Tuesday, May 17, 2005

Cisco tip: Name your access lists

The traditional way of building access lists on a Cisco router is to number them: 1-99 means a standard IP access list, 100-199 means an extended IP access list. It makes a lot more sense to give them a name instead of a number. We have way too many numbers to remember as it is, so having to remember which numbered list does what is just too much. Cisco IOS release 11.2 introduced the ability to name access lists. Now, instead of trying to remember that ACL 101 is designed to block Telnet traffic, we can name it something like “telnet_restrict” so its purpose is obvious.

Use global configuration mode to configure a named ACL. The following sequence of commands configures an extended IP access list named restrict_telnet that blocks Telnet (TCP port 23) from any host to the hosts 10.16.0.13 and 160.254.100.3, applies it inbound on router4’s serial 0/0 and ethernet 0/0 interfaces, and permits all other traffic:

router4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
router4(config)#ip access-list extended restrict_telnet
router4(config-ext-nacl)#deny tcp any host 10.16.0.13 eq 23
router4(config-ext-nacl)#deny tcp any host 160.254.100.3 eq 23
router4(config-ext-nacl)#permit ip any any
router4(config-ext-nacl)#exit
router4(config)#int s0/0
router4(config-if)#ip access-group restrict_telnet in
router4(config-if)#int e0/0
router4(config-if)#ip access-group restrict_telnet in
router4(config-if)#exit
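As an added example (not from the post or from Cisco), here is a small Python audit script that parses a constructed running-config fragment mirroring the ACL above: it lists where each named list is applied, flags interfaces still bound to a numbered list, and reports entries shadowed by a catch-all permit.

```python
import re

# Constructed sample running-config fragment mirroring the named ACL in the post,
# plus one interface (hypothetical Ethernet0/1) still using a numbered list.
SAMPLE_CONFIG = """\
ip access-list extended restrict_telnet
 deny tcp any host 10.16.0.13 eq 23
 deny tcp any host 160.254.100.3 eq 23
 permit ip any any
!
interface Serial0/0
 ip access-group restrict_telnet in
!
interface Ethernet0/0
 ip access-group restrict_telnet in
!
interface Ethernet0/1
 ip access-group 101 in
"""

def parse_named_acls(config):
    """Return {acl_name: [ace, ...]} for each named IP access list in the config."""
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ip access-list (?:standard|extended) (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif current and line.startswith(" "):
            acls[current].append(line.strip())   # indented lines are the ACEs
        else:
            current = None                        # '!' or another top-level command
    return acls

def parse_access_groups(config):
    """Return [(interface, acl, direction), ...] for every ip access-group binding."""
    groups, iface = [], None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            iface = m.group(1)
        m = re.match(r"\s+ip access-group (\S+) (in|out)", line)
        if m and iface:
            groups.append((iface, m.group(1), m.group(2)))
    return groups

def unreachable_aces(aces):
    """ACEs after a catch-all 'permit ip any any' are never evaluated."""
    for i, ace in enumerate(aces):
        if ace == "permit ip any any":
            return aces[i + 1:]
    return []

def numbered_bindings(groups):
    """Interfaces still bound to a numbered ACL rather than a descriptive name."""
    return [g for g in groups if g[1].isdigit()]
```

Run it against the output of `show running-config` to confirm the deny entries precede the final permit and that every interface uses a named list.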

Want to know more about configuring access lists on a Cisco router? Bring our two-day Cisco Router Fundamentals workshop to your location as an onsite presentation for groups of four or more. Click here or call 206.988.5858 for details and scheduling. Also, check online for public, open-enrollment seminars.
