ACLs for IPv4 Configuration - Coggle Diagram
ACLs for IPv4 Configuration
Configure Extended IPv4 ACLs
Extended ACLs
Numbered Extended ACL - Created using the access-list access-list-number global configuration command.
Named Extended ACL - Created using the ip access-list extended access-list-name global configuration command.
Numbered Extended IPv4 ACL Syntax
Parameter
access-list-number
deny
permit
remark text
protocol
source
source-wildcard
destination
destination-wildcard
operator
port
log
Protocols and Port Numbers Configuration Examples
Extended ACLs can filter on different port number and port name options. This example configures an extended ACL 100 to filter HTTP traffic. The first ACE uses the www port name. The second ACE uses the port number 80. Both ACEs achieve exactly the same result.
Apply a Numbered Extended IPv4 ACL
The topology in the figure will be used to demonstrate configuring and applying numbered and named extended IPv4 ACLs to an interface. This first example shows a numbered extended IPv4 ACL implementation.
Named Extended IPv4 ACL Syntax
Router(config)# ip access-list extended access-list-name
R1(config)# ip access-list extended NO-FTP-ACCESS
R1(config-ext-nacl)#
Named Extended IPv4 ACL Example
SURFING - This will permit inside HTTP and HTTPS traffic to exit to the internet.
BROWSING - This will only permit returning web traffic to the inside hosts while all other traffic exiting the R1 G0/0/0 interface is implicitly denied.
Configure Standard IPv4 ACLs
Create an ACL
Use a text editor and write out the specifics of the policy to be implemented.
Add the IOS configuration commands to accomplish those tasks.
Include remarks to document the ACL.
Copy and paste the commands onto the device.
Always thoroughly test an ACL to ensure that it correctly applies the desired policy.
Numbered Standard IPv4 ACL Syntax
Parameter
access-list-number
deny
permit
remark text
source
source-wildcard
log
Apply a Standard IPv4 ACL
Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}
Secure VTY Ports with a Standard IPv4 ACL
The access-class Command
ACLs typically filter incoming or outgoing traffic on an interface. However, an ACL can also be used to secure remote administrative access to a device using the vty lines.
Command to apply an ACL
R1(config-line)# access-class {access-list-number | access-list-name} {in | out}
Secure VTY Access Example
The vty lines are configured to use the local database for authentication, permit Telnet traffic, and use the ADMIN-HOST ACL to restrict traffic.
R1(config)# username ADMIN secret class
R1(config)# ip access-list standard ADMIN-HOST
R1(config-std-nacl)# remark This ACL secures incoming vty lines
R1(config-std-nacl)# permit 192.168.10.10
R1(config-std-nacl)# deny any
R1(config-std-nacl)# exit
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input telnet
R1(config-line)# access-class ADMIN-HOST in
R1(config-line)# end
R1#
In a production environment, you would set the vty lines to only allow SSH, as shown in the example.
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# access-class ADMIN-HOST in
R1(config-line)# end
R1#
Verify the VTY Port is Secured
To verify the ACL statistics, issue the show access-lists command. Notice the informational message displayed on the console regarding the admin user. An informational console message is also generated when a user exits the vty line.
R1#
Oct 9 15:11:19.544: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.168.10.10] [localport: 23] at 15:11:19 UTC Wed Oct 9 2019
R1# show access-lists
Standard IP access list ADMIN-HOST
10 permit 192.168.10.10 (2 matches)
20 deny any (2 matches)
R1#
Modify IPv4 ACLs
Two Methods to Modify an ACL
After an ACL is configured, it may need to be modified. ACLs with multiple ACEs can be complex to configure, and sometimes a configured ACE does not yield the expected behavior. For these reasons, ACLs may initially require a bit of trial and error to achieve the desired filtering result.
The two methods to use when modifying an ACL:
Use a Text Editor
Use Sequence Numbers
Text Editor Method
ACLs with multiple ACEs should be created using a text editor. This approach allows for better planning of the required ACEs, simplifies the creation of the ACL, and makes it easier to edit or fix before pasting it into the router interface.
Sequence Numbers Method
An ACL ACE can also be deleted or added using the ACL sequence numbers. Sequence numbers are automatically assigned when an ACE is entered. These numbers are listed in the show access-lists command. The show running-config command does not display sequence numbers.
Use the ip access-list standard command to enter the ACL configuration mode in which individual ACEs can be added or deleted by sequence number.
Modify a Named ACL Example
Named ACLs can also use sequence numbers to delete and add ACEs.
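The ADMIN-HOST verification above and the sequence-number editing described here, as an added Python model that is not part of the page or of Cisco IOS: it implements wildcard-mask matching, top-down first-match evaluation, the implicit deny, auto-assigned and explicit sequence numbers, and per-ACE hit counters in the show access-lists line format. The addresses used with it are constructed from the page's ADMIN-HOST example.

```python
from ipaddress import IPv4Address

class Ace:
    """One ACE: sequence number, action, source address and wildcard mask."""
    def __init__(self, seq, action, source, wildcard):
        if source == "any":              # 'any' is shorthand for 0.0.0.0 255.255.255.255
            source, wildcard = "0.0.0.0", "255.255.255.255"
        self.seq, self.action, self.matches = seq, action, 0
        self.src, self.wild = int(IPv4Address(source)), int(IPv4Address(wildcard))

    def hit(self, ip):
        # Wildcard mask: a 1 bit means "don't care"; only the 0 bits must match.
        care = ~self.wild & 0xFFFFFFFF
        return (int(IPv4Address(ip)) & care) == (self.src & care)

    def text(self):
        # Imitates a show access-lists line, e.g. "10 permit 192.168.10.10 (2 matches)"
        if self.wild == 0xFFFFFFFF:
            src = "any"
        elif self.wild == 0:
            src = str(IPv4Address(self.src))
        else:
            src = f"{IPv4Address(self.src)}, wildcard bits {IPv4Address(self.wild)}"
        hits = f" ({self.matches} match{'es' if self.matches != 1 else ''})" if self.matches else ""
        return f"{self.seq} {self.action} {src}{hits}"

class StandardAcl:
    def __init__(self, name):
        self.name, self.aces = name, []

    def add(self, action, source, wildcard="0.0.0.0", seq=None):
        # As in IOS, sequence numbers are auto-assigned in steps of 10 unless
        # given; an explicit number slots the ACE into its ordered position.
        if seq is None:
            seq = self.aces[-1].seq + 10 if self.aces else 10
        self.aces.append(Ace(seq, action, source, wildcard))
        self.aces.sort(key=lambda a: a.seq)

    def remove(self, seq):
        self.aces = [a for a in self.aces if a.seq != seq]

    def evaluate(self, ip):
        for ace in self.aces:            # top-down, first matching ACE wins
            if ace.hit(ip):
                ace.matches += 1
                return ace.action
        return "deny"                    # implicit deny any at the end of every ACL

    def show(self):
        return [f"Standard IP access list {self.name}"] + [a.text() for a in self.aces]
```

Inserting an ACE with seq=15 between the existing 10 and 20, then removing it again, reproduces the named-ACL edit the text describes without re-entering the whole list.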