Access list interface vlan

Network security is as important now as ever, with data growing larger and more valuable. Because network security helps businesses reduce the risk of data theft and disruption to production network operations, it is key to understand your security environment. An access control list (ACL) provides network security in your routing and switching environments through a rule or series of rules that permit or deny traffic at the network layer. Today, we will look at ACL concepts as well as troubleshooting common cases that you may see.

A quick note before we dive in. While there are no specific prerequisites for applying ACLs in the network, it should be done by professional network/security engineers. This feature is in Cisco IOS software releases 8.3 or later, and uses packet filtering. Packet filtering is a firewall technique used to control network access by inspecting outgoing and incoming packets and either passing or halting them based on the source and destination Internet Protocol (IP) addresses, protocols, and ports. We can set the configuration (as you'll see below) to filter IP traffic in Cisco Layer 3 switches, such as the Nexus switches, between two different SVIs/VLANs. Let's dive in!

Why ACL in Networks

ACLs work by blocking specified traffic, which also improves the performance of the network. Strong security is provided by blocking packets destined for sensitive areas of the network. The type of traffic to forward is determined based on protocol, which makes it possible to deny certain users access to the internet while allowing others. Please note that we are not focusing on access list types today, but if you would like more information, get in touch!

The example we will use today uses a PivIT environment with Nexus switches. We will show you a couple of rules that you can use, but you can add or remove rules from the default network ACL. When rules are added or removed, they are automatically applied to the subnets that the ACL is associated with. The parts of a network ACL rule include:

  • Rule Number
  • Type
  • Protocol
  • Port Range
  • Source
  • Destination
  • Allow/Deny

Access control lists are a principal element in securing your network, and understanding how they function is essential to getting the most out of them. Below are a few rules and configurations to help build knowledge and understanding of ACLs and the basic rules to apply.

Step-by-Step Configurations

We have created one VLAN (154) in both Nexus switches. In the diagram below, you can also check the recommended way to configure the SVI in the Cisco 9500 series switches to get the maximum output. Note: The configurations below can only be done on Cisco Nexus Layer 3 switches.

Step 1. Create VLAN in both Nexus Core Switches

Core 1 Configurations:

Core 2 Configurations:

Step 2. Create SVI on both Nexus Core Switches

A Switched Virtual Interface (SVI) is a routed interface in IOS representing the IP addressing space for a particular VLAN connected to this interface. There is no physical interface for the VLAN; the SVI provides the Layer 3 processing for packets from all switch ports associated with the VLAN.

With SVIs, the switch uses a virtual Layer 3 interface to route traffic to another Layer 3 interface, eliminating the need for a physical router. VLANs reduce the load on a network by dividing a LAN into smaller segments and keeping local traffic within a VLAN. However, because each VLAN is its own broadcast domain, a mechanism is needed for VLANs to pass data to other VLANs without sending the data through an external router. We'll now show the configurations to create the SVI.

Core 1 Configurations:

Core 2 Configurations:


Step 3. Create Access List to Block All Traffic from VLAN 154

Before configuring the ACL rule, verify inter-VLAN communication between the two VLANs. Below is what the verification should look like.

Now we'll block the inter-VLAN traffic between the two VLANs through an ACL rule, but first we will create the access list.

Next, we need to apply this access list to the VLAN 154 SVI. Once it is applied, the two VLANs cannot communicate with each other. If the access list is not applied to the SVI, the case will not work.

Step 4. ACL Cases

Scenario 1: No one can access VLAN 154 through port 8080

Scenario 2: Block ICMP from VLAN 154

Scenario 3: Support port 888 for IP address 10.0.121.15

Scenario 4: Show access list commands
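The Step 3 and scenario configurations are not reproduced above, so the following is an added example (not the article's own configuration) of how they can be expressed on a Nexus switch. It assumes NX-OS syntax, VLAN 154 using 10.0.154.0/24 with the SVI at 10.0.154.1, a host 10.0.121.15 in another VLAN, and reads Scenario 3 as "host 10.0.121.15 may reach VLAN 154 on TCP/888".

```cisco
! Added example, not the article's configuration. Assumptions: NX-OS
! syntax (prefix lengths, not wildcard masks); VLAN 154 = 10.0.154.0/24
! with the SVI at 10.0.154.1; host 10.0.121.15 lives in another VLAN.
feature interface-vlan

! Step 3: drop everything VLAN 154 hosts send towards other VLANs.
! An empty list would also drop everything (implicit deny), but an
! explicit entry is visible in the hit counters.
ip access-list BLOCK-FROM-VLAN154
  10 deny ip 10.0.154.0/24 any
interface Vlan154
  ip address 10.0.154.1/24
  ip access-group BLOCK-FROM-VLAN154 in

! Scenario 2: traffic sourced in VLAN 154 enters the SVI inbound, so
! the ICMP filter goes "in". The final permit is required: without it
! the implicit deny at the end of the list blocks all other traffic.
ip access-list VLAN154-IN
  statistics per-entry
  10 deny icmp 10.0.154.0/24 any
  20 permit ip any any

! Scenarios 1 and 3: traffic destined to VLAN 154 is routed out of the
! SVI, so the port filters go "out". Entry 10 is redundant with the
! final permit but documents the intended exception and gets its own
! counter, so a later, broader deny cannot silently remove it.
ip access-list VLAN154-OUT
  statistics per-entry
  10 permit tcp host 10.0.121.15 10.0.154.0/24 eq 888
  20 deny tcp any 10.0.154.0/24 eq 8080
  30 permit ip any any

! Only one ACL per direction can be bound, so the Step 3 list is
! replaced by the scenario lists.
interface Vlan154
  no ip access-group BLOCK-FROM-VLAN154 in
  ip access-group VLAN154-IN in
  ip access-group VLAN154-OUT out

! Scenario 4: show commands to verify the bindings and hit counters.
show ip access-lists summary
show ip access-lists VLAN154-IN
show ip access-lists VLAN154-OUT
show running-config interface vlan 154
```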

About PivIT Global

PivIT Global provides the support you need through infrastructure, maintenance, and professional services. Contact us today to chat more about configuring an ACL in SVI environments or how we can support you through our third-party maintenance and professional services offerings.

VLAN access-lists (VACLs) are very useful if you want to filter traffic within a VLAN. Let me give you an example:

Let's say I want to make sure that the two computers are unable to communicate with the server. You could use port security to filter MAC addresses, but this isn't a very safe method.

I will show you how to configure a VACL so that the two computers won't be able to reach the server. First we have to create an access-list:

SW1(config)#access-list 100 permit ip any host 192.168.1.100

The first step is to create an extended access-list. Traffic from any source to destination IP address 192.168.1.100 should match my access-list. This might look confusing to you because your gut will tell you to use "deny" in this statement... don't do it though, use the permit statement!

SW1(config)#vlan access-map NOT-TO-SERVER 10
SW1(config-access-map)#match ip address 100
SW1(config-access-map)#action drop
SW1(config-access-map)#vlan access-map NOT-TO-SERVER 20
SW1(config-access-map)#action forward

The next step is to create the VACL. Mine is called "NOT-TO-SERVER".

• Sequence number 10 will look for traffic that matches access-list 100. All traffic that is permitted in access-list 100 will match here. The action is to drop this traffic.
• Sequence number 20 doesn't have a match statement, so everything will match; the action is to forward traffic.

As a result, all traffic from any host to destination IP address 192.168.1.100 will be dropped, and everything else will be forwarded.

SW1(config)#vlan filter NOT-TO-SERVER vlan-list 10

The last step is to apply the VACL to the VLANs you want. I apply mine to VLAN 10. Let's see if this works or not...

Prerequisite – Virtual LAN (VLAN), Access-lists (ACL)
A VLAN (Virtual LAN) is a concept in which we logically divide a broadcast domain into smaller broadcast domains at Layer 2. If we create different VLANs, then by default a host in one VLAN can communicate with all the hosts residing in the same VLAN. If we want some hosts to be unable to reach other hosts within the same VLAN, the VLAN Access-list or Private VLAN concept can be used. (An access-list is a set of permit or deny conditions used for packet filtering.)

VLAN ACL (VACL) –
A VLAN ACL is used to filter traffic within a VLAN, i.e., traffic whose destination host resides in the same VLAN. All packets entering the VLAN are checked against the VACL. Unlike a router ACL, a VACL is not defined with a direction, but it is possible to filter traffic based on its direction by combining VACLs with the Private VLAN feature.

Procedure – 

  1. Define the standard or extended access list to be used in the VACL –
    An access list should be defined to identify the type of traffic and the hosts to which it applies.
  2. Define a VLAN access map –
    A VLAN access-map is defined in which the hosts' IP addresses will be matched (using the access-list defined above).
  3. Configure an action clause in a VLAN access map sequence –
    This tells the switch what action (forward or drop) should be taken on the traffic matched in the VLAN access map.
  4. Apply the VLAN access map to the specified VLANs –
    The last step in the configuration of a VACL is to create a filter list specifying the VLANs on which the access map is applied.
  5. Display VLAN access map information –
    We can verify the configuration using the show commands given at the end.

Configuration – 



There is a switch named switch1 which is connected to 3 routers named Router1 (IP address 192.168.1.1/24), Router2 (IP address 192.168.1.2/24), and Router3 (IP address 192.168.1.3/24) as shown in the figure.
Configuring the IP address on Router1.

Router1(config)#int fa0/0
Router1(config-if)#ip address 192.168.1.1 255.255.255.0
Router1(config-if)#no shut

Configuring the IP address on Router2.

Router2(config)#int fa0/0
Router2(config-if)#ip address 192.168.1.2 255.255.255.0
Router2(config-if)#no shut

Configuring the IP address on Router3.

Router3(config)#int fa0/0
Router3(config-if)#ip address 192.168.1.3 255.255.255.0
Router3(config-if)#no shut

In this task, we will deny traffic from Router1 to Router3 using VACL. 

Configuring an access-list on switch1 stating that all IP traffic from host 192.168.1.1 to host 192.168.1.3 is permitted (in a VACL, permit means the traffic matches the list; the drop or forward decision is made by the access map).

switch1(config)#ip access-list extended My_access_list
switch1(config-ext-nacl)#permit ip host 192.168.1.1 host 192.168.1.3

Now, configuring the VLAN access-map, which matches the IP addresses defined in the access-list and takes the action drop (meaning traffic from 192.168.1.1 to 192.168.1.3 is not allowed).

switch1(config)#vlan access-map Mapping 10
switch1(config-access-map)#match ip address My_access_list
switch1(config-access-map)#action drop
switch1(config-access-map)#exit

In the first command, 10 is the sequence number of the access map. If we do not define a sequence number, it will automatically take 10 as the sequence number.
Now, traffic from Router1 (192.168.1.1) to Router3 (192.168.1.3) will be dropped, but what about the traffic from Router2 to Router3?

The traffic from Router2 to Router3 will also be dropped, because no action is defined for this traffic (implicit deny). Therefore, we have to define another rule stating that all other traffic should be allowed.

switch1(config)#vlan access-map Mapping 20
switch1(config-access-map)#action forward
switch1(config-access-map)#exit

In the first command, 20 is the sequence number, which means this rule will be checked after the rule with sequence number 10.
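To make the two pitfalls concrete (the ACL entry must say permit, and the map needs a forward clause), here is an added example that is not part of the original article, on the same switch1 topology: the broken form beside the corrected one.

```cisco
! Added example on the switch1 topology (192.168.1.1 -> 192.168.1.3 is
! to be dropped); not the article's own configuration.

! BROKEN: "deny" in the ACL and no forward clause. A deny entry means
! the packet does NOT match clause 10, so it falls through to the end
! of the map and hits the implicit deny. Result: Router1->Router3 is
! dropped, but so is Router2->Router3 and every other packet in VLAN 1.
ip access-list extended My_access_list
 deny ip host 192.168.1.1 host 192.168.1.3
vlan access-map Mapping 10
 match ip address My_access_list
 action drop
vlan filter Mapping vlan-list 1

! CORRECTED: "permit" selects the traffic clause 10 acts on, and
! sequence 20 (no match statement, so it matches everything) forwards
! the rest. The old map and filter are removed first.
no vlan filter Mapping vlan-list 1
no vlan access-map Mapping
ip access-list extended My_access_list
 no deny ip host 192.168.1.1 host 192.168.1.3
 permit ip host 192.168.1.1 host 192.168.1.3
vlan access-map Mapping 10
 match ip address My_access_list
 action drop
vlan access-map Mapping 20
 action forward
vlan filter Mapping vlan-list 1

! Verify that only the Router1->Router3 flow is affected.
show vlan access-map Mapping
show vlan filter
```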

At last, we will assign this access-map (Mapping, which references My_access_list) to a VLAN (here VLAN 1).

switch1(config)#vlan filter Mapping vlan-list 1

To verify the configuration, use the following commands.

switch1#show vlan access-map

This command displays the access map: its name, the sequence number of each rule, and the access-list name that has been used.

switch1#show vlan filter

This will display the VLANs which are filtered by the VLAN access map.