
securitywing

Access Control List Configuration on Cisco Router

by wing

What is an ACL: An access control list (ACL) is an ordered set of if-then rules configured on a router that permit or deny traffic from a specific IP address, or range of addresses, as it passes from one network into another through a router interface.

When you apply an ACL to a router interface for incoming traffic, every incoming packet is compared against the entries of that ACL in order, from top to bottom. The first entry that matches decides the packet's fate (permit or deny) and no further entries are checked, so the order of the entries matters. Only one ACL can be applied per interface, per direction, per protocol; there is no "second ACL" to fall through to, only the next entry in the same list. Remember that there is an implicit deny at the end of every ACL: a packet that matches none of the entries is silently dropped. That is why, after denying a specific IP address or range, you must add an explicit permit for everything else, for example access-list 10 permit any on a standard list or access-list 120 permit ip any any on an extended list.

For example, suppose you want no computer or device from the 172.16.0.0/16 network to be able to send traffic into your network. To implement this rule you need to write an ACL that tells your router to discard all traffic whose source address is in 172.16.0.0/16. Now, let's see how to implement this ACL on a router.

Router#configure terminal

Router(config)#access-list 10 deny 172.16.0.0 0.0.255.255

Router(config)#access-list 10 permit any


(If you do not add the line "access-list 10 permit any", the implicit deny at the end of the list drops traffic from every network, not just from 172.16.0.0/16. Since you only want to deny the 172.16.0.0 network, you must explicitly permit all other sources. Note also that a standard access list takes no protocol keyword: "deny ip ..." is extended-list syntax and IOS rejects it on a standard list.)

Now you have written an access list, but it does nothing until you apply it to an interface in a direction; an ACL that is not applied anywhere is of no use. For example, say the 172.16.0.0 network (and any other outside network) reaches your network through the router's FastEthernet 0/1 port. You apply the access list inbound on FastEthernet 0/1 so that all traffic from the denied network is dropped as it arrives on that port. The ip access-group command is an interface command, so enter interface configuration mode first:

Router(config)#interface FastEthernet0/1

Router(config-if)#ip access-group 10 in

 

The above example is the simplest form of access list, known as a standard access list. If you want to block only a single host (e.g. 192.168.1.1) from sending data into your network, use the host keyword, which is shorthand for a wildcard mask of 0.0.0.0 (every bit of the address must match). The list is still a numbered standard list, so the command is access-list, not ip access-list, and it must be applied to an interface with ip access-group 15 in just like list 10.

Router(config)#access-list 15 deny host 192.168.1.1

Router(config)#access-list 15 permit any

Types of access list: there are two main types of IP access list

A. standard access list

B. extended access list

Standard access list: this type permits or denies packets based solely on the source IP address, so it cannot distinguish destinations, protocols or ports. Because it is so coarse, a standard ACL should be applied as close to the destination as possible; applied near the source it would cut that source off from every destination beyond the router, not just the one you intend to protect. Standard lists are created with the numbers 1-99 or 1300-1999 (the expanded range).

Command format of a standard access control list:

Router(config)#access-list (access-list-number) (permit | deny) (source-address) (wildcard-mask)

In the wildcard mask a 0 bit means the corresponding address bit must match and a 1 bit means it is ignored, so 0.0.255.255 matches every address in 172.16.0.0/16, while 0.0.0.0 (the host keyword) matches exactly one address. Omitting the wildcard mask defaults it to 0.0.0.0.

Router(config)#access-list 10 deny 172.16.0.0 0.0.255.255

Router(config)#interface FastEthernet0/1

Router(config-if)#ip access-group 10 in (applies access list 10 to the interface for inbound traffic; use out instead of in to filter traffic leaving the interface)


Extended access list:

Unlike a standard access list, an extended ACL lets you match on both the source and destination IP address, on the protocol (ip, tcp, udp, icmp) and on service ports (for example www/80, telnet/23, ftp/21), so you can deny one service while leaving everything else untouched. Extended lists use the numbers 100-199 and 2000-2699 (the expanded range). Because they can be this specific, extended ACLs should be applied as close to the source as possible, so unwanted traffic is dropped before it crosses the network. For example, to deny Telnet connections originating from outside to your host with IP 172.16.100.100, write the following extended access list on your router and apply it inbound on the interface that receives traffic from the outside.

Router(config)#access-list 120 deny tcp any host 172.16.100.100 eq 23 log

Router(config)#access-list 120 permit ip any any

23 is the TCP port number of Telnet, and the log keyword writes a log message for each packet that matches the entry, so every Telnet attempt against 172.16.100.100 is recorded (logging costs CPU on a busy link, so use it selectively). The permit ip any any line is needed because of the implicit deny; without it list 120 would also block all other traffic arriving on the interface. Finally, apply the list with ip access-group 120 in under the outside-facing interface; an ACL only inspects traffic on the interface and in the direction where it is applied, so traffic entering on other interfaces is not filtered by it.

If you omitted "eq 23" from the deny entry, the router would deny all TCP packets to that host irrespective of destination port, which means someone trying to FTP (TCP port 21) or browse (TCP port 80) to the host would be denied as well.

How to configure your router to accept Telnet from only a specific IP

Access lists are also a good way to harden the router itself. If only a single IP address (172.16.16.16) should be allowed to Telnet to the router, create a standard ACL that permits that address and apply it to the vty lines with the access-class command. The implicit deny then refuses connections from every other source. Note that access-class filters connections to the router's own vty lines, whereas ip access-group filters traffic passing through an interface.

Router(config)#access-list 20 permit 172.16.16.16

Router(config)#line vty 0 4

Router(config-line)#access-class 20 in

Apply the access-class to every vty line the platform has (many IOS images provide line vty 0 15, not only 0 4); any vty line left without an access-class still accepts logins from anywhere. The same command protects SSH sessions, which you should prefer to Telnet since Telnet sends credentials in clear text.
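To see the matching rules described in this article at work, here is an added example: a small Python model of numbered ACL evaluation written for this page, not IOS code or anything from Cisco. It reproduces top-down first-match evaluation, the implicit deny, the wildcard mask, and what "eq 23" and "permit ip any any" change in an extended list, and it re-checks the vty access-class list 20 from the section above. The Ace class, the evaluate() function and all packet addresses are constructed for illustration; real IOS also matches on fields the model omits (source ports, TCP flags, ICMP types, established sessions).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Simplified model of Cisco IOS numbered ACL evaluation (added example, not
# IOS code): entries are tested top-down, the first match decides, and a
# packet that matches no entry hits the implicit deny at the end of the list.


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match, a 1 bit is 'don't care'.
    172.16.0.0 0.0.255.255 therefore matches every 172.16.x.x address."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Ace:
    """One access-list entry (hypothetical class built for this example)."""
    action: str                  # "permit" or "deny"
    src: str                     # "any", "host A.B.C.D" or "network wildcard"
    proto: str = "ip"            # "ip" (any protocol), "tcp", "udp", "icmp"
    dst: str = "any"             # extended lists only; standard lists ignore it
    dport: Optional[int] = None  # "eq <port>" on the destination, if given


def addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]       # "host X" is "X 0.0.0.0"
    network, wildcard = spec.split()
    return wildcard_match(addr, network, wildcard)


def evaluate(acl, packet) -> str:
    """Return 'permit' or 'deny' for packet (dict: src, dst, proto, dport)."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != packet["proto"]:
            continue
        if not addr_matches(ace.src, packet["src"]):
            continue
        if not addr_matches(ace.dst, packet["dst"]):
            continue
        if ace.dport is not None and ace.dport != packet.get("dport"):
            continue
        return ace.action            # first match wins, later entries ignored
    return "deny"                    # implicit deny at the end of every ACL


def pkt(src, dst, proto="tcp", dport=None):
    """Constructed sample packet; only the fields the model looks at."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


# access-list 10 deny 172.16.0.0 0.0.255.255 / access-list 10 permit any
ACL_10 = [Ace("deny", "172.16.0.0 0.0.255.255"), Ace("permit", "any")]
# Same list with the trailing permit forgotten: everything is denied.
ACL_10_NO_PERMIT = [Ace("deny", "172.16.0.0 0.0.255.255")]

# access-list 120 deny tcp any host 172.16.100.100 eq 23 log
# access-list 120 permit ip any any
ACL_120 = [Ace("deny", "any", "tcp", "host 172.16.100.100", 23),
           Ace("permit", "any", "ip", "any")]
# Same list with "eq 23" forgotten: every TCP flow to the host is dropped.
ACL_120_NO_PORT = [Ace("deny", "any", "tcp", "host 172.16.100.100"),
                   Ace("permit", "any", "ip", "any")]

# access-list 20 permit 172.16.16.16, applied with "access-class 20 in"
ACL_20 = [Ace("permit", "host 172.16.16.16")]

if __name__ == "__main__":
    outside = "203.0.113.7"   # constructed outside address (TEST-NET-3)
    cases = [
        ("10: 172.16.5.9 -> inside", ACL_10, pkt("172.16.5.9", "10.0.0.1")),
        ("10: 172.17.0.1 -> inside", ACL_10, pkt("172.17.0.1", "10.0.0.1")),
        ("10 without permit any", ACL_10_NO_PERMIT, pkt("172.17.0.1", "10.0.0.1")),
        ("120: telnet to host", ACL_120, pkt(outside, "172.16.100.100", "tcp", 23)),
        ("120: ftp to host", ACL_120, pkt(outside, "172.16.100.100", "tcp", 21)),
        ("120 without eq 23: ftp", ACL_120_NO_PORT, pkt(outside, "172.16.100.100", "tcp", 21)),
        ("20: vty from 172.16.16.16", ACL_20, pkt("172.16.16.16", "10.0.0.254", "tcp", 23)),
        ("20: vty from 172.16.16.17", ACL_20, pkt("172.16.16.17", "10.0.0.254", "tcp", 23)),
    ]
    for name, acl, p in cases:
        print(f"{name}: {evaluate(acl, p)}")
```

Running it shows the two classic mistakes side by side: list 10 without its trailing permit denies even 172.17.0.1, and list 120 without "eq 23" denies FTP to the host while still passing UDP, exactly as the text above describes. Swapping the order of the entries in ACL_10 (permit first) would let 172.16.x.x through, which is why entry order is part of the security review of any ACL.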

 

You might also be interested in learning how to implement a Cisco VPN (virtual private network) and HSRP.

Related posts:

  1. Cisco VPN Configuration in IOS Routers
  2. Site to Site VPN Between Cisco VPN Concentrator and Router
  3. Screening Router Security Test
  4. How to Configure Cisco Private VLANs in 4 Easy Steps

Filed Under: Network Security Tips Tagged With: access control, acl, cisco, list, router


Copyright © 2010-2025 ·All Rights Reserved · SecurityWing.com