Security: To Permit, or Not to Permit – Cisco IOS Access Control Lists (ACL). The Basics of Permission and Denial – Part 2
In Part 1 of this article, we explained how access-lists work. In this article, we’ll take a sample network and explain how to create and apply an access-list. Remember that an Access-List (ACL) is used to specify network traffic. Once you specify traffic with an ACL, you can then do a variety of things with it. For example, you could allow it, deny it, limit it, or use it to restrict routing updates. We will also explain how to filter traffic with an ACL because this is the most common use.
Example of Filtering with an Access-list
Now, let me provide an example of how to filter inbound traffic with an access-list. Our sample network is a Chicago router whose Serial0 interface connects over a T1 WAN circuit to San Diego; the San Diego LAN is the 10.10.1.0/24 network, and the administrator's PC sits on the Chicago LAN.
Let’s say that we are on the Chicago router. We want to allow only inbound WWW (HTTP, TCP port 80) traffic from the IP addresses on the San Diego LAN: network 10.10.1.0 with a subnet mask of 255.255.255.0, which is a wildcard mask of 0.0.0.255. We also want every denied packet logged to the router's logging buffer. Let’s do this in two steps.
First, create your access-list. It needs two lines: a permit for TCP from 10.10.1.0 0.0.0.255 to any destination with a destination port of 80 (www), followed by a deny for all other IP traffic.
Note that the second line of the access-list denies all traffic and ends with the log-input keyword, so every packet it drops is logged along with the interface it arrived on. Every ACL already ends with an implicit deny ip any any; the explicit deny is there only so that the dropped traffic gets logged. Also note that the wildcard mask (0.0.0.255) is used instead of the subnet mask (255.255.255.0): a 0 bit means that bit of the address must match, a 1 bit means it is ignored. Two more things matter when writing an extended ACL. One is the order of the fields: the source address comes first, then the destination. The other is the direction of the traffic you are describing: an HTTP client contacts the web server with a destination port of 80 (www) on the server, so the permit line matches on the destination port, not the source port.
Second, apply your access-list to the interface with the ip access-group command.
Note the direction keyword in when the access-list is applied. This says that the ACL is evaluated against inbound traffic, that is, packets coming into the Serial interface from the T1 WAN circuit (in this case, from San Diego, CA). An ACL is applied per interface and per direction; the same list applied with out would instead filter packets leaving the Serial interface toward San Diego.
Finally, let’s see what the access-list looks like with our show commands, and also where the ACL is applied on the interface.
The two commands are show ip access-lists and show ip interface serial0. The first shows the access-list we created, with a match counter on each line that increments as packets hit it. The second shows which access-list is applied to the interface and in what direction. Both facts are also visible in show running-config, although the running-config does not show the match counters.
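Here is the configuration that the two steps above describe, written out as an added example rather than the article's own screen capture. The access-list number 101 and the hostname Chicago are assumptions (any extended-ACL number from 100 to 199 or 2000 to 2699 works), and logging buffered is included because the text wants the denied packets in the logging buffer.

```cisco
! Added example, not the article's own capture. ACL number 101 and the
! hostname "Chicago" are assumed.
Chicago# configure terminal
Chicago(config)# logging buffered
! Step 1: build the extended ACL. Source is checked first, then destination.
! 0.0.0.255 is the wildcard mask for 255.255.255.0 (0 = must match, 1 = don't care).
! HTTP clients connect to the server's destination port 80, so "eq www" goes
! on the destination, not the source.
Chicago(config)# access-list 101 permit tcp 10.10.1.0 0.0.0.255 any eq www
! Explicit deny with log-input so every dropped packet is logged together with
! its input interface (and source MAC on multi-access media). Without this line
! the implicit deny at the end of every ACL would still drop the traffic, silently.
Chicago(config)# access-list 101 deny ip any any log-input
! Step 2: apply the list inbound on the WAN interface facing San Diego.
Chicago(config)# interface serial0
Chicago(config-if)# ip access-group 101 in
Chicago(config-if)# end
! Verify: the list with its per-line match counters, then the interface binding.
Chicago# show ip access-lists 101
Chicago# show ip interface serial0 | include access list
! Denied TCP/UDP packets appear in the buffer as %SEC-6-IPACCESSLOGP messages
! (IPACCESSLOGDP for ICMP, IPACCESSLOGNP for other protocols).
Chicago# show logging | include IPACCESSLOG
```

Two practitioner caveats. The deny ip any any line drops everything else that arrives on Serial0, including routing-protocol packets from San Diego and ICMP, so on a production link you would add explicit permits above the deny for whatever the circuit needs. And logged denies are punted to the CPU and rate-limited, so a log-input line that matches a high packet rate costs router CPU; keep it for troubleshooting or narrow it to the traffic you actually want to see.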
Example of Restricting Telnet access with an Access-list
Quickly, let me provide another example of using an ACL. Say that you are still on the Chicago router. You want to allow only your PC’s IP address (on the Chicago LAN) to Telnet to the router. Yes, you could do this with an ACL on the interface, but instead let’s do it with the access-class statement on the vty lines. For this you only need a standard access-list, which matches on the source address alone. Say that your PC’s IP address is 10.10.2.100. First, create a standard access-list that permits that single source address.
Next, apply this ACL to all five VTY lines at once using the vty range configuration (line vty 0 4) and the access-class statement with the in keyword.
By creating this ACL and applying it to all five VTY lines, we are saying that only IP address 10.10.2.100 can Telnet to this Cisco router; every other source is rejected by the ACL's implicit deny, and the session never reaches the login prompt. The access-class check governs connections to the router itself, regardless of which interface they arrive on, and it does not affect traffic passing through the router. This is just another example of the many uses of an ACL.
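The vty restriction as a complete configuration, again an added example and not the article's own capture. The standard access-list number 10 and the hostname Chicago are assumptions (any number from 1 to 99 or 1300 to 1999 works), and the explicit deny any log line is an addition that follows the article's own practice of logging what is denied.

```cisco
! Added example, not the article's own capture. ACL number 10 and the
! hostname "Chicago" are assumed.
Chicago# configure terminal
! A standard ACL matches on source address only. "host 10.10.2.100" is
! shorthand for "10.10.2.100 0.0.0.0". Everything else hits the implicit deny;
! the explicit deny with "log" just makes refused attempts visible in the buffer.
Chicago(config)# access-list 10 permit host 10.10.2.100
Chicago(config)# access-list 10 deny any log
! Apply it to the vty lines with access-class, not ip access-group: this
! filters sessions terminating on the router itself, whichever interface they
! arrive on, and leaves transit traffic alone.
Chicago(config)# line vty 0 4
Chicago(config-line)# access-class 10 in
Chicago(config-line)# end
! Verify the ACL and the line configuration it is bound to.
Chicago# show ip access-lists 10
Chicago# show running-config | begin line vty
! A platform with more than five vty lines needs the access-class on every one
! of them, or the extra lines stay open. "show line" lists how many you have.
Chicago# show line | include VTY
```

Anyone else who tries to connect sees the TCP connection refused, and the deny any log line records the source address. Two things to keep in mind: the same access-class applies to any protocol that terminates on those vty lines, SSH included, and a source-address check complements but does not replace login authentication on the lines.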
Summary
The proper usage of Cisco IOS access-lists is essential knowledge for any network administrator. In Part 2 of these articles on Access-Lists, you saw a real-world network and how to create and apply access-lists on it. You saw how access-lists can be used to filter traffic flowing through the network, and also how an ACL can specify which IP address may Telnet to the router. If you haven’t read Part 1 of this series, please take a look. Part 1 covered the essentials of access-lists that everyone should know.
Cisco IOS Access-lists have so many more options and uses than what we were able to explore in this short article. To learn more, go to your router and type access-list ?, or consult the Cisco IOS documentation on Access-lists.
About the writer
David Davis (CCIE #9369, CWNA, MCSE, CISSP, Linux+, CEH) has been in the IT industry for 15 years. Currently, he manages a group of systems/network administrators for a privately owned retail company and authors IT-related material in his spare time. He has written over fifty articles, eight practice tests and three video courses and has co-authored one book. His website is at www.happyrouter.com.