Objective

Create standard and extended ACLs to filter network traffic, apply them to interfaces, and understand ACL processing order.

Tools & Technologies

  • ACL
  • Cisco IOS
  • standard ACL
  • extended ACL
  • ip access-list

Key Commands

access-list 10 permit 192.168.1.0 0.0.0.255
ip access-list extended BLOCK_TELNET
access-list 100 deny tcp any any eq 23
show ip access-lists

Architecture Overview

flowchart TD
    PKT[Packet arrives] --> ACL{ACL applied\nto interface?}
    ACL -->|No| FWD[Forward normally]
    ACL -->|Yes, inbound| RULES[Check rules\ntop to bottom]
    RULES -->|First match PERMIT| FWD
    RULES -->|First match DENY| DROP[Drop packet]
    RULES -->|No match| IMPLICIT[Implicit deny\nall dropped]
    style RULES fill:#1a1a2e,stroke:#00d4ff,color:#e0e0e0
    style DROP fill:#1a1a2e,stroke:#ff4444,color:#ff4444

Step-by-Step Process

01
Standard ACLs (filter by source IP only)

Standard ACLs only match on source IP. Apply close to destination.

! Permit 192.168.1.0/24, deny rest
access-list 10 permit 192.168.1.0 0.0.0.255
! (implicit deny all)

! Apply to interface
interface Gi0/1
 ip access-group 10 out

show ip access-lists 10

02
Extended ACLs (src+dst IP, protocol, port)

Extended ACLs match on source, destination, protocol, and ports. Apply close to source.

! Block Telnet (port 23) from any source
ip access-list extended BLOCK_TELNET
 deny tcp any any eq 23
 permit ip any any

! Permit only HTTP/HTTPS to server
ip access-list extended WEB_ONLY
 permit tcp any host 10.0.0.5 eq 80
 permit tcp any host 10.0.0.5 eq 443
 deny ip any any log

interface Gi0/0
 ip access-group WEB_ONLY in

03
ACL Wildcards

Wildcard masks are the bitwise inverse of subnet masks: a 0 bit must match the address bit exactly, a 1 bit is "don't care" (so an octet of 0 must match and an octet of 255 matches anything).

! Match 192.168.1.0/24
! Subnet:   255.255.255.0
! Wildcard: 0.0.0.255

! Match any host: 0.0.0.0 255.255.255.255
! Match one host: 192.168.1.5 0.0.0.0
! Match /16:      10.10.0.0 0.0.255.255
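
The processing model in the flowchart and in steps 01 to 03 (wildcard matching, top-to-bottom first match, implicit deny, and the per-entry match counters that show ip access-lists reports) can be checked offline with a small simulator. The following Python is an added example written for this page, not Cisco code or IOS output; the Entry and Packet classes, the evaluate and match_counters functions, and the sample traffic are all constructed here. It encodes the three lists from the page and also shows why order matters: the same BLOCK_TELNET entries in reverse order let Telnet through because the permit shadows the deny.

```python
"""Simulator for Cisco-style ACL evaluation: wildcard masks, first-match
top-to-bottom processing, and the implicit deny at the end of every list."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")      # "any" keyword: every bit is don't-care


def host(ip: str) -> Tuple[str, str]:
    """'host 10.0.0.5' is shorthand for 10.0.0.5 0.0.0.0 (every bit must match)."""
    return (ip, "0.0.0.0")


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask is the bitwise inverse of the subnet mask: /24 -> 0.0.0.255."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = this address bit must equal the base; bit 1 = ignore it."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w                    # the bits that must be compared
    return (a & care) == (b & care)


@dataclass
class Entry:
    action: str                              # "permit" or "deny"
    proto: str = "ip"                        # "ip" matches every protocol
    src: Tuple[str, str] = ANY               # (base, wildcard) for the source
    dst: Tuple[str, str] = ANY               # standard ACLs leave this as ANY
    dport: Optional[int] = None              # "eq <port>" on the destination
    log: bool = False


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based entry number). Entries are checked top to bottom,
    the first match decides, and falling off the end is the implicit deny."""
    for number, e in enumerate(acl, start=1):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, *e.src) or not wildcard_match(pkt.dst, *e.dst):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, number
    return "deny", None                      # implicit deny: no entry matched


def match_counters(acl: List[Entry], packets: List[Packet]) -> List[int]:
    """Per-entry hit counts, like the '(N matches)' column of show ip access-lists."""
    hits = [0] * len(acl)
    for pkt in packets:
        _, number = evaluate(acl, pkt)
        if number is not None:
            hits[number - 1] += 1
    return hits


# The three lists from the page, expressed as entries.
ACL_10 = [Entry("permit", src=("192.168.1.0", "0.0.0.255"))]           # standard ACL
BLOCK_TELNET = [Entry("deny", "tcp", ANY, ANY, 23), Entry("permit", "ip", ANY, ANY)]
WEB_ONLY = [
    Entry("permit", "tcp", ANY, host("10.0.0.5"), 80),
    Entry("permit", "tcp", ANY, host("10.0.0.5"), 443),
    Entry("deny", "ip", ANY, ANY, log=True),
]

if __name__ == "__main__":
    # Constructed sample traffic, not captured from a real network.
    telnet = Packet("10.1.1.1", "10.0.0.5", "tcp", 23)
    https = Packet("10.1.1.1", "10.0.0.5", "tcp", 443)
    print("telnet vs BLOCK_TELNET:", evaluate(BLOCK_TELNET, telnet))         # ('deny', 1)
    print("telnet vs reversed list:", evaluate(BLOCK_TELNET[::-1], telnet))  # ('permit', 1)
    print("WEB_ONLY counters:", match_counters(WEB_ONLY, [telnet, https]))   # [0, 1, 1]
```

Running the reversed BLOCK_TELNET through evaluate is the quickest way to see the "first match wins" rule: once permit ip any any sits above the deny, the deny can never be reached, which on a real device would show up as a match counter for that entry that never increments.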

Challenges & Solutions

  • ACLs are processed top-down — first match wins, put specific rules before general
  • IOS assigns sequence numbers automatically to entries added to an ACL; with the classic access-list syntax a new entry is appended at the end, so use the ip access-list form with an explicit sequence number to insert a rule above an existing one

Key Takeaways

  • Standard ACLs near destination, extended ACLs near source
  • show ip access-lists shows match counters — use to verify rules are hitting