Restricting Virtual Terminal Access 869
Restricting Virtual Terminal Access
Standard and extended ACLs apply to packets traveling through a router. They are not
designed to block packets that originate within the router. By default, an outbound
extended ACL that blocks Telnet does not prevent router-initiated Telnet sessions.
In addition to physical ports or interfaces on the router, such as Fa0/0 and S0/0, there
are virtual ports. These virtual ports are called vty lines. There are five vty lines, which
are numbered zero through four, as shown in Figure 20-16. For security purposes,
users can be permitted or denied virtual terminal access to the router while still being
denied access to destinations beyond that router. For example, an administrator can
configure the ACL to allow terminal access to the router for management or
troubleshooting purposes, while at the same time restricting access beyond this router.
Figure 20-16 Restricting vty Access with ACLs
Restricting vty access is not commonly used as a traffic control mechanism; instead, it
is for increasing network security. vty access is accomplished using the Telnet protocol
to make a nonphysical connection to the router. As a result, there is only one type of
vty ACL. Identical restrictions should be placed on all vty lines because it is impossible
to control which line a user will connect on.
Whereas a vty ACL is created the same way as on an interface, applying the vty ACL
to a terminal line requires using the access-class command instead of the access-group
command. Example 20-7 demonstrates creating and applying a virtual terminal access
list.
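The standard list that Example 20-7 builds is evaluated the way every standard ACL is: top-down, first match wins, with a 0 bit in the wildcard mask meaning "this address bit must match" and a 1 bit meaning "ignore it", and an implicit deny at the end. The following Python model is an added example, not code from the book or from Cisco; it parses the `access-list` statements of Example 20-7 (plus a constructed one-line host list, hypothetical ACL number 1, shaped like the statement in review question 16) and tests Telnet source addresses against them, going beyond the example to cover the `any` and `host` keywords and the implicit deny.

```python
"""Model of how a router evaluates a standard ACL (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass

# Constructed input: the standard list from Example 20-7, plus a hypothetical
# ACL 1 that permits a single host with a 0.0.0.0 wildcard mask.
CONFIG = """
access-list 2 permit 172.16.1.0 0.0.0.255
access-list 2 permit 172.16.2.0 0.0.0.255
access-list 2 deny any
access-list 1 permit 204.211.19.162 0.0.0.0
"""


@dataclass(frozen=True)
class Entry:
    action: str    # "permit" or "deny"
    address: int   # 32-bit address from the statement
    wildcard: int  # 32-bit wildcard mask: 0 bit = must match, 1 bit = ignore


def _addr(text):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def parse_standard_acls(config):
    """Parse 'access-list <n> {permit|deny} <source> [wildcard]' lines into numbered lists."""
    acls = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue  # not an access-list statement
        number, action, src = int(parts[1]), parts[2], parts[3:]
        if src[0] == "any":                 # any == 0.0.0.0 255.255.255.255
            address, wildcard = 0, 0xFFFFFFFF
        elif src[0] == "host":              # host X == X 0.0.0.0
            address, wildcard = _addr(src[1]), 0
        else:
            address = _addr(src[0])
            # An omitted wildcard mask defaults to 0.0.0.0 (exact host match).
            wildcard = _addr(src[1]) if len(src) > 1 else 0
        acls.setdefault(number, []).append(Entry(action, address, wildcard))
    return acls


def matches(entry, source):
    """Compare only the bits the wildcard mask marks as 'must match' (0 bits)."""
    care = ~entry.wildcard & 0xFFFFFFFF
    return (_addr(source) & care) == (entry.address & care)


def evaluate(acl, source):
    """Top-down, first match wins; falling off the end is the implicit deny (index None)."""
    for index, entry in enumerate(acl):
        if matches(entry, source):
            return entry.action, index
    return "deny", None


if __name__ == "__main__":
    acls = parse_standard_acls(CONFIG)
    for src in ("172.16.1.25", "172.16.2.200", "172.16.3.1"):
        print(f"vty connection from {src}: {evaluate(acls[2], src)}")
```

Running the block shows that hosts in 172.16.1.0/24 and 172.16.2.0/24 are permitted by the first two statements and everything else hits the explicit `deny any`; removing that last statement changes nothing for the router, because the implicit deny produces the same result, which is why the model returns `None` as the matching index in that case.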
Example 20-7 Restricting vty Access with ACLs
! Creating the standard list:
Rt1(config)# access-list 2 permit 172.16.1.0 0.0.0.255
Rt1(config)# access-list 2 permit 172.16.2.0 0.0.0.255
Rt1(config)# access-list 2 deny any
! Applying the access list (the prompt changes to config-line mode under line vty):
Rt1(config)# line vty 0 4
Rt1(config-line)# login
Rt1(config-line)# password secret
Rt1(config-line)# access-class 2 in
1102.book Page 869 Tuesday, May 20, 2003 2:53 PM
Keep the following considerations in mind when configuring access lists on vty lines:
■ A name or number can be used when controlling access to an interface.
■ Only numbered access lists can be applied to virtual lines.
■ Identical restrictions should be set on all the virtual terminal lines because a user
can attempt to connect to any of them.
Verifying ACLs
The show ip interface command displays IP interface information and indicates
whether any ACLs are set. Example 20-8 shows the output of the show ip interface
command. As you can see in rows 9 and 10 in Example 20-8, ACL 10 is applied to
outgoing traffic on interface Ethernet0. No ACL is applied to inbound traffic.
Example 20-8 show ip interface Command
Router> show ip interface
Ethernet0 is up, line protocol is up
Internet address is 192.54.22.2, subnet mask is 255.255.255.0
Broadcast address is 255.255.255.255
Address determined by nonvolatile memory
MTU is 1500 bytes
Helper address is 192.52.71.4
Secondary address 131.192.115.2, subnet mask 255.255.255.0
Outgoing ACL 10 is set
Inbound ACL is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are never sent
ICMP mask replies are never sent
IP fast switching is enabled
Gateway Discovery is disabled
IP accounting is disabled
TCP/IP header compression is disabled
Probe proxy name replies are disabled
Router>
The show access-lists command displays the contents of all ACLs. By entering the ACL
name or number as an option for this command, you can see a specific list.
Summary
This chapter presented an overview of the following key points:
■ The two main types of ACLs are standard and extended.
■ Named ACLs allow access lists to be identified by name instead of number.
■ ACLs can be configured for all routed network protocols.
■ ACLs typically are used in firewall routers, which often are positioned between
the internal network and an external network such as the Internet.
■ ACLs also can restrict virtual terminal access to the router.
■ ACLs perform several functions within a Cisco router, including implementing
security/access procedures.
■ ACLs are used to control and manage traffic.
■ For some protocols, you can apply up to two ACLs to an interface: one inbound
ACL and one outbound ACL.
■ With ACLs, after a packet is checked for a match with the ACL statement, it can
be denied or permitted the use of an associated interface.
■ Wildcard mask bits use the numbers 1 and 0 to determine how to treat the
corresponding IP address bits.
To supplement all that you’ve learned in this chapter, refer to the chapter-specific Videos,
PhotoZooms, and e-Lab activities on the CD-ROM accompanying this book.
Key Terms
ACL (access control list)—A means of controlling or limiting network traffic that
compares different criteria to a defined rule set.
bit bucket—The destination of discarded bits (dropped packets), as determined by the
router.
border router—A router situated at the edges or end of the network boundary, which
provides basic security from the outside network or from a less controlled area of the
network into a more private area of the network.
extended ACL—Compares source IP address, destination IP address, TCP/UDP port
number, and other criteria to the rules defining an extended ACL.
exterior router—In firewall architecture, the router that is connected to the Internet is
referred to as the exterior router. It forces all incoming traffic to pass through the
application gateway.
firewall—One or more network devices, such as routers or access servers, designated
as a buffer between any connected public networks and a private network. A firewall
router uses access control lists and other methods to ensure the security of the private
network.
interior router—The router that is connected to the internal network. The interior
router accepts packets only from the application gateway. The gateway controls the
delivery of network-based services both to and from the internal network.
named ACL—ACL that allows standard and extended ACLs to be given names.
queuing—A process by which ACLs can designate certain packets to be processed by a
router before other traffic, on the basis of some configurable parameter such as
specifying a protocol.
standard ACL—ACL that compares source IP addresses to the rules defining a
standard ACL.
Check Your Understanding
Complete all the review questions to test your understanding of the topics and con-
cepts in this chapter. Answers are listed in Appendix C, “Check Your Understanding
Answer Key.”
1. Common ACL functions include filtering packets internally, protecting the
internal network from illegal Internet access, and restricting access to virtual terminal
ports. True or false?
A. True
B. False
2. ACL is an acronym for:
A. Accessibility control list
B. Accountability control list
C. Assessment control list
D. Access control list
3. A(n) ______ ACL works by comparing the source IP address against
the ACL rules.
A. Extended
B. Named
C. Standard
D. Router
4. A(n) ______ ACL works by comparing the source IP address, destination
IP address, or other parameters against the ACL rules.
A. Extended
B. Named
C. Standard
D. Router
5. A(n) ______ ACL uses names instead of numbers to distinguish ACLs.
A. Extended
B. Named
C. Standard
D. Router
6. As a general rule, ACLs should be placed where in the network?
A. In the Internet
B. In the Core
C. Closest to the traffic to be controlled
D. None of the above
7. In a firewall architecture, which router most likely will be configured with
an ACL?
A. The most powerful router
B. The interior router
C. The exterior router
D. All of the above
8. Named ACLs were introduced in Cisco IOS 11.2. True or false?
A. True
B. False
9. What command is used to apply an ACL to a VTY port?
A. ip access-list
B. ip access-class
C. ip access-group
10. Which of the following commands would you use to find out whether any ACLs
are set on an interface?
A. show running-config
B. show ip protocols
C. show ip interface
D. show ip network
11. What do you call the additional 32 bits of information in the access-list statement?
A. Wildcard bits
B. Access bits
C. 0 bits
D. 1 bits
12. If you want to permit traffic based on its addressing or protocol type, you would
use which of the following commands?
A. Router #access-list access-list number {permit | deny} {test conditions}
B. Router (config)#access-list access-list number {permit | deny} {test conditions}
C. Router (config-if)#access-list access-list number {permit | deny} {test conditions}
D. None of the above
13. Standard IP access lists permit or deny routing of a packet based on the IP
address that it originates from and the protocol suite that it is destined for. True
or false?
A. True
B. False
14. Access lists impact network security based on which of the following factors?
A. The data content of the packets
B. The destination subnet/host/network for the packets
C. The source subnet/host/network of the packets
D. The type of the network they are routed through
15. What type of networking device would be needed to implement access lists to
increase network security?
A. Hub
B. Router
C. Bridge
D. Switch
16. What does the following access list allow?
access-list 1 permit 204.211.19.162 0.0.0.0
A. “Deny my network only.”
B. “Permit a specific host.”
C. “Permit only my network.”
D. None of the above.
Part III
Appendixes
Appendix A Structured Cabling
Appendix B Glossary of Key Terms
Appendix C Check Your Understanding Answer Key
Objectives
Upon completion of this appendix, you will be able to
■ Understand the roots of structured cabling
■ Adhere to the rules of structured cabling when designing and performing
installations to provide scalability
■ Recognize subsystems of structured cabling, including demarcation points,
telecommunications and equipment rooms, and roles such as MC, IC, and HC
■ Recognize the special requirements of cabling in the work area
■ Express familiarity with standards organizations such as the Telecommunications
Industry Association (TIA), the Electronic Industries Association (EIA), TIA/EIA,
and the European Committee for Electrotechnical Standardization (CENELEC),
as well as world-level organizations such as the International Organization for
Standardization (ISO)
■ Perform low-voltage telecommunications work with attention to safety, and be
safe around electricity
■ Understand basic points of ladder safety and the importance of proper attire for
cabling work
■ Have a familiarity with the basic specialized hand tools of the installer’s craft,
as well as with basic telecom test and measurement equipment
■ Understand which cabling tasks accompany which phase of a typical project
■ Understand the basic business processes that lead to successful cabling organization