IPexpert, Inc
Global ACLs in Cisco ASA 8.3 and Higher Code

By Anthony Sequeira on May 21st, 2012

In Cisco ASA Software Version 8.3 and later, Cisco adds a feature intended to make access policy configuration easier: the global ACL. The global ACL applies access control to inbound traffic on all interfaces. It is defined in the same manner as an interface ACL and is simply completed in global configuration mode.

Cisco lists the following benefits for this new feature:

  • When migrating to the Cisco ASA from a competitor appliance, you can maintain a global access rule policy instead of needing to apply an interface-specific policy on each interface.
  • Global access control policies are not replicated on each interface, so they save memory space.
  • Global access rules provide flexibility in defining a security policy; as long as a packet matches the source and destination IP addresses, the incoming interface is irrelevant.
  • Global access rules use the same architectural constructs as interface-specific access rules, so scalability and performance for global rules are the same as for interface-specific rules.

The Cisco ASA security appliance uses the following order to match access rules when only interface ACLs are configured:

  1. Interface access list rules
  2. Implicit deny ip any any interface access list rule

Note: The above is obvious and simple to remember as it reflects the Cisco ASA behavior before the introduction of global ACLs.

The Cisco ASA security appliance uses the following order to match access rules when both interface ACLs and the global ACL are configured:

  1. Interface access list rules
  2. Global access list rules
  3. Implicit deny ip any any global access list rule
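
The two match orders above can be checked with a small model. This is an added example, not code from the original post or from Cisco: the rule format, the function names and the sample addresses (documentation ranges) are assumptions, and it covers only inbound traffic on an interface that has an ACL applied.

```python
import ipaddress

def rule(action, proto, src, dst, port=None):
    """One ACL entry; proto 'ip' matches any protocol, port None matches any port."""
    return (action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), port)

def packet(in_if, proto, src, dst, dport=None):
    return {"in_if": in_if, "proto": proto, "src": src, "dst": dst, "dport": dport}

def matches(r, pkt):
    _, proto, src, dst, port = r
    return (proto in ("ip", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in src
            and ipaddress.ip_address(pkt["dst"]) in dst
            and (port is None or port == pkt["dport"]))

def evaluate(pkt, interface_acls, global_acl=None):
    """First match wins: interface ACL, then global ACL (if configured), then implicit deny.
    Security-level defaults for interfaces without an ACL are not modelled."""
    stages = [("interface " + pkt["in_if"], interface_acls.get(pkt["in_if"], []))]
    if global_acl is not None:
        stages.append(("global", global_acl))
    for where, acl in stages:
        for r in acl:
            if matches(r, pkt):
                return r[0], where
    # Nothing matched: the implicit deny belongs to the last list that was consulted.
    return "deny", "implicit deny (%s)" % stages[-1][0].split()[0]

# Constructed sample policy, for illustration only.
INTERFACE_ACLS = {
    "outside": [rule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),
                rule("deny", "ip", "198.51.100.0/24", "0.0.0.0/0")],
    "dmz": [rule("permit", "tcp", "10.1.1.0/24", "10.2.2.5/32", 1433)],
}
GLOBAL_ACL = [rule("permit", "udp", "0.0.0.0/0", "192.0.2.53/32", 53),
              rule("permit", "ip", "198.51.100.0/24", "192.0.2.0/24")]

if __name__ == "__main__":
    for p in (packet("outside", "tcp", "203.0.113.7", "192.0.2.10", 443),
              packet("dmz", "udp", "10.1.1.5", "192.0.2.53", 53),
              packet("outside", "tcp", "198.51.100.9", "192.0.2.20", 80),
              packet("outside", "tcp", "203.0.113.7", "192.0.2.99", 22)):
        print(p["in_if"], p["src"], "->", p["dst"], evaluate(p, INTERFACE_ACLS, GLOBAL_ACL))
```

The third sample packet is the case to audit for in a real policy: the interface deny matches first, so the broader global permit for the same source is never reached.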

Anthony Sequeira CCIE, CCSI
Twitter: @compsolv
Facebook: http://www.facebook.com/compsolv

 

 


Tags: CCIE, practice, Security, study

Did You Miss Anthony Sequeira on Zone-Based Firewalls?

By Jessica Scott on May 19th, 2012

Watch the self-paced version here:


Tags: CCIE, firewall, practice, study, zone-based

Join Anthony Sequeira for a Free, Live Online vSeminar

By Jessica Scott on May 17th, 2012

Do you want to check out true next-generation video training and have some fun (yes, fun!) while you learn? Join Anthony Sequeira of StormWind.com’s Epic Live Training as he leads a free, live, online presentation regarding the configuration of zone-based firewalls.

What?
Zone-Based Firewalls – Part 1 of 2 – Configuration

Where?
http://stormwind.adobeconnect.com/cs007/
Log in as Guest using whatever name you like :)

When?
Friday, May 18, 2012, 3 PM EST USA

How Long?
1 hour

What to Bring?
For the best possible viewing results – consider installing the Adobe Connect Add-In for Windows or Macintosh – http://stormwind.com/hd; for the full Epic Live Requirements – check out http://stormwind.com/pdf/system-requirements.pdf

What If I Cannot Make It?
The HD video will be uploaded to YouTube immediately following the event and a link provided.

Are There Any Extras?
Feel free to arrive early and stay late chatting with our Guest CCIEs Narbik Kocharians of MicronicsTraining.com and Terry Vinson of IPexpert.com. A PDF of the event content is also provided free of charge.

Can I Bring A Friend?
Yes – there is no limit to the number of attendees!

What About Part 2?
Part 2 of this event will cover advanced configurations of the zone-based firewall as well as troubleshooting. The exact date and time will be announced.

 


Tags: CCIE, firewall, practice, r&s, Security, study, zone-based

FAQ Regarding the Upcoming Live Online CCIE Voice Alchemy Course

By Jessica Scott on May 16th, 2012

Q. When does this course start?

A. Thursday, June 7, 2012, 8:00 – 10:30 PM EDT

 

Q. Who should attend this course?

A. This course assumes the student has already been through at least one practice lab on their own and that they are at least familiar with the technologies on the CCIE Voice Lab blueprint.

 

Q. What is the basis for the course content?

A. This live on-line boot camp walks the student through a new mock lab (that Kevin Wallace created) over a series of eight sessions.

 

Q. What distinguishes this boot camp from a traditional boot camp?

A. The biggest difference (huge!) is its focus on lab strategy. There are 12 strategies outlined in what Kevin Wallace calls his “CCIE Voice Alchemy” process, which helps the student “turn their lab day into gold.” This boot camp demonstrates these 12 strategies while working through the new mock lab (in a non-linear fashion).

 

Q. What is the goal of this bootcamp?

A. The goal is for the student to complete this boot camp with a much deeper understanding of the technologies on the lab, and (maybe even more importantly) have a set of strategies that they can use on lab day to make the most effective use of their time.

 

Q. Who is this Kevin Wallace guy?

A. Kevin Wallace is a CCIE R&S and Voice. With Cisco experience dating back to 1989 (on a Cisco AGS+ router running Cisco IOS 7.x), Kevin has been a network design specialist for the Walt Disney World Resort, a Senior Technical Instructor for SkillSoft, and a network manager for Eastern Kentucky University. Kevin holds a bachelor’s of science degree in electrical engineering (focusing on digital communications) from the University of Kentucky, and has also authored or co-authored multiple books for Cisco Press, including: Voice over IP First-Step, Cvoice Foundation Learning Guide, TSHOOT Cert Kit, TSHOOT Official Certification Guide, and ROUTE Cert Kit. Kevin’s website is 1ExamAMonth.com.


Tags: bootcamp, CCIE, exam, lab, practice, training, Voice

Policing on a Port or an SVI on the Catalyst 3560 (3750)

By Anthony Sequeira on May 15th, 2012

While researching the Catalyst QoS chapter of the latest IPexpert book The Operation and Troubleshooting of QoS, I discovered that there are many incorrect blog posts out there regarding the configuration of traffic policing on a switched virtual interface (SVI). The purpose of this post is to provide the correct configuration and some supporting commentary. Big thanks to upcoming IPexpert instructor Kevin Wallace for this clear and direct video on the topic during our CCIE Lab Fundamentals course where he was one of our prized Guest Speakers.

As you know, policing sets a “speed limit” for traffic that is entering or exiting the Catalyst switch. Traffic that is not exceeding the speed limit is termed the conforming traffic. Traffic that is exceeding the speed limit is termed the exceeding traffic.



Tags: catalyst, CCIE, policing, practice, QoS, svi, Troubleshooting