Share this
Configure Network Security Using an ACL in SVI Environments
by Darin Knobbe on Aug 13, 2020 1:45:00 PM
Network security is as important now than ever with data getting bigger and more precious. As network security helps businesses reduce the risk of data theft and disturbance in production network operations, it is key to understand your security environment. An access control list (ACL) provides the network security in your routing and switching environments through a rule or series of rules that can permit or deny data traffic from the network layer. Today, we will look at ACL concepts as well as troubleshooting common cases that you may see.
A quick note before we dive in. Where there are no specific prerequisites for applying ACL in the network, it should be done with professional network/security engineers. This feature is in Cisco IOS software releases 8.3 or later, and uses packet filtering. Packet filtering is a firewall technique used to control network access by monitoring outgoing and incoming packets while allowing them to pass or halt based on the source and destination Internet Protocol (IP) addresses, protocols, and ports. We can set the configuration (as you'll see below) to IP filter traffic in Cisco layer 3 switches, such as the Nexus switches, between two different SIV's/VLANs. Let's dive in!
Why ACL in Networks
The ACLs work by blocking specified traffic to enhance the performance of the network. A strong security is provided though blocking packets that are destined to sensitive areas in the network. Determination of the type of traffic to forward based on the protocols takes places to then deny certain users access to the internet while allowing others. Please note that we are not focusing on access list types today, but if you would like to access more information, click here to get in touch!
The example we will use today uses a PivIT environment with Nexus switches. We will show you a couple of rules to you can use, but you can add or remove rules from the default network ACL. When rules are added or removed they are automatically applied to the subnets that the ACL is associated with. Parts of a network ACL rule include:
- Rule Number
- Type
- Protocol
- Port Range
- Source
- Destination
- Allow/Deny
Access control lists are a principal element in securing your network, and understanding their function is essential to achieving their best effectiveness. Below are a few rules and configurations to help gain the knowledge and understanding around ACLs and basic rules to apply.
Before we get started with the specific configurations, ask yourself a couple of questions:
- Do I have the time to handle configurations?
- Do I have the bandwidth to configure my devices?
If you answered "No" to these questions, consider PivIT's SmartHands through EXTEND. Hire an engineer to take on these basic configurations and more. Click below to learn more about SmartHands.
Step-by-Step Configurations
We have created one VLAN (154) in both Nexus switches. In the diagram below, you can also check the recommended way to configure SVI in the Cisco 9500 series switches to get the maximum output. Note: The configurations below can only be done on Cisco Nexus Layer 3 switches.
Step 1. Create VLAN in both Nexus Core Switches
Core 1 Configurations:
Core 2 Configurations:
Step 2. Create SVI on both Nexus Core Switches
A Switched Virtual Interface (SVI) is a routed interface in IOS representing the IP addressing space for a particular VLAN connected to this interface. There is no physical interface for the VLAN, and the SVI provides the Layer 3 processing for packets from all switch ports associated with the VLAN.
With SVIs the switch will use a virtual Layer 3 interface to route traffic to another Layer 3 interface thus eliminating the need for a physical router. VLANs reduce the load on a network by dividing a LAN into smaller segments and keeping local traffic within a VLAN. However, because each VLAN has its own domain, a mechanism is needed for VLANs to pass data to other VLANs without passing the data through a router. We'll now show those configurations to create the SVI.
Core 1 Configurations:
Core 2 Configurations:
Step 3. Create Access List to Block All Traffic from VLAN 154
Before configuring the ACL rule, verify the inter VLAN communication between the two VLANs. Below is what the verification should look like.
Now we'll block the inter VLAN traffic between two VLANs through an ACL rule, but first we will create the access list.
Next, we need to apply this access list in VLAN 154 SVI. This makes it to where both VLANs cannot communicate with each other. If we do not apply the access list in SVI, the case will not work.
Step 4. ACL Cases
Scenario 1: No one can access VLAN 154 through 8080 port
Scenario 2: Block ICMP from VLAN 154
Scenario 3: Support 888 port for 10.0.121.15 IP address
Scenario 4: Show access list commands
About PivIT Global
PivIT Global provides the support you need through infrastructure, maintenance, and professional services. Contact us today to chat more about configuring an ACL in SVI environments or how we can support you through our third-party maintenance and professional services offerings.
