Chapter 23 of 29
Device Access Control, ACLs, and Secure Management
Control who can reach your devices and what they can do by combining local authentication, secure remote access, and ACL-based traffic filtering.
Big Picture: Device Access Control and ACLs
Three Building Blocks
You will connect three ideas: local user accounts and line passwords, secure console/VTY access (SSH), and ACL-based traffic filtering on Cisco IOS devices.
Attackers' First Doors
The first targets are usually the console port (physical), VTY lines (remote CLI), and management-plane IP access like SSH, HTTP/HTTPS, and SNMP.
ACL Canonical Definition
Remember: An Access Control List (ACL) is an ordered set of permit and deny statements that control which packets are allowed or blocked based on criteria such as source, destination, and protocol.
What You Will Do
You will compare standard vs extended ACLs, protect management access with ACLs, filter data-plane traffic, and troubleshoot connectivity broken by ACL misconfigurations.
Local User Accounts, Console, and VTY Lines
Local User Accounts
Local users are created with `username <name> privilege <level> secret <password>`. Use `secret`, not `password`, because `secret` stores a one-way hash of the password, while `password` stores it in a form that can be recovered from the configuration.
Console Line Basics
The console line is physical access. Use `line console 0`, then `login local` and `exec-timeout` to require usernames and auto-logout idle sessions.
VTY Lines for Remote Access
VTY lines handle Telnet/SSH. Use `line vty 0 4`, `transport input ssh`, and `login local` to enforce SSH-only and local user authentication.
Exam Signal: Telnet vs SSH
If both Telnet and SSH are allowed, it is functional but not best practice. Expect SSH-only configurations to be the "most secure" answer choice.
End-to-End: Building Secure SSH Access
Step 1: IP Reachability
Configure an IP on a router interface or a switch SVI plus a default gateway so management hosts can reach the device over the network.
Default Gateway Reminder
A default gateway is the IP of a router interface on the local segment that a host uses to send traffic to remote networks.
Step 2: Enable SSH
Set hostname and domain name, then generate RSA keys and enable SSH version 2: `crypto key generate rsa modulus 2048` and `ip ssh version 2`.
Step 3: Users and VTY
Create a local admin user and configure `line vty 0 4` with `transport input ssh` and `login local` so only authenticated SSH is allowed.
Putting It Together
Visualize an SSH flow: laptop → router IP → VTY line (SSH-only) → local username/password. Any missing piece breaks the management connection.
ACL Fundamentals and the Implicit Deny
ACL Canonical Definition
An ACL is an ordered set of permit and deny statements that control which packets are allowed or blocked based on source, destination, and protocol.
Ordered and First Match
ACLs are processed top to bottom. The first line that matches a packet decides its fate; no later lines are checked.
Implicit Deny Any
Every ACL ends with an invisible `deny any`. If no lines match, the packet is dropped. This is a common exam and troubleshooting trap.
Standard vs Extended
Standard ACLs match only source IP. Extended ACLs can match source, destination, protocol, and ports, giving much finer control.
Interface Direction
ACLs act only when attached to an interface with `ip access-group ... in|out`. The direction is relative to the router interface.
Standard ACLs: Syntax, Wildcards, and Placement
Wildcard Masks
Wildcard 0 means "must match"; 1 means "don’t care". A /24 network uses 0.0.0.255, while a single host uses 0.0.0.0.
Standard ACL Example
`access-list 10 permit 192.0.2.0 0.0.0.255` permits sources in 192.0.2.0/24 and implicitly denies all other source addresses.
Protecting VTY with access-class
Use `line vty 0 4` then `access-class 10 in` to restrict which source IPs can open VTY sessions. The ACL is evaluated before `login local` and the SSH handshake, so a denied source is rejected before any authentication takes place.
Standard ACL Placement
Rule of thumb: place standard ACLs close to the destination to avoid over-blocking a source that might need other traffic allowed.
Extended ACLs: Matching Protocols and Ports
Extended ACL Power
Extended ACLs can match source, destination, protocol (like TCP, UDP, ICMP), and ports (like 80, 443, 23) for precise control.
Reading an Extended ACL
`access-list 101 permit tcp 192.0.2.0 0.0.0.255 198.51.100.10 0.0.0.0 eq 80` allows HTTP from that subnet to that server.
Interface Application
Use `ip access-group 101 in` on an interface so packets entering that interface are checked against ACL 101.
Named ACLs
Named ACLs with `ip access-list extended NAME` are easier to manage. Use `host 198.51.100.10` as a shorthand for a single-IP wildcard.
Extended ACL Placement
Place extended ACLs close to the source to drop unwanted traffic early and avoid carrying it across the network.
Thought Exercise: Choosing Standard vs Extended and Direction
Exercise Overview
You will mentally choose ACL type (standard vs extended) and placement (interface/line, in/out) for three realistic scenarios.
Scenario 1: SSH to Router
Only LAN 192.0.2.0/24 may SSH to R1. Do you just care about source networks, or also the SSH port? Line-based `access-class` vs interface ACL?
Scenario 2: Block HTTP
You must block HTTP from LAN to server but allow other traffic. Do you need port matching? Where do you drop the traffic most efficiently?
Scenario 3: Limit Ping
Only 192.0.2.50 may ping the router. Think about protocol (ICMP) and whether this calls for a standard or extended ACL and best interface/direction.
Using ACLs for Secure Management Access
Line-Based Control
`access-class` on VTY lines uses an ACL to decide which source IPs may open remote CLI sessions, without touching normal forwarding.
Interface-Based Control
Extended ACLs on interfaces with `ip access-group` can restrict SSH, HTTP, and other protocols to the router or through the router.
Sample MGMT-SSH ACL
In `MGMT-SSH`, permit SSH from 192.0.2.0/24 to 192.0.2.1, deny other SSH to that IP, then permit all remaining IP traffic.
Choosing the Tool
Use `access-class` when you just care who can log in. Use interface ACLs when you need protocol-aware filtering or to protect data-plane flows.
Troubleshooting ACLs and Common Exam Traps
Troubleshooting Checklist
Check if the ACL is applied, direction is correct, entries are ordered properly, implicit deny is considered, and wildcards are accurate.
Show Commands
Use `show access-lists` for ACL details and hit counts, and `show ip interface` to see which ACLs are bound to which interfaces.
Hit Counts Insight
If an ACL line has zero hits, either traffic is not reaching that interface/direction or the match conditions are wrong.
Common Exam Traps
Watch for missing final permits, wrong ACL type, misapplied interfaces, and swapped source/destination in extended ACL entries.
Quiz 1: Concepts and Best Practices
Check your understanding of ACL basics and secure management access.
You must ensure that only hosts in 10.10.10.0/24 can open SSH sessions to a router's VTY lines, but you do not need to distinguish between SSH and Telnet at the ACL level. Which is the simplest, best-practice approach?
- Create an extended ACL on G0/0 inbound that permits TCP port 22 from 10.10.10.0/24 and denies all other traffic.
- Create a standard ACL permitting 10.10.10.0/24 and apply it with access-class in on the VTY lines; configure transport input ssh.
- Create a standard ACL permitting 10.10.10.0/24 and apply it with ip access-group in on all interfaces.
- Create an extended ACL applied outbound on the WAN interface that denies SSH from all sources except 10.10.10.0/24.
Show Answer
Answer: B) Create a standard ACL permitting 10.10.10.0/24 and apply it with access-class in on the VTY lines; configure transport input ssh.
Option 2 is correct: a standard ACL with `access-class` on the VTY lines directly controls which source IPs can open remote sessions, and `transport input ssh` ensures only SSH is used. Option 1 overfilters data-plane traffic and is more complex. Option 3 would affect all traffic, not just management. Option 4 filters on the wrong interface and direction for local LAN SSH access.
Quiz 2: Reading and Predicting ACL Behavior
Apply what you know about ACL order, implicit deny, and matching.
Given this ACL applied inbound on G0/0 (LAN-facing):
`access-list 110 deny tcp any any eq 23`
`access-list 110 permit tcp any any eq 80`
What happens to HTTPS (TCP port 443) traffic from the LAN to the internet?
- It is permitted, because it does not match either line and there is no deny statement.
- It is denied, because it matches the first line.
- It is denied due to the implicit deny any at the end of the ACL.
- It is permitted only if sourced from the router itself.
Show Answer
Answer: C) It is denied due to the implicit deny any at the end of the ACL.
HTTPS traffic does not match line 1 (port 23) or line 2 (port 80), so ACL processing reaches the end. Every ACL has an implicit `deny any` at the end, so the traffic is dropped. To allow HTTPS, you would need to add a specific `permit` or a more general `permit ip any any` after the specific denies.
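As an added example (not part of this chapter), the following Python models the ACL rules described above: wildcard-mask matching, top-down first-match evaluation, the implicit `deny any`, and per-line hit counts. It parses the chapter's own entries (ACL 10, the named MGMT-SSH list, and quiz 2's ACL 110) so you can check the quiz answer mechanically. The MGMT-SSH lines are my rendering of the chapter's prose description, and only numeric ports (`eq 22`, not `eq ssh`) are handled.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")   # IOS "any": network 0.0.0.0 with an all-ones wildcard

def wildcard_match(addr, network, wildcard):
    # Cisco wildcard semantics: a 0 bit must match exactly, a 1 bit is "don't care"
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    src: tuple                  # (network, wildcard)
    dst: tuple | None = None    # None for a standard ACL (source-only)
    proto: str | None = None    # ip / tcp / udp / icmp; None for a standard ACL
    dport: int | None = None    # destination port from "eq N" (numeric ports only)
    hits: int = 0               # the per-line counter "show access-lists" reports

def take_addr(t):
    # Consume one address spec: "any", "host A.B.C.D", or "network wildcard"
    if t[0] == "any":
        return ANY, t[1:]
    if t[0] == "host":
        return (t[1], "0.0.0.0"), t[2:]
    return (t[0], t[1]), t[2:]

def parse(line):
    # One entry in "access-list N <rule>" form or a named-mode "<rule>" line
    t = line.split()
    t = t[2:] if t[0] == "access-list" else t       # drop "access-list <number>"
    action, t = t[0], t[1:]
    if t[0] not in ("ip", "tcp", "udp", "icmp"):    # no protocol keyword: standard ACL
        return Entry(action, take_addr(t)[0])
    proto, t = t[0], t[1:]
    src, t = take_addr(t)
    dst, t = take_addr(t)
    return Entry(action, src, dst, proto, int(t[1]) if t[:1] == ["eq"] else None)

def evaluate(acl, src, dst="0.0.0.0", proto="ip", dport=None):
    # Top to bottom, first match wins; reaching the end is the invisible "deny any"
    for e in acl:
        if (wildcard_match(src, *e.src)
                and (e.dst is None or wildcard_match(dst, *e.dst))
                and (e.proto in (None, "ip") or e.proto == proto)
                and (e.dport is None or e.dport == dport)):
            e.hits += 1
            return e.action
    return "deny"

ACL_10 = [parse("access-list 10 permit 192.0.2.0 0.0.0.255")]
MGMT_SSH = [parse(l) for l in ("permit tcp 192.0.2.0 0.0.0.255 host 192.0.2.1 eq 22",
                                "deny tcp any host 192.0.2.1 eq 22", "permit ip any any")]  # my rendering of the prose
ACL_110 = [parse(l) for l in ("access-list 110 deny tcp any any eq 23",
                               "access-list 110 permit tcp any any eq 80")]
```

Calling `evaluate(ACL_110, "10.0.0.5", "203.0.113.80", "tcp", 443)` returns `"deny"` with no line's hit count incremented, which is exactly the zero-hits symptom described under Hit Counts Insight.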
Key Term Review: Device Access and ACLs
Use these flashcards to reinforce core definitions and commands.
- ACL (Access Control List) - canonical definition
- An Access Control List (ACL) is an ordered set of permit and deny statements that control which packets are allowed or blocked based on criteria such as source, destination, and protocol.
- Default gateway - canonical definition
- A default gateway is the IP address of a router interface on the local network segment that a host uses to send traffic destined for remote networks.
- Command to require local usernames on VTY lines
- `login local` under `line vty` tells the device to use the local user database for authentication.
- Command to restrict VTY access by source IP
- `access-class <acl-number-or-name> in` under `line vty` applies an ACL to incoming remote sessions.
- Command to apply an ACL to an interface
- `ip access-group <acl-number-or-name> in|out` under an interface applies the ACL in the chosen direction.
- Standard vs Extended ACL (key difference)
- Standard ACLs match only source IP; extended ACLs can match source, destination, protocol, and ports.
- Placement rule: standard ACLs
- Place standard ACLs close to the destination to avoid over-blocking a source that needs other traffic allowed.
- Placement rule: extended ACLs
- Place extended ACLs close to the source to drop unwanted traffic as early as possible.
- Implicit behavior at the end of every ACL
- There is an implicit `deny any` at the end of every ACL, even if not shown in the configuration.
- Command to see ACL hit counts
- `show access-lists` displays ACL entries and how many packets matched each line.
Key Terms
- ACL
- An Access Control List (ACL) is an ordered set of permit and deny statements that control which packets are allowed or blocked based on criteria such as source, destination, and protocol.
- SSH
- Secure Shell, a cryptographic network protocol used for secure remote command-line access and management.
- Telnet
- A legacy, unencrypted remote terminal protocol used to access device CLIs, considered insecure on modern networks.
- VTY lines
- Virtual terminal lines on Cisco devices used for remote CLI access via Telnet or SSH.
- access-class
- A line configuration command that applies an ACL to control which IP addresses can establish VTY (or other line) sessions.
- console line
- The physical management port on a Cisco device used for local CLI access, especially initial configuration and recovery.
- extended ACL
- An ACL type that can match source and destination IP addresses, protocols (TCP, UDP, ICMP, etc.), and ports for fine-grained control.
- standard ACL
- An ACL type that matches only source IP addresses, typically used to control which hosts or networks are allowed or denied.
- wildcard mask
- A mask used in ACLs where 0 bits must match exactly and 1 bits are "don’t care", effectively the inverse of a subnet mask.
- default gateway
- A default gateway is the IP address of a router interface on the local network segment that a host uses to send traffic destined for remote networks.
- ip access-group
- An interface configuration command that applies an ACL to traffic entering or leaving that interface.