Switch ACL configuration exercise

Source: Internet
Author: User

In general network management, we usually want to allow access from some connections and prohibit it from others. However, many security tools lack the flexibility for the basic traffic filtering and fine-grained control that network management requires. A layer-3 switch is powerful and offers several management mechanisms, among them a built-in ACL (Access Control List), which we can use to control the traffic passing through the switch. The following describes how to implement the ACL function on Lenovo's L3 switch 3508GF.

Use standard ACL to Control Network Access

When you want to block all traffic from a certain network, allow all traffic from a specific network, or reject all traffic from a certain protocol family, you can use a standard access control list. A standard ACL checks only the source address of each packet, and permits or denies all traffic leaving the switch based on the network, subnet, or host IP address.
The configuration statement of a standard ACL is:
Switch # access-list access-list-number (1 ~ 99) {permit | deny} {any | source [source-wildcard-mask]} {any | destination [destination-mask]}
Example 1: Allow access from hosts on the 192.168.3.0 network:
Switch # access-list 1 permit 192.168.3.0 0.0.0.255
Example 2: Deny access from hosts on the 172.10.0.0 network:
Switch # access-list 2 deny 172.10.0.0 0.0.255.255
Example 3: Allow access from all IP addresses:
Switch # access-list 1 permit 0.0.0.0 255.255.255.255
Example 4: Deny communication from the host 192.168.1.33:
Switch # access-list 3 deny 192.168.1.33 0.0.0.0
The 0.0.0.255 and 0.0.255.255 above are 32-bit wildcard (inverse) masks: a 0 bit means "check the corresponding address bit", and a 1 bit means "do not check the corresponding bit". For example, to match the whole 33.0.0.0 network (a /8), the wildcard mask is 0.255.255.255.

Use extended ACL to Control Network Access

An extended access control list checks the source address and the destination address of a packet, as well as its protocol type and port number. It is therefore more flexible and scalable than a standard ACL: you can permit traffic of certain protocols to an address while denying traffic of other protocols to the same address, and design the match conditions of the ACL freely.
The complete command format of an extended ACL is as follows:
Switch # access-list access-list-number (100 ~ 199) {permit | deny} protocol {any | source [source-mask]} {any | destination [destination-mask]} [port-number]
Example 1: Deny pings (ICMP) from subnet 192.168.3.0 through the switch to subnet 192.168.4.0:
Switch # access-list 100 deny icmp 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
Example 2: Prevent subnet 192.168.5.0 from accessing the Internet (WWW service) while allowing access from other subnets:
Switch # access-list 101 deny tcp 192.168.5.0 0.0.0.255 any www
Or, equivalently: Switch # access-list 101 deny tcp 192.168.5.0 0.0.0.255 any 80
Example 3: Allow E-mail to be sent through the switch from 192.168.6.0, and deny traffic from all other sources:
Switch # access-list 101 permit tcp 192.168.6.0 0.0.0.255 any smtp
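The following is an added example, not code from the original page or from Lenovo's switch firmware: a small Python model of the wildcard-mask test described in the standard ACL section and of the first-match evaluation of access list 101 as built up in Examples 2 and 3 above. The Rule/evaluate names, the sample packets and the 203.0.113.x destinations are constructed for illustration; the implicit deny at the end of the list follows from Example 3's "deny traffic from all other sources".

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard (inverse) mask of a /prefix_len network: /24 -> 0.0.0.255, /8 -> 0.255.255.255."""
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard means 'check this address bit', a 1 bit means 'ignore it'."""
    to_int = lambda s: int(ipaddress.IPv4Address(s))
    care = 0xFFFFFFFF ^ to_int(wildcard)      # set bits are the ones that must match
    return to_int(addr) & care == to_int(base) & care

@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    src: str                        # source network ...
    src_wc: str                     # ... and its wildcard mask
    dst: str = "0.0.0.0"            # these defaults mean destination "any"
    dst_wc: str = "255.255.255.255"
    proto: Optional[str] = None     # None = any protocol (a standard ACL rule)
    dport: Optional[int] = None     # None = any destination port

def evaluate(acl: list, pkt: dict) -> str:
    """Rules are tried top to bottom and the first match decides; a packet that
    matches no rule falls through to the implicit deny at the end of the list."""
    for r in acl:
        if r.proto is not None and r.proto != pkt["proto"]:
            continue
        if r.dport is not None and r.dport != pkt.get("dport"):
            continue
        if wildcard_match(pkt["src"], r.src, r.src_wc) and \
           wildcard_match(pkt["dst"], r.dst, r.dst_wc):
            return r.action
    return "deny"
# Access list 101 as built up in Examples 2 and 3 above (www = TCP 80, smtp = TCP 25).
ACL_101 = [
    Rule("deny", "192.168.5.0", "0.0.0.255", proto="tcp", dport=80),
    Rule("permit", "192.168.6.0", "0.0.0.255", proto="tcp", dport=25),
]
# Constructed sample packets, not captured traffic; 203.0.113.x is documentation address space.
PACKETS = {
    "web_from_5":  {"src": "192.168.5.20", "dst": "203.0.113.9",  "proto": "tcp", "dport": 80},
    "mail_from_6": {"src": "192.168.6.7",  "dst": "203.0.113.25", "proto": "tcp", "dport": 25},
    "mail_from_5": {"src": "192.168.5.20", "dst": "203.0.113.25", "proto": "tcp", "dport": 25},
    "web_from_6":  {"src": "192.168.6.7",  "dst": "203.0.113.9",  "proto": "tcp", "dport": 80},
}
def apply_acl_101() -> dict:
    return {name: evaluate(ACL_101, pkt) for name, pkt in PACKETS.items()}
```

Only SMTP from 192.168.6.0/24 is permitted; web traffic from 192.168.6.0/24 and everything from 192.168.5.0/24 ends at the implicit deny, which is why Example 3 alone blocks "all other sources".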

Port and VLAN-based ACL Access Control

The rules of standard and extended access control lists apply to the whole switch. If you want to control only one port of the switch, you can bind that port to the rules above.
The configuration statement is:
Switch # access-list port <port-id> <group-id>
For example, to reject traffic from the address range 192.168.3.0 on port 4 of the switch, the configuration is as follows:
Switch # access-list 1 deny 192.168.3.0 0.0.0.255
Switch # access-list port 4 1 // Bind port 4 to rule group 1
The VLAN-based access control list is a simple access rule based on VLAN settings. It permits or denies the forwarding of a VLAN's packets by the switch.
Configuration statement:
Switch # access-list vlan <vlan-id> [deny | permit]
For example, to deny the traffic of VLAN 2:
Switch # access-list vlan 2 deny
In addition, you can inspect the configured access control lists with the show command:
Switch # show access-list
Example:
Switch # show access-list // display the ACL list;
ACL Status: Enable // The ACL Status is allowed;
Standard IP access list: // IP address access list;
GroupId 1 deny srcIp 192.168.3.0 any Active // disable network access of 192.168.3.0;
GroupId 2 permit any Active // allow access from other networks
To remove an existing access control list, use the following command format:
Switch # no access-list access-list-number
Example: Cancel access list 1:
Switch # no access-list 1
With the ACL settings above, we have a general control mechanism for network security, so that the layer-3 switch becomes an important control point at the entrance and exit of network communication. A correctly configured ACL takes over part of a firewall's role, and in particular guards against attacks originating from the internal network, something an external dedicated firewall cannot do; this greatly improves the security of the LAN.

Getting started

An ACL is a list of statements applied to a switch interface. These statements tell the switch which packets to accept and which to reject. The accept or reject decision can be based on the source address, destination address, port number, and other conditions. An ACL has three main functions:
◆ Restricting network traffic and improving network performance. For example, an ACL can assign a priority to packets based on their protocol, so that the switch handles them accordingly.
◆ Providing basic security measures for network access. For example, an ACL can allow one host to access a resource while denying another host access to the same resource.
◆ Deciding, at the switch interface, which types of traffic are forwarded and which are blocked. For example, FTP traffic can be blocked while E-mail traffic is allowed through.
After creating an access control list, you can restrict network traffic, improve network performance, and control communication flows; this is also a basic security measure for network access. There are three main types of ACL rules:
◆ Standard access control lists, which can limit traffic from certain IP addresses.
◆ Extended access control lists, which can control access to certain applications.
◆ Port- and VLAN-based access control lists, which can control access on specific switch ports or on an entire VLAN.