Share this
- Configuration Guides (47)
- Cisco Routers (29)
- Switches (27)
- Network Security (23)
- Cisco Switches (21)
- Routing Protocols (21)
- Routers (20)
- Cisco (19)
- Product Comparisons (19)
- Firewall (18)
- Cisco Security (17)
- Cisco Technical Information (17)
- IT Hardware Solutions (17)
- Network Protocols (17)
- Wireless (17)
- Security (15)
- OneCall (13)
- Servers (12)
- cisco asa (12)
- Cisco Wireless (11)
- Router Protocols (11)
- Cisco Catalyst (9)
- Cisco UCS (9)
- Upgrading Network (9)
- Cisco Servers (8)
- Product Highlight (8)
- Access Control Lists (7)
- Fortinet (7)
- Server Comparisons (7)
- Access Points (6)
- Arista Networks (6)
- OSPF (6)
- Wireless APs (6)
- Cisco ASR (5)
- Cloud Solutions (5)
- HPE-Aruba Wireless (5)
- Juniper Mist (5)
- Network Management (5)
- SD-WAN (5)
- Storage (5)
- Switch Comparison (5)
- Back To Basics (4)
- Cybersecurity (4)
- EIGRP (4)
- Firewall Architecture (4)
- HSRP (4)
- Juniper Networks (4)
- Network Automation (4)
- Network Servers (4)
- OEM Comparison (4)
- Aruba Central (3)
- Cisco Telephony (3)
- DHCP (3)
- DHCP Snooping (3)
- Dell EMC PowerEdge (3)
- Internet (3)
- Maintenance (3)
- Maintenance Renewal (3)
- Network Accessories (3)
- TPM (3)
- Telephony (3)
- aruba (3)
- Cisco NX-OS (2)
- Cisco Nexus (2)
- Dell Servers (2)
- Fortinet NGFWs (2)
- IT Trends (2)
- LAN Networks (2)
- Network Time Protocol (2)
- Palo Alto NGFWs (2)
- Rapid PVST+ (2)
- Remote Configuration (2)
- Software Defined Networking (2)
- WLAN (2)
- Ways to Save (2)
- fortigate (2)
- Asset Management (1)
- CPU Usage (1)
- Cisco AIR-CT (1)
- Cisco Aironet (1)
- Cisco DNA (1)
- Cisco ISR (1)
- Cisco Supervisor Engines (1)
- Cisco UCS Manager (1)
- Cognitive Campus (1)
- Cost of Downtime (1)
- Dell EMC Data Domain (1)
- Edge Switches (1)
- Fabric Extenders (1)
- GRE Tunnel (1)
- HPE BL (1)
- Juniper SRX (1)
- Nexus Switches (1)
- Nutanix (1)
- Optics (1)
- PowerEdge R740xd (1)
- STP Extension (1)
- Sparing Integrity Program (1)
- Switched Virtual Interface (1)
- TCP (1)
- UCS Fabric Interconnects (1)
- hyperconverge (1)
- April 2024 (2)
- March 2024 (1)
- February 2024 (2)
- January 2024 (1)
- December 2023 (1)
- November 2023 (2)
- October 2023 (1)
- September 2023 (3)
- August 2023 (5)
- July 2023 (2)
- June 2023 (4)
- May 2023 (5)
- April 2023 (8)
- March 2023 (7)
- February 2023 (5)
- January 2023 (2)
- December 2022 (3)
- November 2022 (3)
- October 2022 (8)
- September 2022 (9)
- August 2022 (9)
- July 2022 (8)
- June 2022 (9)
- May 2022 (5)
- April 2022 (3)
- March 2022 (1)
- February 2022 (2)
- November 2021 (2)
- October 2021 (1)
- September 2021 (2)
- August 2021 (2)
- July 2021 (3)
- June 2021 (2)
- May 2021 (4)
- April 2021 (4)
- March 2021 (2)
- February 2021 (1)
- January 2021 (2)
- December 2020 (2)
- November 2020 (2)
- October 2020 (2)
- September 2020 (2)
- August 2020 (4)
- July 2020 (5)
- June 2020 (4)
- May 2020 (6)
- April 2020 (2)
- March 2020 (1)
- February 2020 (2)
- January 2020 (2)
- December 2019 (1)
- May 2019 (2)
- April 2019 (5)
- February 2019 (1)
- January 2019 (3)
- December 2018 (1)
No Comments Yet
Let us know what you think