Restricting Remote Access with Access Lists

Vty or virtual terminal lines are used to allow remote access to the router. A virtual terminal line is not associated with the auxiliary or console port. The router has five virtual terminal lines by default, numbered 0 through 4. You can create additional virtual terminal lines if more than five concurrent remote console connections are desired. In most situations the five default virtual terminal lines are enough.

Securing remote console access is critical because if it is compromised, an intruder can read the router configuration and even modify it, which undermines every other security feature configured on the router. Vty lines are normally protected with usernames and passwords, but an access list adds a further layer by ensuring that the vty lines accept connections only from trusted hosts with specific IP addresses. Also remember to apply identical access lists to all active virtual terminal lines, because a user can connect to any of them.

The access-class command is used in line configuration mode to restrict incoming or outgoing connections between a virtual terminal line and the addresses in the access list. The following example defines an access list that denies incoming connections from all networks other than 172.16.0.0 on terminal lines 0 through 4.

R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#access-list 10 permit 172.16.0.0 0.0.255.255
R1(config)#line vty 0 4
R1(config-line)#access-class 10 in
R1(config-line)#end
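As an added illustration (not from the original text), the following Python models how IOS evaluates the standard access list above once access-class applies it to the vty lines: wildcard-mask matching, first match wins, the implicit deny at the end, and the fact that a list with no entries filters nothing (the behaviour the hints later on this page describe for an empty list). The ACL representation and the sample hosts are constructed for the example.

```python
import ipaddress

# The page's access list 10, as (action, network, wildcard-mask) entries.
ACL_10 = [
    ("permit", "172.16.0.0", "0.0.255.255"),
]

def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard-mask test: a 1 bit in the wildcard means 'don't care',
    so the address must equal the network only on the wildcard's 0 bits."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(addr) & care) == (_to_int(network) & care)

def standard_acl_action(acl, addr: str) -> str:
    """First-match evaluation: the first ACE that matches decides, and an
    address matched by no ACE hits the implicit 'deny any' at the end.
    A list with no entries does not exist as far as IOS is concerned, so
    it filters nothing; the implicit deny only appears once the first ACE
    has been entered."""
    if not acl:
        return "permit"
    for action, network, wildcard in acl:
        if wildcard_match(addr, network, wildcard):
            return action
    return "deny"

def vty_access_allowed(acl, src_addr: str) -> bool:
    """Models 'access-class <acl> in' on the vty lines: a remote host may open
    a session only if the list permits its source address."""
    return standard_acl_action(acl, src_addr) == "permit"

if __name__ == "__main__":
    for host in ("172.16.40.10", "172.17.0.1", "10.1.1.1"):
        print(host, "allowed" if vty_access_allowed(ACL_10, host) else "refused")
```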

The show line command can be used to view at a glance all active virtual terminal lines and access lists applied to them.

R1#show line
   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise  Overruns  Int
*    0    0 CTY              -    -      -    -    -     0      1     0/0      -
     1    1 AUX   9600/9600  -    -      -    -    -     0      0     0/0      -
   194  194 VTY              -    -      -    -   10     0      0     0/0      -
   195  195 VTY              -    -      -    -   10     0      0     0/0      -
   196  196 VTY              -    -      -    -   10     0      0     0/0      -
   197  197 VTY              -    -      -    -   10     0      0     0/0      -
   198  198 VTY              -    -      -    -   10     0      0     0/0      -

Line(s) not in async mode -or- with no hardware support:

2-193

Modifying Access Lists

While you are creating an access list, or after it is created, you might want to delete an entry. You cannot delete an individual entry from a numbered access list. If you need to delete even a single entry from a numbered access list, you have to delete the whole access list using the no access-list command and start over.

R1(config)#no access-list 1
R1(config)#end
R1#show access-list 1

R1#

It is a good strategy to copy the access list to Notepad before deleting it from router configuration. You can then modify the access list in Notepad before applying it again to router configuration.

However, you can delete an individual entry from a named access list using the no permit or no deny form of the statement. Let's demonstrate this using the NoSales extended access list we created earlier, by deleting the second access list statement.

R1#show access-list NoSales
Extended IP access list NoSales
10 deny ip 172.18.0.0 0.0.255.255 host 172.16.40.10 log
20 permit tcp any any

R1#configure terminal
R1(config)#ip access-list extended NoSales
R1(config-ext-nacl)#no permit tcp any any
R1(config-ext-nacl)#end

R1#show access-list NoSales
Extended IP access list NoSales
10 deny ip 172.18.0.0 0.0.255.255 host 172.16.40.10 log
R1#

This is one good reason to prefer named access lists over numbered access lists from a practical standpoint.

Hints for Creating IP Access Lists

  • Create an access list before applying it to an interface. If you apply a not-yet-existent access list to an interface and then proceed to configure the access list, the first access control entry (ACE) takes effect as soon as you enter it, and the implicit deny statement that follows it can block traffic immediately, causing access problems.
  • An interface with an empty access list applied to it permits all traffic, so that’s another reason to configure an access list before applying it.
  • Only one access list can be applied to an interface in each direction for any given protocol.
  • All access lists need at least one permit statement; otherwise all packets are denied due to the implicit deny statement and no traffic passes at all.
  • Because the software stops testing access control entries (ACEs) after it encounters the first match (to either a permit or deny statement), you will reduce the processing time and resource usage if you put statements that packets are most likely to match at the beginning of the access list. Place more frequently occurring conditions before less frequent conditions.
  • Organize your access list so that more specific references in a network or subnet appear before more general ones.
  • Use the statement permit any any if you want to allow all other packets not already denied by an earlier statement in the access list. Using the statement permit any any at the end of an access list, in effect, avoids denying all other packets with the implicit deny statement at the end of an access list. Do not make your first access list entry permit any any because all traffic will get through; no packets will reach subsequent testing and so even if there are deny statements after permit any any they will have no effect.
  • While you are creating an access list, or after it is created, you might want to delete an entry. You cannot delete an individual entry from a numbered access list; trying to do so will delete the entire access list. If you need to delete an entry, you have to delete the whole access list using the no access-list command and start over. However, you can delete an individual entry from a named access list using the no permit or no deny form of the statement. This is one good reason to prefer named access lists over numbered access lists from a practical standpoint.
  • In order to make individual entries or statements in an access list more scannable and easy to understand at a glance, you can write a helpful remark before or after any statement using the remark command.
  • When trying to save router resources, remember that an inbound access list filters traffic before the routing table lookup. An outbound access list applies the filter conditions after the routing table lookup.
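The ordering hints above can be checked mechanically. This added Python (not from the original page) walks a standard access list in first-match order and reports any ACE that an earlier ACE already covers, which is exactly the "permit any any first" and "general before specific" mistakes described; "any" is written as network 0.0.0.0 with wildcard 255.255.255.255, and the lists it checks are constructed for the example.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # how 'any' reads as network + wildcard

def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def covers(outer, inner) -> bool:
    """True when ACE `outer` (network, wildcard) matches every address that
    ACE `inner` matches. A 1 bit in a wildcard is 'don't care', so outer must
    not care about any bit that inner ignores, and the two must agree on all
    bits outer cares about."""
    net_o, wc_o = _to_int(outer[0]), _to_int(outer[1])
    net_i, wc_i = _to_int(inner[0]), _to_int(inner[1])
    care_o = 0xFFFFFFFF ^ wc_o
    if wc_i & care_o:               # inner ignores a bit that outer tests
        return False
    return (net_o & care_o) == (net_i & care_o)

def lint_standard_acl(acl):
    """Walk the list in first-match order and report every ACE that an earlier
    ACE already covers. Returns (index, shadowing_index, kind) tuples:
    'never reached' when the actions differ (the later ACE is dead, so the
    list does not do what it appears to), 'redundant' when they agree."""
    findings = []
    for i, (action, net, wc) in enumerate(acl):
        for j in range(i):
            prev_action, prev_net, prev_wc = acl[j]
            if covers((prev_net, prev_wc), (net, wc)):
                kind = "redundant" if prev_action == action else "never reached"
                findings.append((i, j, kind))
                break
    return findings

if __name__ == "__main__":
    # Constructed example: 'permit any' placed first defeats the deny below it.
    bad = [("permit",) + ANY, ("deny", "172.18.0.0", "0.0.255.255")]
    print(lint_standard_acl(bad))
```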

Switch Port Access Lists

Switch port access lists are ACLs configured on physical interfaces on a switch. Here are some facts you should not forget about port ACLs:

  • Port ACLs support only inbound traffic filtering.
  • Port ACLs can be configured as three types: standard, extended, and extended MAC.
  • Port ACLs control IP traffic through standard or extended access lists while non-IP traffic is filtered through the use of extended MAC access lists.

You are already familiar with how standard and extended access lists are created. We will learn how to create extended MAC access lists in this section. You can apply both types of filters, IP and non-IP, to a single interface, but you only get to apply one of each. If you try to apply an additional ACL of either type on an interface, the new one will override the one you had there before.

Let’s define and verify an extended MAC access list:

SW1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#mac access-list ?
extended  Extended Access List

SW1(config)#mac access-list extended ?
WORD  access-list name

SW1(config)#mac access-list extended MY_MAC_LIST
SW1(config-ext-macl)#permit ?
H.H.H  48-bit source MAC address
any    any source MAC address
host   A single source host

SW1(config-ext-macl)#permit host ?
H.H.H  48-bit source MAC address

SW1(config-ext-macl)#permit host 00cd.38ab.4d35 ?
H.H.H  48-bit destination MAC address
any    any destination MAC address
host   A single destination host

SW1(config-ext-macl)#permit host 00cd.38ab.4d35 any
SW1(config-ext-macl)#deny any any
SW1(config-ext-macl)#end
SW1#show access-list

Extended MAC access list MY_MAC_LIST
permit host 00cd.38ab.4d35 any
deny   any any
SW1#

It's now time to apply the MAC ACL to a switch interface using the mac access-group command:

SW1#configure terminal
SW1(config)#interface FastEthernet0/1
SW1(config-if)#mac access-group MY_MAC_LIST ?
in  Apply to Ingress

SW1(config-if)#mac access-group MY_MAC_LIST in
SW1(config-if)#end
SW1#

Let's try to understand what we just did. We created an extended MAC access list called MY_MAC_LIST that allows incoming frames sourced only from the specific MAC address 00cd.38ab.4d35. This scenario makes sense when a known desktop is cabled to the switch port and you do not want users connecting any other device to that port.

In the last example, we defined an access list that made its filtering decision based on MAC addresses. Sometimes it is desirable to make permit or deny decisions based on the protocol carried inside Ethernet frames rather than source and/or destination MAC addresses.

SW1(config-ext-macl)#permit any any ?
<0-65535>     An arbitrary EtherType in decimal, hex, or octal
aarp          EtherType: AppleTalk ARP
amber         EtherType: DEC-Amber
appletalk     EtherType: AppleTalk/EtherTalk
cos           CoS value
dec-spanning  EtherType: DEC-Spanning-Tree
decnet-iv     EtherType: DECnet Phase IV
diagnostic    EtherType: DEC-Diagnostic
dsm           EtherType: DEC-DSM
etype-6000    EtherType: 0x6000
etype-8042    EtherType: 0x8042
lat           EtherType: DEC-LAT
lavc-sca      EtherType: DEC-LAVC-SCA
lsap          LSAP value
mop-console   EtherType: DEC-MOP Remote Console
mop-dump      EtherType: DEC-MOP Dump
msdos         EtherType: DEC-MSDOS
mumps         EtherType: DEC-MUMPS
netbios       EtherType: DEC-NETBIOS
vines-echo    EtherType: VINES Echo
vines-ip      EtherType: VINES IP
xns-idp       EtherType: XNS IDP
<cr>

You can specify either an EtherType code or protocol name if a corresponding keyword for your desired protocol is available.
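To make the MAC ACL semantics concrete for both the address-based list above (MY_MAC_LIST) and the protocol-based variant this section describes, the following added Python (not code from the page or from the switch) parses the 14-byte Ethernet II header of a constructed frame and evaluates it with first-match, implicit-deny semantics. The keyword-to-EtherType values are assumed from the public EtherType assignments, and only a handful of the keywords in the help output are included.

```python
import struct

# Keyword -> EtherType code for a few of the keywords in the help output above
# (assumed values taken from the public EtherType assignments); a bare
# integer is accepted too, like the <0-65535> option.
ETHERTYPE_KEYWORDS = {
    "aarp": 0x80F3, "appletalk": 0x809B, "xns-idp": 0x0600,
    "decnet-iv": 0x6003, "lat": 0x6004,
}

def _dotted(mac: bytes) -> str:
    """Render 6 raw bytes in Cisco's H.H.H notation, e.g. 00cd.38ab.4d35."""
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"

def parse_ethernet_header(frame: bytes):
    """Return (dst_mac, src_mac, ethertype) from an Ethernet II frame."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return _dotted(dst), _dotted(src), etype

def build_frame(dst: str, src: str, ethertype: int, payload: bytes = b"") -> bytes:
    """Constructed test frame (not a capture); MACs in H.H.H notation."""
    return (bytes.fromhex(dst.replace(".", "")) + bytes.fromhex(src.replace(".", ""))
            + struct.pack("!H", ethertype) + payload)

def _mac_matches(spec: str, mac: str) -> bool:
    # 'any' matches everything; 'host H.H.H' is modelled as the bare address.
    return spec == "any" or spec == mac

def mac_acl_action(acl, frame: bytes) -> str:
    """First-match evaluation of an extended MAC ACL on one inbound frame.
    Entries are (action, src_spec, dst_spec, ethertype); ethertype is None
    (any protocol), a keyword from ETHERTYPE_KEYWORDS, or an int. No match
    falls through to the implicit deny. As the page notes, IP traffic is
    filtered by IP ACLs; this model evaluates whatever frame it is given."""
    dst, src, etype = parse_ethernet_header(frame)
    for action, src_spec, dst_spec, proto in acl:
        if not (_mac_matches(src_spec, src) and _mac_matches(dst_spec, dst)):
            continue
        if proto is not None:
            wanted = ETHERTYPE_KEYWORDS[proto] if isinstance(proto, str) else proto
            if etype != wanted:
                continue
        return action
    return "deny"

# MY_MAC_LIST exactly as configured above, plus a protocol-based variant.
MY_MAC_LIST = [("permit", "00cd.38ab.4d35", "any", None), ("deny", "any", "any", None)]
AARP_ONLY = [("permit", "any", "any", "aarp")]
```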