Access Control Lists
As with any network, security is one of the most important things to consider. Access control lists (ACLs) let us filter which traffic is allowed into and out of our network, and they provide the basis of its security.
    Reasons For ACLs
  • Limit Network Traffic: Our ACLs permit only email, DNS and established web traffic to enter the network, and allow only those three types of traffic to leave the student VLAN. Less unwanted traffic on the network leaves more bandwidth for the traffic we actually need.
  • Flow Control: ACLs can also trim the contents of routing updates sent between our routers, so that information about specific networks does not propagate through the whole network.
  • Basis of Security: We allow in and out only what we want, which lowers the risk of hackers like Bittner breaking into our network. Everything not explicitly permitted is dropped by the implicit deny at the end of every list.
At the district level we will implement a double firewall using ACLs. The router attached to the internet blocks all incoming traffic from the internet except established HTTP, DNS and email traffic, and lets out only DNS, email and HTTP traffic. The router attached to the district network allows the same kinds of traffic as the router connected to the internet and blocks everything else.
For a visual layout of the district ACL implementation, click here.

On the school level we will implement something similar. Our access list allows only DNS and email into the administrative VLAN, while anything from the administrative VLAN may go into the student VLAN. The router blocks everything coming from outside the school except established HTTP, DNS and email traffic.
For a visual layout of the school ACL implementation, click here.

Here is the command line. ACL 101 filters traffic leaving the administrative VLAN (10.1.4.0/24) on e0, ACL 102 filters traffic leaving the student VLAN (10.2.4.0/24) on e1, and ACL 103 filters traffic arriving from outside the school on s1. The remark lines only document each list; the router ignores them.

Router(config)# access-list 101 remark Administrative VLAN: anything to the student VLAN, plus SMTP, DNS and HTTP anywhere
Router(config)# access-list 101 permit ip 10.1.4.0 0.0.0.255 10.2.4.0 0.0.0.255
Router(config)# access-list 101 permit tcp 10.1.4.0 0.0.0.255 any eq 25
Router(config)# access-list 101 permit tcp 10.1.4.0 0.0.0.255 any eq 53
Router(config)# access-list 101 permit udp 10.1.4.0 0.0.0.255 any eq 53
Router(config)# access-list 101 permit tcp 10.1.4.0 0.0.0.255 any eq 80
Router(config)# interface e0
Router(config-if)# ip access-group 101 in
Router(config-if)# exit

Router(config)# access-list 102 remark Student VLAN: SMTP and DNS to the administrative VLAN, HTTP anywhere except the administrative VLAN
Router(config)# access-list 102 permit tcp 10.2.4.0 0.0.0.255 10.1.4.0 0.0.0.255 eq 25
Router(config)# access-list 102 permit tcp 10.2.4.0 0.0.0.255 10.1.4.0 0.0.0.255 eq 53
Router(config)# access-list 102 permit udp 10.2.4.0 0.0.0.255 10.1.4.0 0.0.0.255 eq 53
Router(config)# access-list 102 deny tcp 10.2.4.0 0.0.0.255 10.1.4.0 0.0.0.255 eq 80
Router(config)# access-list 102 permit tcp 10.2.4.0 0.0.0.255 any eq 80
Router(config)# access-list 102 permit tcp 10.2.4.0 0.0.0.255 10.1.4.0 0.0.0.255 established
Router(config)# interface e1
Router(config-if)# ip access-group 102 in
Router(config-if)# exit

Router(config)# access-list 103 remark From outside: new SMTP and DNS connections in, replies to sessions opened from inside, IGRP updates
Router(config)# access-list 103 permit tcp any any eq 25
Router(config)# access-list 103 permit tcp any any eq 53
Router(config)# access-list 103 permit udp any any eq 53
Router(config)# access-list 103 permit udp any eq 53 any
Router(config)# access-list 103 permit tcp any any established
Router(config)# access-list 103 permit igrp any any
Router(config)# interface s1
Router(config-if)# ip access-group 103 in
Router(config-if)# exit

Three things to keep in mind when reading these lists. Each list is evaluated from the top and the first matching line wins, which is why the deny for HTTP into the administrative VLAN in list 102 must come before the permit for HTTP to any destination; and every list ends with an implicit deny, so anything not listed is dropped. The eq operator applies to whichever address it follows: "any any eq 53" matches queries sent to a DNS server inside the school (destination port 53), while replies to queries sent from inside arrive with source port 53 and an ephemeral destination port, which is why list 103 needs both forms, and why list 102 needs an established line so that student hosts can answer connections the administrative VLAN opens to them. Finally, established only checks that the ACK or RST bit is set in a TCP segment; it keeps no connection state, so a packet forged with ACK set passes it, and UDP traffic such as DNS gets no such check at all. This is adequate as a first filter in front of a school, but it is not a stateful firewall.
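To see how lists like these actually behave, here is a small evaluator, added as an example and not part of the original page or of any Cisco code. It reads IOS-style access-list lines, applies them to constructed packets with first-match semantics and the implicit deny, and contrasts an established rule written with the port on the destination side against one written with the port on the source side. The rule sets, the outside addresses (taken from the RFC 5737 documentation ranges) and the packet flows are all constructed for the example; list 104 is an assumed corrected form for reply traffic, not something on the page.

```python
"""Evaluator for Cisco IOS extended ACL lines like the ones above.

Added example, not from the original page: first-match semantics with the
implicit deny, IOS wildcard masks, "eq <port>" on source or destination, and
"established" (TCP segments with ACK or RST set). The rule sets below are
constructed for the example and only borrow the page's addressing.
"""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

PORT_NAMES = {"smtp": 25, "domain": 53, "www": 80}
Rule = namedtuple("Rule", "action proto src sport dst dport established")

@dataclass
class Packet:
    proto: str          # "tcp", "udp", "igrp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK/RST bit, which is all "established" looks at

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return (matcher, rest)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        host = _ip(tokens[1])
        return (lambda ip: ip == host), tokens[2:]
    base, care = _ip(tokens[0]), ~_ip(tokens[1]) & 0xFFFFFFFF  # wildcard 1 = don't care
    return (lambda ip: ip & care == base & care), tokens[2:]

def _port(tokens):
    """Consume an optional 'eq <port>'; return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), tokens[2:]
    return None, tokens

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]'
    lines into {"N": [Rule, ...]} in order; prompts and remark lines are skipped."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if "access-list" in t:
            t = t[t.index("access-list"):]          # drop a "Router(config)#" prompt
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        num, action, proto, rest = t[1], t[2], t[3], t[4:]
        src, rest = _addr(rest)
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        acls.setdefault(num, []).append(
            Rule(action, proto, src, sport, dst, dport, "established" in rest))
    return acls

def evaluate(rules, pkt):
    """Return 'permit' or 'deny': first matching line wins, implicit deny at the end."""
    s, d = _ip(pkt.src), _ip(pkt.dst)
    for r in rules:
        if r.proto not in ("ip", pkt.proto) or not (r.src(s) and r.dst(d)):
            continue
        if r.sport is not None and r.sport != pkt.sport:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.established and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return r.action
    return "deny"

# Constructed rule sets: 102 and 103 follow the page's pattern for the student
# interface and the serial link; 104 puts the port on the source side instead.
ACLS = parse_acl("""
Router(config)# access-list 102 permit tcp 10.2.4.0 0.0.0.255 10.1.4.0 0.0.0.255 eq 25
Router(config)# access-list 102 deny tcp 10.2.4.0 0.0.0.255 10.1.4.0 0.0.0.255 eq 80
Router(config)# access-list 102 permit tcp 10.2.4.0 0.0.0.255 any eq 80
Router(config)# access-list 103 permit tcp any any eq 25
Router(config)# access-list 103 permit udp any any eq 53
Router(config)# access-list 103 permit tcp any any eq 80 established
Router(config)# access-list 104 permit tcp any eq 80 any established
Router(config)# access-list 104 permit udp any eq 53 any
""")

def verdicts():
    """Representative flows (constructed addresses); returns {name: 'permit'|'deny'}."""
    http_reply = Packet("tcp", "198.51.100.5", "10.2.4.7", 80, 40001, ack=True)
    dns_reply = Packet("udp", "198.51.100.53", "10.1.4.10", 53, 50000)
    ack_probe = Packet("tcp", "203.0.113.9", "10.1.4.10", 80, 22, ack=True)  # forged, no session
    return {
        "student_to_admin_http": evaluate(ACLS["102"], Packet("tcp", "10.2.4.7", "10.1.4.10", 40000, 80)),
        "student_to_internet_http": evaluate(ACLS["102"], Packet("tcp", "10.2.4.7", "198.51.100.5", 40001, 80)),
        # "any any eq 80 established" tests the destination port, so the reply
        # (source 80, ephemeral destination) misses it and hits the implicit deny
        "http_reply_acl103": evaluate(ACLS["103"], http_reply),
        "dns_reply_acl103": evaluate(ACLS["103"], dns_reply),
        "http_reply_acl104": evaluate(ACLS["104"], http_reply),
        "dns_reply_acl104": evaluate(ACLS["104"], dns_reply),
        # "established" keeps no state: an ACK with a forged source port 80 passes 104
        "ack_probe_acl104": evaluate(ACLS["104"], ack_probe),
        "internet_syn_acl104": evaluate(ACLS["104"], Packet("tcp", "203.0.113.9", "10.1.4.10", 31337, 80)),
    }
```

Calling verdicts() shows the point of the comparison: both replies are denied by list 103 and permitted by list 104, a fresh SYN from outside is still denied by 104, and the forged ACK is permitted by 104 as well, which is why established should be read as a flag check rather than as session tracking.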

Since growth is expected, we will have a policy for requesting changes to any ACL. If a teacher would like a port opened to the public, or opened to allow a certain service between the school districts (such as FTP), they will be required to fill out a form. The form asks which service is requested, how it will be used, and why it is needed. The network administrator then reviews the application and decides whether the request is reasonable to fulfil. If the administrator approves it, the network administrator and the teacher filing the application present it to the school board, where it is explained and reviewed. If the school board passes it, it will be implemented.

