FREE VIDEO: Harden your Cisco Router with IOS ACLs

by David Davis on August 9, 2007

Recently, I created a short video that shows you how to secure your Cisco router using Access-control lists (ACL) in the Cisco IOS. It is a step-by-step ten-minute video. It was originally published over at

In this video, I walk you through the steps you’ll need to take to use Cisco IOS access control lists (ACLs) to define and filter traffic for better network security.

I recommend Train Signal Cisco CCNA Video Training!

Here is my network diagram (click on it to enlarge it):

Hardening your Router with Cisco IOS ACLs

Here is the actual ACL used in the video:

!DNS resolution must be happening locally
!Default gateways must be configured on each side of the network
!If you were doing this between a LAN and the Internet, you would have NAT to
take into account
!Reflexive access-lists or firewall features can be used to improve on this

ip access-list extended less-secure
remark allow all hosts on 10 net to access web server
permit tcp host eq www
permit tcp host eq 443

remark allow RESPONSE to secure PC’s requets for access to web, ftp control,
data, smtp, and pop3 on 10 net
permit tcp eq www host
permit tcp eq ftp host
permit tcp eq ftp-data host
permit tcp eq smtp host
permit tcp eq pop3 host

ip access-list extended more-secure
remark allow web server to respond to all hosts on 10 net
permit tcp host eq www
permit tcp host eq 443

remark allow PC full access to make requests to less secure network
permit tcp host

int fa4
ip access-group less-secure in

int vlan1
ip access-group more-secure in

{ 8 comments… read them below or add one }

John 09.05.08 at 2:10 pm

Thank you for taking your valuable time to create such helpful content for those (like myself) that are new and curious to the Cisco world.

Marlon 11.09.08 at 6:52 pm


I am new on cisco world. This video is very helpful and interesting.. but I have a question… why in your extended ACL you do not have a line saying…

Deny ip any any ???, or something that say that any other traffic won t be allowed?


ahamed 01.06.09 at 12:24 pm

i am a ccna. i visit this site to develop my knowledge. thank you for the video. i need to download this video, because my internet connection is very slow . help me plz
thank you

Russell C. 08.16.09 at 5:57 pm

This is a response to Marlon’s question: You don’t have to put a statement like deny ip any any at the end of each list because there is an implict deny all statement at the end of each list as long as there is at least one permit access control element (ACE) in the ACL. I hope this answers your question.

Phillip B 10.24.09 at 6:08 pm

Your video needs the ability to expand the size of the screen. Why, I cannot see a cotton pick’n thing with the screen size that small. If your videos are this way in tutorial, the student will have more trouble understanding what you typed and why….

Not all viewers have 20/20 or xray vision. :)

Ganesh 01.15.11 at 9:25 am

Thanks a lot for sharing the Knowledge. Keep Rocking.

JK 02.10.11 at 1:26 am



prakash 12.05.11 at 6:30 am


thanks for the video. it help full to all CCNA students include me.

anyway once again thank u ……………

Leave a Comment

You can use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Previous post:

Next post: