CCNA Training-Access Control Lists
Zac Bickersteth on October 5, 2010 in Courses Section
An Access Control List (ACL) is an ordered list of rules that controls and filters traffic based on source and destination IP addresses, either permitting or denying packets on an interface of a router or firewall. Access control lists come in two forms: standard access control lists and extended access control lists. ACLs can also be used as a security measure for management access to the router itself, by allowing only the necessary IP addresses or networks to reach the router via telnet. We will look at both kinds of access list, how they work and how to configure them on Cisco routers. Let’s start with standard access control lists.
Standard Access Lists
A standard access control list lets you either permit or deny traffic from a specific source IP address or IP network. These access lists are numbered from 1 to 99. When you create an access list on a router you identify it by that number, e.g. access-list 10. To configure a standard access list and apply it to an Ethernet interface you would enter the following commands:
access-list 10 permit 192.168.2.0 0.0.0.255
interface Ethernet0
ip access-group 10 in
With the above commands applied, traffic is allowed to pass through the interface from every address in the range 192.168.2.0 to 192.168.2.255. Every access list ends with an implicit deny all, even if you don’t specify it explicitly. So if you configured your access list like this, here is what it would do.
show access-list 10
In effect the list reads:
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 10 deny any
Extended Access Lists
An extended access control list lets you permit or deny traffic based on specific source and destination IP addresses and ports. It also lets you control which protocol may pass, such as ICMP, TCP, UDP and so forth. Extended access control lists are numbered from 100 to 199.
An example of an extended ACL:
access-list 110 permit tcp 92.128.2.0 0.0.0.255 any eq 80
ACL 110 permits traffic coming from any address on the 92.128.2.0 network (the source network) towards any destination IP on port 80. The ‘any’ keyword allows traffic towards any destination IP, and ‘eq 80’ restricts the match to destination port 80. The first network statement in the access-list command (i.e. 92.128.2.0 0.0.0.255) refers to the source of the traffic, and the second network statement (the keyword “any” in our example) refers to the destination of the traffic.
Another example:
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
The above configuration will allow all IP traffic from source network 192.168.1.0/24 towards destination network 192.168.2.0/24.
Note also that the subnet mask in an ACL is always written as an inverse mask, also called a wildcard mask (i.e. instead of 255.255.255.0 we use 0.0.0.255).
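To make the matching rules above concrete, here is an added Python model (it is not from the original article and is not Cisco IOS code) of how a router evaluates standard and extended entries: wildcard-mask comparison, the protocol and destination-port checks, first-match ordering, and the implicit deny at the end. It transcribes ACLs 10, 110 and 111 from this article; the packets fed to it are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# IOS shorthand: "any" = 0.0.0.0 255.255.255.255, "host X" = X 0.0.0.0
ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_from_prefix(prefix_len: int) -> str:
    """Turn a CIDR prefix length into the inverse (wildcard) mask IOS expects, e.g. 24 -> 0.0.0.255."""
    netmask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(netmask ^ 0xFFFFFFFF))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """An address matches when it equals the base on every bit the wildcard leaves at 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF          # 1 bits = "must match", 0 bits = "don't care"
    return a & care == b & care

@dataclass
class Entry:
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches every protocol; otherwise "tcp", "udp" or "icmp"
    src: tuple           # (address, wildcard) of the source
    dst: tuple = ANY     # (address, wildcard) of the destination; a standard ACL has none
    dport: int = 0       # "eq <port>" on the destination; 0 means any port

def evaluate(acl: list, proto: str, src: str, dst: str, dport: int = 0) -> str:
    """Walk the list top-down; the first matching entry decides, anything unmatched hits the implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst)):
            continue
        if e.dport and e.dport != dport:
            continue
        return e.action
    return "deny"        # implicit "deny any": never displayed by the router, always present

# The article's lists transcribed as entries; the packets below are constructed samples
ACL_10 = [Entry("permit", "ip", ("192.168.2.0", "0.0.0.255"))]
ACL_110 = [Entry("permit", "tcp", ("92.128.2.0", "0.0.0.255"), ANY, 80)]
ACL_111 = [Entry("permit", "ip", ("192.168.1.0", "0.0.0.255"), ("192.168.2.0", "0.0.0.255"))]

if __name__ == "__main__":
    print(wildcard_from_prefix(24))                                    # 0.0.0.255
    print(evaluate(ACL_10, "icmp", "192.168.2.77", "10.0.0.1"))         # permit
    print(evaluate(ACL_10, "icmp", "192.168.3.1", "10.0.0.1"))          # deny (implicit)
    print(evaluate(ACL_110, "tcp", "92.128.2.5", "8.8.8.8", 80))        # permit
    print(evaluate(ACL_110, "tcp", "92.128.2.5", "8.8.8.8", 443))       # deny
    print(evaluate(ACL_111, "udp", "192.168.1.9", "192.168.2.9", 53))   # permit
```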
How to apply the ACL
After you have created the ACL you need to specify the direction in which it operates on the interface to which it is applied (inbound or outbound): “in” means inbound to the interface and “out” means outbound from the interface. The ACL is then applied to a specific interface using the “ip access-group” command.
You can identify an access list by giving it a name or number. Here is a set of commands you would use:
Router(config)#interface serial 0
Router(config-if)#ip access-group 111 out
Using Access Lists to secure Telnet access to a router
You can also secure the telnet lines on a router with an ACL. This lets you restrict telnet login to certain hosts or networks only. Here is a sample configuration showing how you would go about doing this.
access-list 25 permit 192.168.2.0 0.0.0.255
line vty 0 4
access-class 25 in
With this ACL in place, only hosts on the 192.168.2.0/24 network are permitted to reach the VTY login. All attempts from other networks are blocked.
Another example: Let’s say we have one specific management station (10.1.1.1) which should be allowed to access the router via telnet. All other hosts should be blocked.
access-list 10 permit host 10.1.1.1
line vty 0 4
access-class 10 in
