UnixSage

Typical ACLs on Edge Routers

Add the ACLs to the router. This is not a dangerous step: nothing happens until the list is applied to an interface or a vty line.

configure terminal
access-list 1 remark Anti Spoof for Serial I/F
access-list 1 deny   63.127.106.56 0.0.0.7
access-list 1 deny   127.0.0.0 0.255.255.255
access-list 1 deny   10.0.0.0 0.255.255.255
access-list 1 deny   172.16.0.0 0.15.255.255
access-list 1 deny   192.168.0.0 0.0.255.255
access-list 1 permit any
access-list 2 remark Access to Admin Interface
access-list 2 permit 63.127.106.56 0.0.0.7
access-list 2 deny   any
[CTRL]+[Z]
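To see what these two lists actually match before applying them, here is an added example (not from the original page, and not Cisco code) that parses the access-list lines above into a small Python evaluator. It implements the two rules that matter for reading an IOS standard ACL: a wildcard mask bit of 0 means "must match" and 1 means "don't care", and entries are tested top to bottom with first match winning and an implicit deny at the end. The sample source addresses fed to it are constructed for illustration.

```python
import ipaddress

# Constructed copy of the two standard ACLs from the page, as typed in IOS.
ACL_LINES = """
access-list 1 remark Anti Spoof for Serial I/F
access-list 1 deny   63.127.106.56 0.0.0.7
access-list 1 deny   127.0.0.0 0.255.255.255
access-list 1 deny   10.0.0.0 0.255.255.255
access-list 1 deny   172.16.0.0 0.15.255.255
access-list 1 deny   192.168.0.0 0.0.255.255
access-list 1 permit any
access-list 2 remark Access to Admin Interface
access-list 2 permit 63.127.106.56 0.0.0.7
access-list 2 deny   any
""".strip().splitlines()


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: 0 bits in the mask must match, 1 bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF  # invert to get the bits we compare
    return (a & care) == (b & care)


def parse_acl_lines(lines):
    """Turn 'access-list N action src [wildcard]' lines into {N: [(action, base, wildcard), ...]}."""
    acls = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        num, action = parts[1], parts[2]
        if action == "remark":          # comments carry no match logic
            continue
        if parts[3] == "any":
            base, wc = "0.0.0.0", "255.255.255.255"
        elif parts[3] == "host":        # 'host X' is shorthand for 'X 0.0.0.0'
            base, wc = parts[4], "0.0.0.0"
        else:
            base = parts[3]
            wc = parts[4] if len(parts) > 4 else "0.0.0.0"  # no mask given means exact host
        acls.setdefault(num, []).append((action, base, wc))
    return acls


def evaluate(acl, src):
    """First matching entry decides; a source that matches nothing hits the implicit deny."""
    for action, base, wc in acl:
        if wildcard_match(src, base, wc):
            return action
    return "deny"


ACLS = parse_acl_lines(ACL_LINES)


def inbound_serial_verdict(src):
    """What ACL 1 does to a packet arriving on the serial interface claiming source 'src'."""
    return evaluate(ACLS["1"], src)


def vty_verdict(src):
    """What ACL 2 (access-class) does to a telnet connection from 'src'."""
    return evaluate(ACLS["2"], src)


if __name__ == "__main__":
    # Constructed sample sources: the site's own /29, private space, and ordinary Internet hosts.
    for src in ["63.127.106.60", "63.127.106.64", "10.1.2.3", "172.31.0.1", "172.32.0.1", "198.51.100.7"]:
        print(f"{src:16} serial-in: {inbound_serial_verdict(src):6}  vty: {vty_verdict(src)}")
```

Running it shows why the ordering in ACL 1 matters: a packet arriving from the Internet that claims the router's own 63.127.106.56/29 block or RFC 1918 space is dropped before the final permit any is reached, while 63.127.106.64 (just outside the /29, since 0.0.0.7 covers only .56 through .63) is permitted. It also shows that ACL 2 admits only the eight addresses of the admin block to the vty lines.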

To verify the access lists:

sh access-lists

To apply the ACL for telnet to the admin interface:

configure terminal
line vty 1 4
access-class 2 in
[CTRL]+[Z]

This does not affect vty 0, only vtys 1 through 4, so you keep a way back in if the list is wrong. Make sure it works by first confirming you can telnet to the vty from inside your network, then confirming you cannot from the outside Internet.

Next apply it to all vtys:

configure terminal
line vty 0 4
access-class 2 in
[CTRL]+[Z]

Retest and make sure you can still get in BEFORE you drop your current console session. Now the Anti-Spoof ACL on the serial I/F. NOTE: I am guessing on the interface name.

configure terminal
interface serial 0
ip access-group 1 in
[CTRL]+[Z]