Question:
Questions about Access Control Lists and Cisco routers?
Joshua
2010-09-20 10:47:57 UTC
I have some questions about access control lists (ACLS) and Cisco routers. First, some background info.

Current Network Setup

My current network setup is the following: cable modem connects to router. Router connects to switch one. Switch one has a few connections to client computers. Switch one has a long cable run to switch 2. Switch 2 has 2 computers connected to it. Every device on the network gets its IP via a DHCP server running on the router.

What I Want To Do

I want to replace switch 2 with a Cisco 10/100 wired Ethernet router. I will then either A) hook switch 2 into the Cisco router and hook clients into switch 2 or B) Hook clients directly into the Cisco router.

I want to set up an Access control list so that the only network traffic allowed from the client computer connected to the Cisco router is

web browser traffic
ssl
ftp
dhcp.

I know that whatever is not permitted is denied by default. I also know the ACL has to be applied to specific interfaces, or a specific interface, and is not active until it's applied. Which ports do I need to allow? Should this ACL be applied to the WAN port? Or to the individual Ethernet ports the client PCs are connected to? Should the ACL be applied inbound or outbound? What would this ACL look like? What Cisco routers support ACLs?

Keep in mind this is a home network with minor traffic; 4 PCs doing web surfing is pretty much the extent of it.
Three answers:
Ceffy
2010-09-21 21:57:39 UTC
HTTP is port 80, yes. 8080 is just its alternative.

FTP is 20 and 21.

My suggestion is this: if the router connected to the modem has ACL capabilities, then don't buy another one. All you have to block is the MAC addresses using the access list.

Now I've got a simpler approach for your home network. Get yourself a second-hand Cisco 1721 router with a WIC-1ENET and replace the router next to the modem. If your switches don't support 802.1q/VLANs, then instead of getting the WIC-1ENET, get a WIC-4ESW instead. Using the WIC-4ESW, you can create VLANs on each port, and you won't need a trunk. Then just plug the two switches into the ports of the WIC-4ESW. The Cisco 1721 is cheap, so don't worry. Also get the one bundled with the WIC I told you about if you know you're gonna save money.

It's better to block on the WAN port so that clients on different VLANs within your network can still normally talk to each other.

If you want to block trojans, bots and others, it's not just an ACL you need. What you really need is a firewall. An ACL only offers Layer 4 inspection. Firewalls inspect data up to the application layer.

With regards to the topology I am suggesting, just send me an email from my Yahoo! Answers profile and tell me your email address so that I can send you the picture of the topology directly. With regards to the configuration, you can also count on me. Just send me an email.
?
2010-09-20 17:58:12 UTC
A second router is a little overkill.

I would get a Cisco 871; it has the WAN for your internet and has a 4-port switch built in. From here make your ACL of what you want to pass through, then just apply it to each interface that you want to lock down.

Like if you want to lock down ports 2 and 3 while leaving the other 2 open, just apply the ACL to interfaces 2 and 3. This will allow all traffic to the other 2 while locking down 2 and 3.

Not sure why you want to lock this traffic down. I'm sure you have reasons, but I don't need to know. I would apply this to inbound and outbound traffic on each port.

Oh, and if you go this route, just a heads up: Int0 - 3 are LAN and Int4 is the WAN.
JoelKatz
2010-09-20 17:52:07 UTC
You can't do that with an access control list. Web traffic can be on any port. Same with FTP. You'd need to set up a proxy and configure each machine to use that proxy.

You also wouldn't be happy if you did set that up. For one thing, without DNS, many applications would break. Second, you'd seriously reduce the performance of UDP-based streaming applications.

Why do you think this is what you want to do? Most of the evil takes place over web browser traffic and that's on your allow list.
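Putting the three answers' points together, this is what such an ACL could look like in Cisco IOS syntax. It is an added example, not configuration posted by the asker or any of the answerers. It uses an extended named ACL applied inbound on the LAN-facing interface; the interface name Vlan1 is an assumption for an 871-style router with a built-in switch (on a router with routed Ethernet ports it would be that port instead). The port numbers come from Ceffy's answer (80 for HTTP, 20/21 for FTP), with 443 added for SSL and 67/68 for DHCP, and DNS is included because, as JoelKatz notes, almost nothing works without name resolution.

```cisco
! Added example, not from the original thread. Interface name is assumed.
ip access-list extended CLIENT-EGRESS
 remark DHCP: client (bootpc/68) asking the router's DHCP server (bootps/67)
 permit udp any eq bootpc any eq bootps
 remark DNS (53): without this most applications cannot resolve names
 permit udp any any eq domain
 remark Web browsing: HTTP (80, keyword www) and SSL/HTTPS (443)
 permit tcp any any eq www
 permit tcp any any eq 443
 remark FTP control channel (21); active-mode data (20) is opened by the server
 permit tcp any any eq ftp
 remark Make the implicit deny visible in the router log so you can see what is blocked
 deny ip any any log
!
interface Vlan1
 description LAN side where the client PCs sit (assumed name)
 ip access-group CLIENT-EGRESS in
!
! Checks after applying it:
!   show ip access-lists CLIENT-EGRESS   - per-line hit counters
!   show ip interface Vlan1              - confirms "Inbound access list is CLIENT-EGRESS"
```

Applied inbound on the LAN side, the ACL filters only what the clients initiate; replies arrive on the WAN interface, which carries no ACL, so no stateful inspection is needed for the permitted flows. Two caveats a practitioner will hit: passive-mode FTP negotiates a random high port for the data channel and is denied by this list, and an ACL matches only ports, not content, which is the firewall point Ceffy makes. The `log` keyword on the final deny is what lets you read the hit counters and the log to find out which legitimate traffic you forgot before you lock the list down further.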


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.