[Techtalk] ACLs on cisco switches

Jen B jenb at sdf.lonestar.org
Tue Oct 29 03:54:55 EST 2002


wow! thanks for the super verbose answer!
I've looked over the docs for acls and am pretty comfortable
with the syntax, but this is more than I could have asked for!

Since this is a switch, and not a router, the worst-case scenario should
be that telnet access will be unreachable, right?

cheers!

Jen

On Tue, 29 Oct 2002, Maria Blackmore wrote:

> Date: Tue, 29 Oct 2002 01:16:57 +0000 (GMT)
> From: Maria Blackmore <mariab at cats.meow.at>
> To: techtalk at linuxchix.org
> Subject: Re: [Techtalk] ACLs on cisco switches
>
> On Mon, 28 Oct 2002, Jen B wrote:
>
> > I have a number of cisco 2900XL switches in production off-site.
> > I noticed that the version of IOS they are running appears to support
> > ACL's. I would like to set some rules for telnet access-is this do-able?
>
> yes, and easily so :)
>
> > The manuals have gone missing and the only online docs I've been able to
> > find deal only with acl syntax. I can't seem to find a straight answer
> > about restricting access to the switch though. I don't have a spare
> > switch to play around with, so before I go mucking with production
> > hardware I just want to make sure I can put these kind of ACL's in place.
>
> ok, well if you're going to mess with stuff on the production switches,
> there's a few things that you can remember to make life happier :)
>
> firstly, changes take effect as soon as you type them
>
> secondly, changes you make are NOT committed forever until you type
> "write" or "copy running-config startup-config" or "write
> startup-config" or whatever you choose
>
> thirdly, if you're about to make a change that you're not sure about, you
> can issue a "reload in $time" command, eg "reload in 5" to reload in five
> minutes, so that if everything goes horribly wrong, then you only have to
> wait five minutes before the switch reboots itself :)  When what you are
> doing works just fine you can simply cancel it with "reload cancel"
>
> fourthly, if you're not sure what to type next, type a "?" and IOS will
> happily respond with a list of what it will accept next
>
>
> The easiest way to explain what to do is by way of a list of example
> commands; I'll annotate it afterwards.  First of all you must have entered
> enable mode, and then entered "configure terminal" to enter configuration
> mode.  This includes line numbers, which you won't see on a login of
> course, and also the IOS prompt, which you will see.  This is designed to
> be similar in style to that used in Cisco's own documentation, but to
> allow me to add annotations.
>
> 1	Switch(config)#access-list 42 permit 192.168.1.1
> 2	Switch(config)#access-list 42 permit 192.168.2.96 0.0.0.31
> 3	Switch(config)#access-list 42 deny any
> 4	Switch(config)#line vty 0 4
> 5	Switch(config-line)#access-class 42
> 6	Switch(config-line)#^Z
> 7	Switch#copy running-config startup-config
> 	Switch#
>
> 1
> ~
> add a rule to IP standard access list 42, permitting traffic involving
> 192.168.1.1 (a single machine)
>
> 2
> ~
> add a rule to IP standard access list 42, permitting traffic involving
> 192.168.2.96/27, or IP addresses between 192.168.2.96 and
> 192.168.2.127, such as may specify a group of workstations.  Note here
> that IOS uses inverse masking: you're marking the bits you want to be
> allowed to vary, rather than the bits which must stay fixed.  The normal
> mask for a /27 would be 255.255.255.224, so for an IOS acl you need
> 255-224 = 31, so the inverse mask is 0.0.0.31
>
> 3
> ~
> add a rule to IP standard access list 42, denying all traffic that hasn't
> previously been matched
>
> 4
> ~
> Select the line(s) comprising the range of vtys between 0 and 4, for
> your commands to apply to.  vtys are virtual ttys, much like ptys on a
> unix machine; they are what you use when you log in through telnet
>
> 5
> ~
> Indicate that you wish IP standard access list 42 to apply to connections
> made to this line(s)
>
> 6
> ~
> Exit configuration mode
>
> 7
> ~
> Write changes to nvram, you can actually just type "write" if you want,
> but this is just for completeness
>
>
> If you run into any problems with this, drop me a line and I'll see what I
> can do :)
>
> Remember, "reload in $time" can be a life saver :)
>
> You can find IOS command references for the appropriate version of IOS on
> CCO (www.cisco.com), though you may need to do a little digging since they
> have recently rearranged things, but the command references *are* there,
> and cover the syntax for every single IOS command of every single IOS
> version currently in use.  There are also a few configuration guides
> too.  If you can't find them, let me know and I'll see what I can dig up
> for you.  You can find out what the switch is currently running with "show
> version"
>
> Have fun, and good luck :)
>
> Maria
>
>
> --
> Maria Blackmore, Network Fairy
>
> _______________________________________________
> Techtalk mailing list
> Techtalk at linuxchix.org
> http://mailman.linuxchix.org/mailman/listinfo/techtalk
>

. . . . . . . . . . . . . . . . . .
jenb at sdf.lonestar.org
jen at bitchoperatorfromhell.com
jen at sedition.org
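The quoted reply walks through inverse (wildcard) masking and how IOS evaluates a standard access list before it is applied to the vty lines with access-class. As an added illustration (not code from either poster, and not anything IOS itself runs), the Python below reproduces that arithmetic: it derives the wildcard mask for a prefix length, expands an address/wildcard pair to the range it covers, parses the three access-list 42 entries from the post, and evaluates sources against them with first-match semantics and the implicit "deny any" at the end. It also includes a lockout check, a hypothetical helper of my own, that confirms the addresses an administrator connects from are still permitted before the list goes on the lines. The sample source addresses are constructed for the demonstration.

```python
"""Model of IOS standard-ACL evaluation for the vty access-class example.

Added illustration, not from the mailing-list post: it reproduces the
wildcard-mask arithmetic from the post and evaluates access list 42
with IOS first-match semantics and the implicit "deny any" at the end.
"""
from ipaddress import IPv4Address

ALL_ONES = 0xFFFFFFFF


def wildcard_from_prefix(prefix_len: int) -> str:
    """IOS inverse (wildcard) mask for a /prefix_len network: bits that may
    vary are 1, e.g. /27 -> netmask 255.255.255.224 -> wildcard 0.0.0.31."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    netmask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return str(IPv4Address(netmask ^ ALL_ONES))


def wildcard_range(address: str, wildcard: str) -> tuple:
    """First and last address matched by 'address wildcard'
    (1 bits in the wildcard are don't-care bits)."""
    a, w = int(IPv4Address(address)), int(IPv4Address(wildcard))
    fixed = a & (w ^ ALL_ONES)
    return str(IPv4Address(fixed)), str(IPv4Address(fixed | w))


def parse_acl_entry(line: str) -> tuple:
    """Parse one 'access-list N permit|deny SRC [WILDCARD]' line into
    (number, action, src_int, wildcard_int).  'any' and 'host X' are
    accepted too; a missing wildcard means a single host (0.0.0.0)."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list":
        raise ValueError(f"not a standard access-list entry: {line!r}")
    number, action = int(parts[1]), parts[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    if parts[3] == "any":
        src, wc = "0.0.0.0", "255.255.255.255"
    elif parts[3] == "host":
        src, wc = parts[4], "0.0.0.0"
    else:
        src = parts[3]
        wc = parts[4] if len(parts) > 4 else "0.0.0.0"
    return number, action, int(IPv4Address(src)), int(IPv4Address(wc))


def evaluate(entries, source: str) -> str:
    """Return 'permit' or 'deny' for a source address: the first matching
    entry wins; a source matching nothing hits the implicit deny."""
    s = int(IPv4Address(source))
    for _, action, src, wc in entries:
        care = wc ^ ALL_ONES  # the bits that must match exactly
        if (s & care) == (src & care):
            return action
    return "deny"


# The three entries from the post, in the order they were typed.
ACL_42 = [parse_acl_entry(l) for l in (
    "access-list 42 permit 192.168.1.1",
    "access-list 42 permit 192.168.2.96 0.0.0.31",
    "access-list 42 deny any",
)]


def lockout_check(entries, admin_sources) -> list:
    """Hypothetical pre-flight check: before 'access-class N' goes on the
    vty lines, confirm every address an administrator telnets from is
    still permitted.  Returns the ones that would be locked out."""
    return [a for a in admin_sources if evaluate(entries, a) != "permit"]


if __name__ == "__main__":
    print("wildcard for /27:", wildcard_from_prefix(27))
    print("range of 192.168.2.96 0.0.0.31:",
          wildcard_range("192.168.2.96", "0.0.0.31"))
    # Constructed sample sources: the single permitted host, one host inside
    # the permitted /27, the first address just past it, and an outsider.
    for src in ("192.168.1.1", "192.168.2.100", "192.168.2.128", "10.0.0.5"):
        print(f"{src:15} -> {evaluate(ACL_42, src)}")
    print("locked out:", lockout_check(ACL_42, ["192.168.1.1", "192.168.2.130"]))
```

Running the lockout check with the address you are connecting from before step 5 in the post is the sanity check that complements "reload in 5": if your own source would fall through to "deny any", fix the list before applying access-class rather than relying on the scheduled reload.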
