Access Control Lists (ACLs)

Introduction

Access Control Lists (ACLs) are filters that routers use to control which packets (and which routing updates) are permitted or denied into or out of a network. An ACL is an ordered list of "permit" and "deny" statements (rules) that match IP packets on their source or destination host or network address and on upper-layer protocol fields such as the IP protocol number and TCP or UDP port numbers.

An ACL tells the router which packets to permit and which to deny. When an ACL is applied to an interface, the router checks every packet entering or leaving that interface against the list:

  • If the packet matches a permit statement, the router forwards it towards the next hop.

  • If the packet matches a deny statement, the router drops it at the interface, so the packet never reaches the destination host.

  • An ACL filters traffic in one direction on an interface. To filter both the inbound and the outbound traffic of a host, network or protocol, you apply two ACLs to the interface, one inbound and one outbound.

  • Rules are evaluated from top to bottom and the first matching rule decides; later rules are not consulted. Most platforms also end every ACL with an implicit "deny any", so a packet that matches no rule at all is dropped, and a specific rule placed below a broader rule that already matches the same traffic never takes effect.

For example, suppose an ACL is configured on a router as follows (the notation is illustrative rather than a particular vendor's CLI; the last field is the interface number):

PERMIT OUTBOUND TCP ANY ANY 0 0 3

PERMIT INBOUND TCP ANY ANY 0 0 3

DENY BOTH ANY ANY ANY 0 0 3

Because the rules are evaluated top to bottom and the first match wins, outbound TCP packets leaving the router through interface 3 match the first statement and are permitted, inbound TCP packets arriving on interface 3 match the second statement and are permitted, and every other packet on interface 3, in either direction, falls through to the final DENY and is dropped. The permit statements do not override the deny statement; they simply appear before it. If the DENY BOTH ANY ANY ANY line were moved to the top of the list it would match every packet first, and all traffic on interface 3, TCP included, would be dropped.
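To make the first-match behaviour concrete, here is a small ACL evaluator in Python. It is an added example and not code from the original page or from any router vendor: the rule format (direction, protocol, CIDR source and destination, optional destination port), the `Packet` and `Rule` types and the sample packets are all constructed for illustration, and the implicit deny at the end of the list mirrors what most router platforms do. The page's three-rule ACL is reproduced in its original order, in reverse order to show that the catch-all deny then blocks everything, and alongside a tighter list that only admits HTTPS from one campus range to one web server.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out", relative to the interface
    proto: str              # "tcp", "udp", "icmp", ...
    src: str                # source IP address
    dst: str                # destination IP address
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    direction: str          # "in", "out" or "both"
    proto: str              # protocol name or "any"
    src: str                # CIDR prefix or "any"
    dst: str                # CIDR prefix or "any"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.direction != "both" and self.direction != pkt.direction:
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        for want, have in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if want != "any" and ip_address(have) not in ip_network(want, strict=False):
                return False
        return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation: walk the rules top to bottom, stop at the first hit.

    Returns (action, index of the matching rule). A packet that matches nothing
    hits the implicit deny at the end of the list and returns ("deny", None).
    """
    for index, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


# The page's example ACL for interface 3, in the page's order.
ACL_PAGE = [
    Rule("permit", "out", "tcp", "any", "any"),
    Rule("permit", "in", "tcp", "any", "any"),
    Rule("deny", "both", "any", "any", "any"),
]

# The same three rules with the catch-all deny moved to the top.
ACL_DENY_FIRST = [ACL_PAGE[2], ACL_PAGE[0], ACL_PAGE[1]]

# A tighter list (hypothetical): only HTTPS from the 10.0.0.0/8 campus to one web server.
ACL_WEB_ONLY = [
    Rule("permit", "in", "tcp", "10.0.0.0/8", "192.0.2.10/32", dport=443),
    Rule("deny", "both", "any", "any", "any"),
]

# Constructed sample packets, not captured traffic.
OUT_TCP = Packet("out", "tcp", "10.0.0.5", "203.0.113.9", 443)
IN_TCP = Packet("in", "tcp", "203.0.113.9", "10.0.0.5", 22)
IN_UDP = Packet("in", "udp", "203.0.113.9", "10.0.0.5", 53)
IN_HTTPS = Packet("in", "tcp", "10.1.2.3", "192.0.2.10", 443)
IN_HTTP = Packet("in", "tcp", "10.1.2.3", "192.0.2.10", 80)


if __name__ == "__main__":
    scenarios = (("page order", ACL_PAGE), ("deny first", ACL_DENY_FIRST),
                 ("web only", ACL_WEB_ONLY), ("no explicit deny", ACL_PAGE[:2]))
    for name, acl in scenarios:
        print(name)
        for pkt in (OUT_TCP, IN_TCP, IN_UDP, IN_HTTPS, IN_HTTP):
            action, idx = evaluate(acl, pkt)
            where = "implicit deny" if idx is None else f"rule {idx}"
            print(f"  {pkt.direction:3} {pkt.proto:4} {pkt.src} -> {pkt.dst}:{pkt.dport}  {action} ({where})")
```

Running the script prints one line per packet and list. The "no explicit deny" case uses only the two permit rules and still drops the UDP packet, which is the implicit deny doing its work; in practice it is still worth writing the final deny explicitly so that hit counters show what is being dropped.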

Virtual LAN (VLAN)

Introduction

A VLAN (virtual local area network) is a Layer 2 construct configured on switches: a group of hosts that communicate as if they were attached to the same broadcast domain, regardless of their physical location. Traffic between two VLANs has to pass through a Layer 3 device, a router or a Layer 3 switch, which is where the Layer 3 part of the picture comes in.

For example, all workstations and servers used by a particular workgroup team can be connected to the same VLAN, regardless of their physical connections to the network or the fact that they might be intermingled with other teams. VLANs have the same attributes as physical LANs, but you can group end stations even if they are not physically located on the same LAN segment.

A VLAN behaves just like a LAN in all respects but with additional flexibility. By using VLAN technology, it is possible to subdivide a single physical switch into several logical switches. VLANs are implemented by using the appropriate switch configuration commands to create the VLANs and assign specific switch interfaces to the desired VLAN.

_images/Figure-1.png

Figure-1: Virtual local area network (VLAN)

A switch implements VLANs by associating every frame with a VLAN ID as it enters the switch. On an access port the frame arrives untagged and the VLAN is determined by the port's configuration; on a trunk port the frame carries an IEEE 802.1Q VLAN tag, inserted after the source MAC address, whose 12-bit VLAN ID (together with a 3-bit priority and a drop-eligible bit) identifies the VLAN. The switch uses that VLAN ID to confine the frame to the VLAN it belongs to: it is forwarded only to ports that are members of the same VLAN. When a frame is sent to another switch over a trunk link the tag is kept (or added) so that the next switch can classify it the same way; when it exits an access port towards an end host the tag is removed.
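The following Python code shows the 802.1Q tag format described above: it builds an untagged Ethernet II frame, inserts a tag the way a switch does on trunk egress, parses the tag back out and strips it again as an access port would. This is an added example, not code from the original page; the sample frame, its MAC addresses and the dummy IPv4 payload are constructed for illustration. The constants (TPID 0x8100, the 3/1/12-bit split of the TCI, VID 0 meaning "priority tag only" and VID 4095 being reserved) come from the 802.1Q standard.

```python
import struct
from typing import Dict, Optional

ETHERTYPE_8021Q = 0x8100   # Tag Protocol Identifier (TPID) of a customer VLAN tag
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(text: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame, as a host on an access port would send it."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def is_assignable_vid(vid: int) -> bool:
    """VID 0 means 'priority tag, no VLAN' and VID 4095 is reserved, so 1..4094 are usable."""
    return 1 <= vid <= 4094


def insert_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC, as a switch does on trunk egress.

    The 4-byte tag is the TPID (0x8100) followed by the 16-bit TCI:
    3 bits PCP (priority), 1 bit DEI (drop eligible), 12 bits VID.
    """
    if not is_assignable_vid(vid):
        raise ValueError(f"VLAN ID {vid} is reserved or out of range")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP must be 0..7 and DEI must be 0 or 1")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag if one is present, as a switch does on access-port egress."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_8021Q:
        return frame[:12] + frame[16:]
    return frame


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Decode the Ethernet header; 'vid' is None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid: Optional[int] = None
    pcp = dei = 0
    offset = 14
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])   # TCI, then the real EtherType
        pcp, dei, vid = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
        offset = 18
    return {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "vid": vid, "pcp": pcp, "dei": dei,
        "ethertype": ethertype, "payload": frame[offset:],
    }


# Constructed sample: a host's untagged broadcast with a dummy 20-byte IPv4 header as payload.
SAMPLE = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
TAGGED = insert_tag(SAMPLE, vid=100, pcp=5)   # what the frame looks like on a trunk in VLAN 100


if __name__ == "__main__":
    print("untagged:", SAMPLE.hex())
    print("tagged:  ", TAGGED.hex())
    print("parsed:  ", {k: v for k, v in parse_frame(TAGGED).items() if k != "payload"})
    print("stripped equals original:", strip_tag(TAGGED) == SAMPLE)
```

The tag adds exactly four bytes, which is why trunk links must accept frames four bytes larger than the usual maximum. Note that `insert_tag` refuses VID 0 and VID 4095: a tag with VID 0 carries only priority information and does not place the frame in any VLAN.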

Any port can belong to a VLAN, and unicast, broadcast and multicast frames are forwarded and flooded only to end stations in that VLAN. Each VLAN is therefore a separate logical network, and frames destined for stations outside the VLAN must be forwarded through a router. In Figure-2 below, the stations of the development department are assigned to one VLAN, the stations of the marketing department to a second VLAN and the stations of the testing department to a third.

_images/Figure-2.png

Figure-2: Hosts in one VLAN need to communicate with hosts in another VLAN.

When do we need a VLAN?

You should consider using VLANs in any of the following situations:

  • You have more than 200 devices on your LAN.

  • You have a lot of broadcast traffic on your LAN.

  • Groups of users need more security, or are being slowed down by too many broadcasts.

  • Groups of users need to be on the same broadcast domain because they run the same applications, or you simply want to turn a single physical switch into multiple virtual switches.

VLAN ID

VLANs are identified by a VLAN ID, a 12-bit number carried in the 802.1Q tag, so the field can hold values from 0 to 4095. IDs 0 and 4095 are reserved, which leaves 1 to 4094 usable; VLAN 1 is the default VLAN on most switches, and every port belongs to it until it is assigned to another VLAN. Each port on a switch (or router) can be made a member of a VLAN, i.e. allowed to send and receive traffic on that VLAN.

For example, on a switch, traffic that arrives on a port that is a member of VLAN 2 may be forwarded to any other VLAN 2 port on that switch, and it can also travel across a trunk port (a link between switches) to another switch, where it is forwarded to that switch's VLAN 2 ports. Traffic is never forwarded to ports that belong to a different VLAN ID.
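The two-switch scenario just described, as an added Python example that is not part of the original page. It models a VLAN-aware switch with access and trunk ports and a MAC table keyed by (VLAN, MAC), then walks through a broadcast from a host on SW1 crossing the trunk to SW2, the unicast reply coming back, and a host in another VLAN on the same switch that never receives the frame. Switch names, port names, MAC addresses and VLAN numbers are constructed for the example; the model's choices that access ports accept only untagged frames and trunks only tagged frames in their allowed set are simplifications of real switch behaviour, not a description of any particular product.

```python
from typing import Dict, List, Optional, Set, Tuple

Egress = Tuple[str, Optional[int]]   # (port, VLAN tag on the wire; None = untagged)
BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    """A minimal VLAN-aware Layer 2 switch.

    Access ports carry one VLAN untagged; trunk ports carry several VLANs with
    802.1Q tags. The MAC table is keyed by (VLAN, MAC), so learning and flooding
    never cross a VLAN boundary.
    """

    def __init__(self, name: str) -> None:
        self.name = name
        self.access: Dict[str, int] = {}          # port -> its untagged VLAN
        self.trunk: Dict[str, Set[int]] = {}      # port -> allowed VLANs
        self.mac_table: Dict[Tuple[int, str], str] = {}

    def add_access_port(self, port: str, vid: int) -> None:
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN {vid} is reserved or out of range")
        self.access[port] = vid

    def add_trunk_port(self, port: str, allowed: Set[int]) -> None:
        self.trunk[port] = set(allowed)

    def _classify(self, port: str, tag: Optional[int]) -> Optional[int]:
        """Decide which VLAN an ingress frame belongs to, or None to drop it.

        In this model an access port accepts only untagged frames and uses its own
        VLAN; a trunk port accepts only tagged frames whose VID it may carry.
        """
        if port in self.access:
            return self.access[port] if tag is None else None
        if port in self.trunk:
            return tag if tag in self.trunk[port] else None
        return None

    def _egress(self, port: str, vid: int) -> Optional[Egress]:
        """How a frame in VLAN vid leaves a port: untagged on access, tagged on trunk."""
        if self.access.get(port) == vid:
            return (port, None)
        if vid in self.trunk.get(port, set()):
            return (port, vid)
        return None

    def receive(self, in_port: str, src: str, dst: str, tag: Optional[int] = None) -> List[Egress]:
        """Process one frame arriving on in_port and return where it is sent out."""
        vid = self._classify(in_port, tag)
        if vid is None:
            return []                                   # dropped at ingress
        self.mac_table[(vid, src)] = in_port           # learn the source, per VLAN
        known = self.mac_table.get((vid, dst))
        if known == in_port:
            return []                                   # destination is behind the ingress port
        if known is not None:
            candidates = [known]                        # known unicast
        else:                                           # unknown unicast or broadcast: flood
            candidates = [p for p in list(self.access) + list(self.trunk) if p != in_port]
        return [e for e in (self._egress(p, vid) for p in candidates) if e is not None]


def build_lab() -> Tuple[VlanSwitch, VlanSwitch]:
    """Two switches, each with an access port in VLAN 10 and in VLAN 20, joined by a trunk."""
    switches = []
    for name in ("SW1", "SW2"):
        sw = VlanSwitch(name)
        sw.add_access_port("Fa1", 10)       # e.g. development
        sw.add_access_port("Fa2", 20)       # e.g. marketing
        sw.add_trunk_port("Gi1", {10, 20})  # trunk to the other switch
        switches.append(sw)
    return switches[0], switches[1]


def run_scenario() -> Dict[str, List[Egress]]:
    sw1, sw2 = build_lab()
    host_a, host_b, host_c = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02", "cc:cc:cc:00:00:03"
    results: Dict[str, List[Egress]] = {}
    # 1. A (SW1/Fa1, VLAN 10) broadcasts: SW1 floods only to VLAN 10 ports, i.e. the trunk, tagged 10.
    results["sw1_flood"] = sw1.receive("Fa1", host_a, BROADCAST)
    # 2. The tagged copy arrives on SW2's trunk and is flooded to SW2's VLAN 10 access port, untagged.
    results["sw2_flood"] = sw2.receive("Gi1", host_a, BROADCAST, tag=10)
    # 3. C (SW2/Fa1) replies to A: SW2 learned A behind Gi1 in VLAN 10, so the reply is unicast.
    results["sw2_reply"] = sw2.receive("Fa1", host_c, host_a)
    results["sw1_reply"] = sw1.receive("Gi1", host_c, host_a, tag=10)
    # 4. B (SW1/Fa2, VLAN 20) sends to A: floods within VLAN 20 only, never to Fa1 in VLAN 10.
    results["cross_vlan"] = sw1.receive("Fa2", host_b, host_a)
    # 5. Frames this model drops: a tagged frame on an access port, and a VLAN the trunk is not allowed to carry.
    results["tagged_on_access"] = sw1.receive("Fa2", host_b, BROADCAST, tag=10)
    results["vlan_not_on_trunk"] = sw1.receive("Gi1", host_c, BROADCAST, tag=30)
    return results


if __name__ == "__main__":
    for step, egress in run_scenario().items():
        print(f"{step:18} -> {egress}")
```

The `cross_vlan` step is the page's point about VLANs being separate logical networks: host B's frame for host A is flooded only within VLAN 20 (here, onto the trunk tagged 20) and a router would be needed for it to reach A in VLAN 10.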

_images/Figure-3.png

Figure-3: Understanding Access and Trunk Links