Configuring Network Security with ACL On Cisco Layer 3 Switch|LinkNewNet

New Products

New Promotion

-50%

C9500-40X-A

$4000 $2000

-29%

C9300-24T-A

$1750 $1250

-31%

DS-C9250I-K9

$1600 $1100

-38%

WS-C2960L-48PQ-LL

$800 $500

-42%

A9K-750W-AC

$600 $350

New Accessories

Configuring Network Security with ACL On Cisco Layer 3 Switch

Aug 09 , 2022 4387

What is ACL?

ACL is the short of access control lists. On some types of proprietary computer-hardware (in particular routers and switches), an access-control list provides rules that are applied to port numbers or IP addresses that are available on a host or other layer 3, each with a list of hosts and/or networks permitted to use the service. Although it is additionally possible to configure access-control lists based on network domain names, this is a questionable idea because individual TCP, UDP, and ICMP headers do not contain domain names. Consequently, the device enforcing the access-control list must separately resolve names to numeric addresses. This presents an additional attack surface for an attacker who is seeking to compromise security of the system which the access-control list is protecting. Both individual servers as well as routers can have network ACLs. Access-control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls. Like firewalls, ACLs could be subject to security regulations and standards such as PCI DSS.

ACL access control lists are indispensable for building a security-compliant network, but configuring ACLs on Layer 3 switches is not known to some of the primary network administrators who are new to the enterprise. The following describes the test process for how to configure an ACL on a Cisco Layer 3 switch.

Switch configuration ACL

The local Vlan is configured on the Layer 3 switch to implement interworking between the lower VLANs of the lower access layer switches.

PC1 192.168.20.10 VLAN 192.168.20.1

PC2 192.168.30.20 VLAN 192.168.30.1

PC3 192.168.40.30 VLAN 192.168.40.1

PC4 192.168.50.40 VLAN 192.168.50.1

F0/1 192.168.70.2 (turn on routing function)

Configuration on the router

F0/0 192.168.60.1 PC5 192.168.60.50

F0/1 192.168.70.1

Experimental steps:

1. Add the corresponding PC to the VLAN on the Layer 2 switch.

View switch Switch0

Switch0(config)#show run

Interface FastEthernet0/1

Switchport access vlan 2

Interface FastEthernet0/2

Switchport access vlan 3

View switch Switch1

Switch1#show run

Interface FastEthernet0/3

Switchport access vlan 4

Interface FastEthernet0/4

Switchport access vlan 5

2. Configure the corresponding local VALN on the Layer 3 switch.

Switch(config)#inter vl 2

Switch(config-if)#ip add 192.168.20.1 255.255.255.0

Switch(config-if)#no shut

Switch(config)#inter vl 3

Switch(config-if)#ip add 192.168.30.1 255.255.255.0

Switch(config-if)#no shut

Switch(config)#inter vl 4

Switch(config-if)#ip add 192.168.40.1 255.255.255.0

Switch(config-if)#no shut

Switch(config)#inter vl 5

Switch(config-if)#ip add 192.168.50.1 255.255.255.0

Switch(config-if)#no shut

Switch(config-if)#exi

Enable the routing interface on the interface itnerface f0/1

Switch(config)#inter f0/1

Switch(config-if)#no switchport

3. Enable the relay link between the Layer 2 switch and the Layer 3 switch.

4. Configure dynamic routing protocol RIP on routers and Layer 3 switches.

Router(config)#router rip

Router(config)#network 192.168.60.0

Router(config)# network 192.168.70.0

Layer 3 switch configuration

Switch(config)#router rip

Switch(config-router)#ne

Switch(config-router)#network 192.168.70.0

Switch(config-router)#network 192.168.20.0

Switch(config-router)#network 192.168.30.0

Switch(config-router)#network 192.168.40.0

Switch(config-router)#network 192.168.50.0

Switch(config-router)#

5. Verify the interoperability of each PC

PC>ping 192.168.30.20

Pinging 192.168.30.20 with 32 bytes of data:

Request timed out.

Reply from 192.168.30.20: bytes=32 time=110ms TTL=126

Reply from 192.168.30.20: bytes=32 time=110ms TTL=126

Reply from 192.168.30.20: bytes=32 time=125ms TTL=126

Ping statistics for 192.168.30.20:

Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),

Approximate round trip in in milli-seconds:

Minimum = 110ms, Maximum = 125ms, Average = 115ms

PC>ping 192.168.40.30

Pinging 192.168.40.30 with 32 bytes of data:

Reply from 192.168.40.30: bytes=32 time=94ms TTL=126

Reply from 192.168.40.30: bytes=32 time=125ms TTL=126

Reply from 192.168.40.30: bytes=32 time=125ms TTL=126

Reply from 192.168.40.30: bytes=32 time=109ms TTL=126

Ping statistics for 192.168.40.30:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip in in milli-seconds:

Minimum = 94ms, Maximum = 125ms, Average = 113ms

6. Configure an ACL on the Layer 3 switch.

Note that if PCs with different VALNs cannot be interconnected, the applied interface should be the local Llan interface corresponding to the VLAN.

