๐ŸŽฏ Lab Objectives

  • Understand how ACLs filter traffic using permit/deny rules
  • Configure numbered standard ACLs (1-99) to filter by source IP
  • Configure extended ACLs to filter by source, destination, port, and protocol
  • Apply ACLs to interfaces in the correct direction
  • Verify ACL matches with show commands
๐Ÿ‘ถ
ACL = Traffic filter. Think of it as a bouncer at a nightclub โ€” it checks every packet and either lets it through (permit) or blocks it (deny). There's always an invisible implicit "deny all" at the end of every ACL.

Step 1 โ€” ACL Concepts

# ACL rules are processed TOP to BOTTOM, FIRST MATCH WINS
# Order matters enormously!

# Example:
permit 192.168.1.0 0.0.0.255   โ†’ allows the whole /24
deny   192.168.1.10             โ†’ NEVER reached for .10 (already permitted above!)

# Correct order:
deny   192.168.1.10             โ†’ block this specific host
permit 192.168.1.0 0.0.0.255   โ†’ allow rest of /24

# Implicit deny at end:
# Every ACL ends with an invisible:
# deny any   (for standard) / deny ip any any (for extended)
# If no rule matches โ†’ packet DROPPED

# Two ACL types:
# Standard (1-99, 1300-1999)   โ†’ filter by SOURCE IP only
# Extended (100-199, 2000-2699) โ†’ filter by src, dst, protocol, port

Step 2 โ€” Standard ACLs

# Standard ACL โ€” only checks source IP
# Number range: 1-99

# Block a single host
access-list 10 deny 192.168.1.10
access-list 10 permit any

# Block an entire subnet
access-list 11 deny 192.168.2.0 0.0.0.255
access-list 11 permit any

# Allow only one subnet, deny everything else
access-list 12 permit 10.0.0.0 0.0.0.255
# implicit deny any at end

# Wildcard shortcuts:
# host 192.168.1.1 = 192.168.1.1 0.0.0.0  (exact host)
# any             = 0.0.0.0 255.255.255.255 (all IPs)
access-list 13 deny host 192.168.1.5
access-list 13 permit any

Step 3 โ€” Extended ACLs

# Extended ACL syntax:
access-list NUMBER {permit|deny} PROTOCOL SOURCE [PORT] DESTINATION [PORT]

# Block HTTP (port 80) from a host to a server
access-list 100 deny tcp host 192.168.1.10 host 10.0.0.5 eq 80
access-list 100 permit ip any any

# Block Telnet (port 23) from any source to any destination
access-list 101 deny tcp any any eq 23
access-list 101 permit ip any any

# Allow only SSH (22) and HTTPS (443) to a server
access-list 102 permit tcp any host 10.0.0.5 eq 22
access-list 102 permit tcp any host 10.0.0.5 eq 443
# implicit deny ip any any

# Protocol options:
# ip   โ†’ all IP traffic
# tcp  โ†’ TCP only
# udp  โ†’ UDP only
# icmp โ†’ ping
# ospf โ†’ OSPF routing protocol

# Port keywords:
# eq 80    โ†’ equal to port 80
# gt 1024  โ†’ greater than 1024
# lt 1024  โ†’ less than 1024
# range 20 21 โ†’ ports 20-21

Step 4 โ€” Named ACLs

# Named ACLs are easier to read and modify
ip access-list standard BLOCK_GUEST
 deny 192.168.100.0 0.0.0.255
 permit any

ip access-list extended ALLOW_WEB
 permit tcp any any eq 80
 permit tcp any any eq 443
 deny ip any any

# Edit a named ACL (add/remove individual lines)
ip access-list extended ALLOW_WEB
 no permit tcp any any eq 80   # remove a line
 15 permit tcp any any eq 8080  # insert at sequence 15

Step 5 โ€” Applying ACLs to Interfaces

# Apply ACL to interface
interface GigabitEthernet0/1
 ip access-group 100 in    # filter traffic ENTERING this interface
 ip access-group 101 out   # filter traffic LEAVING this interface

# Only ONE ACL per interface per direction (in/out)

# Remove an ACL from an interface
interface GigabitEthernet0/1
 no ip access-group 100 in

Step 6 โ€” ACL Placement Rules

# GOLDEN RULES:
# Standard ACLs โ†’ place CLOSE TO DESTINATION
# (they only check source IP โ€” placing close to source might block too much)

# Extended ACLs โ†’ place CLOSE TO SOURCE
# (they are specific โ€” block early to save bandwidth)

# Example topology:
# PC (192.168.1.0/24) โ†’ R1 โ†’ R2 โ†’ Server (10.0.0.5)
# Goal: block PC subnet from reaching the server

# Standard ACL placement: on R2 (close to destination)
access-list 10 deny 192.168.1.0 0.0.0.255
access-list 10 permit any
โ†’ Apply inbound on R2's interface toward the server

# Extended ACL placement: on R1 (close to source)
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 10.0.0.5
access-list 100 permit ip any any
โ†’ Apply inbound on R1's LAN interface

Step 7 โ€” Verifying ACLs

# Show all ACLs
show access-lists

# Show a specific ACL
show access-lists 100

# Match counters show how many packets matched each line
Extended IP access list 100
    10 deny tcp host 192.168.1.10 host 10.0.0.5 eq 80 (15 matches)
    20 permit ip any any (1523 matches)

# Show which ACLs are applied to which interfaces
show ip interface GigabitEthernet0/1 | include access list

# Clear ACL match counters
clear ip access-list counters

Step 8 โ€” Common ACL Examples

# Block all Telnet (23) - enforce SSH only
ip access-list extended NO_TELNET
 deny tcp any any eq 23
 permit ip any any

# Block ICMP (stop ping) from internet
ip access-list extended NO_PING_IN
 deny icmp any any echo
 permit ip any any

# Allow only a management host to access routers via SSH
ip access-list standard MGMT_ONLY
 permit host 10.0.0.100
 deny any

line vty 0 4
 access-class MGMT_ONLY in   # apply to VTY (SSH/Telnet) lines

# Block traffic between two VLANs
ip access-list extended BLOCK_VLAN10_TO_20
 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip any any

๐Ÿ“‹ ACL Quick Reference

ItemValue
Standard numbered1โ€“99, 1300โ€“1999
Extended numbered100โ€“199, 2000โ€“2699
Processing orderTop to bottom, first match wins
Default actionImplicit deny all at end
Standard placementClose to destination
Extended placementClose to source
Per interface limitOne ACL per direction (in/out)
Apply to VTYaccess-class ACL_NAME in
โœ…
Lab Complete! ACLs are your primary traffic filtering tool on Cisco networks. Practice building them in Packet Tracer โ€” mistakes are easy to make and easy to fix there before touching real routers.
Related: VLANs Lab โ†’ โ† All Labs
// guided terminal

Try It Live

Type the commands from the steps above. The terminal simulates the expected output for this lab.

KaliRange ~ Terminal type help for commands