
How to Use Cisco IOS Access Lists - Part 2

In Part 1 of this article, we explained how access-lists work. In this article, we take a sample network and show how to create and apply an access-list on it. Remember that an Access-List (ACL) is used to specify, or match, network traffic. Once traffic is matched by an ACL, you can do a variety of things with it: permit it, deny it, rate-limit it, or use it to restrict routing updates. This article concentrates on filtering traffic with an ACL, because that is by far the most common use.

Example of Filtering with an Access-list

Let me provide an example of how to filter inbound traffic with an access-list. Here is our sample network. We are on the Chicago router, and we want to allow only inbound WWW traffic from the IP addresses on the San Diego LAN. Those addresses are the network 10.10.1.0 with a subnet mask of 255.255.255.0. We also want any traffic that is denied to be logged to the router's logging buffer. We do this in two steps.

First, create your access-list. Note that the second line of the access-list denies all other traffic and ends with the log-input keyword so that every denied packet is logged. Also note that a wildcard mask (0.0.0.255) is used instead of the subnet mask (255.255.255.0). It is important to know the direction of the traffic (an extended ACL matches the source address first, then the destination) and how the traffic works: a WWW (HTTP) client contacts the web server on a destination port of 80, which IOS also accepts as the keyword www.

Second, apply your access-list. Note the direction "IN" when the access-list is applied to the interface. This says that the ACL applies to inbound traffic, coming into the Serial interface from the T1 WAN circuit (in this case, from San Diego, CA).

Finally, let's see what the access-list looks like with our show commands, and where the ACL is applied to the interface, using show ip access-lists and show ip interface serial0. The first command displays the access-list we created, along with a hit counter for each entry. The second command shows on which interface the access-list is applied and in what direction. Of course, you can see both of these things with the show running-config command as well.
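The configuration that the two steps above describe, written out here as an added example reconstructed from the text rather than the article's own listing. The access-list number 101, the any destination, and the logging buffered command are assumptions (the article names none of them); the 10.10.1.0 network and its wildcard mask, the www port, the deny line with log-input, and the inbound application on Serial0 come from the text.

```cisco
! Added example, not the article's own listing. Assumed: ACL number 101,
! destination "any" (the article does not give the web server's address),
! and the logging buffered command. Everything else follows the text.
!
! ACL deny messages (%SEC-6-IPACCESSLOGP) are severity 6, informational,
! so the buffer must accept that level to capture them.
logging buffered 16384 informational
!
! Extended ACL: the source is matched first, then the destination.
! 0.0.0.255 is the wildcard (inverse) form of 255.255.255.0, so this
! entry matches 10.10.1.0/24. HTTP clients connect to destination port
! 80 on the server; IOS accepts "www" as a synonym for "eq 80".
access-list 101 permit tcp 10.10.1.0 0.0.0.255 any eq www
!
! Every ACL already ends with an implicit "deny any". This explicit deny
! exists only so that the drops are logged. log-input additionally
! records the ingress interface and the source MAC address.
access-list 101 deny ip any any log-input
!
! Apply the ACL inbound on the WAN interface facing San Diego.
interface Serial0
 ip access-group 101 in
end
!
! Verification, from privileged EXEC mode:
!   show ip access-lists          -> the two entries with match counters
!   show ip interface serial0     -> "Inbound access list is 101"
!   show logging                  -> the buffered %SEC-6-IPACCESSLOGP lines
```

Two checks worth making before applying this. The deny line drops everything else that arrives on Serial0, including any routing protocol or management traffic the WAN link itself depends on; if the T1 carries a routing protocol, a permit for it must be placed above the deny. And because the ACL is inbound, it does not filter the Chicago web server's replies, which leave through Serial0 in the outbound direction. ACL logging is also rate-limited by IOS, so the buffered messages show a representative sample of the drops rather than one line per packet.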


Example of Restricting Telnet access with an Access-list

Let me quickly provide another example of using an ACL. Say that you are still on the Chicago router and you want to allow only your PC's IP address (on the Chicago LAN) to TELNET to the router. You could do this with an ACL on the interface, but instead let's do it with the access-class statement on the vty lines. For this you only need a standard access-list, because it matches on the source address alone. Say that your PC's IP address is 10.10.2.100. First, create an access-list that matches traffic from that source.

Next, apply this ACL to all 5 VTY lines with the access-class statement, using the vty range configuration. By creating this ACL and applying it to all 5 VTY lines, we are saying that only IP address 10.10.2.100 can TELNET to this Cisco router; every other source is dropped by the ACL's implicit deny. This is just one more example of the many uses of an ACL.
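The vty restriction described above, as an added example reconstructed from the text and not the article's own listing. The access-list number 10 is an assumption; the PC address 10.10.2.100 and the five vty lines are from the text.

```cisco
! Added example, not the article's own listing. Assumed: ACL number 10.
! The PC address and the 5 vty lines (0 through 4) come from the text.
!
! Standard ACL: matches on the source address only. "host" is shorthand
! for the wildcard mask 0.0.0.0, i.e. an exact match. The implicit
! "deny any" at the end rejects every other source.
access-list 10 permit host 10.10.2.100
!
! Bind the ACL to the vty lines with access-class, not ip access-group.
! "in" restricts who may open a session to the router; "out" would
! instead restrict where a user already logged in may telnet to.
line vty 0 4
 access-class 10 in
end
!
! Verification, from privileged EXEC mode:
!   show ip access-lists 10   -> the permit entry and its match counter
!   show line vty 0 4         -> the lines carrying the restriction
```

Before relying on this, run show line and confirm how many vty lines the platform actually has. Many IOS images provide lines 0 through 15; any vty line the access-class is not applied to remains unrestricted, so on such a platform the range must be line vty 0 15. Apply the change from the permitted address with a second session held open, so a typo in the ACL does not lock you out of the router.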

Summary

Proper use of Cisco IOS access-lists is essential knowledge for any network administrator. In Part 2 of this series on access-lists, you saw a real-world network and how to create and apply access-lists on it. You saw how an access-list can filter traffic flowing through the network, and how an ACL can specify which IP address is allowed to telnet to the router. If you haven't read Part 1 of this series, please take a look; it covers the essentials of access-lists that everyone should know. Cisco IOS access-lists have far more options and uses than we were able to explore in this short article. To learn more, go to your router and type access-list ?, or consult the Cisco IOS documentation on access-lists.