Setting PC1 cannot ping PC3 and PC4

Switch(config)#access-list 10 deny host 192.168.20.10

Applied to the interface

Switch(config)#inter vl 4

Switch(config-if)#ip access-group 10 out

Switch(config-if)#exi

Switch(config)#inter vl 5

Switch(config-if)#ip access-group 10 out

Switch(config-if)#

or it could be

Switch(config)#inter vl 2

Switch(config-if)#ip access-group 10 in

Switch(config-if)#

Note: The ACL is applied to the interface. From PC1 to PC3 and PC4, the data flow direction is entered through the local Vlan2 interface configured on the Layer 3 switch, and then the local Vlan4 configured on the Layer 3 switch goes out to PC3 and goes out from the local Vlan5. Arrive at PC4. Therefore, when configuring an ACL, you should pay attention to which interface the access control list is applied to.

7. Verification:

PC1 cannot ping PC3 and PC4

PC>ping 192.168.50.40

Pinging 192.168.50.40 with 32 bytes of data:

Request timed out.

Request timed out.

Ping statistics for 192.168.50.40:

Packets: Sent = 3, Received = 0, Lost = 3 (100% loss),

Control-C

^C

PC>ping 192.168.40.30

Pinging 192.168.40.30 with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Request timed out.

In this test, the routing interface mode is enabled on the lower interface of the Layer 3 switch, f0/5 and f0/6. As a result, the Vlan fails. Therefore, f0/5 and f0/6 cannot enable the route interface mode.

When configuring ACLs between Vlan 2, 3, 4, and 5, you must figure out the ingress and egress interfaces of data flows. Here, the data flows between Vlan 2, 3, 4, and 5 are on the Layer 3 switch. Configure the local VLAN interface.

In fact, the ACL principle is the same. As long as the difference between the ACL configured on the Layer 3 switch and the configuration on the router is clear, configuring the ACL on the Layer 3 switch is simple.

Linknewnet.com provides new and used Cisco switches, have any need for Cisco switch please feel free to contact us.

Next: WS-C2960-24TC-L Review - Cisco 2960 Switch

Tags: Configuration Cisco switch ACL

Related Blogs

Sep 26 , 2024

What is the difference between a router and a switch?

In the modern networking world, we often use routers and switches for networking, and they play an important role in network circulation in their respective fields. Due to the many similarities in the functions of these two devices, many people are confused about what exactly is a router? What is a switch is more or less confused. What are the differences between them? Today we will reveal them one by one.

Sep 21 , 2024

Creating and Deleting VLANs on Cisco Switches

In modern enterprise networks, VLANs play a very important role in network transmission. Administrators can use VLANs to divide a physical switch into multiple logical switches to simplify network management and improve network performance and security. As network administrators, learning how to create and delete VLANs on Cisco Catalyst switches is a must-have skill.

Sep 10 , 2024

Cisco 3750X Switch vs 3850 Switch, which is better for your business?

When choosing an enterprise switch, network administrators and IT engineers often encounter a situation where they are torn between two models, especially products with similar performance, such as the Cisco 3750X and 3850 series is a typical example. These two switches, as Cisco's classics, have a wide range of applications in the market. So, what is the difference between these two? And how are they related to each other?

Sep 04 , 2024

What is console cable? How to manage the switch easily through console cable?

In modern IT equipment management, the switch is the core of the network, and to manage it in the simplest way during daily use, it is indispensable to support the Console cable. Although many people do not understand this small cable, but it is the network administrator's daily work in the “secret weapon”. Whether you are configuring a device for the first time or troubleshooting a problem, the console cable is an indispensable networking tool.

Aug 29 , 2024

How do I connect a Cisco wireless AP to a wireless controller?

Wireless access points are primarily responsible for providing wireless signal coverage and connectivity, while wireless controllers are responsible for centrally managing and optimizing the performance and security of multiple access points. Used in combination, the two can build an efficient, stable and secure wireless network. How to connect wireless controller with wireless access point

Jul 05 , 2022

Cisco Catalyst 2960 Series Switches Overview

Cisco Catalyst 2960 series switches provide services for conventional office, branches, workspaces, medium-sized deployments and infrastructure networks. This series offers forwarding bandwidths up to 100-108 Gigabyte per second (Gbps) and switching bandwidth, which is full duplex up to 216 Gigabyte per second (Gbps). In addition, this series includes several other sub-series: Cisco 2960S, Cisco 2960X, Cisco 2960+, Cisco 2960L, and 2960XR.

Jul 05 , 2022

How To Upgrade IOS On Cisco 3560 Switches?

Do you want to upgrade Cisco 3560 switch IOS? It is very easy, you only need to do these 4 steps. Below are the details about how to do it.

Jul 05 , 2022

Top 9 Reasons for Network Switches Failure

The switch will inevitably encounter failures during normal use. Network switch failures can cause network downtime, affecting our business, production, and damage to our property, so we have to troubleshoot and repair the switch in the shortest possible time. Here we introduce you to the 9 common hardware and software failures of the switch.

Jul 06 , 2022

What Are the 4 Types of Network Switches?

The Internet of Everything is inseparable from the essential network equipment - switches, which will play a vital role in the networking of the Internet of Things. Below is an introduction to four network switch architectures, their types include Cascade Connection,Port Aggregation,Stacking,Layered.

Jul 06 , 2022

How Do I Troubleshooting Cisco Switches Hardware Issue

During the daily use of the switch, we may encounter some failures, the faults of the switch are mainly divided into two categories. The first type is a hardware failure, which is a problem on the hardware. The second type is software failure, which is a problem inside the switch. Now let's troubleshooting the hardware failure.