How to Configure ACLs

    • 1). Decide which Internet protocol (IP) addresses you would like to allow and which you must block. There is a list of common items people block when it comes to the ingress port, such as traffic from a private IP address. The reason why it is called private is because it is for internal use only; you should never be getting traffic from a private address coming in on your Internet connection. IPs that belong to your backbone interfaces should be trusted on this list so that they can allow customer traffic to flow. There is no limit to how many IPs you can allow or deny.

    • 2). Build your list from words, device names or IPs into the format your router will accept; use a notepad, and do it ahead of time. The syntax for a basic access list can be written as "access-list x permit/deny IP x.x.x.x x.x.x.x any." Think of the traffic as a letter coming to your house. Each letter has a source mailing address (like a source IP) and a destination address for the person receiving the letter (destination IP address).

    • 3). Choose a number to take the place of the first x. Each ACL has a unique number or name that identifies that list. One through 99 are considered standard ACL numbers; anything higher or with an actual text name is considered an extended list. You can manipulate extended lists with more options and creativity than standard lists, which are built only one way. Extended lists allow you to edit without removing the whole list and starting over.

    • 4). Choose an action for the router to perform, either to permit or to deny. This is important because it tells the router to accept (permit) or drop (deny) traffic based on an IP address that matches one of the entries. At the end of every list there is a hidden "deny" statement. Keep in mind as you configure your list that order matters. A router will compare an incoming source and destination IP from a packet in the order of the list from top to bottom. Once it has found a match to permit or deny, the router performs the action without comparing the rest of the list to the IPs. Once an IP match is found, the router pushes the traffic on or drops it and does not use the rest of the entries in the list.

    • 5). Choose a protocol. In this example we are using IP, as it is standard and is the most commonly used choice. If you were configuring an extended list, additional choices would be transmission control protocol (TCP), user datagram protocol (UDP) or Internet control message protocol (ICMP).

    • 6). Pick an IP. The first set of x.x.x.x stands for the IP address you want to allow or deny for the source IP address. Fill in the numbers needed, which range from 0 through 255. If you ever see an IP with a number over 255 then there is an error.

    • 7). Pick a wild card mask. A mask tells the router which numbers to check and which to ignore for the source. If there is a 0 where the x is, then ignore that number. If there is a 1 through 255, then the router checks that number to see if it is allowed. Numbers for the mask also range from 0 to 255; an example would look like this: 0.0.0.255. This mask ignores the first 3 positions and allows all numbers in the last position.

    • 8). Log in and apply your configurations to the router. For example, an access list denying all 10.0.0.0 IP addresses and permitting everything else would look like this (only type what is inside the quotes; the additional text is reference material to provide more detail on what action each command performs):

      "configure terminal" press enter key (command to enter configuration mode)

      "access-list 4 deny 10.0.0.0 0.255.255.255 any" press enter key (command to deny all 10.0.0.0 IPs)

      "access-list 4 permit any any" press enter key (command to allow all other IPs)

      "end" press enter key (command to exit configuration mode)

      "write memory" press enter key (command to save changes)

      Every access list ends with that hidden "deny" statement, but you can change this using the "permit any any" command to allow all, and the router will let every other IP into the interface before it tries to match the "deny all" at the end of the access list.

      "Any" is a command that takes the place of an additional IP address and mask for the destination. For a standard access list, this is what is usually used because you are trying to limit the source IP address rather than the destination IP address where that source is trying to go.
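The matching rules from steps 4, 7 and 8 (top-to-bottom first match, the wildcard mask, the hidden "deny" at the end) as an added Python simulation that is not part of the original article; it reads the page's own access-list 4 lines. The simulator applies the wildcard the way the router does: a 0 bit in the mask means that address bit must match the entry, a 1 bit means it is ignored, which is why 0.255.255.255 covers every 10.x.x.x source.

```python
# Added example: simulate how a router evaluates a standard IP access list.
import ipaddress


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr, network, wildcard):
    # Wildcard semantics: 0 bit = this bit must match, 1 bit = ignore this bit.
    # 10.0.0.0 0.255.255.255 therefore matches any address whose first octet is 10.
    return (to_int(addr) | to_int(wildcard)) == (to_int(network) | to_int(wildcard))


def parse_acl(lines):
    """Parse 'access-list <n> <permit|deny> <source> [wildcard]' lines.

    'any' as the source means 0.0.0.0 255.255.255.255. A standard list matches
    on source only, so a trailing 'any' (as written on the page) is ignored.
    """
    entries = []
    for line in lines:
        parts = line.split()
        action, source = parts[2], parts[3]
        if source == "any":
            network, wildcard = "0.0.0.0", "255.255.255.255"
        else:
            network = source
            has_mask = len(parts) > 4 and parts[4] != "any"
            wildcard = parts[4] if has_mask else "0.0.0.0"  # no mask = exact host
        entries.append((action, network, wildcard))
    return entries


def evaluate(entries, source_ip):
    """Return (action, 1-based entry number) for the first matching entry.

    Order matters: once an entry matches, the rest of the list is never consulted.
    If nothing matches, the implicit deny at the end of every list applies.
    """
    for i, (action, network, wildcard) in enumerate(entries, start=1):
        if wildcard_match(source_ip, network, wildcard):
            return action, i
    return "deny", None


# The access list from step 8 on the page (constructed input for the simulation).
ACL_4 = [
    "access-list 4 deny 10.0.0.0 0.255.255.255 any",
    "access-list 4 permit any any",
]
```

Reversing the two entries turns the deny into dead code, since "permit any" matches first for every source; that is the ordering mistake step 4 warns about.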
