3.2. Securing the network
Source IP Address window, and 0.0.0.255 into the Source IP Mask window. This ACL was
then assigned to port 23 of the switch using the Binding Configuration part of the screen.
Clicking the Unit 1 label showed the port selection. Clicking the small box under port 23 resulted in a
tick mark appearing in that box. The APPLY button at the bottom of the screen was clicked to apply this
defined ACL combination.
In this configuration the source address 192.168.8.16 was a dummy address. The mask 0.0.0.255
selected the 192.168.8 part of the address as significant. The deny meant all addresses of the form
192.168.8.x would be discarded by the switch. The implicit deny would discard all other packets
arriving on port 23 of the switch, the port connecting the wireless extender. Because PC 1 did not go
through the wireless network despite having an address on the wireless network, it was not affected by
the port 23 configuration.
The problem was that this configuration prevented the VLAN-A-12 devices from accessing the Internet. Those
devices had their Internet requests routed onto the wireless network and through the Internet gateway,
but the reply was blocked by the installed security configuration. This installed security configuration
rejected 192.168.8.x packets, and the implicit deny all stopped all other packets, the replies included.
The solution was to change the deny all to a permit all and combine it with the above 192.168.8.x rejection.
This was done by applying the 192.168.8.x rejection as configured above first, then applying a
permit all ACL. The switch provides such ordering of ACL execution. The implicit deny all still existed,
but the existence of the permit all above it meant it was never reached for execution.
This second tier was created by using the switch menu sequence:
Security → ACL → ACL Wizard
brought up the ACL Type Selection screen. From the ACL Type pull down menu ACL Based on
Source IPv4 was selected, resulting in an ACL Based on Source IPv4 screen being displayed. Into
this set of entry windows, the value 10 was typed into the Rule ID window, Permit was selected from the Action
pull down menu, False from the Match Every pull down menu, 192.168.78.90 was typed into
the Source IP Address window, and 255.255.255.255 into the Source IP Mask window. This
ACL was then assigned to port 23 of the switch using the Binding Configuration part of the screen.
Clicking the Unit 1 label showed the port selection. Clicking the small box under port 23 resulted in
a tick mark appearing in that box. The ADD button at the bottom of the screen was clicked to apply this
defined ACL combination.
The address 192.168.78.90 was not important. The mask 255.255.255.255 meant ignore all parts
of the address. It was the mask which was the significant part of this ACL. This ACL was associated
with switch port 23, as was the previously created ACL. The value given as the ACL's Rule ID was not
significant. That this ACL was created after the previous one was significant. Being created after the previous
one meant it was automatically given the next sequence number, and ACLs are executed by the switch in reverse
numerical order; the lowest sequence number is executed first.
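The ordering rule just described is the crux of the fix, so the following added example (not part of this report, and not the switch vendor's code) models the switch's per-port ACL evaluation in Python: rules run in sequence-number order, the first match decides, and an implicit deny all terminates every list. It uses the wildcard-mask semantics the text describes (a 0 bit in the mask must match, a 1 bit is ignored, so 0.0.0.0 is an exact match and 255.255.255.255 matches anything) and replays the two port 23 configurations against two constructed packets: a wireless client source in 192.168.8.x, and an Internet reply to a VLAN-A-12 host. The VLAN-A-12 and gateway addresses are invented for illustration; only the 192.168.8.x range and the rule values come from the text. It also shows what happens if the permit all ends up with the lower sequence number.

```python
"""Model of the switch's per-port ACL evaluation: rules run in sequence-number
order, the first match decides, and an implicit deny-all sits at the end."""
import ipaddress
from dataclasses import dataclass
from typing import List


def wildcard_match(address: str, rule_ip: str, wildcard_mask: str) -> bool:
    """Wildcard-mask comparison as the switch applies it: a 0 bit in the mask
    means that bit of the address must equal the rule's bit, a 1 bit means the
    bit is ignored. So 0.0.0.255 compares the first three octets only,
    0.0.0.0 demands an exact match and 255.255.255.255 matches every address."""
    a = int(ipaddress.IPv4Address(address))
    r = int(ipaddress.IPv4Address(rule_ip))
    care = ~int(ipaddress.IPv4Address(wildcard_mask)) & 0xFFFFFFFF
    return (a & care) == (r & care)


@dataclass(frozen=True)
class Rule:
    seq: int       # sequence number assigned by the switch; lowest runs first
    action: str    # "permit" or "deny"
    field: str     # "src" or "dst": which address of the packet is inspected
    ip: str
    mask: str      # wildcard mask, not a subnet mask


def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """Action of the first matching rule in sequence order; if nothing matches,
    the implicit deny-all that terminates every ACL applies."""
    for rule in sorted(rules, key=lambda r: r.seq):
        address = src if rule.field == "src" else dst
        if wildcard_match(address, rule.ip, rule.mask):
            return rule.action
    return "deny"  # implicit deny all


# Port 23 as first configured: only the 192.168.8.x rejection.
FIRST_TIER = [Rule(1, "deny", "src", "192.168.8.16", "0.0.0.255")]

# Port 23 after the fix: permit-all added *after* the rejection, so it gets the
# next sequence number and is reached only by traffic the deny did not match.
SECOND_TIER = FIRST_TIER + [
    Rule(2, "permit", "src", "192.168.78.90", "255.255.255.255"),
]

# The same two rules with the sequence numbers swapped: permit-all runs first.
WRONG_ORDER = [
    Rule(1, "permit", "src", "192.168.78.90", "255.255.255.255"),
    Rule(2, "deny", "src", "192.168.8.16", "0.0.0.255"),
]

# Constructed sample packets arriving on port 23 (the VLAN-A-12 host and the
# gateway address are invented; only the 192.168.8.x range is from the text).
WIRELESS_CLIENT = ("192.168.8.40", "192.168.12.7")   # wireless host -> wired host
INTERNET_REPLY = ("203.0.113.5", "192.168.12.7")     # gateway reply -> VLAN-A-12 host


def decisions(rules: List[Rule]) -> dict:
    """Decision for each sample packet under the given ACL set."""
    return {
        "wireless_client": evaluate(rules, *WIRELESS_CLIENT),
        "internet_reply": evaluate(rules, *INTERNET_REPLY),
    }


if __name__ == "__main__":
    for name, rules in (("first tier", FIRST_TIER),
                        ("second tier", SECOND_TIER),
                        ("wrong order", WRONG_ORDER)):
        print(f"{name:12s} {decisions(rules)}")
```

Under FIRST_TIER both packets are denied (the reply by the implicit deny all), under SECOND_TIER the wireless client is still denied while the reply is permitted, and under WRONG_ORDER the permit all matches everything first, so the 192.168.8.x rejection is never reached. That last case is the one to check for after any ACL edit, since deleting and re-adding a rule can change its sequence number.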
3.2.3 Allowing PC 1 access but with limitation
It was assumed PC 1 was a stable device on the network and its MAC address could be used to define it.
The switch menu sequence:
Security → ACL → ACL Wizard
brought up the ACL Type Selection screen. From the ACL Type pull down menu ACL Based on
Destination IPv4 was selected, resulting in an ACL Based on Destination IPv4 screen being
displayed. Into this set of entry windows, the value 2 was typed into the Rule ID window, Deny was selected from
the Action pull down menu, False from the Match Every pull down menu, and 192.168.78.90 was
typed into the Destination IP Address window. Then 0.0.0.0 was typed into the Destination
IP Mask window. The Unit 1 tag was clicked and the small box under port 19 was clicked, resulting
in a tick mark appearing in that box. Then the APPLY button at the bottom of the screen was clicked.