What are Access Control Lists and why use them?

An access control list (ACL) is an ordered set of one or more rules applied to an interface that filters the traffic passing between hosts. Each rule matches on a protocol such as TCP, UDP or ICMP (or any IP protocol) and can further match on port numbers and on specific source or destination IP addresses. An ACL can also permit or deny a whole subnet of hosts or an entire network rather than individual addresses.

In the example below we will create three access lists. PC1 is permitted to reach PC2, PC3 and SERVER using ping only, while PC2 and PC3 are not permitted to talk to each other using any protocol. PC1 is permitted only to ping SERVER, whereas PC2 and PC3 are permitted only to telnet to SERVER. All other traffic is blocked by an explicit deny at the end of each list.

Steps to configure Access Control Lists

Step 1: Configure all applicable router interfaces.

R1(config)#interface FastEthernet0/0
R1(config-if)#ip address 1.1.1.1 255.255.255.252
R1(config-if)#no shutdown
!
R1(config)#interface FastEthernet0/1
R1(config-if)#ip address 10.1.0.1 255.255.255.0
R1(config-if)#no shutdown
!
R1(config)#interface FastEthernet1/0
R1(config-if)#ip address 10.2.0.1 255.255.255.0
R1(config-if)#no shutdown
!
R1(config)#interface FastEthernet1/1
R1(config-if)#ip address 10.3.0.1 255.255.255.0
R1(config-if)#no shutdown

Step 2: Configure an access-list defining which hosts are permitted to communicate with SERVER and how. In this example we will allow PC1 to communicate with SERVER using only ping (ICMP echo), whereas PC2 and PC3 will communicate with SERVER using telnet only. End the access-list with an explicit deny to block all traffic that is not explicitly permitted. Every IOS ACL already ends with an implicit deny, but the implicit deny does not count matches; the explicit deny ip any any entry gives you a hit counter for the blocked traffic in show access-lists. Entries are evaluated top down and the first match wins, so the deny must be the last line.

R1(config)#access-list 101 permit tcp host 10.2.0.2 host 1.1.1.2 eq telnet
R1(config)#access-list 101 permit tcp host 10.3.0.2 host 1.1.1.2 eq telnet
R1(config)#access-list 101 permit icmp host 10.1.0.2 host 1.1.1.2 echo
R1(config)#access-list 101 deny ip any any

Step 3: Assign the access-list to interface FastEthernet0/0 in the outbound direction. This will allow only approved hosts and protocols out of FastEthernet0/0 onto the network where SERVER sits. This is an example of an outbound access-list: the traffic has already entered the router and been routed, and is inspected as it leaves through FastEthernet0/0.

R1(config)#interface FastEthernet0/0
R1(config-if)#ip access-group 101 out

Step 4: Configure an access-list permitting PC2 to communicate only with PC1 and SERVER. No filtering of protocols will be performed. End the access-list with an explicit deny to block all traffic that is not explicitly permitted.

R1(config)#access-list 102 permit ip host 10.2.0.2 host 1.1.1.2
R1(config)#access-list 102 permit ip host 10.2.0.2 host 10.1.0.2
R1(config)#access-list 102 deny ip any any

Step 5: Assign the access-list to interface FastEthernet1/0 in the inbound direction. This will allow only approved hosts to communicate in and through FastEthernet1/0 to approved hosts. This is an example of an inbound access-list: the traffic is inspected as it arrives on FastEthernet1/0, before the router routes it.

R1(config)#interface FastEthernet1/0
R1(config-if)#ip access-group 102 in

Step 6: Configure an access-list permitting PC3 to communicate only with PC1 and SERVER. No filtering of protocols will be performed. End the access-list with an explicit deny to block all traffic that is not explicitly permitted.

R1(config)#access-list 103 permit ip host 10.3.0.2 host 10.1.0.2
R1(config)#access-list 103 permit ip host 10.3.0.2 host 1.1.1.2
R1(config)#access-list 103 deny ip any any

Step 7: Assign the access-list to interface FastEthernet1/1 in the inbound direction. This will allow only approved hosts to communicate in and through FastEthernet1/1 to approved hosts. Again, this is an example of an inbound access-list.

R1(config)#interface FastEthernet1/1
R1(config-if)#ip access-group 103 in

Verify the configuration

Now that the configuration is finished, let's verify our ACL deployment. Using ping, only PC1 should be able to reach PC2, PC3 and SERVER. PC2 and PC3 are not permitted to communicate with each other at all, using ping or telnet. Only PC2 and PC3 are permitted to telnet to SERVER. Using the show access-lists command you can verify the hit count on each access-list entry that denies or permits traffic; a rising counter on the deny ip any any line tells you which list is dropping a flow. Remember that these ACLs are stateless, so a conversation only works when both its request and its reply are permitted on the interfaces they cross.
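The following is an added example, not part of the original post: a small Python model of router R1 with the three lists above, written to show how the verification claims follow from first-match evaluation, the implicit deny, and the direction in which each list is bound (in on FastEthernet1/0 and FastEthernet1/1, out on FastEthernet0/0). Because IOS ACLs are stateless, each check evaluates both the request and its reply. The access-list lines are the ones configured in the steps; the interface table, the Packet class, the wildcard-mask handling, and the ephemeral client port used for the telnet reply are assumptions of this model.

```python
"""Model of the lab's three extended ACLs: first match wins, implicit deny at the
end, inbound list checked on the ingress interface, outbound list on the egress one."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}  # IOS keyword -> port number


@dataclass(frozen=True)
class Packet:                       # constructed packet summary for the model
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None     # TCP/UDP destination port
    icmp_type: Optional[str] = None  # "echo" or "echo-reply"


def parse_ace(line: str) -> dict:
    """Parse 'access-list N permit|deny proto src dst [eq port] [icmp-type]'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(line)
    pos = 4

    def address():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if tok[pos] == "host":
            pos += 2
            return ipaddress.ip_network(tok[pos - 1] + "/32")
        # 'network wildcard' form (assumed); ipaddress reads a mask with a leading
        # zero octet as a host mask, which is exactly an IOS wildcard mask
        net = ipaddress.ip_network(f"{tok[pos]}/{tok[pos + 1]}", strict=False)
        pos += 2
        return net

    ace = {"acl": tok[1], "action": tok[2], "proto": tok[3],
           "port": None, "icmp_type": None}
    ace["src"] = address()
    ace["dst"] = address()
    rest = tok[pos:]
    if rest[:1] == ["eq"]:
        ace["port"] = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
    elif rest and ace["proto"] == "icmp":
        ace["icmp_type"] = rest[0]
    return ace


def matches(ace: dict, pkt: Packet) -> bool:
    """Protocol 'ip' matches everything; port and ICMP type only apply when given."""
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace["src"]:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace["dst"]:
        return False
    if ace["port"] is not None and pkt.dport != ace["port"]:
        return False
    if ace["icmp_type"] is not None and pkt.icmp_type != ace["icmp_type"]:
        return False
    return True


def evaluate(aces: list, pkt: Packet) -> str:
    """First matching entry wins; no match at all is the implicit deny."""
    for ace in aces:
        if matches(ace, pkt):
            return ace["action"]
    return "deny"


ACL_LINES = [  # the three lists exactly as configured in the steps above
    "access-list 101 permit tcp host 10.2.0.2 host 1.1.1.2 eq telnet",
    "access-list 101 permit tcp host 10.3.0.2 host 1.1.1.2 eq telnet",
    "access-list 101 permit icmp host 10.1.0.2 host 1.1.1.2 echo",
    "access-list 101 deny ip any any",
    "access-list 102 permit ip host 10.2.0.2 host 1.1.1.2",
    "access-list 102 permit ip host 10.2.0.2 host 10.1.0.2",
    "access-list 102 deny ip any any",
    "access-list 103 permit ip host 10.3.0.2 host 10.1.0.2",
    "access-list 103 permit ip host 10.3.0.2 host 1.1.1.2",
    "access-list 103 deny ip any any",
]
ACLS: dict = {}
for _ace in map(parse_ace, ACL_LINES):
    ACLS.setdefault(_ace["acl"], []).append(_ace)

# R1's interfaces (assumed model): connected subnet, inbound list, outbound list
INTERFACES = {
    "Fa0/0": (ipaddress.ip_network("1.1.1.0/30"), None, "101"),
    "Fa0/1": (ipaddress.ip_network("10.1.0.0/24"), None, None),
    "Fa1/0": (ipaddress.ip_network("10.2.0.0/24"), "102", None),
    "Fa1/1": (ipaddress.ip_network("10.3.0.0/24"), "103", None),
}


def interface_for(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    return next(name for name, (net, _, _) in INTERFACES.items() if ip in net)


def forward(pkt: Packet) -> str:
    """Inbound list on the ingress interface first, then outbound list on egress."""
    _, acl_in, _ = INTERFACES[interface_for(pkt.src)]
    _, _, acl_out = INTERFACES[interface_for(pkt.dst)]
    for acl in (acl_in, acl_out):
        if acl and evaluate(ACLS[acl], pkt) == "deny":
            return "deny"
    return "permit"


def ping(src: str, dst: str) -> bool:
    """Stateless ACLs: the echo request and the echo reply must both be permitted."""
    req = Packet(src, dst, "icmp", icmp_type="echo")
    rep = Packet(dst, src, "icmp", icmp_type="echo-reply")
    return forward(req) == "permit" and forward(rep) == "permit"


def telnet(src: str, dst: str) -> bool:
    """SYN to port 23 out, and the SYN-ACK back to an ephemeral port (assumed 40000)."""
    syn = Packet(src, dst, "tcp", dport=23)
    synack = Packet(dst, src, "tcp", dport=40000)
    return forward(syn) == "permit" and forward(synack) == "permit"


PC1, PC2, PC3, SERVER = "10.1.0.2", "10.2.0.2", "10.3.0.2", "1.1.1.2"


def verify_lab() -> dict:
    """Reproduce the checks from the verification section as True/False results."""
    return {
        "PC1 ping PC2": ping(PC1, PC2), "PC1 ping PC3": ping(PC1, PC3),
        "PC1 ping SERVER": ping(PC1, SERVER), "PC1 telnet SERVER": telnet(PC1, SERVER),
        "PC2 ping PC3": ping(PC2, PC3), "PC2 telnet PC3": telnet(PC2, PC3),
        "PC2 ping SERVER": ping(PC2, SERVER), "PC2 telnet SERVER": telnet(PC2, SERVER),
        "PC3 telnet SERVER": telnet(PC3, SERVER),
    }


if __name__ == "__main__":
    for flow, ok in verify_lab().items():
        print(f"{flow:20s} {'permitted' if ok else 'denied'}")
```

The model makes one point the configuration alone hides: PC1 can ping PC2 only because list 102 has the permit ip host 10.2.0.2 host 10.1.0.2 entry that lets the echo reply back in on FastEthernet1/0. Remove that line and the request still leaves R1 but the reply is dropped, which is what a rising counter on the deny ip any any entry of list 102 would show on the real router.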
