ACL over Loopback
The loopback interface ACL feature provides basic protection for management applications (Telnet, SSH, SNMP, NTP, and similar) that are reachable through in-band interfaces: an access list applied to the loopback interface filters traffic destined to the loopback addresses before it reaches those applications.
Refer to the command reference section for limitations, default behavior, and unsupported features.
Topology
Figure 73. ACL Loopback Topology
Command | Description
#configure terminal | Enter configure mode.
(config)#interface lo | Enter interface mode for the loopback interface.
(config-if)#ip address 3.3.3.3/32 secondary | Assign 3.3.3.3/32 as a secondary IPv4 address.
(config-if)#ip address 4.4.4.4/32 secondary | Assign 4.4.4.4/32 as a secondary IPv4 address.
(config-if)#ip address 5.5.5.5/32 secondary | Assign 5.5.5.5/32 as a secondary IPv4 address.
(config-if)#ip address 6.6.6.6/32 secondary | Assign 6.6.6.6/32 as a secondary IPv4 address.
(config-if)#ip address 7.7.7.7/32 secondary | Assign 7.7.7.7/32 as a secondary IPv4 address.
(config-if)# exit | Exit interface mode.
(config)#commit | Commit the candidate configuration to the running configuration.
(config)#ip access-list loopback | Create the IPv4 access list named loopback and enter access-list mode.
(config-ip-acl)# 10 permit tcp any host 3.3.3.3 eq telnet | Permit Telnet (TCP port 23) from any source to 3.3.3.3.
(config-ip-acl)# 20 deny tcp any host 4.4.4.4 eq telnet | Deny Telnet (TCP port 23) from any source to 4.4.4.4.
(config-ip-acl)# 30 permit tcp any host 5.5.5.5 eq ssh | Permit SSH (TCP port 22) from any source to 5.5.5.5.
(config-ip-acl)# 40 deny tcp any host 6.6.6.6 eq ssh | Deny SSH (TCP port 22) from any source to 6.6.6.6.
(config-ip-acl)# 50 deny udp any host 6.6.6.6 eq snmp | Deny SNMP (UDP port 161) from any source to 6.6.6.6.
(config-ip-acl)# 60 deny udp any host 7.7.7.7 eq ntp | Deny NTP (UDP port 123) from any source to 7.7.7.7.
(config-ip-acl)#exit | Exit access-list mode.
(config)#commit | Commit the candidate configuration to the running configuration.
(config)#interface lo | Enter interface mode for the loopback interface.
(config-if)#ip access-group loopback in | Apply the loopback access list to ingress traffic on interface lo.
(config-if)#exit | Exit interface mode.
(config)#commit | Commit the candidate configuration to the running configuration.
(config)#exit | Exit configure mode.
Validation
Verify that the access list contains the intended entries, that it is active on interface lo in the ingress direction, and that the per-entry match counters increment when test sessions are sent to the loopback addresses. Counters are only reported for entries that have matched traffic, and only while statistics are enabled on the access list (shown in the summary output).
#sh access-lists
IP access list loopback
10 permit tcp any host 3.3.3.3 eq telnet [match=12]
20 deny tcp any host 4.4.4.4 eq telnet [match=12]
30 permit tcp any host 5.5.5.5 eq ssh
40 deny tcp any host 6.6.6.6 eq ssh
50 deny udp any host 6.6.6.6 eq snmp [match=6]
60 deny udp any host 7.7.7.7 eq ntp
#sh ip access-lists summary
IPV4 ACL loopback
statistics enabled
Total ACEs Configured: 6
Configured on interfaces:
lo - ingress (Router ACL)
Active on interfaces:
lo - ingress (Router ACL)
Configured on line vty:
#sh running-config aclmgr
ip access-list loopback
10 permit tcp any host 3.3.3.3 eq telnet
20 deny tcp any host 4.4.4.4 eq telnet
30 permit tcp any host 5.5.5.5 eq ssh
40 deny tcp any host 6.6.6.6 eq ssh
50 deny udp any host 6.6.6.6 eq snmp
60 deny udp any host 7.7.7.7 eq ntp
!
interface lo
ip access-group loopback in
!
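The following is an added example, not part of this page and not code from the device's software. It parses the `ip access-list loopback` block exactly as it appears in the `sh running-config aclmgr` output above and evaluates constructed sample packets against the entries in sequence-number order, first match wins, which is the order in which the `[match=N]` counters in `sh access-lists` are accumulated. It supports only the ACE forms used on this page (`permit`/`deny`, `tcp`/`udp`, `any` source, `host A.B.C.D` destination, `eq <port>`). The page does not state what the device does with traffic that matches no entry, so the evaluator reports `None` for such packets rather than assuming a default; confirm the default behavior in the command reference before relying on it. The port-name to number mapping is the standard IANA assignment.

```python
"""
First-match evaluator for the 'ip access-list loopback' shown on this page.

Added example (not the page's or the device vendor's code). Assumptions:
  - ACEs are evaluated in ascending sequence-number order, first match wins;
  - only the ACE syntax used on this page is supported;
  - the device's action for traffic matching no ACE is NOT stated on the page,
    so evaluate() returns None for it instead of guessing.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Well-known port names used in the ACEs on this page (IANA assignments).
PORT_NAMES = {"telnet": 23, "ssh": 22, "snmp": 161, "ntp": 123}

# Constructed input: the ACL block as shown in the 'sh running-config aclmgr'
# output above (leading spaces are optional for the parser).
RUNNING_CONFIG = """\
ip access-list loopback
 10 permit tcp any host 3.3.3.3 eq telnet
 20 deny tcp any host 4.4.4.4 eq telnet
 30 permit tcp any host 5.5.5.5 eq ssh
 40 deny tcp any host 6.6.6.6 eq ssh
 50 deny udp any host 6.6.6.6 eq snmp
 60 deny udp any host 7.7.7.7 eq ntp
!
interface lo
 ip access-group loopback in
!
"""

ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>tcp|udp)\s+"
    r"any\s+host\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+eq\s+(?P<port>\S+)\s*$"
)

Packet = Tuple[str, str, int]  # (protocol, destination address, destination port)


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str
    proto: str
    dst: str
    dport: int


def parse_port(token: str) -> int:
    """Accept either a numeric port or one of the names used on this page."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_acl(config: str, name: str) -> List[Ace]:
    """Extract the ACEs of the named access list, sorted by sequence number."""
    aces: List[Ace] = []
    in_acl = False
    for line in config.splitlines():
        if line.strip() == f"ip access-list {name}":
            in_acl = True
            continue
        if in_acl and line.strip() == "!":
            break
        if in_acl:
            m = ACE_RE.match(line)
            if not m:
                raise ValueError(f"unsupported ACE syntax: {line!r}")
            aces.append(Ace(int(m["seq"]), m["action"], m["proto"],
                            m["dst"], parse_port(m["port"])))
    if not aces:
        raise ValueError(f"access-list {name} not found")
    return sorted(aces, key=lambda a: a.seq)


def evaluate(aces: List[Ace], proto: str, dst: str, dport: int) -> Optional[Ace]:
    """Return the first matching ACE, or None when no ACE matches."""
    for ace in aces:
        if ace.proto == proto and ace.dst == dst and ace.dport == dport:
            return ace
    return None


def decide(aces: List[Ace], proto: str, dst: str, dport: int) -> Optional[str]:
    """'permit', 'deny', or None (no ACE matched; device default applies)."""
    ace = evaluate(aces, proto, dst, dport)
    return ace.action if ace else None


def count_matches(aces: List[Ace], packets: List[Packet]) -> Dict[int, int]:
    """Per-ACE hit counts for a packet list, mirroring the [match=N] counters."""
    counts = {ace.seq: 0 for ace in aces}
    for proto, dst, dport in packets:
        ace = evaluate(aces, proto, dst, dport)
        if ace:
            counts[ace.seq] += 1
    return counts


if __name__ == "__main__":
    acl = parse_acl(RUNNING_CONFIG, "loopback")
    samples: List[Packet] = [("tcp", "3.3.3.3", 23), ("tcp", "4.4.4.4", 23),
                             ("udp", "6.6.6.6", 161), ("tcp", "7.7.7.7", 22)]
    for proto, dst, port in samples:
        hit = evaluate(acl, proto, dst, port)
        verdict = f"{hit.action} by ACE {hit.seq}" if hit else "no ACE matched (device default applies)"
        print(f"{proto} -> {dst}:{port}: {verdict}")
    print("match counters:", count_matches(acl, samples))
```

The last sample, SSH to 7.7.7.7, is deliberately one that none of the six entries covers; it is the case to check on the device, because whether such traffic is dropped or passed is decided by the ACL default behavior documented in the command reference, not by anything in the configuration above.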