Category Archives: Firewalls

Introduction to IOS IPv6 ACLs

This post quickly discusses simple Cisco IOS IPv6 Access Control Lists (ACLs). As summarized in the figure, the construction logic of the ACL is basically identical to the classic v4 ACLs (those that do not use object-groups). The permit (or deny) statements are created by specifying the following elements (in this order):

  • source of the traffic
  • destination of the traffic
  • services involved (from source to destination)

One noticeable difference is the way v6 ACLs are applied to interfaces: the correct command is ipv6 traffic-filter (and not something such as “ipv6 access-group”). Note also that IOS IPv6 ACLs are always named; there is no numbered form.

Basic Description of simple IOS IPv6 ACLs

** Notes:

  • Object-groups for v6 elements are not supported on IOS (at the time of writing).
  • IOS supports IPv6 ACLs that allow filtering based on the v6 extension headers.
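As an added example (not part of the original post), the following IOS configuration puts the source / destination / service ordering, the extension-header keywords and the ipv6 traffic-filter command together in one named ACL. The ACL name, prefixes and interface are assumed for illustration; 2001:db8::/32 is documentation space.

```cisco
! Added example, not from the original post. Names, prefixes and the
! interface are assumptions; 2001:db8::/32 is the IPv6 documentation prefix.
!
! Each entry lists: protocol, source, destination, then the service.
ipv6 access-list EDGE-IN
 remark --- management: SSH to the router only from the admin prefix
 permit tcp 2001:db8:0:10::/64 host 2001:db8:0:1::1 eq 22
 remark --- extension-header filtering: drop Type 0 routing headers and
 remark --- fragments whose upper-layer header cannot be determined
 deny ipv6 any any routing-type 0 log
 deny ipv6 any any undetermined-transport
 remark --- Neighbor Discovery and PMTUD must be permitted explicitly,
 remark --- because the explicit deny-all below overrides the implicit
 remark --- "permit icmp any any nd-ns / nd-na" entries IOS adds at the end
 permit icmp any any nd-ns
 permit icmp any any nd-na
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any parameter-problem
 remark --- public web server
 permit tcp any host 2001:db8:0:1::80 eq 80
 permit tcp any host 2001:db8:0:1::80 eq 443
 deny ipv6 any any log
!
interface GigabitEthernet0/0
 ipv6 address 2001:db8:0:1::1/64
 ipv6 traffic-filter EDGE-IN in
!
! Verification:
!  show ipv6 access-list EDGE-IN        (per-entry hit counters)
!  show ipv6 interface GigabitEthernet0/0 (shows the inbound traffic filter)
```

Two points worth checking on a real box: undetermined-transport is only accepted on deny entries, and every IOS IPv6 ACL ends with three implicit entries (permit icmp any any nd-na, permit icmp any any nd-ns, deny ipv6 any any). As soon as you write your own deny ipv6 any any (for instance to get logging), the implicit ND permits are never reached, so the explicit nd-ns / nd-na lines above are what keep neighbor resolution on that link working.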


Filed under English, Firewalls, IPv6, Security

User-based Access Control with the Cisco IOS Zone-based Policy Firewall

So far we have had some discussions about both the Zone-based Policy Firewall (ZFW) and user-based access control (as powered by IOS Auth-proxy functionality). It is now time to mix these two technologies to render auth-proxy stateful and produce the so-called User-based ZFW behavior.

Figure 1 summarizes the relevant settings to build such a scenario:

  • A Zone-based firewall policy is constructed using the classic ZFW building blocks. One noteworthy difference here is that the class-maps are also matching on the “user-group” parameter.
  • This user information is obtained after the router receives the “supplicant-group” Vendor Specific Attribute (VSA) from the RADIUS server. (The router learned the user credentials using Auth-proxy, pretty much in the same way as already examined in previous posts).

Figure 1: Combining the Cisco IOS Zone-based Policy Firewall with Auth-proxy

Figure 2 shows the details of Auth-proxy and RADIUS for this environment:
  • Instead of an ACE (or a DACL), the router now receives the supplicant-group
  • The router now has a local knowledge of user-to-group mappings

Figure 2: Auth-proxy and RADIUS information in the user-based ZFW scenario
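As an added example (not the original post's own configuration, which lives in the figures), here is one way to wire the pieces described above together: Auth-proxy (ip admission) learns the user via RADIUS, the RADIUS reply carries the supplicant-group VSA, and the ZFW class-maps match on that group. Group names, prefixes, interface names, the RADIUS server address and its key are all assumptions.

```cisco
! Added example, not from the original post. Group names, addresses,
! interfaces and the RADIUS key are assumptions for illustration.
!
! 1. AAA: login and auth-proxy authorization both go to the RADIUS server
aaa new-model
aaa authentication login default group radius
aaa authorization auth-proxy default group radius
radius-server host 192.0.2.10 key RADIUS-SECRET
!
! 2. Auth-proxy: intercept HTTP and challenge the user for credentials
!    (the HTTP server must be enabled for the HTTP intercept method)
ip http server
ip admission name USER-AUTH proxy http
!
! 3. Class-maps: match on the user-group learned from the RADIUS
!    "supplicant-group" VSA, combined with the usual protocol match
class-map type inspect match-all CM-ENGINEERING
 match user-group ENGINEERING
 match protocol ssh
class-map type inspect match-all CM-GUESTS
 match user-group GUESTS
 match protocol http
!
! 4. Policy: inspect engineers' SSH; inspect and rate-limit guest web.
!    "police" is only valid after "inspect" in a ZFW class.
policy-map type inspect PM-INSIDE-OUTSIDE
 class type inspect CM-ENGINEERING
  inspect
 class type inspect CM-GUESTS
  inspect
  police rate 256000 burst 16000
 class class-default
  drop log
!
! 5. Zones, zone-pair, and interface membership
zone security INSIDE
zone security OUTSIDE
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-OUTSIDE
!
interface GigabitEthernet0/0
 description user LAN
 ip address 192.168.10.1 255.255.255.0
 ip admission USER-AUTH
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description Internet
 ip address 203.0.113.2 255.255.255.252
 zone-member security OUTSIDE
!
! Verification after a user authenticates:
!  show ip admission cache                 (authenticated host entries)
!  show user-group                          (host-to-group mappings)
!  show policy-map type inspect zone-pair   (which class each session hit)
```

On the RADIUS side, the user's profile must return the group as a Cisco VSA, i.e. cisco-av-pair = "supplicant-group=ENGINEERING"; no ACE or downloadable ACL is needed, because the firewall policy already lives on the router and only the group membership is learned dynamically. A host whose user is in no configured group falls through to class-default and is dropped, so it is worth confirming with show user-group that the mapping actually arrived before blaming the policy.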

** Topics for Study:

  • Contrast the pure auth-proxy diagrams of previous articles with the current post: can you spot the differences? (What about the similarities?)
  • Compare the RADIUS interactions between router (AAA client) and CS-ACS (AAA Server)
  • Notice that one of the class-maps now includes a “police” action. What does that mean?


Filed under English, Firewalls, Identity, Security