CHAPTER 11

Access Control Lists

Additional Topics of Interest


Firewalls …………………………………………………………………………………………………………1

Restricting Telnet Access to Routers ………………………………………………………………………2

This section covers the following two additional topics, which supplement the coverage of Access Control Lists
(ACLs) in Chapter 11 in the book:
■ Firewalls
■ Restricting Telnet access

Firewalls
In a physical building, a firewall is an actual wall that separates the building into parts. When a fire occurs, the
firewall reduces or even prevents the spread of fire from one part of the building to another. To enable the fire-
wall to do its job, it is made of fire-retardant materials and typically runs from ground level to the top of the
building. The doors that let people walk through the firewall are typically set up to shut automatically when the
fire alarm goes off. Additionally, the architect and builder try to minimize the number of holes in the wall for
doors, conduits for wiring and plumbing, and other utilities, all to help the firewall do its job better.
The networking world has taken up the term firewall to refer to a function, oftentimes implemented by a sepa-
rate hardware device, that protects one internetwork from others. In networking, firewalls protect the hosts in
an internetwork from harmful packets from outside the internetwork, much like a building’s firewall protects
one part of the building from fire outside that part of the building. Figure 11-15 shows a typical network topol-
ogy in which the enterprise on the left uses a firewall, requiring all traffic to and from the Internet to flow
through the firewall to reach the hosts inside the enterprise.

© 2007 Cisco Systems • Routers and Routing CCNA2 Companion Guide • Wendell Odom and Rick McDonald • ISBN 1587131668
2 Routers and Routing Basics CCNA 2 Companion Guide

Figure 11-15 Typical Architecture for Internet Connection with a Firewall

[Figure 11-15: Enterprise hosts -- R1 -- Firewall -- R2 -- Internet; all traffic between the enterprise and the Internet passes through the firewall.]

Note: In addition to routers, Cisco Systems leads the marketplace in firewall product sales. Cisco firewalls are called PIX Firewalls.

Firewalls and routers can perform many of the same functions, but firewalls typically perform a broader range of security functions. Besides that, vendors optimize the internal operations of firewall products to perform complicated security functions; by contrast, vendors optimize routers to forward packets. Given the typically broader security features of firewalls, plus their design to perform well when performing a large amount of security-related work, many companies use a separate firewall product, as shown in Figure 11-15. However, Cisco keeps adding to the security features and processing power of Cisco IOS routers, so many functions typically reserved for firewalls can now be performed in a router.

Restricting Telnet Access to Routers

Router ACLs filter packets that flow through the router. However, Cisco did not design these ACLs to filter packets created and sent by the router itself, such as Telnet traffic and routing protocol packets. In fact, on Cisco routers, an outbound ACL cannot filter packets created by that router.
Telnet access to routers needs to be protected through security mechanisms, to prevent hackers
from shutting down interfaces or reloading the router. Configuring a Telnet password is a must,
but good security practices include using several different protections against each type of prob-
lem. This section describes how a router can be configured to use ACLs to filter Telnet traffic
when Telnet clients try to connect to a router. By discarding the packets of Telnet clients that
should not ever be allowed to access the router, the router prevents that person from ever seeing
a router password prompt. If the hacker never sees a password prompt, the ACL has prevented
the unauthorized user from even getting to guess the router’s password.
To protect Telnet access, the router needs to apply the ACL logic to a vty line. Routers use vir-
tual ports called vty lines to control Telnet access. When a Telnet client telnets into a router, the
router allocates one of the vty lines, numbered 0 through 4. To restrict Telnet access into the
router, the router applies an ACL to the vty lines, telling IOS to filter packets coming into the
vty lines—in other words, to filter Telnet requests coming into the router.

For example, in the internetwork shown in Figure 11-16, all the network engineers happen to
have IP addresses in subnet 172.16.1.0/24. So, the engineers configure all the routers with the
same basic logic, as follows:
Permit Telnet clients in subnet 172.16.1.0/24 to connect to the router; deny requests from
all other source IP addresses.

Figure 11-16 Allowing and Denying Clients to Telnet to a Router

[Figure 11-16: PC1 (172.16.1.1) and PC2 (172.16.1.2) sit on R1's FA0/0 (172.16.1.251); R1's S0/1/0 (172.16.4.251) links to R2's S0/1/1 (172.16.4.252); PC3 (172.16.3.3) sits on R2's FA0/1 (172.16.3.252). Telnet from PC1 is allowed; Telnet from PC3 is denied.]

To meet these goals, the engineer must configure a numbered ACL that both permits all packets
from source IP addresses in subnet 172.16.1.0/24 and denies all other traffic. Then, the ACL
must be applied to traffic coming in the vty lines (all vty lines) using the access-class ACL-
number in command. This command tells IOS to filter packets coming into the vty lines—in
other words, incoming Telnet requests—using the referenced ACL. Example 11-12 shows a
sample configuration.

Example 11-12 Restricting Telnet Access

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#access-list 1 permit 172.16.1.0 0.0.0.255
R1(config)#line vty 0 4
R1(config-line)#login
R1(config-line)#password cisco
R1(config-line)#access-class 1 in

Example 11-12 shows both the additional configuration for restricting Telnet access and the
normal configuration for a simple Telnet password. The access-list command creates an ACL
statement that permits traffic whose source IP address begins with 172.16.1. All other packets
will match the implicit deny all at the end of the list. The access-class 1 in command, under the
line vty 0 4 command, enables ACL 1 for Telnet requests coming into the router. The login and
password commands simply define the password required from the password prompt given to
Telnet users.
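The matching rule just described (a wildcard mask whose 0 bits must match the address in the access-list statement, first-match evaluation, and the implicit deny at the end of the list) can be modelled in a few lines. The following Python is an added example written for this page, not code from the book or from Cisco IOS; it evaluates ACL 1 from Example 11-12 against the constructed client addresses taken from Figure 11-16 and generalizes to an ACL with several entries.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    """One standard access-list statement: action, address, wildcard mask."""
    action: str    # "permit" or "deny"
    network: str   # dotted-quad address from the access-list command
    wildcard: str  # dotted-quad wildcard mask; a 0 bit means "must match"


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def entry_matches(entry: AclEntry, source_ip: str) -> bool:
    """A source address matches when every bit that is 0 in the wildcard
    mask equals the corresponding bit of the entry's network address."""
    care = ~_to_int(entry.wildcard) & 0xFFFFFFFF
    return (_to_int(source_ip) & care) == (_to_int(entry.network) & care)


def evaluate_acl(acl: list[AclEntry], source_ip: str) -> str:
    """First-match evaluation; a packet matching no statement hits the
    implicit 'deny any' at the end of every IOS ACL."""
    for entry in acl:
        if entry_matches(entry, source_ip):
            return entry.action
    return "deny"


# ACL 1 exactly as configured in Example 11-12: one permit statement.
ACL_1 = [AclEntry("permit", "172.16.1.0", "0.0.0.255")]

# Constructed sample: the client hosts drawn in Figure 11-16.
SAMPLE_CLIENTS = {
    "PC1": "172.16.1.1",
    "PC2": "172.16.1.2",
    "PC3": "172.16.3.3",
}


def vty_decisions(acl=ACL_1, clients=SAMPLE_CLIENTS) -> dict[str, str]:
    """What 'access-class <acl> in' on the vty lines would do to each
    client's incoming Telnet request."""
    return {name: evaluate_acl(acl, ip) for name, ip in clients.items()}


if __name__ == "__main__":
    for name, verdict in vty_decisions().items():
        print(f"{name} ({SAMPLE_CLIENTS[name]}): {verdict}")
```

Because the implicit deny only applies after every statement has been tried, the order of entries matters once an ACL has more than one line: a `deny` for a single host placed before the subnet `permit` excludes that host, whereas the same two lines in the opposite order never reach the deny.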

Finally, keep in mind two important configuration recommendations when restricting Telnet
access. First, apply the same ACL to all vty lines, as shown here, because you cannot tell the
router which vty lines to assign to a given user. Also, IOS supports only numbered ACLs, and
not named ACLs, when used for restricting Telnet access.

Lab Exercise 11.2.6 VTY Restriction

In this lab, you use the access-class and line commands to control Telnet access to the
router.
