๐ฏ Lab Objectives
- Understand how ACLs filter traffic using permit/deny rules
- Configure numbered standard ACLs (1-99) to filter by source IP
- Configure extended ACLs to filter by source, destination, port, and protocol
- Apply ACLs to interfaces in the correct direction
- Verify ACL matches with show commands
ACL = Traffic filter. Think of it as a bouncer at a nightclub โ it checks every packet and either lets it through (permit) or blocks it (deny). There's always an invisible implicit "deny all" at the end of every ACL.
Step 1 โ ACL Concepts
# ACL rules are processed TOP to BOTTOM, FIRST MATCH WINS
# Order matters enormously!
# Example:
permit 192.168.1.0 0.0.0.255 โ allows the whole /24
deny 192.168.1.10 โ NEVER reached for .10 (already permitted above!)
# Correct order:
deny 192.168.1.10 โ block this specific host
permit 192.168.1.0 0.0.0.255 โ allow rest of /24
# Implicit deny at end:
# Every ACL ends with an invisible:
# deny any (for standard) / deny ip any any (for extended)
# If no rule matches โ packet DROPPED
# Two ACL types:
# Standard (1-99, 1300-1999) โ filter by SOURCE IP only
# Extended (100-199, 2000-2699) โ filter by src, dst, protocol, port
Step 2 โ Standard ACLs
# Standard ACL โ only checks source IP
# Number range: 1-99
# Block a single host
access-list 10 deny 192.168.1.10
access-list 10 permit any
# Block an entire subnet
access-list 11 deny 192.168.2.0 0.0.0.255
access-list 11 permit any
# Allow only one subnet, deny everything else
access-list 12 permit 10.0.0.0 0.0.0.255
# implicit deny any at end
# Wildcard shortcuts:
# host 192.168.1.1 = 192.168.1.1 0.0.0.0 (exact host)
# any = 0.0.0.0 255.255.255.255 (all IPs)
access-list 13 deny host 192.168.1.5
access-list 13 permit any
Step 3 โ Extended ACLs
# Extended ACL syntax:
access-list NUMBER {permit|deny} PROTOCOL SOURCE [PORT] DESTINATION [PORT]
# Block HTTP (port 80) from a host to a server
access-list 100 deny tcp host 192.168.1.10 host 10.0.0.5 eq 80
access-list 100 permit ip any any
# Block Telnet (port 23) from any source to any destination
access-list 101 deny tcp any any eq 23
access-list 101 permit ip any any
# Allow only SSH (22) and HTTPS (443) to a server
access-list 102 permit tcp any host 10.0.0.5 eq 22
access-list 102 permit tcp any host 10.0.0.5 eq 443
# implicit deny ip any any
# Protocol options:
# ip โ all IP traffic
# tcp โ TCP only
# udp โ UDP only
# icmp โ ping
# ospf โ OSPF routing protocol
# Port keywords:
# eq 80 โ equal to port 80
# gt 1024 โ greater than 1024
# lt 1024 โ less than 1024
# range 20 21 โ ports 20-21
Step 4 โ Named ACLs
# Named ACLs are easier to read and modify
ip access-list standard BLOCK_GUEST
deny 192.168.100.0 0.0.0.255
permit any
ip access-list extended ALLOW_WEB
permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any
# Edit a named ACL (add/remove individual lines)
ip access-list extended ALLOW_WEB
no permit tcp any any eq 80 # remove a line
15 permit tcp any any eq 8080 # insert at sequence 15
Step 5 โ Applying ACLs to Interfaces
# Apply ACL to interface
interface GigabitEthernet0/1
ip access-group 100 in # filter traffic ENTERING this interface
ip access-group 101 out # filter traffic LEAVING this interface
# Only ONE ACL per interface per direction (in/out)
# Remove an ACL from an interface
interface GigabitEthernet0/1
no ip access-group 100 in
Step 6 โ ACL Placement Rules
# GOLDEN RULES:
# Standard ACLs โ place CLOSE TO DESTINATION
# (they only check source IP โ placing close to source might block too much)
# Extended ACLs โ place CLOSE TO SOURCE
# (they are specific โ block early to save bandwidth)
# Example topology:
# PC (192.168.1.0/24) โ R1 โ R2 โ Server (10.0.0.5)
# Goal: block PC subnet from reaching the server
# Standard ACL placement: on R2 (close to destination)
access-list 10 deny 192.168.1.0 0.0.0.255
access-list 10 permit any
โ Apply inbound on R2's interface toward the server
# Extended ACL placement: on R1 (close to source)
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 10.0.0.5
access-list 100 permit ip any any
โ Apply inbound on R1's LAN interface
Step 7 โ Verifying ACLs
# Show all ACLs
show access-lists
# Show a specific ACL
show access-lists 100
# Match counters show how many packets matched each line
Extended IP access list 100
10 deny tcp host 192.168.1.10 host 10.0.0.5 eq 80 (15 matches)
20 permit ip any any (1523 matches)
# Show which ACLs are applied to which interfaces
show ip interface GigabitEthernet0/1 | include access list
# Clear ACL match counters
clear ip access-list counters
Step 8 โ Common ACL Examples
# Block all Telnet (23) - enforce SSH only
ip access-list extended NO_TELNET
deny tcp any any eq 23
permit ip any any
# Block ICMP (stop ping) from internet
ip access-list extended NO_PING_IN
deny icmp any any echo
permit ip any any
# Allow only a management host to access routers via SSH
ip access-list standard MGMT_ONLY
permit host 10.0.0.100
deny any
line vty 0 4
access-class MGMT_ONLY in # apply to VTY (SSH/Telnet) lines
# Block traffic between two VLANs
ip access-list extended BLOCK_VLAN10_TO_20
deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip any any
๐ ACL Quick Reference
| Item | Value |
|---|---|
| Standard numbered | 1โ99, 1300โ1999 |
| Extended numbered | 100โ199, 2000โ2699 |
| Processing order | Top to bottom, first match wins |
| Default action | Implicit deny all at end |
| Standard placement | Close to destination |
| Extended placement | Close to source |
| Per interface limit | One ACL per direction (in/out) |
| Apply to VTY | access-class ACL_NAME in |
Lab Complete! ACLs are your primary traffic filtering tool on Cisco networks. Practice building them in Packet Tracer โ mistakes are easy to make and easy to fix there before touching real routers.