How to Create ACLs
It’s no secret that I have a love affair with all things “monitoring.” I love the tools; I love the basic techniques those tools execute; I love the ways the data can be visualized and used; I love the opportunities for automation that monitoring opens up. I just love the whole thing.
But I had never really thought about using monitoring as a teaching tool until recently.
I have a friend who’s an IT warhorse—a programming wizard who has built and configured a few servers in his day—who ran into a networking issue. It’s not that he didn’t understand what networking was, but it had long ago passed out of the realm that even he, as one of the original “full stack” developers, had kept tabs on. And now he was under the gun to set up an access control list (ACL) on a Cisco 5510 for a client.
To be honest, this presented me with a challenge, too. How could I best explain, via email, a fairly complex process that is backed by an equally complex set of foundational concepts (e.g., subnetting, ACL syntax, etc.), in a way that would allow my friend—a technically savvy but non-networking IT professional—to actually be able to get the job done?
I put the question out to my fellow Head Geeks, and Destiny Bertucci’s answer was the perfect blend of simplicity, elegance, and get-it-done that I’ve come to expect from her:
“Point him at the online demo and he should be able to take it from there.”
For those who aren’t familiar with the SolarWinds online demo (shame on you!), it can be found at http://demo.solarwinds.com/. It contains the latest version of the many SolarWinds modules, along with a healthy set of sample devices, applications, and error conditions. If you want to kick the tires on a particular module, or see what it looks like when multiple modules are integrated together, the online demo is where we’ve done all the work for you and you can click around to your heart’s content.
And it just so happens that we have a couple of 5510s in the mix, replete with a few rule sets. With a little bit of digging, I was able to pull together an ACL tutorial that got the job done.
If you want to learn a little bit about setting up access control lists—or if you already know about them and want to see good a job my instructions do in explaining them—follow along below.
FIRST – See What an ACL Looks Like
- Go to the SolarWinds online demo
- Pop open the left side to reveal:
- Cisco à Cisco ASA 5510C
- Click the East firewall device
- On the node details page, hover over the left-hand nav bar so it flies open, then click the bottom item “Access Lists”
- In the search bar (top-ish right side), search for INS-WAN
You’ll see “INS-WAN-in” and “INS-WAN-out”
SECOND – See How the ACL Gets Applied
- Back on the Node details page hover on the left-hand nav and go to the second-from-bottom item, “Configs”
- Click the “Running” config from the config list
- Search (ctrl-F) for “INS-WAN”)
- First, you’ll see a chunk for the “INS-WAN-out” access list
- Then a chunk for the “INS-WAN-in” list
- And finally, a line that assigns the list “INS-WAN-in” to the inbound traffic on interface named “INSIDE”
And the list “INS-WAN-out” to the inbound traffic on the interface named “OUTSIDE”
What Have We Learned?
- You first create the access list, by giving it a distinctive name, and then one or more commands that limit traffic.
- PRO TIP 1: the presumed last rule is “deny all”
- PRO TIP 2: the first rule that “fits” the traffic wins, and no further rules are evaluated
So, go from most restrictive to least in your rule order
- Next, you apply that list to the inbound, outbound, (or both) traffic on a specific interface.
About a day later I got a response from my friend:
“Nice. I think I’ve got enough to work this out for the little I need. Once again, I bow before you and your networking compatriots. Hey, that SolarWinds stuff is pretty slick…it just might catch on.”
I’m pretty sure monitoring (and SolarWinds) has already caught on in most of the developed IT world. But using monitoring for teaching?
Maybe that is an idea whose time has arrived.