Access Control Lists (ACL) are used to filter network traffic on Cisco routers. In order to filter network traffic, ACLs control if routed packets have to be forwarded or blocked at the ingress or egress router interface. The router checks each packet to determine whether to forward or drop the packet based on the criteria specified in the ACL applied to the interface.
IP ACL types
Two types of IP ACL can be configured in Cisco Packet Tracer 7.2 :
- Standard ACLs : This is the oldest ACL type which can be configured on Cisco routers. Traffic is filtered based on the source IP address of IP packets. The access-list number can be any number from 1 to 99. This kind of ACL has to be placed near the destination to avoid blocking legitimate trafic from the source.
access-list 1 permit 10.2.25.0 0.0.0.255
access-list 1 deny any
- Extended ACLs : Introduced in IOS version 8.3, the extended ACLs are more complex and allow filtering of the IP traffic based on a combination of multiple criterias : source IP address, destination IP address, TCP or UDP port, protocol, .... In numbered ACLs, the access-list number can be any number from 100 to 199 or 2000 to 2699 (available in IOS versions >12.0.1). Such ACLs can also be named access lists in which the ACL number is replaced by a keyword. This kind of ACL has to be placed near the source as it allows fine grained control to ressources accessed. Placing the ACL near the destination will make the trafic travel through the network before beeing blocked, resulting in bandwidth waste.
access-list 1 permit ip 10.2.25.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 101 permit icmp any 10.1.0.0 0.0.255.255 echo
access-list 1 deny ip any any
Configuration on Cisco 2911 ISR Router
Restrict remote telnet or SSH access to the ISR router
Access lists can be used to restrict remote SSH or Telnet access to the ISR router management interface (VTY) from specific networks only. Only numbered access-lists are supported on the Virtual Terminal Line.
The access-class command is used to apply the access list on the Virtual Terminal Line. The following configuration deny administrative access to the router except for the 192.168.1.0/24 network hosting admin workstations. Note the wildcard mask used in the access-list configuration for the /24 network.
access-list 1 permit 192.168.1.0 0.0.0.255 line vty 0 4 access-class 1 in login line vty 5 15 access-class 1 in login