Access Control Lists Security
Today I will discuss about Access Control Lists Security issue. A switch with either no access control list (ACL) or a permissive ACL applied to its interfaces allows broad access for TCP/IP connections (e.g., FTP, telnet, DNS, HTTP, SNMP, ICMP) through the switch to any system (e.g., critical server) on the protected network. [boxads]
In preparation for implementing ACLs, categorize systems attached to the switches into groups that use the same network services. Grouping systems this way helps reduce the size and complexity of associated ACLs.
ACLs can permit or deny each packet based on the first access control statement that the packet matches. There are different types of access control lists: Port Access Control List (PACL), Router Access Control List (RACL) and VLAN Access Control List (VACL).
- 1. Port Access Control List (PACL)
PACLs are used to restrict the packets allowed into a given port. There are two types of PACLs, IP PACLs based on IP access lists and MAC PACLs based on MAC access lists. IP PACLs only filter packets with an IP ether type. Creating a standard or extended IP access list and applying the access list to a switchport interface is all that is required to implement IP PACLs.
Given an IOS that supports Unicast MAC Filtering, the following Access Control Lists Security commands are an example of using PACLs to restrict port access to one specific MAC address and IP access to one specific IP address from that MAC address.
Switch(config)# mac access-list extended host-mac
Switch(config-ext-macl)# permit host 0000.0101.0011 any
Switch(config-ext-macl)# exit
Switch(config)# ip access-list extended host-ip
Switch(config-ext-nacl)# permit ip host 10.1.101.11 any
Switch(config-ext-nacl)# exit
Switch(config)# interface fa0/2
Switch(config-if)# mac access-group host-mac in
Switch(config-if)# ip access-group host-ip in
