Configure and verify ACLs in a network environment
Exam: 200-120 - CCNA Cisco Certified Network Associate CCNA (803)
In this chapter we explain how to configure network security using ACLs (access control lists). The configuration is done with commands and tables that are usually referred to as access lists. One prerequisite is that the advanced software image must be installed on your switch. You can configure network security using either CMS (Cluster Management Suite) or the CLI (command line interface); a step-by-step online guide covers how to install CMS. There is also an option to filter inbound traffic, and the filtering can be based on TCP/UDP applications.
Packet filtering limits the traffic that enters the network and can reduce the bandwidth consumed by particular users. An ACL filters the traffic passing through the switch and permits or denies individual packets. The ACL is designed so that its permit and deny statements are evaluated in sequence: if a packet matches a restriction, the switch drops it; otherwise the packet is allowed to continue.
The ACL is vital. If none is configured, every packet that arrives is allowed into the network and the situation can quickly get out of control. With ACLs it becomes much easier to control traffic and to ensure that sensitive information does not leave the network. For example, you may want to allow email traffic out, but you would not simply allow Telnet traffic out, would you? ACLs can also be used very effectively to block inbound traffic.
It is the ACE (access control entry) present in every ACL that permits or denies the packet. Some of the ACL types that the switch supports are:
- Ethernet ACLs, which filter Layer 2 traffic.
- IP ACLs, which filter IP traffic.
- IP ACLs also support filtering on TCP and User Datagram Protocol (UDP).
ACLs can be applied to any interface in the inbound direction. The ACL compares each packet against its entries: if the packet matches a permit entry it is allowed, otherwise it is denied. IP packets may be fragmented as they cross the network. When fragmentation happens, the Layer 4 information, that is the TCP and UDP port numbers, the ICMP type and code and other vital details, is carried only in the first fragment, so in some cases the ACEs will not check the Layer 4 information at all.
Keep in mind that only one ACL can be attached to an interface. When you configure an ACL, all the ACEs in that ACL must use the same user-defined mask. Any number of system-defined masks can also be applied. In this respect the Catalyst 2950 switch behaves consistently with other Cisco Catalyst switches.
The Catalyst 2950 switch does not support the following features:
- IP accounting.
- Reflexive ACLs.
- Bridge-group ACLs, among others.
Named and numbered ACLs are the two known types. We now discuss each of them in detail so that you get a better idea of them.
You can also identify an ACL with an alphanumeric name. This lets the network administrator use names to identify access lists, which makes them easier to remember and to work with. In a named list you can reorder statements and add new ones. Keep in mind that not all IP access lists accept a named ACL, and that a standard ACL and an extended ACL cannot have the same name. Individual lines can be removed from a named ACL, which is exactly why it is preferred over a numbered ACL.
A named ACL offers the user the following features:
- Non-contiguous ports
- TCP flag filtering
- IP options filtering
- Deleting individual entries from the named ACL
Some commands accept only numbered access lists and some only named access lists.
Numbered ACLs are less popular because they are not as user friendly as named ACLs, and editing a numbered ACL takes a great deal of time. However, you must understand numbered ACLs because they are common in older deployments and you will come across them. Numbered ACLs are suitable for simple ACLs, and some network administrators use a combination of named and numbered ACLs. Typically, to edit a numbered ACL you copy the existing ACL into a text editor such as Notepad, remove or insert the lines you want, and then paste the edited ACL back into the configuration to use it again. This can be time consuming. Also keep in mind that when the device reboots, the ACL entries can be renumbered.
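The sequential permit/deny evaluation, the implicit deny, the Layer 4 handling of fragments, and the line-level editing that sets named ACLs apart from numbered ones can all be seen in one small model. The following Python program is an added example and is not Cisco code or part of the original chapter. It assumes the IOS conventions for wildcard masks (a 0 bit must match, a 1 bit is ignored) and for non-initial fragments without the `fragments` keyword (a permit entry with port information permits the fragment, a deny entry with port information is skipped); the ACL name, entries, and packet addresses are constructed sample data using documentation address ranges.

```python
"""ACL evaluation model (an added example, not Cisco's own code).

An IP ACL is a sequence of access control entries (ACEs). A packet is
compared against the entries in order, the first matching entry decides,
and a packet that matches no entry hits the implicit deny at the end.
Wildcard masks follow the IOS convention: a 0 bit must match, a 1 bit is
ignored. Non-initial fragments carry no Layer 4 header, so entries that
test ports are handled by their Layer 3 part only (assumed IOS default
without the 'fragments' keyword): a permit entry permits the fragment,
a deny entry is skipped and evaluation continues.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Ace:
    seq: int                 # sequence number, as in a named ACL
    action: str              # "permit" or "deny"
    proto: str               # "ip", "tcp", "udp" or "icmp"
    src: str                 # "any", "host 10.1.1.7" or "10.1.1.0 0.0.0.255"
    dst: str = "any"
    dst_port: Optional[int] = None   # "eq <port>" on the destination


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: Optional[int] = None
    non_initial_fragment: bool = False   # no Layer 4 header present


def match_addr(spec: str, addr: str) -> bool:
    """Apply an IOS address spec ('any', 'host X', 'X wildcard') to addr."""
    if spec == "any":
        return True
    parts = spec.split()
    net, wild = (parts[1], "0.0.0.0") if parts[0] == "host" else parts
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    keep = ~w & 0xFFFFFFFF      # bits that must be equal
    return a & keep == n & keep


def match_ace(ace: Ace, pkt: Packet) -> bool:
    """Decide whether one ACE matches one packet."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (match_addr(ace.src, pkt.src) and match_addr(ace.dst, pkt.dst)):
        return False
    if ace.dst_port is None:
        return True                      # Layer 3 only entry
    if pkt.non_initial_fragment:
        # Layer 4 part cannot be checked: permit matches, deny is skipped
        return ace.action == "permit"
    return pkt.dst_port == ace.dst_port


@dataclass
class Acl:
    name: str
    entries: List[Ace] = field(default_factory=list)

    def add(self, ace: Ace) -> None:
        """Insert by sequence number, as a named ACL allows."""
        self.entries = sorted(self.entries + [ace], key=lambda e: e.seq)

    def remove(self, seq: int) -> None:
        """Remove a single entry by sequence number ('no <seq>')."""
        self.entries = [e for e in self.entries if e.seq != seq]

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, seq); seq is None for the implicit deny."""
        for ace in self.entries:
            if match_ace(ace, pkt):
                return ace.action, ace.seq
        return "deny", None


def demo() -> dict:
    """Constructed sample ACL and packets (documentation address ranges)."""
    acl = Acl("OUTBOUND")
    acl.add(Ace(10, "deny", "tcp", "any", "any", 23))                   # no Telnet out
    acl.add(Ace(20, "permit", "tcp", "10.1.1.0 0.0.0.255", "any", 25))  # SMTP out
    acl.add(Ace(30, "permit", "ip", "10.1.1.0 0.0.0.255", "any"))       # rest of the LAN
    smtp = Packet("10.1.1.7", "203.0.113.5", "tcp", 25)
    results = {
        "telnet": acl.evaluate(Packet("10.1.1.7", "203.0.113.5", "tcp", 23)),
        "smtp": acl.evaluate(smtp),
        "other_subnet": acl.evaluate(Packet("10.2.2.9", "203.0.113.5", "tcp", 80)),
        "fragment": acl.evaluate(
            Packet("10.1.1.7", "203.0.113.5", "tcp", non_initial_fragment=True)),
    }
    # Named ACL: a more specific entry slots in between 10 and 20 without
    # rebuilding the list, and the sequence decides the outcome.
    acl.add(Ace(15, "deny", "tcp", "host 10.1.1.7", "any", 25))
    results["smtp_after_insert"] = acl.evaluate(smtp)
    acl.remove(15)
    results["smtp_after_remove"] = acl.evaluate(smtp)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} -> {verdict}")
```

The `other_subnet` packet shows the implicit deny: no entry mentions 10.2.2.0/24, so the verdict is deny with no sequence number. With a numbered ACL the insertion of entry 15 would instead require the copy, edit and paste cycle described above.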
Enabling logging on an ACL gives the user insight into the traffic. Logging can be CPU intensive and can affect the performance of the network device negatively. The log and log-input options apply directly to an ACE and cause the packets that match that ACE to be logged. The first packet logged through the log-input option automatically generates a syslog message.
The log option at the very end of an extended ACL enables one of the following behaviours:
- Disable all logging
- Return to the default logging (message 106023)
- Enable message 106100 instead of message 106023
When a packet matches an ACE, the ASA creates a flow entry that tracks the number of packets received within a given period of time.
We hope that this chapter on Configure and verify ACLs in a network environment will help you to understand the subject matter better.