Post

ACL

Posted
By Ntwork_Beginner
4 min read
ACL

๐Ÿ” Access Control Lists (ACLs): Technical Guide

Welcome to the definitive guide to Access Control Lists (ACLs) โ€” optimized for learners, revision, and interview preparation. This guide covers Standard and Extended ACLs, along with configuration best practices, verification, and editing techniques.

๐Ÿ“˜ 1. Inroduction to ACLs

  • Definition: An Access Control List (ACL) is an ordered list of Access Control Entries (ACEs) used to filter network packets at router interfaces.

๐Ÿ”ง Primary Functions

  • Packet Filtering: Allow or deny traffic based on rules.
  • Security Enforcement: Restrict access to resources (e.g., servers, segments).
  • Traffic Classification: Identify traffic for VPNs, QoS, or monitoring.

โš™๏ธ Router Behavior & ACLs

  • Default behavior: Forward packets if a route exists.
  • ACLs override this by enforcing access rules.
  • Logic resembles if-then-else:
    1
2
3

    If packet matches Rule 1 โ†’ Apply action
Else if matches Rule 2 โ†’ Apply action
Else โ†’ Implicitly denied

๐Ÿ“˜ 2. Core ACL Concepts

ConceptDescription
ACEEach rule in an ACL (permit or deny)
Sequential MatchingRules processed from top to bottom
First Match WinsOnce matched, packet is acted on and evaluation stops
Implicit DenyHidden rule at the end denies everything not explicitly permitted
Wildcard MaskInverse subnet mask used to define IP ranges
DirectionACLs are applied inbound or outbound on interfaces
Shadowed RulesRedundant ACEs that are never matched due to previous rules
VTY FilteringACLs can secure remote access via Telnet/SSH on VTY lines

๐ŸŽฏ Wildcard Mask Tips

  • 0 = must match1 = doesnโ€™t matter

  • Example: 0.0.0.255 โ†’ matches a /24 network

  • Shortcut: Wildcard Mask = 255.255.255.255 - Subnet Mask

๐Ÿ”Œ ACL Application Points

  • Inbound: Evaluates traffic entering an interface.

  • Outbound: Evaluates traffic leaving an interface.

  • Each interface: Max one ACL per direction.

  • ACLs must be explicitly applied to be active.

๐Ÿ“˜ 3. ACL Identification Types

TypeDescription
NumberedIdentified using a specific number range
NamedAssigned a custom name for clarity/editing

๐Ÿงฉ Benefits of Named ACLs

  • Easier editing (remove individual ACEs)

  • Use of sequence numbers

  • Better documentation (remark statements)

๐Ÿ“˜ 4. Standard ACLs

๐Ÿ”‘ Key Feature

  • Filters only on Source IP Address

  • Simple but less granular filtering (broad strokes)

๐Ÿงฎ Number Ranges

  • 1โ€“99

  • 1300โ€“1999

๐Ÿ› ๏ธ Configuration

  • โœ… Numbered ACL Example
1

access-list 10 permit 192.168.1.0 0.0.0.255
  • โœ… Named ACL Example
1
2
3

ip access-list standard BLOCK-HOSTS
  deny host 192.168.10.100
  permit any
  • โœ… With Remarks
1
2

access-list 15 remark Block Marketing Dept
access-list 15 deny 192.168.10.0 0.0.0.255
  • ๐Ÿšฆ Application
1
2

interface GigabitEthernet0/1
  ip access-group BLOCK-HOSTS out

Best Practice: Apply outbound, close to destination to avoid unintended blocking.

  • ** ๐Ÿงช Verification**
1
2
3

show access-lists
show ip access-lists
show ip interface GigabitEthernet0/1

โœ๏ธ Editing Standard ACLs

| Type | Can Delete ACEs? | Edit Inline? | Notes | | โ€”โ€”โ€”โ€” | โ€”โ€”โ€”โ€”โ€”- | โ€”โ€”โ€”โ€” | โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€” | | Numbered | โŒ No | โŒ No | no access-list 10 removes entire ACL | | Named | โœ… Yes | โœ… Yes | Use sequence numbers and no seq-num |

๐Ÿ“˜ 5. Extended ACLs

๐Ÿ”‘ Key Feature

  • Filters traffic based on multiple parameters:
    • Protocol (TCP, UDP, ICMP, etc.)
    • Source IP
    • Destination IP
    • Port numbers
    • Flags (e.g., ACK, SYN)

๐Ÿ—ƒ๏ธ Number Ranges

  • 100โ€“199
  • 2000โ€“2699

๐Ÿ› ๏ธ Configuration

โœ… Numbered ACL Example

1

access-list 110 permit tcp host 192.168.1.10 any eq 80

โœ… Named ACL Example

1
2

ip access-list extended WEB-ACCESS
  permit tcp host 192.168.1.10 any eq www

๐Ÿ” Matching Options

FieldExample
Protocoltcp, udp, icmp, ip
IP Address (single)host 192.168.1.5
IP Range192.168.1.0 0.0.0.255
Any IPany
Port Operatorseq, gt, lt, neq, range
Port Keywordswww, ftp, domain, ntp, etc.

๐Ÿšฆ Application

1
2

interface GigabitEthernet0/0
  ip access-group WEB-ACCESS in

Best Practice: Apply inbound, close to source to drop unwanted traffic early.

๐Ÿงช Verification

1
2
3

show access-lists
show ip access-lists
show ip interface GigabitEthernet0/0

โœ๏ธ Editing Extended ACLs

TaskCommand/Method
Delete ACEno 20 (in ACL config mode)
Insert ACEUse specific sequence-number
Resequence ACEsip access-list resequence ACL_NAME 10 10

๐Ÿ“˜ 6. Wildcard Mask Cheat Sheet

Subnet MaskWildcard MaskDescription
255.255.255.00.0.0.255/24 โ€“ Match last octet
255.255.0.00.0.255.255/16 โ€“ Match last 2
host keyword0.0.0.0Match exact IP

๐Ÿ“˜ 7. ACL Application Commands

Interface Example

1
2

interface GigabitEthernet0/1
  ip access-group 110 in

๐Ÿ” VTY Lines Example (Telnet/SSH ACL)

1
2

line vty 0 4
  access-class VTY-ACL in

๐Ÿ“˜ 8. Interview & Revision Summary

FeatureStandard ACLExtended ACL
Filters BySource IP onlyProtocol, Source/Destination IP, Port
Number Range1โ€“99, 1300โ€“1999100โ€“199, 2000โ€“2699
PlacementClose to destinationClose to source
Port FilteringโŒ Not Supportedโœ… Yes
Protocol AwarenessโŒ Noโœ… Yes
ComplexitySimpleAdvanced
EditingHarder (unless named)Easier with named ACLs + seq nums

โœ… ACL Knowledge = Network Security Control

With ACLs, you gain control, visibility, and security over network traffic โ€” whether youโ€™re securing routers, segmenting users, or preparing for certification/interviews.

๐Ÿ™Œ Connect With Me

GitHub LinkedIn YouTube Gmail

CCNA
acl ccna ccnp cisco network_topics
This post is licensed under CC BY 4.0 by the author.