Document Managed by Network Operations

NetDB Documentation Navigation

1. Introduction
2. Network Contact Groups
3. Query Operations
4. Hostmaster Functions
   • Single Host Edits
   • Bulk Host Edits
   • XML Operations
5. Custom Access Control Lists
6. Errata

DISCLAIMER

• This document assumes the reader has a basic working knowledge of Cisco IOS Access Lists. If not, please read this document.
• TD will not provide support for basic ACL familiarity (ie 'how do I create this type of rule')
• All ACLs end with an IMPLICIT DENY (if you don't explicitly allow it in your ACL, it's not getting through)
• Network Operations reserves the right to remove an ACL should it create an operational problem (each line of an ACL uses layer 3 switch ASIC resources)
• It is very easy to HOSE YOUR NETWORK and USERS and consequently ENDANGER YOUR JOB with this tool if you do not know what you're doing

1. Summary

   The custom ACL system (part of NetDB) gives unit computing staff the ability to create and edit custom Cisco access control lists to be applied to the networks they control. This document will describe the procedure(s) by which unit computing staff may:

   • create and apply network-specific access control lists
   • create common, reusable ACL rules (ACL blocks) for insertion into network-specific access lists.
   • update an existing ACL
      
2. Tool Terms & Definitions
   • an ACL Rule is a line in a standard Cisco IOS access list. One or more of these comprise an Access List.
     • The image below represents a single ACL Rule

     
      

   • a NetIN or NetOUT is an access list applied to a single network in one direction
     • NetIN: Access List 'IN' to the router interface (traffic OUTBOUND FROM your network TO the router)
     • NetOUT: Access List 'OUT' from the router interface (traffic INBOUND TO your network FROM the router)
     • The NetIN and/or NetOUT for a network can be found in the 'details' page for that network

     
      

   • an ACL Block is a list of ACL rules associated with your NCG which can be included in a NetIN or NetOUT
     • used to automate applying common rules
     • ACL blocks can be found, created, editted and deleted in the user's NCG page under 'ACL Block List'

     
      

3. Procedure

   Workflow

   The following is a brief outline of how the ACL creation and application process occurs

   • UCS creates an ACL for a specific network (A NetIN or NetOUT), including previously created ACL Blocks if needed
   • UCS Notifies NOC of new ACL to be applied with time he/she would like ACL applied
   • NOC checks that ACL is being pushed to router, applies ACL to network interface at supplied time
   • UCS may then edit ACL in the future without NOC intervention if he or she so wishes

   Procedure

   The following is the procedure that should be followed when creating and submitting an ACL for application to a network. You may want to familiarize yourself with this procedure by creating a NetIN or NetOUT for a network you own but skipping the last step to avoid it's application.

   1. Plan out your ACL in advance
   2. Log into NetDB & Navigate to the network you'd like to create an ACL for
   3. click 'add NetIN' or 'add NetOUT' depending on whether the ACL will be applied 'inbound to' or 'outbound from' the network's router interface (respectively)
      • you may receive an error message. this is a bug. please ignore it and navigate back to the network detail page
      • Because of this bug you may need to refresh the network detail page to see your new NetIN or NetOUT
   4. Click on your new NetIN on the network detail page (This will bring you to the ACL detail page)
   5. Click 'edit' next to 'rules' (this will being you to the ACL edit page)
   6. Click 'add' underneath 'rules' (this will bring you to the rule creation page)
      • note: rules are created sequentially ascending from line #1 of the ACL. You can reorder later if need be.
   7. Select the type of rule you wish to add (according to your pre-planned access list)
   8. Select the correct details (source, destination, etc) and press the Submit Button
      • note: not all fields are necessary - you may have some blank lines
   9. Repeat until your ACL is complete
   10. After adding your last line, press the submit button on the 'Edit ACL Block' page
   11. Contact the Network Operations Center and request that your NetIN or NetOUT block be activated (please supply a time)

   Optional Steps

   The UCS may wish to automate some common ACL rulesets in ACL Blocks for later inclusion in multiple NetIN or NetOUT ACLs

   • ACL Block creation
     • To create an ACL Blcok, navigate to your NCG page and click 'add' under the 'ACL block list' header
     • Create ACL rules as described in steps 5 through 9
   • ACL Block inclusion
     • To include an ACL block within a NetIN, select the 'include_block' option from the pull-down menu in step 7 above
        
4. Examples

   Example 1: simple port block

   Henry the UCS wants a simple ACL applied inbound to a network he controls. Specifically, he would like to block port 445 inbound to all hosts on network 128.6.0.0/24.

