Networking Technologies by Johnny Bandin
Networking Knowledge
Networking KnowledgeAnsible
Networking Knowledge
Networking KnowledgeAnsible
  • Cisco Networking Fundamentals
  • VLANs Knowledge
    • Creating and Assigning VLANs
    • Creating Trunks
    • Creating SVIs
  • etherchannel overview
    • Etherchannel Layer 2 LACP Configuration
    • Etherchannel Layer 3 LACP Configuration
  • DHCP Overview
    • DHCP Configuration
  • Layer 2 Security
    • Blackhole VLAN Configuration
    • Port Security
    • BPDUGuard and Root Guard
    • DHCP Snooping Configuration
    • Dynamic ARP Inspection
  • Key Chains
  • ACLs
    • Standard ACLs
    • Extended and Named ACLs
  • EIGRP
    • EIGRP Named Mode
    • EIGRP Authentication, Passive-Interface, Summarization
    • EIGRP Stub Routing, Leak-Maps
Powered by GitBook
On this page
  1. ACLs

Standard ACLs

PreviousACLsNextExtended and Named ACLs

Last updated 2 years ago

In this guide we will cover configuring and applying a standard ACL to an interface and our VTY lines. Not shown in this guide is the configuration of static routes between routers, and the configuration of SSH. Refer to our other guides for those configuration steps.

Configuration

Security standards we need to configure

1. Users in VLAN 10 should not be able to ping both servers
2. Users in VLAN 20 should not be able to SSH to R2
3. The file server should not be able to reach the ENG VLAN 20

First lets figure where to apply the ACL. Standard ACLs should be as close to the destination as possible.

CLI Configuration

R1(config)#access-list 10 [permit | deny] [any | host | Network] [Wildcard Mask] # This command will configure a standard ACL and a Access Control Entry

R1(config-if)#ip access-group [ Number | Name] [ in | out] # This command will apply the ACL inbound or outbound on the desired interface

R1(config-line)#ip access-class [ Number | Name ] [ in | out] # This command will apply the ACL inbound or outbound on the VTY lines of the Cisco network device

Now lets conmfigure and apply the security standards listed above

- Security standard 1

R1(config)#ip access-list 10 deny 10.10.10.0 0.0.0.255 log # This command will configure a standard ACL and a Access Control Entry and also log any matches to the ACL

R1(config)#ip access-list 10 permit any log # This command will permit any traffic that does not match our first entry. We need this because of the "implicit" deny at the end of every ACL

R1(config)#inteface eth0/0 # This command brings us into the sub-interface configuration mode

R1(config-if)#ip access-group 10 out # This command applies the ACL outbound on interface eth0/0

Full configuration below

- Security standard 2

R1(config)#access-list 20 deny 10.10.20.0 0.0.0.255 log # This command will configure a standard ACL and a Access Control Entry and also log any traffic matches to the ACL

R1(config)#ip access-list 10 permit any log # This command will permit any traffic that does not match our first entry. We need this because of the "implicit" deny at the end of every ACL

R1(config)#line vty 0 4 # This command will bring you into the VTY sub-configuration mode

R1(config-line)#ip access-class 20 in This command will apply the ACL inbound to the VTY lines only

Full configuration below

- Security Standard 3

R2(config)#access-list 30 deny host 10.10.10.9 log # This command will create the ACL and only filter based on a single source IP address

R2(config)#ip access-list 10 permit any log # This command will permit any traffic that does not match our first entry. We need this because of the "implicit" deny at the end of every ACL

R2(config)#interface eth0/0.20 # This command will bring us into the sub-interface configuration mode

R2(config-subif)#ip access-class 30 out # This command applies the ACL outbound on interface eth0/0.20

Full configuration belown

Testing / Verification

Now lets do some testing. For this testing we will remove the ACL, check connectivity and then apply the ACL and test again. In this guide we will just demonstrate security standard 1.

- As we can see here our VLAN 10 Users can currently ping the servers. Let's apply the ACL and see if our ping test is successful.

- As we can see now the ACL worked and our ping test responded with an "unreachable" message. We can also see from our show command that the ACL has 5 matches on our first Access Control Entry.

R1#show ip access-lists [ number | name] # This command will show all access-lists or specific access-lists that we have created on our device

R1#show access-lists [number | name] # This command will show all access-lists or specific access-lists that we have created on our device

R1#show run | se access # This command will show us in the running-configuration what access-lists configuration we currently have.

Conclusion

Standard ACLs are a quick and easy way to deny/filter traffic for a whole subnet or a single host. But what if we want our users in VLAN 10 to still reach the Servers, but not be able to SSH or use HTTP on the web server? Standard ACLs can not get the job done. Extended ACLs can give us more granular control over what we filter on our networks.

  • Configuration
  • CLI Configuration
  • Testing / Verification
  • Conclusion
Standard ACL Network Diagram
Standard ACL placement
Standard Numbered ACL configuration
Standard Numbered ACL configuration
Standard Numbered ACL configuration
Ping Test Using a Source Interface
Applying the ACL on the interface
Ping Test using a Source Interface and Receiving a "unreachable" Response
show access-list command and output
show ip access-list command and output
show access-list command and output
show run access-list with REGEX to filter the output to only show the access-list configuration
Page cover image