Coming Soon: GET:IT Endpoint Management 1-Day Conference on September 28th at 9:30 AM ET Coming Soon: GET:IT Endpoint Management 1-Day Conference on September 28th at 9:30 AM ET
Cisco

How to Use Cisco IOS Access Lists - Part 2

In Part 1 of this article, we explained how access-lists work. In this article, we’ll take a sample network and explain how to create and apply an access-list. Remember that an Access-List (ACL) is used to specify network traffic. Once you specify traffic with an ACL, you can then do a variety of things with it. For example, you could allow it, deny it, limit it, or use it to restrict routing updates. We will also explain how to filter traffic with an ACL because this is the most common use.

Example of Filtering with an Access-list

Now, let me provide an example of how to filter inbound traffic with access-list. Here is our sample network: Let’s say that we are on the Chicago router. We want to only allow inbound www traffic from the IP addresses on the San Diego LAN. Those IP addresses are the network 10.10.1.0, which has a subnet mask of 255.255.255.0. We want to log any traffic that is denied to our logging buffer. Let’s do this in two steps. First, create your access-list: Note that the second line of the access-list denied all traffic, and used the log-input keyword at the end to log all denied traffic. Also, note how the wildcard mask was used instead of the subnet mask. It is important to know the direction of the traffic (the ACL uses source, then destination), and how the traffic works (WWW or HTTP) traffic contacts the web server with a destination port on the server of port 80, or WWW. Second, apply your access-list: Note the direction of “IN” when we applied the access-list. This says that the ACL applies to IN-BOUND traffic, coming into the Serial interface from the T1 WAN circuit (in this case, from San Diego, CA). Finally, let’s see what the access-list looks like with our show command, and also where the ACL is applied to the Interface. Here is output from the show ip access-lists and show ip interface serial0 command. In the first command, you can see the access-list that we created. In the second command, you can see where the access-list was applied and in what direction. Of course, you can see both of these things with the show running-config command.

Sponsored Content

Say Goodbye to Traditional PC Lifecycle Management

Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.

Example of Restricting Telnet access with an Access-list

Quickly, let me provide another example of using an ACL. Say that you are still on the Chicago router. You want to only allow your PC’s IP address (on the Chicago LAN) access to TELNET, to the router. Yes, you could do this with an ACL on the Interface but, instead, let’s do it by using the access-class statement on the vty lines. To do this, you only need a standard access-list. Say that your PC’s IP address is 10.10.2.100. First, create an access-list to specify traffic with that source, like this:

Next, apply this ACL to all 5 VTY lines using the vty range configuration, using the access-class statement, like this: By creating this ACL and applying it to all 5 VTY lines, we are saying that only IP address 10.10.2.100 can TELNET to this Cisco router. This is just another example of the many uses of an ACL.

Summary

The proper usage of Cisco IOS access-lists are essential knowledge for any network administrator. In Part 2 of these articles on Access-Lists, you saw a real-world network, and how to create and apply access-lists on that network. You saw how access-lists could be used to filter traffic that is flowing through the network, and also how an ACL can be used to specify what IP address can telnet to the router. If you haven’t read Part 1 of this series, please take a look. Part 1 covered the essentials of Access-List that everyone should know. Cisco IOS Access-lists have so many more options and uses than what we were able to explore in this short article. To learn more, go to your router and type access-list ?, or consult the Cisco IOS documentation on Access-lists.

Related articles

You might also want to read the following related articles:

Related Topics:

BECOME A PETRI MEMBER:

Don't have a login but want to join the conversation? Sign up for a Petri Account

Register
Comments (0)

Leave a Reply

Live Webinar: Active Directory Security: What Needs Immediate Priority!Live on Tuesday, October 12th at 1 PM ET

Attacks on Active Directory are at an all-time high. Companies that are not taking heed are being punished, both monetarily and with loss of production.

In this webinar, you will learn:

  • How to prioritize vulnerability management
  • What attackers are leveraging to breach organizations
  • Where Active Directory security needs immediate attention
  • Overall strategy to secure your environment and keep it secured

Sponsored by: