Configuring Network Security with ACL On Cisco Layer 3 Switch

by linknewnet.com Writer : Zheng Hong Trade

What is an ACL?

ACL is short for access control list. On network devices such as routers and switches, an access control list is a set of rules applied to the IP addresses or port numbers reachable on a host or other Layer 3 device, each rule naming the hosts and/or networks that are permitted (or denied) to use the service. Although it is technically possible to build access control lists on domain names, this is a questionable idea, because TCP, UDP and ICMP headers carry no domain names; the device enforcing the list would have to resolve names to numeric addresses itself, and that resolution step (DNS) adds attack surface to the very system the list is meant to protect. Both individual servers and routers can carry network ACLs. ACLs can generally be applied to inbound and outbound traffic, and in that role they behave much like a stateless packet-filtering firewall. Like firewalls, ACLs can fall under security regulations and standards such as PCI DSS.

Access control lists are indispensable for building a security-compliant network, but configuring ACLs on a Layer 3 switch is unfamiliar to some network administrators who are new to enterprise networking. The following describes a lab test of how to configure an ACL on a Cisco Layer 3 switch.
 
ACL chart

Switch configuration ACL

VLAN interfaces (SVIs) are configured on the Layer 3 switch so that it routes between the VLANs of the downstream access-layer switches.
 
Layer 3 switch

PC1  192.168.20.10  VLAN 2  SVI 192.168.20.1

PC2  192.168.30.20  VLAN 3  SVI 192.168.30.1

PC3  192.168.40.30  VLAN 4  SVI 192.168.40.1

PC4  192.168.50.40  VLAN 5  SVI 192.168.50.1

F0/1 192.168.70.2  (routed port, routing enabled)

Configuration on the router

F0/0 192.168.60.1  PC5 192.168.60.50

F0/1 192.168.70.1

Experimental steps:

1. Add the corresponding PC to the VLAN on the Layer 2 switch.

View the configuration of Switch0

Switch0#show run

interface FastEthernet0/1
 switchport access vlan 2

interface FastEthernet0/2
 switchport access vlan 3

View the configuration of Switch1

Switch1#show run

interface FastEthernet0/3
 switchport access vlan 4

interface FastEthernet0/4
 switchport access vlan 5

2. Configure the corresponding VLAN interfaces (SVIs) on the Layer 3 switch and enable IP routing.

IP routing is not enabled by default on a Catalyst Layer 3 switch; without it the SVIs do not forward between VLANs and the router rip command used in step 4 is unavailable.

Switch(config)#ip routing

Switch(config)#interface vlan 2

Switch(config-if)#ip address 192.168.20.1 255.255.255.0

Switch(config-if)#no shutdown

Switch(config-if)#exit

Switch(config)#interface vlan 3

Switch(config-if)#ip address 192.168.30.1 255.255.255.0

Switch(config-if)#no shutdown

Switch(config-if)#exit

Switch(config)#interface vlan 4

Switch(config-if)#ip address 192.168.40.1 255.255.255.0

Switch(config-if)#no shutdown

Switch(config-if)#exit

Switch(config)#interface vlan 5

Switch(config-if)#ip address 192.168.50.1 255.255.255.0

Switch(config-if)#no shutdown

Switch(config-if)#exit

Turn interface f0/1 (the link to the router) into a routed port and give it the address from the table above:

Switch(config)#interface f0/1

Switch(config-if)#no switchport

Switch(config-if)#ip address 192.168.70.2 255.255.255.0

Switch(config-if)#no shutdown

3. Configure the links between each Layer 2 switch and the Layer 3 switch as 802.1Q trunk links (switchport mode trunk on both ends) so that all four VLANs are carried to the Layer 3 switch. These downlinks must stay in switchport mode; do not apply no switchport to them (see the note at the end).

4. Configure the dynamic routing protocol RIP on the router and on the Layer 3 switch so that the PC VLANs and the 192.168.60.0 network behind the router learn each other's routes.

Router configuration

Router(config)#router rip

Router(config-router)#network 192.168.60.0

Router(config-router)#network 192.168.70.0

Layer 3 switch configuration

Switch(config)#router rip

Switch(config-router)#network 192.168.70.0

Switch(config-router)#network 192.168.20.0

Switch(config-router)#network 192.168.30.0

Switch(config-router)#network 192.168.40.0

Switch(config-router)#network 192.168.50.0

5. Verify that the PCs can reach each other before any ACL is applied (the single "Request timed out" on the first ping is typical of the first packet while ARP resolves, not a configuration fault).

PC>ping 192.168.30.20
 
Pinging 192.168.30.20 with 32 bytes of data:
 
Request timed out.
 
Reply from 192.168.30.20: bytes=32 time=110ms TTL=126
 
Reply from 192.168.30.20: bytes=32 time=110ms TTL=126
 
Reply from 192.168.30.20: bytes=32 time=125ms TTL=126
 
Ping statistics for 192.168.30.20:
 
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
 
Approximate round trip times in milli-seconds:
 
Minimum = 110ms, Maximum = 125ms, Average = 115ms
 
PC>ping 192.168.40.30
 
Pinging 192.168.40.30 with 32 bytes of data:
 
Reply from 192.168.40.30: bytes=32 time=94ms TTL=126
 
Reply from 192.168.40.30: bytes=32 time=125ms TTL=126
 
Reply from 192.168.40.30: bytes=32 time=125ms TTL=126
 
Reply from 192.168.40.30: bytes=32 time=109ms TTL=126
 
Ping statistics for 192.168.40.30:
 
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
 
Approximate round trip times in milli-seconds:
 
Minimum = 94ms, Maximum = 125ms, Average = 113ms

6. Configure an ACL on the Layer 3 switch.

Note: to filter traffic between PCs in different VLANs, the ACL is applied to the SVI (interface vlan N) of the VLAN concerned. The physical access ports belong to the Layer 2 switches; inter-VLAN traffic is only routed, and therefore only filterable by a router ACL, on the Layer 3 switch's VLAN interfaces.

Goal: PC1 must not be able to reach PC3 and PC4.

Switch(config)#access-list 10 deny host 192.168.20.10

Switch(config)#access-list 10 permit any

Every IOS ACL ends with an implicit deny any. With only the deny line, the list would drop all routed traffic through whatever interface it is applied to, not just traffic from PC1; the explicit permit any is what turns it into a targeted deny. The verification below only pings from PC1, so a missing permit any would not show up there.

Apply it outbound on the SVIs of the VLANs to be protected:

Switch(config)#interface vlan 4

Switch(config-if)#ip access-group 10 out

Switch(config-if)#exit

Switch(config)#interface vlan 5

Switch(config-if)#ip access-group 10 out

Switch(config-if)#exit

Alternatively it can be applied inbound on the SVI of PC1's own VLAN:

Switch(config)#interface vlan 2

Switch(config-if)#ip access-group 10 in

The two placements are not equivalent. Inbound on vlan 2 the list sees every packet PC1 sends to any other network, so PC1 also loses reachability to PC2 and to PC5 behind the router, not only to PC3 and PC4. Outbound on vlan 4 and vlan 5 restricts exactly the two destinations the policy names. Choose the placement that matches the intended policy, and keep in mind that a standard ACL matches on source address only and is stateless: it drops PC1's requests but says nothing about the reverse path.

Note on direction: the ACL is applied to an interface in the direction the traffic flows through it. From PC1 to PC3 and PC4, a packet enters the Layer 3 switch through interface vlan 2 (the "in" direction on vlan 2) and leaves it through interface vlan 4 towards PC3 or interface vlan 5 towards PC4 (the "out" direction on those SVIs). When configuring an ACL, check both which interface and which direction the list is applied to.
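The placement question above is easy to get wrong by hand, so here is a small simulation of IOS standard-ACL semantics run against the page's own address table. It is an added example written for this page, not Cisco code: it models first-match-wins evaluation with the implicit deny at the end, Cisco wildcard masks, and the fact that a router ACL on an SVI sees a packet inbound on the source VLAN's SVI and outbound on the destination VLAN's SVI. The names HOSTS, ACL10_AS_WRITTEN, ACL10_FIXED and the placement dictionaries are the example's own; "f0/1" stands in for the routed port towards the router, through which PC5 is reached.

```python
"""Standard (source-only) ACL evaluation modelled on the page's topology.

Added example, not Cisco code.  It simulates IOS standard-ACL semantics
(first match wins, implicit deny at the end, wildcard masks) and where a
router ACL on an SVI sees a packet: inbound on the interface it arrives
through, outbound on the interface it leaves through.
"""
import ipaddress

# Page's address table: host -> (IP, interface on the L3 switch it is reached through).
HOSTS = {
    "PC1": ("192.168.20.10", "vlan2"),
    "PC2": ("192.168.30.20", "vlan3"),
    "PC3": ("192.168.40.30", "vlan4"),
    "PC4": ("192.168.50.40", "vlan5"),
    "PC5": ("192.168.60.50", "f0/1"),   # behind the router, via the routed port (assumed label)
}

HOST_WILDCARD = "0.0.0.0"              # the 'host x.x.x.x' keyword
ANY = ("0.0.0.0", "255.255.255.255")   # the 'any' keyword


def matches(entry_addr, wildcard, src):
    """Cisco wildcard match: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    entry = int(ipaddress.IPv4Address(entry_addr))
    return (entry & care) == (int(ipaddress.IPv4Address(src)) & care)


def evaluate(acl, src):
    """Walk the list top-down; the first matching entry decides.  No match -> implicit deny."""
    for action, addr, wildcard in acl:
        if matches(addr, wildcard, src):
            return action
    return "deny"


def allowed(placements, src_host, dst_host):
    """True if a packet from src_host to dst_host passes every ACL on its path.

    placements: {(interface, "in"|"out"): acl}.  The packet is checked inbound on
    the interface it arrives through and outbound on the interface it leaves
    through.  A standard ACL only looks at the source address.
    """
    src_ip, src_if = HOSTS[src_host]
    _, dst_if = HOSTS[dst_host]
    for hop in ((src_if, "in"), (dst_if, "out")):
        acl = placements.get(hop)
        if acl is not None and evaluate(acl, src_ip) == "deny":
            return False
    return True


def reachability(placements):
    """Reachability matrix {(src, dst): bool} over every ordered pair of hosts."""
    return {(s, d): allowed(placements, s, d) for s in HOSTS for d in HOSTS if s != d}


def blocked_pairs(placements):
    """Sorted list of the (src, dst) pairs a placement denies."""
    return sorted(pair for pair, ok in reachability(placements).items() if not ok)


# access-list 10 with only the deny line, and the corrected list with 'permit any' after it.
ACL10_AS_WRITTEN = [("deny", "192.168.20.10", HOST_WILDCARD)]
ACL10_FIXED = ACL10_AS_WRITTEN + [("permit",) + ANY]

# The two placements discussed on the page, plus the deny-only list applied outbound.
OUT_ON_VLAN4_AND_5 = {("vlan4", "out"): ACL10_FIXED, ("vlan5", "out"): ACL10_FIXED}
IN_ON_VLAN2 = {("vlan2", "in"): ACL10_FIXED}
DENY_ONLY_OUT = {("vlan4", "out"): ACL10_AS_WRITTEN, ("vlan5", "out"): ACL10_AS_WRITTEN}

if __name__ == "__main__":
    for name, placement in (("deny-only list, out on vlan4/5", DENY_ONLY_OUT),
                            ("fixed list, out on vlan4/5", OUT_ON_VLAN4_AND_5),
                            ("fixed list, in on vlan2", IN_ON_VLAN2)):
        print(f"{name}: blocked = {blocked_pairs(placement)}")
```

Running it shows three different policies from the same deny line: the deny-only list applied outbound cuts every host off from PC3 and PC4 (the implicit deny), the corrected list outbound on vlan 4 and vlan 5 blocks exactly PC1 to PC3 and PC1 to PC4, and the corrected list inbound on vlan 2 blocks PC1 from all four other hosts. It also shows that PC3 to PC1 is still permitted under the outbound placement, because nothing filters the reverse direction.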

7. Verification:

PC1 can no longer ping PC3 or PC4:
 
PC>ping 192.168.50.40
 
Pinging 192.168.50.40 with 32 bytes of data:
 
Request timed out.
 
Request timed out.
 
Ping statistics for 192.168.50.40:
 
Packets: Sent = 3, Received = 0, Lost = 3 (100% loss),
 
Control-C
 
^C
 
PC>ping 192.168.40.30
 
Pinging 192.168.40.30 with 32 bytes of data:
 
Request timed out.
 
Request timed out.
 
Request timed out.
 
Request timed out.
 
In this test, routed-port mode (no switchport) was at one point enabled on the downlink interfaces f0/5 and f0/6 of the Layer 3 switch. A routed port no longer belongs to any VLAN, so the VLANs carried over those links stopped working and the SVIs lost their member ports. The downlinks to the Layer 2 switches must therefore remain switchports (trunks); only the uplink to the router is a routed port.

When configuring ACLs between VLANs 2, 3, 4 and 5, first work out the ingress and egress interfaces of the traffic you want to filter. Here the traffic between those VLANs is routed entirely on the Layer 3 switch, so the ACL is applied to the VLAN interfaces (SVIs) there.

The ACL principle itself is the same as on a router. Once the difference between applying an ACL on a Layer 3 switch (to SVIs and routed ports) and on a router (to physical interfaces) is clear, configuring an ACL on the Layer 3 switch is straightforward.

Linknewnet.com provides new and used Cisco switches, have any need for Cisco switch please feel free to contact us.