Access Control Lists: Standard and Extended Traffic Filtering
I configured standard and extended ACLs on Cisco IOS to enforce least-privilege traffic flow between segments, ordering rules so specific permits precede the implicit deny. Correct sequencing turned ACLs into a precise filter rather than an accidental black hole.
Objective & Context
ACLs filter by matching packets top-down against ordered entries with an implicit deny at the end. This lab uses standard ACLs (source only) and extended ACLs (source, destination, protocol, port) to enforce segment policy, mirroring host firewall intent at the network layer.
Environment & Prerequisites
- Cisco router/L3 switch (or emulator) with multiple subnets.
- Defined allow/deny policy between segments.
- Understanding of wildcard masks.
Step-by-Step Execution
1. Define an extended ACL
ip access-list extended SEG-POLICY ; permit tcp 192.168.20.0 0.0.0.255 host 192.168.30.10 eq 443 ; deny ip any any log2. Apply it to an interface direction
interface Gi0/1 ; ip access-group SEG-POLICY in3. Verify hit counts
show access-lists SEG-POLICY10 permit tcp 192.168.20.0 0.0.0.255 host 192.168.30.10 eq 443 (142 matches)
20 deny ip any any log (37 matches)
Validation & Testing
Send permitted and denied flows and confirm hit counters increment on the expected entries, with denied traffic logged. Pass criteria: only the explicitly permitted flow passes and the implicit deny catches everything else.
Advanced: Troubleshooting
- Everything blocked: a too-early deny or missing permit before the implicit deny; reorder entries.
- Wrong direction: apply inbound vs outbound on the correct interface relative to traffic.
- Wildcard mask errors: remember masks are inverse of subnet masks.
Key Results
- Enforced least-privilege flow with a single permitted service path.
- Logged 100% of denied traffic for audit via the deny-log entry.
- Validated rule ordering through per-entry hit counters.
- Aligned network-layer filtering with host firewall policy.