Configure and verify ACLs in a network environment

Exam: Cisco 200-301 - Cisco Certified Network Associate (CCNA)

This chapter explains how to configure network security using ACLs (access control lists). An ACL is defined by commands and tables that are commonly referred to as an access list. One prerequisite is that the advanced software image must be installed on the switch. Network security can be configured either through CMS (Cluster Management Suite) or through the CLI (command-line interface); a step-by-step online guide explains how to install CMS. ACLs can filter inbound traffic, including filtering by TCP/UDP application (port).

Packet filtering limits network traffic and restricts network use by certain users or devices. An ACL filters the traffic passing through the switch, permitting or denying individual packets. An ACL is a sequential collection of permit and deny conditions: the switch tests each packet against the conditions in order, drops the packet if a matching condition denies it, and otherwise forwards it.

ACLs are essential. Without one, every packet passing through the device is forwarded and the traffic cannot be controlled. With ACLs it becomes much easier to control traffic and to ensure that crucial information does not leave the network. For example, you may want to permit outbound e-mail traffic while blocking outbound Telnet. ACLs are also very effective at blocking inbound traffic.

Every ACL is made up of ACEs (access control entries), and it is the ACE that permits or denies a packet. The ACL types the switch supports include:

  1. Ethernet ACLs, which filter Layer 2 traffic.
  2. IP ACLs, which filter IP traffic.
  3. IP ACLs also support TCP and User Datagram Protocol (UDP) filtering.

ACLs can be applied to interfaces in the inbound direction. The ACL compares each packet with its entries; if the packet matches a permit entry it is forwarded, otherwise it is denied right away. IP packets may be fragmented as they cross the network. The Layer 4 information (the UDP and TCP port numbers, the ICMP type and code, and other vital fields) is carried only in the first fragment, so in some cases ACEs cannot check the Layer 4 information of the remaining fragments.

Keep in mind that only one ACL can be attached to an interface. When you configure an ACL, all ACEs in that ACL must use the same user-defined mask; any number of system-defined masks can be applied. In this respect the Catalyst 2950 switch behaves consistently with other Cisco Catalyst switches.
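The evaluation rules just described (ordered ACEs, first match wins, implicit deny when nothing matches, wildcard masks where a 0 bit must match and a 1 bit is ignored) are easy to get wrong in the head. The following Python model is an added example, not code from the page or from Cisco; the `Packet`/`Ace` types, the `EXAMPLE_ACL` (built for the page's own e-mail-out, no-Telnet-out scenario) and the sample packets are all constructed here, and `render()` only produces IOS-like text for illustration.

```python
"""Model of how a switch evaluates an inbound IP ACL (added example, not Cisco code).

An ACL is an ordered list of ACEs. Each packet is tested against the ACEs in
order; the first ACE that matches decides (permit or deny) and a packet that
matches no ACE is dropped by the implicit deny at the end of every ACL.
Wildcard masks follow the Cisco convention: a 0 bit must match the base
address, a 1 bit is "don't care".
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None  # destination port, None for non-TCP/UDP


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any IP protocol
    src: str                     # source base address
    src_wild: str                # source wildcard mask
    dst: str
    dst_wild: str
    dport: Optional[int] = None  # None means any destination port


ANY = ("0.0.0.0", "255.255.255.255")   # what the IOS keyword "any" expands to


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr and base agree in every bit position the wildcard leaves as 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """Every condition of an ACE must hold for the ACE to match."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wild):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wild):
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Sequential first-match evaluation, ending in the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def render(ace: Ace) -> str:
    """Render an ACE in IOS-like extended ACL syntax (illustration only)."""
    def host(base: str, wild: str) -> str:
        return "any" if (base, wild) == ANY else f"{base} {wild}"
    line = f"{ace.action} {ace.proto} {host(ace.src, ace.src_wild)} {host(ace.dst, ace.dst_wild)}"
    if ace.dport is not None:
        line += f" eq {ace.dport}"
    return line


# Constructed sample ACL: hosts on 10.1.1.0/24 may send e-mail (SMTP, TCP 25)
# out but not Telnet (TCP 23); other IP traffic from that subnet is permitted,
# and everything else falls through to the implicit deny. Order matters: the
# Telnet deny must come before the broad "permit ip" line.
EXAMPLE_ACL = [
    Ace("deny",   "tcp", "10.1.1.0", "0.0.0.255", *ANY, dport=23),
    Ace("permit", "tcp", "10.1.1.0", "0.0.0.255", *ANY, dport=25),
    Ace("permit", "ip",  "10.1.1.0", "0.0.0.255", *ANY),
]

if __name__ == "__main__":
    for ace in EXAMPLE_ACL:
        print(render(ace))
    for pkt in (Packet("10.1.1.7", "192.0.2.10", "tcp", 25),   # permit (SMTP)
                Packet("10.1.1.7", "192.0.2.10", "tcp", 23),   # deny (Telnet)
                Packet("10.1.1.7", "192.0.2.53", "udp", 53),   # permit (permit ip)
                Packet("10.2.2.5", "192.0.2.10", "tcp", 25)):  # deny (implicit)
        print(pkt, "->", evaluate(EXAMPLE_ACL, pkt))
```

Swapping the first two ACEs would not change the result here, but moving the `permit ip` line to the top would silently permit Telnet, which is the classic ordering mistake the sequential model exposes.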

The Catalyst 2950 switch does not support the following features:

  1. IP accounting.
  2. Reflexive ACLs.
  3. Bridge-group ACLs, among others.

Named and numbered are the two ways of identifying an ACL. Each is discussed in detail below so that you get a clear picture of both.

Named ACL

An ACL can also be identified by an alphanumeric name instead of a number. This lets the network administrator use descriptive names for access lists, which are easier to remember and to work with. In a named ACL you can reorder statements and insert new statements. Keep in mind that not every IP access list accepts a named ACL, and that a standard ACL and an extended ACL cannot share the same name. Because individual lines can be removed from a named ACL, it is preferred over a numbered ACL.

A named ACL offers the following features:

  • Non-contiguous ports
  • TCP flag filtering
  • IP options filtering
  • Deletion of individual entries from the named ACL

Some commands accept only numbered access lists and some only named access lists.

Numbered ACL

Numbered ACLs are less popular because they are not as user friendly as named ACLs, and editing a numbered ACL takes a great deal of time. You must still understand them, however, because they are common in older deployments and you will come across them. Numbered ACLs are suitable for simple ACLs, and some network administrators use a combination of named and numbered ACLs. Typically, to edit a numbered ACL you copy the existing ACL into a text editor such as Notepad, remove or insert the lines you want, and then paste the edited ACL back into the configuration. This is a time-consuming task. Keep in mind also that after the device reboots the ACL entries can renumber themselves.
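The practical difference between the two kinds of ACL is how they are edited. The Python model below is an added example, not code from the page or from Cisco: `NamedAcl` keeps entries under sequence numbers so one line can be inserted, removed or resequenced in place, while `NumberedAcl` models the classic IOS behaviour the page describes, where entries can only be appended and removing one entry (`no access-list N ...`) deletes the whole list, forcing the copy, edit and paste workflow shown in `edit_numbered_by_copy`. The ACE strings are constructed samples.

```python
"""Editing model for named vs. numbered ACLs (added example, not Cisco code)."""
from typing import Dict, List, Optional


class NamedAcl:
    """Entries keyed by sequence number; listing is always in sequence order."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._entries: Dict[int, str] = {}

    def add(self, entry: str, seq: Optional[int] = None) -> int:
        """Insert at an explicit sequence number, or append 10 past the last one."""
        if seq is None:
            seq = (max(self._entries) if self._entries else 0) + 10
        if seq in self._entries:
            raise ValueError(f"sequence {seq} already used in {self.name}")
        self._entries[seq] = entry
        return seq

    def remove(self, seq: int) -> None:
        """Delete one entry; every other entry is untouched."""
        del self._entries[seq]

    def resequence(self, start: int = 10, step: int = 10) -> None:
        """Renumber in order, as 'ip access-list resequence NAME start step' does."""
        ordered = [self._entries[s] for s in sorted(self._entries)]
        self._entries = {start + i * step: e for i, e in enumerate(ordered)}

    def lines(self) -> List[str]:
        return [f"{s} {self._entries[s]}" for s in sorted(self._entries)]


class NumberedAcl:
    """Classic IOS numbered ACL: append-only, and removing one entry removes all."""

    def __init__(self, number: int) -> None:
        self.number = number
        self.entries: List[str] = []

    def add(self, entry: str) -> None:
        self.entries.append(entry)      # a new line always lands at the end

    def clear(self) -> None:
        self.entries = []               # "no access-list N"

    def remove(self, entry: str) -> None:
        # On classic IOS "no access-list N <entry>" does not remove just that
        # entry: the entire ACL N disappears.
        self.clear()

    def lines(self) -> List[str]:
        return [f"access-list {self.number} {e}" for e in self.entries]


def edit_numbered_by_copy(acl: NumberedAcl, drop: List[str],
                          insert_at: int, new: str) -> NumberedAcl:
    """The manual workflow: copy the list out, edit it, clear it, paste it back."""
    copied = [e for e in acl.entries if e not in drop]   # remove unwanted lines
    copied.insert(insert_at, new)                        # insert the new line
    acl.clear()                                          # wipe the old list
    for e in copied:                                     # paste the edited lines
        acl.add(e)
    return acl


# Constructed sample entries (same scenario as the page: e-mail out, no Telnet)
DENY_TELNET = "deny tcp 10.1.1.0 0.0.0.255 any eq 23"
DENY_SSH = "deny tcp 10.1.1.0 0.0.0.255 any eq 22"
PERMIT_SMTP = "permit tcp 10.1.1.0 0.0.0.255 any eq 25"
PERMIT_IP = "permit ip 10.1.1.0 0.0.0.255 any"

if __name__ == "__main__":
    named = NamedAcl("OUTBOUND")
    for e in (DENY_TELNET, PERMIT_SMTP, PERMIT_IP):
        named.add(e)
    named.add(DENY_SSH, seq=15)        # slots in between 10 and 20
    named.remove(20)                   # only the SMTP line goes away
    named.resequence()
    print("\n".join(named.lines()))

    numbered = NumberedAcl(101)
    numbered.add(DENY_TELNET)
    numbered.add(PERMIT_IP)
    numbered.remove(DENY_TELNET)       # whole list 101 is gone
    print(numbered.lines())
```

The `ValueError` on a duplicate sequence number mirrors the IOS refusal to overwrite an existing sequence; resequencing first is the usual way to make room.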

Log option

Enabling logging on an ACL gives insight into the traffic it matches. Logging can be CPU intensive and can degrade the performance of the network device. The log and log-input options are applied directly to an ACE and cause the packets matching that ACE to be logged. The first packet matched by an ACE with the log-input option automatically generates a syslog message.

The log option at the end of an extended ACE selects one of the following behaviours:

  1. Disable all logging for the ACE.
  2. Return to the default logging, which uses message 106023.
  3. Enable message 106100 instead of message 106023.

When a packet matches an ACE, the ASA creates a flow entry that tracks the number of packets received within a given interval.
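The three log settings and the flow entry can be put side by side in a small model. This is an added example, not code from the page or from Cisco: `AceLogger` models "disable" (nothing logged), "default" (message 106023 per denied packet, nothing tracked between packets, which is why that mode can be CPU intensive) and "106100" (a flow entry per matching flow: the first packet is logged at once, later packets are only counted, and a hit-count summary is emitted when the interval expires). The message texts are simplified constructed strings rather than the exact ASA syslog format, and the 300-second interval is an assumption made for the example.

```python
"""Model of the ACE log options on an ASA (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, str, str, int]     # (protocol, src, dst, destination port)


@dataclass
class Flow:
    started: float      # time the flow entry was created
    hits: int           # packets counted in the current interval


@dataclass
class AceLogger:
    acl_name: str
    action: str                     # "permit" or "deny": the ACE's own action
    mode: str = "default"           # "disable", "default" (106023) or "106100"
    interval: float = 300.0         # seconds; assumed value for this example
    flows: Dict[FlowKey, Flow] = field(default_factory=dict)

    def packet(self, key: FlowKey, now: float) -> Optional[str]:
        """Handle one packet that matched the ACE; return a syslog line or None."""
        proto, src, dst, dport = key
        if self.mode == "disable":
            return None
        if self.mode == "default":
            # Message 106023 is produced for every denied packet, never for
            # permitted ones, and nothing is remembered between packets.
            if self.action == "deny":
                return (f"%ASA-4-106023: Deny {proto} src {src} dst {dst}/{dport} "
                        f"by access-group {self.acl_name}")
            return None
        # mode "106100": one flow entry per (proto, src, dst, port)
        flow = self.flows.get(key)
        if flow is None:
            self.flows[key] = Flow(started=now, hits=1)
            return self._msg106100(key, 1, "first hit")
        flow.hits += 1                  # later packets are only counted
        return None

    def expire(self, now: float) -> List[str]:
        """Timer tick: report flows whose interval has elapsed and drop them."""
        lines: List[str] = []
        for key in list(self.flows):
            flow = self.flows[key]
            if now - flow.started >= self.interval:
                lines.append(self._msg106100(
                    key, flow.hits, f"{int(self.interval)}-second interval"))
                del self.flows[key]
        return lines

    def _msg106100(self, key: FlowKey, hits: int, tail: str) -> str:
        proto, src, dst, dport = key
        verb = {"permit": "permitted", "deny": "denied"}[self.action]
        return (f"%ASA-6-106100: access-list {self.acl_name} {verb} {proto} "
                f"{src} -> {dst}/{dport} hit-cnt {hits} {tail}")


if __name__ == "__main__":
    # Constructed traffic: three Telnet attempts from one host inside 300 s
    log = AceLogger("outside_in", "deny", mode="106100")
    key = ("tcp", "198.51.100.9", "192.0.2.10", 23)
    for t in (0.0, 12.0, 40.0):
        line = log.packet(key, t)
        if line:
            print(line)
    for line in log.expire(300.0):
        print(line)             # one summary line with hit-cnt 3
```

A useful check when tuning logging is to count how many lines each mode emits for the same traffic: the default mode produces one message per denied packet, while 106100 produces one at the first hit and one per interval regardless of packet rate.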

We hope that this chapter on configuring and verifying ACLs in a network environment helps you understand the subject better.
