, you can always match on both:

Router1(config)#access-list 151 permit tcp any eq wwwanyeq www

Note, however, that this ACL will only score a correct match if both source and destination TCP port numbers match. If you wanted to match HTTP traffic between any two devices, and you didn't know which device had initiated the TCP session, you would need to include two separate lines like this:

Router1(config)#access-list 151 permit tcp any anyeq www Router1(config)#access-list 151 permit tcp any eq wwwany

You can see all of the possible mnemonic keywords simply by using the online help facility:

Router1(config)#access-list 151 permit tcp any eq ? <0-65535> Port number bgp Border Gateway Protocol (179) chargen Character generator (19) cmd Remote commands (rcmd, 514) daytime Daytime (13) discard Discard (9) domain Domain Name Service (53) echo Echo (7) exec Exec (rsh, 512) finger Finger (79) ftp File Transfer Protocol (21) ftp-data FTP data connections (20) gopher Gopher (70) hostname NIC hostname server (101) ident Ident Protocol (113) irc Internet Relay Chat (194) klogin Kerberos login (543) kshell Kerberos shell (544) login Login (rlogin, 513) lpd Printer service (515) nntp Network News Transport Protocol (119) pim-auto-rp PIM Auto-RP (496) pop2 Post Office Protocol v2 (109) pop3 Post Office Protocol v3 (110) smtp Simple Mail Transport Protocol (25) sunrpc Sun Remote Procedure Call (111) syslog Syslog (514) tacacs TAC Access Control System (49) talk Talk (517) telnet Telnet (23) time Time (37) uucp Unix-to-Unix Copy Program (540) whois Nicname (43) www World Wide Web (HTTP, 80) Router1#

As with the IP protocol numbers listed in Table 19-2, you can substitute the decimal numerical value for any of these keywords, and the router will replace it with the keyword.

The IANA reserves the TCP port numbers 1024 and above for local and temporary applications. Many TCP implementations use these high numbered ports for source port numbers, and for temporary or ephemeral purposes. It is relatively common to see ACLs that restrict the use of these ports. We included a sample ACL rule in this recipe:

Router1(config)#access-list 151 deny tcp any any gt 1023

This command blocks all packets that have a destination port number greater than 1023 (that is, ports 1024 through 65535). Remember that TCP applications often use these high port numbers for source ports. So you need to be careful about traffic direction when you apply such an ACL.

There is a similar set of port numbers for UDP applications:

Router2(config)#access-list 151 permit udp any eq ? <0-65535> Port number biff Biff (mail notification, comsat, 512) bootpc Bootstrap Protocol (BOOTP) client (68) bootps Bootstrap Protocol (BOOTP) server (67) discard Discard (9) dnsix DNSIX security protocol auditing (195) domain Domain Name Service (DNS, 53) echo Echo (7) isakmp Internet Security Association and Key Management Protocol (500) mobile-ip Mobile IP registration (434) nameserver IEN116 name service (obsolete, 42) netbios-dgm NetBios datagram service (138) netbios-ns NetBios name service (137) netbios-ss NetBios session service (139) non500-isakmp Internet Security Association and Key Management Protocol (4500) ntp Network Time Protocol (123) pim-auto-rp PIM Auto-RP (496) rip Routing Information Protocol (router, in.routed, 520) snmp Simple Network Management Protocol (161) snmptrap SNMP Traps (162) sunrpc Sun Remote Procedure Call (111) syslog System Logger (514) tacacs TAC Access Control System (49) talk Talk (517) tftp Trivial File Transfer Protocol (69) time Time (37) who Who service (rwho, 513) xdmcp X Display Manager Control Protocol (177) Router2(config)#

So, for example, you could block all Sun RPC traffic, which includes important but chatty applications such as Network File System (NFS) as follows:

Router1(config)#access-list 151 deny udp any eq sunrpc any Router1(config)#access-list 151 deny udp any any eq sunrpc

Because we applied the UDP port number file separately to the source and destination ports, this will block RPC traffic going in either direction.

Once again, with UDP port numbers, as with TCP port numbers, the values from 1024 through 65535 are often used for temporary purposes such as source port numbers. So you can control the use of these port numbers with a similar ACL rule to the one we discussed above for high TCP port numbers:

Router1(config)#access-list 151 deny udp any any gt 1023

 

See Also

Recipe 19.1; Recipe 19.6

Категории