Category Archives: CCIE R&S

Access Controls Lists on Multilayer Cisco Catalyst Switches


Did you ever stop and think about just how many options you have for controlling traffic in the data plane on a multilayer Cisco Catalyst switch?

Here is a recap of your options –

  • Port ACL (PACL) – this option is for your Layer 2 switchports. You can apply:
    • IP standard or extended ACLs for controlling IP traffic
    • MAC ACLs for controlling non-IP traffic
  • Router ACL (RACL) – this option is for your Layer 3 (routed) interfaces. You can apply:
    • IP standard or extended ACLs for controlling IP traffic
  • VLAN ACL (VACL) – these are also referred to as VLAN Access Maps. You can apply:
    • IP VLAN maps for controlling IP traffic
    • MAC VLAN maps for controlling non-IP traffic

Most of us are well-versed in IP standard and extended access control lists; it is the MAC ACLs of the PACL approach and the VACLs that we need practice with. I will be sure to publish my CBT Nuggets on this subject on YouTube for all to enjoy.

IPv4 Access Lists in the CCIE Lab Exam


I am getting ready for my Nugget on the above subject and I wanted to provide some thoughts and notes here on the blog on this important subject.

I am currently training for a half-marathon. Yes, and thanks for putting up with all of my RunKeeper Tweets on the subject. 🙂 With the training, there are certain metrics you need to hit in order to really determine whether you can finish on race day. It is the same way with the CCIE. One metric is ACLs. If you do not have them mastered, you are in big trouble on race day. Think about it: you use them for traffic filtering, and then for traffic identification in a whole host of other features on the devices. QoS, network management, the list goes on and on.

The traffic filtering part gets really scary. Drop one in that does not account for the other traffic your lab scenario requires and you can easily break things badly enough to fail. And when you are building the lists, you must really take your time to ensure that you are meeting their specific directions. Are you matching the EXACT traffic they want, in the correct direction?

Here is a list of tips and things to think about for this important topic. These are in no particular order:

  • Read very carefully when you need to build an ACL traffic filter. Often, you will be asked to block something extremely specific, for example, echo-replies. Should you block too generally, like requests and replies, you fail the task.
  • Drawing out the scenario on your scratch paper will often help you with what specifically to match and in what direction.
  • You certainly would want to avoid this in production, but in the lab it is fine to end your ACLs with deny ip any any log-input. This will allow you to see just what you broke in your lab with your ACL!
  • Remember that an outbound ACL will not impact traffic generated by that local router.
  • access-group is used for traffic filtering on your interfaces, while access-class is used for your VTY lines. Remember with the access-class out command, it is controlling where someone can Telnet out of your router AFTER they have already Telnetted into it.
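As an added example (not configuration from the original posts), here is one IOS configuration that ties the two posts together: the three data-plane options from the first post (PACL, VACL, RACL) and the tips above (match only what the task names, end a lab ACL with deny ip any any log-input, and the difference between access-class in and out). The VLAN numbers, interface, addresses, MAC addresses and the task wording are all assumed for the illustration.

```cisco
! Section 1 - PACL on a Layer 2 access port (PACLs are inbound only):
! an IP ACL for IP traffic and a MAC ACL for the non-IP traffic.
ip access-list extended PACL-IP
 permit ip 10.1.1.0 0.0.0.255 any
mac access-list extended PACL-MAC
 permit host 0011.2233.4455 any
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ip access-group PACL-IP in
 mac access-group PACL-MAC in
!
! Section 2 - VACL (VLAN access map) on VLAN 10: drop non-IP frames from
! one MAC, forward all IP. The explicit IP "forward" entry avoids relying
! on the platform default for packets that match no sequence.
mac access-list extended VACL-BLOCKED-MAC
 permit host 0011.2233.4466 any
ip access-list extended VACL-ALL-IP
 permit ip any any
vlan access-map VLAN10-MAP 10
 match mac address VACL-BLOCKED-MAC
 action drop
vlan access-map VLAN10-MAP 20
 match ip address VACL-ALL-IP
 action forward
vlan filter VLAN10-MAP vlan-list 10
!
! Section 3 - RACL on the SVI. Task (assumed): from VLAN 10 permit only
! Telnet and ICMP echo-requests to 10.1.2.0/24. The task names echo
! requests, so a plain "deny icmp" (replies too) would be too broad.
ip access-list extended VLAN10-TASK
 permit tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 eq telnet
 permit icmp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 echo
 deny   ip any any log-input
interface Vlan10
 ip access-group VLAN10-TASK in
! Lab only: log-input hits (e.g. routing hellos from VLAN 10 neighbors)
! show what else this filter broke. An "out" ACL on Vlan10 would not
! filter pings that this switch itself sources.
!
! Section 4 - VTY lines: access-class in = who may Telnet to this box;
! access-class out = where an already logged-in user may Telnet to next.
ip access-list standard MGMT-IN
 permit 10.1.2.0 0.0.0.255
ip access-list standard TELNET-OUT
 permit 10.1.3.0 0.0.0.255
line vty 0 4
 access-class MGMT-IN in
 access-class TELNET-OUT out
```

Before leaving Section 3 in a real lab, check the log-input hits with show logging and decide which of the dropped flows the task still requires you to permit.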