Restricting Remote Access with Access Lists
Vty (virtual terminal) lines are used to allow remote access to the router. A virtual terminal line is not associated with the auxiliary or console port. The router has five virtual terminal lines by default, numbered 0 through 4. You can create additional virtual terminal lines if more than five concurrent remote console connections are needed, but in most situations the five default lines are enough.
Securing remote console access is critical: if it is compromised, an intruder gains access to the router configuration and can modify it, which defeats every other security feature configured on the router. Vty lines are protected with usernames and passwords, but access lists can be used as an additional security measure to ensure that the vty lines can be reached only from trusted hosts with specific IP addresses. Also remember to apply the same access list to all active virtual terminal lines, because a user can connect to any of them.
The access-class command is used in line configuration mode to restrict incoming or outgoing connections between a virtual terminal line and the addresses in the access list. The following example defines an access list that denies incoming connections from all networks other than 172.16.0.0 on terminal lines 0 through 4.
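The configuration below is an added example (not the page's original listing): the 172.16.0.0 network and lines 0 through 4 come from the text, while the list number 10, the login local and transport input ssh settings are assumptions.

```cisco
! Standard access list 10 (assumed number) permits only hosts in 172.16.0.0/16.
! The wildcard mask 0.0.255.255 means "any host in 172.16.x.x".
access-list 10 remark Management hosts allowed to open vty sessions
access-list 10 permit 172.16.0.0 0.0.255.255
! Every other source is dropped by the implicit deny at the end of the list.
!
! Apply the same list to all five default vty lines, inbound direction.
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
!
! "in" filters sessions arriving at the router; "out" would instead filter
! telnet/ssh sessions that a user starts from the router toward other hosts.
! Confirm the list is bound to every line (AccI column in the output):
show line
```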
The show line command can be used to view at a glance all active virtual terminal lines and access lists applied to them.
Modifying Access Lists
While you are creating an access list or after it is created, you might want to delete an entry. You cannot delete an individual entry from a numbered access list. If you need to delete even a single entry from a numbered access list, you have to delete the whole access list using the no access-list command and start over.
It is a good strategy to copy the access list into Notepad before deleting it from the router configuration. You can then modify the access list in Notepad and apply it to the router configuration again.
However, you can delete an individual entry from a named access list using the no permit or no deny form of that entry. Let’s demonstrate this using the NoSales extended access list we created earlier, by deleting the second access list statement.
This is one good reason to prefer named access lists over numbered access lists from a practical standpoint.
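An added example of that per-entry deletion, not the page's original listing; the three NoSales entries, their addresses and the numbered list 110 are assumed, because the list created earlier is not reproduced on this page.

```cisco
! Assumed contents of the named extended list NoSales.
ip access-list extended NoSales
 deny   tcp 10.1.1.0 0.0.0.255 host 10.2.2.10 eq 80
 deny   tcp 10.1.1.0 0.0.0.255 host 10.2.2.10 eq 443
 permit ip any any
!
! Remove only the second statement; the first deny and the final permit
! stay in place and keep their sequence numbers.
ip access-list extended NoSales
 no deny tcp 10.1.1.0 0.0.0.255 host 10.2.2.10 eq 443
!
! Equivalent form: delete by the sequence number shown in show ip access-lists
! (here 20, the default numbering of the second entry).
ip access-list extended NoSales
 no 20
!
! Verify that the remaining entries survived:
show ip access-lists NoSales
!
! Contrast: for a numbered list this single command deletes the ENTIRE list,
! so the whole list has to be re-entered afterwards.
no access-list 110
```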
Hints for Creating IP Access Lists
- Create an access list before applying it to an interface. If you apply a not-yet-existing access list to an interface and then configure the access list, the first access control entry (ACE) takes effect as soon as you enter it, and the implicit deny statement that follows it could immediately block traffic and cause access problems.
- An interface with an empty access list applied to it permits all traffic, so that’s another reason to configure an access list before applying it.
- Only one access list can be applied to an interface in each direction for any given protocol.
- All access lists need at least one permit statement; otherwise all packets are denied due to the implicit deny statement and no traffic passes at all.
- Because the software stops testing access control entries (ACEs) after it encounters the first match (to either a permit or deny statement), you will reduce the processing time and resource usage if you put statements that packets are most likely to match at the beginning of the access list. Place more frequently occurring conditions before less frequent conditions.
- Organize your access list so that more specific references in a network or subnet appear before more general ones.
- Use the statement permit any any if you want to allow all other packets not already denied by an earlier statement in the access list. Using the statement permit any any at the end of an access list, in effect, avoids denying all other packets with the implicit deny statement at the end of an access list. Do not make your first access list entry permit any any because all traffic will get through; no packets will reach subsequent testing and so even if there are deny statements after permit any any they will have no effect.
- While you are creating an access list or after it is created, you might want to delete an entry. You cannot delete an individual entry from a numbered access list; trying to do so will delete the entire access list. If you need to delete an entry, you have to delete the whole access list using the no access-list command and start over. However, you can delete an individual entry from a named access list using the no permit or no deny command. This is one good reason to prefer named access lists over numbered access lists from a practical standpoint.
- To make the individual entries in an access list more scannable and easier to understand at a glance, you can write a helpful remark before or after any statement using the remark command.
- When trying to save router resources, remember that an inbound access list filters traffic before the routing table lookup. An outbound access list applies the filter conditions after the routing table lookup.
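The following added example (not from the original page; the INSIDE_IN and BROKEN names, the 10.10.0.0 addresses and the interface are assumed) puts the ordering hints above into one list, then shows the misordered list the last hint warns about.

```cisco
! Step 1: build the list first, so no half-finished list is ever live.
ip access-list extended INSIDE_IN
 remark Specific host rule must precede the broader subnet permit below
 deny   ip host 10.10.5.25 any
 remark Most frequent traffic next: web sessions from the user subnet
 permit tcp 10.10.0.0 0.0.255.255 any eq 80
 permit tcp 10.10.0.0 0.0.255.255 any eq 443
 remark Broader rule for the rest of the subnet's traffic
 permit ip 10.10.0.0 0.0.255.255 any
 remark No "permit ip any any" here: all other sources hit the implicit deny
!
! Step 2: apply only once the list is complete. An inbound list is checked
! before the routing lookup, so denied packets never cost a route lookup.
interface GigabitEthernet0/1
 ip access-group INSIDE_IN in
!
! Anti-pattern: a leading "permit ip any any" matches every packet on the
! first test, so the deny beneath it is never evaluated and filters nothing.
ip access-list extended BROKEN
 permit ip any any
 deny   ip host 10.10.5.25 any
```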
Switch Port Access Lists
Switch port access lists are ACLs configured on physical interfaces on a switch. Here are some facts you should not forget about port ACLs:
- Port ACLs support only inbound traffic filtering.
- Port ACLs can be configured as three types: standard, extended, and extended MAC.
- Port ACLs control IP traffic through standard or extended access lists while non-IP traffic is filtered through the use of extended MAC access lists.
You are already familiar with how standard and extended access lists are created. We will learn how to create extended MAC access lists in this section. You can apply both types of filters, IP and non-IP, to a single interface, but you only get to apply one of each. If you try to apply an additional ACL of either type on an interface, the new one will override the one you had there before.
Let’s define and verify an extended MAC access list:
It’s now time to apply the MAC ACL to a switch interface using the mac access-group command:
Let’s try to understand what we just did. We created an extended MAC access list called MY_MAC_LIST that allows incoming frames sourced only from the specific MAC address 00cd.38ab.4d35. This scenario makes sense if you have a desktop cabled to your switch port and you don’t want users connecting any other device to the same port.
In the last example, we defined an access list that made its filtering decision based on MAC addresses. Sometimes it is desirable to make permit or deny decisions based on the protocol carried inside Ethernet frames rather than source and/or destination MAC addresses.
You can specify either an EtherType code or protocol name if a corresponding keyword for your desired protocol is available.
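An added example (not the page's original listing) that defines, verifies and applies MY_MAC_LIST with the MAC address named in the text, then shows a second list keyed on the carried protocol; the interface name, the PROTO_LIST name and the choice of the netbios keyword are assumptions.

```cisco
! Extended MAC ACL: only frames whose source MAC is 00cd.38ab.4d35 pass.
! Any other source MAC hits the implicit deny and is dropped.
mac access-list extended MY_MAC_LIST
 permit host 00cd.38ab.4d35 any
!
! Verify the list before binding it:
show access-lists MY_MAC_LIST
!
! Port ACLs filter inbound only, so "in" is the only valid direction.
! Applying a second MAC ACL here would replace this one, not add to it.
interface FastEthernet0/1
 mac access-group MY_MAC_LIST in
!
! Variant: filter on the protocol inside the frame instead of the MAC.
! A protocol keyword is used where one exists (netbios here); an EtherType
! code in hexadecimal may be given instead when no keyword matches.
mac access-list extended PROTO_LIST
 deny   any any netbios
 permit any any
```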