© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.

Timing: This chapter takes about 2 hours to cover.


4-2 Outline
- Overview
- Implementing ACLs
- Configuring Standard IP ACLs
- Configuring Extended IP ACLs
- Using Named ACLs
- Configuring vty ACLs
- Guidelines for Placing ACLs
- Verifying the ACL Configuration
- Summary

4-3 ACL Configuration Guidelines
- ACL numbers indicate which protocol is filtered.
- One ACL per interface, per protocol, per direction is allowed.
- The order of ACL statements controls testing. The most restrictive statements go at the top of the list.
- The last ACL test is always an implicit deny any statement, so every list needs at least one permit statement.
- ACLs must be created before applying them to interfaces.
- ACLs filter traffic going through the router. ACLs do not filter traffic originating from the router.

4-4 ACL Command Overview
Step 1: Set parameters for this ACL test statement (which can be one of several statements).
Router(config)# access-list access-list-number {permit | deny} {test conditions}
Step 2: Enable an interface to use the specified ACL.
Router(config-if)# {protocol} access-group access-list-number {in | out}
ACL number ranges:
- Standard IP lists (1-99)
- Extended IP lists (100-199)
- Standard IP lists (1300-1999) (expanded range)
- Extended IP lists (2000-2699) (expanded range)

4-5 Standard IP ACL Configuration
Router(config)# access-list access-list-number {permit | deny | remark} source [mask]
Sets parameters for this list entry:
- IP standard ACLs use 1 to 99.
- Default wildcard mask = 0.0.0.0.
- no access-list access-list-number removes the entire ACL.
- remark lets you add a description for the ACL.
Router(config-if)# ip access-group access-list-number {in | out}
Activates the list on an interface:
- Sets inbound or outbound testing. Default = outbound.
- no ip access-group access-list-number removes the ACL from the interface.

4-6 Standard IP ACL Example 1: Permit my network only.

4-7 Standard IP ACL Example 2: Deny a specific host.

4-8 Standard IP ACL Example 3: Deny a specific subnet.

4-9 Extended IP ACL Configuration
Router(config)# access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
Sets parameters for this list entry.
Router(config-if)# ip access-group access-list-number {in | out}
Activates the extended list on an interface.

4-10 Extended ACL Example 1: Deny FTP from subnet to subnet out E0. Permit all other traffic.

4-11 Extended ACL Example 2: Deny only Telnet from subnet out E0. Permit all other traffic.

4-12 Using Named IP ACL
Router(config)# ip access-list {standard | extended} name
Alphanumeric name string must be unique.
Router(config {std- | ext-}nacl)# {permit | deny} {ip access list test conditions}
Permit or deny statements have no prepended number.
Router(config {std- | ext-}nacl)# no {permit | deny} {ip access list test conditions}
"no" removes the specific test from the named ACL.
Router(config-if)# ip access-group name {in | out}
Activates the named IP ACL on an interface.

4-13 Filtering vty Access to a Router
- Five virtual terminal lines (0 through 4)
- Filter addresses that can access the router vty ports
- Filter vty access originating from the router

4-14 How to Control vty Access
- Set up an IP address filter with a standard ACL statement.
- Use line configuration mode to filter access with the access-class command.
- Set identical restrictions on every vty.

4-15 vty Commands
Router(config)# line vty {vty# | vty-range}
Enters configuration mode for a vty or vty range.
Router(config-line)# access-class access-list-number {in | out}
Restricts incoming or outgoing vty connections for addresses in the ACL.

4-16 vty Access Example: Controlling Inbound Access
Permits only hosts in network to connect to the router vty.
access-list 12 permit
(implicit deny any)
!
line vty 0 4
 access-class 12 in

4-17 ACL Configuration Guidelines
- The order of ACL statements is crucial.
  – Recommended: Use a text editor on a PC to create the ACL statements, then cut and paste them into the router.
  – Top-down processing is important.
  – Place the more specific test statements first.
- Statements cannot be rearranged or removed.
  – Use the no access-list number command to remove the entire ACL.
  – Exception: Named ACLs permit removal of individual statements.
- Implicit deny any will be applied to all packets that do not match any ACL statement unless the ACL ends with an explicit permit any statement.
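The matching rules the slides describe (wildcard masks, top-down first-match testing, the implicit deny any at the end of every list, standard lists testing only the source while extended lists add protocol, destination and port) modelled in Python as an added example; this is not Cisco IOS code or part of the course, it parses both numbered standard and extended entries, and the 172.16.x.x subnets and list numbers below are constructed stand-ins for the addresses the transcript omits.

```python
import ipaddress
PORTS = {"ftp-data": 20, "ftp": 21, "telnet": 23}  # IOS port keywords seen on the slides
def wildcard_match(addr, base, wildcard):  # wildcard bit 0 = must match, 1 = don't care
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)
def _addr(t):
    # Consume 'any' | 'host A' | 'A WILDCARD' | 'A' (standard-ACL default wildcard 0.0.0.0).
    if t[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), t[1:]
    if t[0] == "host":
        return (t[1], "0.0.0.0"), t[2:]
    if len(t) > 1 and t[1].replace(".", "").isdigit():
        return (t[0], t[1]), t[2:]
    return (t[0], "0.0.0.0"), t[1:]
def _port(t):  # consume an optional 'eq PORT' operator (only eq is modelled here)
    if t[:1] == ["eq"]:
        return (int(t[1]) if t[1].isdigit() else PORTS[t[1]]), t[2:]
    return None, t
def parse_ace(line):
    # One 'access-list N permit|deny ...' entry; the list number selects standard or extended.
    t = line.split()
    number, ace, rest = int(t[1]), {"action": t[2]}, t[3:]
    if 1 <= number <= 99 or 1300 <= number <= 1999:   # standard: tests the source only
        ace["src"], rest = _addr(rest)
    else:                                              # extended: proto, src, dst, ports
        ace["proto"], rest = rest[0], rest[1:]
        ace["src"], rest = _addr(rest)
        ace["sport"], rest = _port(rest)
        ace["dst"], rest = _addr(rest)
        ace["dport"], rest = _port(rest)
    return ace
def matches(ace, pkt):
    if not wildcard_match(pkt["src"], *ace["src"]):
        return False
    if "proto" not in ace:                             # standard ACL: nothing else to test
        return True
    if ace["proto"] not in ("ip", pkt["proto"]) or not wildcard_match(pkt["dst"], *ace["dst"]):
        return False
    return all(ace[k] in (None, pkt.get(k)) for k in ("sport", "dport"))
def evaluate(acl, pkt):  # top-down, first match wins; no match = implicit deny any
    for ace in map(parse_ace, acl):
        if matches(ace, pkt):
            return ace["action"]
    return "deny"

# Constructed subnets for the slide "Deny FTP from subnet to subnet out E0; permit all other traffic".
DENY_FTP_101 = ["access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq ftp",
                "access-list 101 permit ip any any"]
```

Reversing DENY_FTP_101 puts the permit ip any any first and the FTP deny is never reached, which is the ordering pitfall the guidelines warn about; an empty list denies everything because of the implicit deny any.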

4-18 Where to Place IP ACLs
- Place extended ACLs close to the source.
- Place standard ACLs close to the destination.

4-19 Verifying ACLs
wg_ro_a# show ip interfaces e0
Ethernet0 is up, line protocol is up
  Internet address is /24
  Broadcast address is
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is 1
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled

4-20 Monitoring ACL Statements
wg_ro_a# show {protocol} access-list {access-list number}
wg_ro_a# show access-lists {access-list number}

wg_ro_a# show access-lists
Standard IP access list 1
    permit
    permit
    permit
    permit
Extended IP access list 101
    permit tcp host any eq telnet
    permit tcp host any eq ftp
    permit tcp host any eq ftp-data

4-21 Summary
- Following the ACL configuration guidelines and commands is important to successfully implement ACLs.
- To configure standard IP ACLs on a Cisco router, you must create a standard IP ACL and apply the ACL to an interface.
- To configure extended IP ACLs on a Cisco router, you must create an extended IP ACL (numbered from the extended range) and apply the ACL to an interface.
- The named ACL feature allows you to identify IP standard and extended ACLs with an alphanumeric string (name) instead of the numeric (1 to 199 and 1300 to 2699) representations.

4-22 Summary (Cont.)
- For security purposes, you can deny Telnet access to or from a router's vty ports. Restricting Telnet access is primarily a technique for increasing network security.
- ACLs are used to control traffic by filtering and eliminating unwanted packets.
- Proper placement of an ACL statement can reduce unnecessary traffic.
- The show command can be used to verify ACL configuration.
