I configured standard and extended ACLs on Cisco IOS to enforce least-privilege traffic flow between segments, ordering rules so specific permits precede the implicit deny. Correct sequencing turned ACLs into a precise filter rather than an accidental black hole.

Objective & Context

ACLs filter by matching packets top-down against ordered entries with an implicit deny at the end. This lab uses standard ACLs (source only) and extended ACLs (source, destination, protocol, port) to enforce segment policy, mirroring host firewall intent at the network layer.

Environment & Prerequisites

  • Cisco router/L3 switch (or emulator) with multiple subnets.
  • Defined allow/deny policy between segments.
  • Understanding of wildcard masks.

Step-by-Step Execution

1. Define an extended ACL

ip access-list extended SEG-POLICY ; permit tcp 192.168.20.0 0.0.0.255 host 192.168.30.10 eq 443 ; deny ip any any log

2. Apply it to an interface direction

interface Gi0/1 ; ip access-group SEG-POLICY in

3. Verify hit counts

show access-lists SEG-POLICY
10 permit tcp 192.168.20.0 0.0.0.255 host 192.168.30.10 eq 443 (142 matches)
20 deny ip any any log (37 matches)

Validation & Testing

Send permitted and denied flows and confirm hit counters increment on the expected entries, with denied traffic logged. Pass criteria: only the explicitly permitted flow passes and the implicit deny catches everything else.

Advanced: Troubleshooting
  • Everything blocked: a too-early deny or missing permit before the implicit deny; reorder entries.
  • Wrong direction: apply inbound vs outbound on the correct interface relative to traffic.
  • Wildcard mask errors: remember masks are inverse of subnet masks.

Key Results

  • Enforced least-privilege flow with a single permitted service path.
  • Logged 100% of denied traffic for audit via the deny-log entry.
  • Validated rule ordering through per-entry hit counters.
  • Aligned network-layer filtering with host firewall policy.