There is a way to reduce the overhead involved in modifying ACL by using the Cisco IOS feature of resequencing.

In the following example in a Cisco router there is an access-list name ITKE

ASW2-02#sho access-lists ITKE

Extended IP access list ITKE

1 permit ip host 192.168.1.1 host 10.1.0.1

2 permit ip host 192.168.1.2 host 10.1.0.2

ASW2-02#

From the example if we need to add one more deny statement for the host 192.168.1, it’s not possible to add a statement without deleting the current access list and create a new one. But the power of resequence allows you to assign a new set of sequence numbers to current access list as demonstrated below using the IOS command “ip access-list resequence”

ASW2-02#configure t

ASW2-02(config)#ip access-list resequence ITKE ?

<1-2147483647>  Starting Sequence Number

ASW2-02(config)#ip access-list resequence ITKE 10 10

This starts the first entry with a sequence number of 10 and increments all new lines by 10. The result is as shown below

ASW2-02#sho ip access-lists ITKE

Extended IP access list ITKE

10 permit ip host 192.168.1.1 host 10.1.0.1

20 permit ip host 192.168.1.2 host 10.1.0.2

ASW2-02#

By resequencing the ACL now it’s easy to inserts a new ACL with a sequence number of 15 which would fall between the existing entries in the ITKE access list.

6. CCNP Security ($97,539)

CCNP Security certification program is aligned specifically to the job role of the Cisco Network Security Engineer responsible for Security in Routers, Switches, Networking devices and appliances, as well as choosing, deploying, supporting and troubleshooting Firewalls, VPNS, and IDS/IPS solutions for their networking environments

7.CCNP: Cisco Certified Network Professional ($97,296)

There are two tracks available at the Associate and Professional levels – Designing and Networking. The Cisco Certified Network Professional (CCNP) demonstrates that you have the ability to plan, implement, verify and troubleshoot local and wide-area enterprise networks. A CCNP certified individual is expected to work collaboratively with other Cisco specialists on advanced security, voice, wireless and video solutions.

8.CCNA: Voice ($92,837)

There are two tracks at the Associate and Professional levels – Designing and Networking. The Cisco Certified Network Associate Voice (CCNA Voice) demonstrates that an individual possess the required associate-level knowledge and skills to administer a voice network and validates skills in VoIP technologies such as IP PBX, IP telephony, handset, call control, and voicemail solutions.

9. Cisco ASA Specialist ($86,812)

The ASA Specialist certification identifies individuals who possess in-depth expertise with implementing security technologies using the Adaptive Security Appliance (ASA) technologies, especially firewall and VPN functionality. Other topics include ACL, AAA, advanced protocol handling, remote access VPN, secure socket layer VPN, site-to-site VPNs, failover, and security appliance management. Cisco ASA Specialists possess the ability to describe, configure, verify and manage the ASA products and the Adaptive Security Device Manager (ASDM).

10. CCNA Security ($83,101)

Cisco Certified Network Associate Security (CCNA® Security) validates associate-level knowledge and skills required to secure Cisco networks. With a CCNA Security certification, a network professional demonstrates the skills required to develop a security infrastructure, recognize threats and vulnerabilities to networks, and mitigate security threats. The CCNA Security curriculum emphasizes core security technologies, the installation, troubleshooting and monitoring of network devices to maintain integrity, confidentiality and availability of data and devices, and competency in the technologies that Cisco uses in its security structure.

We all know in Cisco Catalyst Multilayer Switches the matching process of the Access Control list is done at hardware level. In order to do this processing the Ternary Content Addressable Memory (TCAM) comes into picture. Basically the Ternary Content Addressable Memory (TCAM) is used by Cisco Catalyst switches to store information necessary for hardware processing. TCAM allows a packet to be evaluated against the entire access list in a single lookup table. Most Cisco Catalyst Switches comes with multiple TCAMs. Its utilization depends on the features supported by the platform, but the TCAM is generally partitioned into sections designated for unicast routes, multicast routes, VLANs, and entries for routed, VLAN, and QoS ACLs.

The Cisco IOS Software constitutes of two components what are part of the TCAM operation, namely Feature Manager (FD) and Switching Database Manager (SDM, when I saw SDM the first thing came to my mind was Security Device Manager Application.)

The Feature Manager merges or compiles the Access Control Entries (ACE) in the TCAM table of a Cisco Catalyst Switch, whereas the Switching Database Manager (SDM) comes handy in creating a partition of TCAM table on some of Cisco Catalyst Switches into areas of different functions. The Switching Database Manager (SDM) software can configure or tunes the TCAM partition if needed. The Cisco Catalyst 4500 and Cisco Catalyst 6500 Series Switches cannot be repartitioned as it comes with the fixed TCAM memory.