Chapter 9. Securing the network by using IP access control lists
In the last chapter, you configured IP routing and switched virtual interfaces (SVIs) to allow hosts on one subnet to talk to hosts on another. By default, IOS doesn’t restrict this sort of inter-VLAN communication. Any device on one subnet can reach any device on another, provided you’ve set up routing correctly.

If these were the 1990s, you could probably leave it at that. But security is a big deal nowadays, and many organizations require tight control over how traffic flows between devices. If you want to be taken seriously as a Cisco network administrator, you have to know how to configure your switches and routers to restrict IP traffic according to those requirements.

The most common way to do this is by using IP access control lists (ACLs). An ACL is a set of rules that defines whether a given IP address can talk to another IP address. At first blush, the idea of writing rules like this may sound monumentally tedious. In a network of 5,000 devices, you can’t write ACL rules for every device—nor should you. The good news is that ACLs are extremely flexible and powerful, and you can cover a large number of use cases with a small number of rules.

When it comes to restricting traffic, you’ll most often encounter three basic scenarios:

  • Blocking a single IP address from reaching another IP address
  • Blocking a single IP address from reaching another subnet
  • Blocking a subnet from reaching another subnet
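To make the rule-matching concrete before the IOS commands appear, here is an added example (not from the book) that models how an IOS extended ACL evaluates the three scenarios above: entries are checked top to bottom, the first match decides, and a packet that matches nothing hits the implicit deny at the end. The addresses are constructed for illustration, and the model looks only at source and destination IP, not protocol or port.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src: str      # source address (dotted quad)
    src_wc: str   # IOS wildcard mask: 0 bits must match, 1 bits are "don't care"
    dst: str      # destination address
    dst_wc: str   # wildcard mask for the destination


HOST = "0.0.0.0"            # wildcard for a single host (IOS "host" keyword)
ANY_WC = "255.255.255.255"  # wildcard for any address (IOS "any" keyword)
SLASH24 = "0.0.0.255"       # wildcard covering a /24 subnet


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit the wildcard does NOT mark as don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl, src: str, dst: str) -> str:
    """Walk the ACL top to bottom; first matching entry wins. No match means implicit deny."""
    for entry in acl:
        if wildcard_match(src, entry.src, entry.src_wc) and wildcard_match(dst, entry.dst, entry.dst_wc):
            return entry.action
    return "deny"


def _ios_addr(base: str, wc: str) -> str:
    if wc == HOST:
        return f"host {base}"
    if wc == ANY_WC:
        return "any"
    return f"{base} {wc}"


def to_ios(entry: AclEntry, number: int) -> str:
    """Render one entry in numbered extended ACL syntax (hypothetical list number)."""
    return f"access-list {number} {entry.action} ip {_ios_addr(entry.src, entry.src_wc)} {_ios_addr(entry.dst, entry.dst_wc)}"


# Constructed ACL covering the three scenarios, then an explicit permit-any so other traffic still flows.
ACL = [
    AclEntry("deny", "10.0.1.10", HOST, "10.0.2.20", HOST),      # one IP to one IP
    AclEntry("deny", "10.0.1.10", HOST, "10.0.3.0", SLASH24),    # one IP to a subnet
    AclEntry("deny", "10.0.4.0", SLASH24, "10.0.5.0", SLASH24),  # subnet to subnet
    AclEntry("permit", "0.0.0.0", ANY_WC, "0.0.0.0", ANY_WC),    # permit ip any any
]
```

Drop the final permit entry and every packet not explicitly denied is silently discarded by the implicit deny, which is the most common mistake when an ACL "blocks everything".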

9.1. Blocking IP-to-IP traffic

9.2. Applying an ACL to an interface

9.3. Blocking IP-to-subnet traffic

9.4. Blocking subnet-to-subnet traffic

9.5. Commands in this chapter

9.6. Hands-on lab