   • Henry plans out his ACL in advance. He wants to block traffic inbound to his network from the router (see glossary section above - this is a NetOUT).
     • Line 1: block port 445 (both UDP and TCP)
     • Line 2: permit all other traffic
   • Henry logs into NetDB and finds his network (128.6.0.0/24) with the query tool
   • He clicks 'Add NetOUT'
   • His netout created, he clicks on it to begin editing
   • He clicks 'edit' next to 'Rules'.
   • He clicks 'add last' underneath 'Rules'.
   • Henry begins by creating his first ACL rule to block port 445:
     • under type he chooses 'TCP'
     • under action he chooses 'deny'
     • He wants 445 blocked from all hosts, so he clicks the 'Any' button to populate the source ip and mask fields
     • Source port (and its operator) is inconsequential to him so he leaves it blank
     • He wants 445 blocked to any host, so he clicks the 'Any' button to populate the destination ip and mask fields
     • He wants to block ONLY port 445, so he chooses 'eq' (equals) as the destination port operator
     • Finally, he fills in 445 as the destination port
     • The remaining fields are inconsequential to Henry so he leaves them blank and clicks 'Submit' and is returned to the rules page
   • He creates a second rule to deny UDP 445:
     • Henry chooses 'add last' to create the next ACL rule
     • Henry chooses UDP as the rule type and repeats the choices he made for the last rule
     • He submits this rule and verifies that it has been created
     • Henry creates a final 'permit any' rule:
     • Henry chooses 'add last' to create the final ACL rule
     • As Layer 4 traffic type is inconsequential he chooses IP as his type
     • He chooses 'permit' as the action
     • He fills in both source and destination ip and mask fields with the 'any' button
     • He clicks submit and verifies that his final rule was created.
   • At the 'rules' page, Henry verifies that all of his ACL lines are correct and as he intended, the clicks submit.
   • Henry calls or emails the NOC to have them activate his newly created ACL.
     from this point on, Henry can edit his NetOUT whenever he wants and the changes should propagate within the hour. No intervention by the NOC is necessary.

   Example 2: port block with ACL Blocks

   Mike the UCS manages the Basket-Weaving department's IT infrastructure. They have locations on both the New Brunswick and Newark campuses, each obviously on a different LAN. He has been ordered to stop his users from using AOL Instant Messenger. (for this example, assume AIM = TCP port 5190)

   • Mike plans out his ACL in advance. He wants to block traffic FROM his network TO the router (see glossary section above - this is a NetIN). As AIM needs to be blocked on multiple networks, Mike decides to create a common 'deny AIM' ACL block for easy inclusion into both NetINs. His 'deny AIM' ACL block will look like:
     • Line 1: block all TCP traffic with destination port 5190
     • Line 2: permit any
   • Mike Creates his 'deny AIM' ACL Block
     • Mike navigates to his NCG page (left menu option 'NCG Tree' -> Basket Weaving)
     • He clicks 'add' under 'ACL Block list'
     • He title's his ACL Block 'deny AIM' and clicks submit
     • Mike is returned to his NCG page. He clicks his new ACL block (Basket Weaving: deny AIM)
     • Mike adds a rule to deny traffic with a TCP destination port of 5190 (type=TCP, action=deny, Src port=5190)
     • After verifying that the line is correct, he submits the block (which saves it for later use)
   • Mike Creates and populates his New Brunswick NetIN
     • Mike navigates to his New Brunswick office's network page (does a network search in the query system)
     • Mike creates a NetIN as described in our first example
     • Mike includes his 'deny AIM' block (type=INCLUDE_BLOCK, ncg=Basket Weaving, block=deny AIM)
     • Mike finishes his NetIN with a permit any (type=IP, action=permit, Src/Dst=any)
     • Mike submits his NetIN
   • Mike Creates and populates his Newark NetIN
     • Mike navigates to his Newark office's network page (does a network search in the query system)
     • Mike creates a NetIN as described in our first example
     • Mike includes his 'deny AIM' block (type=INCLUDE_BLOCK, ncg=Basket Weaving, block=deny AIM)
     • Mike finishes his NetIN with a permit any (type=IP, Src/Dst=any)
     • Mike submits his NetIN
   • Mike contacts the NOC to have these new NetINs activated
     from this point on, Mike can edit his NetINs whenever he wants and the changes should propagate within the hour. No intervention by the NOC is necessary. Additionally, If Mike ever edits his 'deny AIM' ACL Block, those changes will propagate to all ACLs which reference that block.
      
5. Variables

   There are a few simple variables built into the ACL system that can provide extended functionality when creating ACL rules for use on multiple networks (currently only ACL Blocks). These variables are placed in the network and network mask fields of IP access list rules.

   • %nba%
     • network base address
     • when used in an ACL rule as a source or destination address, echoes the local network's base address
     • can be used in both NetINs/OUTs and ACL Blocks
   • %nwcm%
     • network wildcard mask
     • when used in an ACL rule as a source or destination address, echoes the local network's wildcard mask (the binary reverse of a subnet mask)
     • can be used in both NetINs/OUTs and ACL Blocks

     
      

     • The ACL rule above will permit all IP traffic with a source IP and Mask matching that of the local LAN to any IP destination (simple anti-spoofing!)
       

Back to NetDB Navigation