Setting Up an Access List on a Cisco/FS Switch
Access lists (ACLs) are a way to filter traffic on a Cisco or FS switch: each list is an ordered set of permit and deny entries matched against packets, and it can be used to specify which source IP addresses are allowed to reach the switch or the networks behind it. In this article, I'll show you how to set up a standard access list on a Cisco/FS switch and apply it to an interface.
Prerequisites
Before you begin, you'll need the following:
- A terminal emulator program, such as PuTTY
- The IP address and login credentials for your Cisco/FS switch
- The name of the interface that connects the switch to the internet
Step 1: Log in to the switch
To log in to the switch, follow these steps:
- Open your terminal emulator program.
- Enter the IP address of the switch in the "Host Name" field.
- Select the "SSH" protocol (not Telnet, which sends the credentials in clear text).
- Click "Open" to connect to the switch. On the first connection PuTTY shows the switch's host key fingerprint; confirm it matches the one recorded for the switch before accepting it.
- When prompted, enter the username and password for the switch.
Step 2: Enter privileged mode
To enter privileged mode, follow these steps:
- At the command prompt, type
enable
and press Enter.
- You may be prompted for a password. If so, enter the enable password and press Enter. The prompt changes from ">" to "#".
Step 3: Enter global configuration mode
To enter global configuration mode, follow these steps:
- At the command prompt, type
configure terminal
and press Enter. (Typing just configure asks which source to configure from; answer terminal.)
- You will now be in global configuration mode, and the command prompt will change to reflect this, for example hostname(config)#.
Step 4: Create an access list
To create an access list, follow these steps:
- At the command prompt, type
ip access-list [type] [name]
and press Enter. Replace [type] with standard or extended and [name] with a name for your access list. For example,
ip access-list standard my-access-list
creates a standard access list and puts you in access-list configuration mode (the prompt changes to (config-std-nacl)#). A standard access list matches on the source IP address only. If you also need to match on protocol, destination address or port, create an extended access list instead:
ip access-list extended [name]
- To add an entry for a single address, type
permit host [ip address]
or
deny host [ip address]
and press Enter, depending on whether you want to allow or block traffic from that address.
- To allow or block a range of addresses, type
permit [network address] [wildcard mask]
or
deny [network address] [wildcard mask]
and press Enter. The wildcard mask is the inverse of the subnet mask: a 0 bit in the mask must match, a 1 bit is ignored. A /29 (subnet mask 255.255.255.248) therefore has the wildcard mask 0.0.0.7. For example, to deny the 10.10.10.0/29 range (10.10.10.0 through 10.10.10.7), type
deny 10.10.10.0 0.0.0.7
Give the network address rather than a host address such as 10.10.10.1; the switch clears the host bits covered by the wildcard mask anyway, so the stored entry reads 10.10.10.0 0.0.0.7 either way.
- Entries are evaluated from top to bottom and the first match wins. Every access list ends with an implicit deny any that is never displayed, so a list that contains only deny entries blocks all traffic once it is applied. If you only want to block the listed addresses, finish the list with
permit any
- Quick shortcut: on Cisco IOS a numbered standard access list can be written as single lines from global configuration mode, without entering access-list configuration mode. For example, to create access list 10 that blocks the host 10.0.0.1 and permits everything else, type
access-list 10 deny host 10.0.0.1
access-list 10 permit any
and press Enter after each line. The one-line named form
ip access-list standard my-access-list deny 10.0.0.1
is platform dependent: Cisco IOS does not accept it, and the deny entry has to be typed on its own line after ip access-list standard my-access-list. Whichever form you use, remember the trailing permit any.
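The following is a worked example of the matching logic described in this step, added here as an illustration; it is not code from the original article or from any switch vendor. It uses Python's ipaddress module to derive the network address and wildcard mask from CIDR notation (clearing host bits the way the switch does for 10.10.10.1/29), renders the entries in the standard-ACL syntax shown above, and evaluates source addresses top to bottom with the implicit deny, so you can see that the same list without permit any blocks everything. The list name and entries are constructed for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed example (not from the article): the entries built up in Step 4.
# Each entry is (action, target); target is a CIDR network or "any".
ACL_NAME = "my-access-list"
ENTRIES = [
    ("deny", "10.0.0.1/32"),    # single host the article blocks
    ("deny", "10.10.10.1/29"),  # the article's /29; host bits are cleared below
    ("permit", "any"),          # without this the implicit deny blocks everything
]


def to_network(target: str) -> ipaddress.IPv4Network:
    """Parse CIDR, clearing host bits as IOS does (10.10.10.1/29 -> 10.10.10.0/29)."""
    return ipaddress.IPv4Network(target, strict=False)


def wildcard_mask(network: ipaddress.IPv4Network) -> str:
    """Wildcard mask: the bitwise inverse of the subnet mask (/29 -> 0.0.0.7)."""
    return str(network.hostmask)


def acl_line(action: str, target: str) -> str:
    """Render one entry in standard-ACL syntax: host, network + wildcard, or any."""
    if target == "any":
        return f" {action} any"
    net = to_network(target)
    if net.prefixlen == 32:
        return f" {action} host {net.network_address}"
    return f" {action} {net.network_address} {wildcard_mask(net)}"


def render_acl(name: str, entries: List[Tuple[str, str]]) -> List[str]:
    """Lines to paste into global configuration mode."""
    return [f"ip access-list standard {name}"] + [acl_line(a, t) for a, t in entries]


def evaluate(entries: List[Tuple[str, str]], src_ip: str) -> Tuple[str, Optional[int]]:
    """First match wins; a standard ACL tests only the source address.

    Returns (action, sequence number). The switch numbers entries 10, 20, 30, ...
    No match means the implicit 'deny any', reported here as sequence None.
    """
    src = ipaddress.IPv4Address(src_ip)
    for idx, (action, target) in enumerate(entries, start=1):
        if target == "any" or src in to_network(target):
            return action, 10 * idx
    return "deny", None


if __name__ == "__main__":
    print("\n".join(render_acl(ACL_NAME, ENTRIES)))
    for ip in ("10.0.0.1", "10.10.10.6", "10.10.10.8", "192.0.2.10"):
        print(ip, evaluate(ENTRIES, ip), "| without permit any:", evaluate(ENTRIES[:2], ip))
```

Running it prints the three configuration lines exactly as the switch would store them, then shows that 192.0.2.10 is permitted by entry 30 with the full list but hits the implicit deny when the list ends after the two deny entries.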
Step 5: Apply the access list to the internet interface
To apply the access list to the interface that connects the switch to the internet, follow these steps:
- At the command prompt, type
interface [interface type][number]
and press Enter. Replace the interface type and number with the interface you want to apply the access list to. For example, if the interface that connects the switch to the internet is GigabitEthernet0/1, type
interface GigabitEthernet0/1
and press Enter. The prompt changes to (config-if)#.
- Apply the access list by typing
ip access-group [name] [in/out]
and pressing Enter. Replace [name] with the name of the access list you created in step 4, and [in/out] with in to filter traffic arriving on the interface or out to filter traffic leaving it. Direction is from the switch's point of view, so to drop packets coming from the internet you use in. For example, to apply my-access-list to incoming traffic, type
ip access-group my-access-list in
and press Enter. Only one access list can be applied per interface and direction; a second ip access-group in replaces the first.
- Before applying the list, make sure it permits the address you are managing the switch from (or that your session does not pass through this interface); a list without permit any locks you out as soon as it is applied.
- Note that an access list on a data interface does not by itself restrict who can log in to the switch. To limit management access over SSH to the addresses a standard access list permits, apply it to the VTY lines instead:
line vty 0 4
access-class my-access-list in
Step 6: Save your changes
To save your changes so that the access list remains in place even if the switch is restarted, follow these steps:
- Return to privileged mode by typing
end
and pressing Enter (or type exit twice: once to leave interface configuration mode and once to leave global configuration mode).
- At the command prompt, type
write memory
or
copy running-config startup-config
and press Enter.
- This will save your running configuration to the startup configuration of the switch.
Step 7: Verify that the access list is working
To verify that the access list is working, follow these steps:
- At the command prompt, type
show access-lists
and press Enter. This displays every access list on the switch, including the one you created in step 4, with the sequence number of each entry and a match counter ("(N matches)") that increments as traffic hits that entry. The implicit deny at the end of the list is not shown.
- To confirm that the list is applied to the interface, type
show ip interface GigabitEthernet0/1
and press Enter on Cisco IOS; look for the "Inbound access list is my-access-list" line. On platforms that report applied lists as access groups, type
show access-group
and press Enter instead.
- To test the filter, send traffic from a blocked address (for example, ping through the interface from 10.0.0.1) and run show access-lists again: the traffic should fail and the match counter on the deny entry should increase, while traffic from a permitted address continues to work.