[Techtalk] ACLs on cisco switches

Maria Blackmore mariab at cats.meow.at
Tue Oct 29 02:16:57 EST 2002


On Mon, 28 Oct 2002, Jen B wrote:

> I have a number of cisco 2900XL switches in production off-site.
> I noticed that the version of IOS they are running appears to support
> ACLs. I would like to set some rules for telnet access - is this do-able?

yes, and easily so :)

> The manuals have gone missing and the only online docs I've been able to
> find deal only with acl syntax. I can't seem to find a straight answer
> about restricting access to the switch though. I don't have a spare
> switch to play around with, so before I go mucking with production
> hardware I just want to make sure I can put these kinds of ACLs in place.

ok, well if you're going to mess with stuff on the production switches,
there are a few things that you can remember to make life happier :)

firstly, changes take effect as soon as you type them

secondly, changes you make are NOT committed forever until you type
"write" or "copy running-config startup-config" or "write
startup-config" or whatever you choose

thirdly, if you're about to make a change that you're not sure about, you
can issue a "reload in $time" command, eg "reload in 5" to reload in five
minutes, so that if everything goes horribly wrong, then you only have to
wait five minutes before the switch reboots itself :)  When what you are
doing works just fine you can simply cancel it with "reload cancel"

fourthly, if you're not sure what to type next, type a "?" and IOS will
happily respond with a list of what it will accept next


The easiest way to explain what to do is by way of a list of example
commands; I'll annotate it afterwards. First of all you must have entered
enable mode, and then entered "configure terminal" to enter configuration
mode.  This includes line numbers, which you won't see on a login of
course, and also the IOS prompt, which you will see; this is designed to
be similar in style to that used in Cisco's own documentation, but to
allow me to add annotations

1	Switch(config)#access-list 42 permit 192.168.1.1
2	Switch(config)#access-list 42 permit 192.168.2.96 0.0.0.31
3	Switch(config)#access-list 42 deny any
4	Switch(config)#line vty 0 4
5	Switch(config-line)#access-class 42 in
6	Switch(config-line)#^Z
7	Switch#copy running-config startup-config
	Switch#

1
~
add a rule to IP standard access list 42, permitting traffic involving
192.168.1.1 (a single machine)

2
~
add a rule to IP standard access list 42, permitting traffic involving
192.168.2.96/27, or IP addresses between 192.168.2.96 and
192.168.2.127, such as might be used for a group of workstations.  Note here
that IOS uses inverse masking: you're marking the bits you want to be
allowed to vary, rather than the bits which must stay fixed.  The normal
mask for a /27 would be 255.255.255.224, so for an IOS acl you need
255-224 = 31, so the inverse mask is 0.0.0.31

3
~
add a rule to IP standard access list 42, denying all traffic that hasn't
previously been matched

4
~
Select the line(s) comprising the range of vtys between 0 and 4, for
your commands to apply to.  vtys are virtual ttys, much like ptys on a
unix machine; they are what you use when you login through telnet

5
~
Indicate that you wish IP standard access list 42 to apply to connections
made to these line(s)

6
~
Exit configuration mode

7
~
Write changes to nvram; you can actually just type "write" if you want,
but this is just for completeness


If you run into any problems with this, drop me a line and I'll see what I
can do :)

Remember, "reload in $time" can be a life saver :)

You can find IOS command references for the appropriate version of IOS on
CCO (www.cisco.com), though you may need to do a little digging since they
have recently rearranged things, but the command references *are* there,
and cover the syntax for every single IOS command of every single IOS
version currently in use.  There are also a few configuration guides
too.  If you can't find them, let me know and I'll see what I can dig up
for you.  You can find out what the switch is currently running with "show
version"

Have fun, and good luck :)

Maria


-- 
Maria Blackmore, Network Fairy
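As an added illustration of the inverse-mask and first-match behaviour described above (this is not code from the original post, and IOS itself is not involved): a small Python model that turns a prefix length into the wildcard mask the way the 255-224 = 31 calculation does, and evaluates a source address against access list 42 exactly as the three rules plus the implicit deny would. It generalises the /27 case to any prefix length.

```python
# Added example (not part of the original post). Models how an IOS standard
# access list matches a source address: bits set in the wildcard mask may
# vary, all other bits must equal the configured address. Stdlib only.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def wildcard_from_prefix(prefix_len):
    """Inverse (wildcard) mask for a prefix length, e.g. 27 -> '0.0.0.31'."""
    netmask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES   # /27 -> 255.255.255.224
    return str(ipaddress.IPv4Address(netmask ^ ALL_ONES))  # invert -> 0.0.0.31


def parse_ace(line):
    """Parse 'access-list N permit|deny ADDR [WILDCARD]' or '... deny any'."""
    parts = line.split()
    action = parts[2]
    if parts[3] == "any":
        return action, 0, ALL_ONES             # every bit may vary
    addr = int(ipaddress.IPv4Address(parts[3]))
    # A bare host address has an implied wildcard of 0.0.0.0 (exact match).
    wildcard = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
    return action, addr, wildcard


def evaluate(acl_lines, source):
    """Return 'permit' or 'deny' for a source address, first match wins.

    If no entry matches, the implicit 'deny any' at the end of every IOS
    access list applies.
    """
    src = int(ipaddress.IPv4Address(source))
    for action, addr, wildcard in (parse_ace(line) for line in acl_lines):
        fixed_bits = ~wildcard & ALL_ONES
        if (src & fixed_bits) == (addr & fixed_bits):
            return action
    return "deny"


# The access list from the thread above.
ACL_42 = [
    "access-list 42 permit 192.168.1.1",
    "access-list 42 permit 192.168.2.96 0.0.0.31",
    "access-list 42 deny any",
]

if __name__ == "__main__":
    print(wildcard_from_prefix(27))                 # 0.0.0.31
    for host in ("192.168.1.1", "192.168.2.127", "192.168.2.128"):
        print(host, evaluate(ACL_42, host))
```

Note that the model only checks the source address, which is all a standard access list looks at; `access-class ... in` applies that test to the address a telnet session arrives from.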
