Archive for October, 2010
An Access Control List (ACL) is a list of rules that control and filter traffic based on source and destination IP addresses, by either allowing or blocking packets on an interface of a router or firewall. Access control lists come in two forms: Standard access control lists and Extended access control lists. ACLs can also be used as a security measure for connections to the router itself, by allowing only the necessary IP addresses or networks to access the router via telnet. We will look at these access control lists, how they work and how to configure them on Cisco routers. Let’s start with the standard access control lists below.
Standard Access Lists
The standard access control list will allow you to either permit or deny traffic from a specific source IP address or IP network. These access lists have a number from 1 to 99. When you put an access list on a router you need to identify it with a number, e.g. access list 10. To configure a standard access list and apply it on an Ethernet interface you would enter the following commands:
access-list 10 permit 192.168.2.0 0.0.0.255
interface Ethernet0
ip access-group 10 in
With the above commands in place you would allow traffic to pass through the interface from all addresses in the 192.168.2.0 to 192.168.2.255 range. Every access list has an implicit deny all at the end of the ACL, even if you don’t specify it explicitly. So if you configured your access list like this, here is what it would do.
show access-list 10
The output will be:
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 10 deny any
Extended Access Lists
An extended access control list will allow you to deny or permit traffic from specific IP addresses and ports. It also gives you the ability to control the type of protocol that can be transferred, such as ICMP, TCP, UDP and so forth. Extended access control lists are numbered from 100 to 199.
An example of an extended ACL:
access-list 110 permit tcp 92.128.2.0 0.0.0.255 any eq 80
ACL 110 will permit TCP traffic coming from any address on the 92.128.2.0 network (source network) towards any destination IP on port 80. The ‘any’ keyword is there to allow traffic towards any destination IP on port 80. The first network statement in the access-list command (i.e. 92.128.2.0 0.0.0.255) refers to the source of the traffic, and the second network statement (the keyword “any” in our example) refers to the destination of the traffic.
Another example:
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
The above configuration will allow all IP traffic from source network 192.168.1.0/24 towards destination network 192.168.2.0/24.
Note also that the subnet mask in the ACL configuration is always represented with an inverse mask (i.e. instead of using 255.255.255.0 we use 0.0.0.255).
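The matching rules described above (inverse mask, top-down first match, implicit deny), as an added example that is not part of the original article: a small Python evaluator that parses only the access-list forms shown on this page and checks packets against them. The function names and the test packets are assumptions made for illustration, and it is a simplified model rather than a full reproduction of Cisco IOS behaviour.

```python
import ipaddress

# ACLs copied from the article; the packets tested against them are constructed.
ACL_10 = ["access-list 10 permit 192.168.2.0 0.0.0.255"]
ACL_110 = ["access-list 110 permit tcp 92.128.2.0 0.0.0.255 any eq 80"]
ACL_111 = ["access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"]
ANY = (0, 0xFFFFFFFF)  # wildcard of all ones: no bit has to match

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_addr(t):
    """Consume 'any', 'host A' or 'A WILDCARD' from token list t -> (base, wildcard)."""
    if t[0] == "any":
        t.pop(0)
        return ANY
    if t[0] == "host":
        t.pop(0)
        return (ip_int(t.pop(0)), 0)
    return (ip_int(t.pop(0)), ip_int(t.pop(0)))

def parse_rule(line):
    t = line.split()[1:]  # drop the 'access-list' keyword
    number, action = int(t.pop(0)), t.pop(0)
    rule = {"action": action, "proto": "ip", "dst": ANY, "port": None}
    if number >= 100:  # extended: protocol, source, destination, optional 'eq PORT'
        rule["proto"] = t.pop(0)
        rule["src"], rule["dst"] = parse_addr(t), parse_addr(t)
        if t[:1] == ["eq"]:
            rule["port"] = int(t[1])
    else:  # standard (1-99): source address only
        rule["src"] = parse_addr(t)
    return rule

def addr_matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # 0 bits in the inverse mask must match exactly
    return (ip_int(addr) & care) == (base & care)

def evaluate(acl, src, dst="0.0.0.0", proto="ip", dport=None):
    """Return 'permit' or 'deny' for one packet; rules are checked top-down."""
    for rule in map(parse_rule, acl):
        if (rule["proto"] in ("ip", proto) and addr_matches(src, rule["src"])
                and addr_matches(dst, rule["dst"]) and rule["port"] in (None, dport)):
            return rule["action"]  # first matching rule decides
    return "deny"  # the implicit 'deny any' that ends every ACL

if __name__ == "__main__":
    print(evaluate(ACL_110, "92.128.2.7", "203.0.113.5", "tcp", 80))
    print(evaluate(ACL_110, "92.128.2.7", "203.0.113.5", "tcp", 23))
```

Running packets through `evaluate` before applying a list to an interface is a quick way to confirm that traffic you did not explicitly permit falls through to the implicit deny.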
How to apply the ACL
After you have set the ACL in place you will need to specify the direction in which it operates on the interface where it is applied (inbound or outbound). “in” means inbound to the interface and “out” means outbound from the interface. The ACL is then applied on a specific interface using the “access-group” command.
You can identify an access list by giving it a name or number. Here is a set of commands you would use:
Router(config)#interface serial 0
Router(config-if)#ip access-group 111 out
Using Access Lists to secure Telnet access to a router
You can also secure the telnet lines on a router with an ACL. This lets you allow telnet login only from certain hosts or networks. Here is a sample configuration showing how to do this.
access-list 25 permit 192.168.2.0 0.0.0.255
line vty 0 4
access-class 25 in
With this ACL in place you will only permit hosts on the 192.168.2.0/24 network to have access to the VTY login. All attempts from other networks would be blocked.
Another example: Let’s say we have one specific management station (10.1.1.1) which should be allowed to access the router via telnet. All other hosts should be blocked.
access-list 10 permit host 10.1.1.1
line vty 0 4
access-class 10 in
According to a recent research survey, 44% of Enterprises are going to migrate to Exchange Server 2010 in the next few months. Also, professionals possessing Microsoft Exchange 2010 experience or certification can easily find employment with salaries of over $80,000 per year.
The newest Microsoft Exchange Server 2010 is not just a simple email platform. Rather, it is a full-featured Unified Communication solution offering integrated enterprise telephony (VoIP), voice mail, security-enhanced email distribution, calendaring, conferencing, instant messaging and much more. This means that in order to tame the beast called Exchange Server 2010 you will need an excellent training course. And this applies to experienced I.T. professionals as well.
Microsoft has also introduced a certification associated with Exchange 2010. It is called MCTS Exchange Server 2010, Configuration. To get this certification you need to pass exam number 70-662. So the question that arises here is: should I get a training course that will teach me all the details of the Exchange 2010 platform, or a training course to help me pass the 70-662 exam? The answer to this is: “why don’t you get a single training course that will offer you both Exchange 2010 training plus 70-662 exam coverage”.
There are two training companies that offer such a course. These are CBT Nuggets and Trainsignal. These two companies are the two most trusted and successful in the area of computer based training (CBT). The video trainings produced by these two companies have helped thousands of certification candidates to pass their exams and also thousands of I.T. professionals to master their chosen technology topic. A video training course is also an excellent option for students. It offers a combination of “teacher based” training which you can follow at your own pace and time without having to pay thousands of dollars to attend a training classroom.
In this article my intention is to give you a side-by-side comparison of the two training courses for Exchange 2010 offered by CBT Nuggets and Trainsignal. Remember also that both training packages will help you achieve two goals:
- Get a high standard and solid training to learn the details of Exchange Server 2010 from two highly experienced teachers.
- Cover the objectives and pass the 70-662 exam.
The table below illustrates the characteristics and features of the two courses:
| Training Package Features | Train Signal | CBT Nuggets |
|---|---|---|
| Price | $397 | $299 |
| Video Training Duration | 20 hours | 7 hours |
| Number of Videos Included | 40 videos | 20 videos |
| Video Format | AVI and WMV | WMV or Goldrush Streaming |
| What’s Included in Package | 3 DVDs with 40 Training Videos; 40 iPod Video Files; 40 MP3 Audio Files; PDF Instructor Notes; 1 Transcender 70-662 Practice Exam; Instant access to all Videos in the “My Online Training” Section | A CD with 20 Videos |
| Guarantee | 90-Days Total Experience Guarantee | No Money Back Guarantee (only replacement guarantee for defective media) |
| Instructor | J. Peter Bruzzese | Greg Shields |
| Instructor Qualifications | Triple-MCSE, MCT, MCSA, MCITP:Messaging, CAN, CCNA, CIW Master, CIW Instructor. | Microsoft MVP, MCSE, VMware vExpert, Citrix CCEA |
| Practice Tests Included | Free Full Version of Transcender 70-662 Practice Exam. | Optional SelfTest Software Practice Exam package (Extra $69 price) |
| Prerequisites | This course is suitable for both beginners and experts to Exchange Server software. | No prerequisite experience needed to follow the course. |
| Product Delivery | 3 DVDs shipped to your home PLUS Instant Video Streaming Access to Training | Goldrush Streaming (Stream Directly from CBT Nuggets); Electronic Delivery (Download zip file); OR Physical CD shipped to your home |
At first glance, the side-by-side comparison table above shows that the TrainSignal package option offers a more comprehensive and in-depth training value. The key differences that make Trainsignal Exchange 2010 Training a better value for money are the 20 hours of training (compared to 7 hours with the CBT Nuggets course) and the free extra Transcender Practice Exam together with the 90-Days Total Experience Guarantee (something that is not available with the CBT Nuggets option). Of course the CBT Nuggets price is $299 compared to $397 for the Trainsignal package, so it’s completely up to you to decide which company’s package to choose.