
⚙️ Module 8: Access Control Lists

🔐 Packet Filtering and Network Security Implementation

Tags: CCNA Level, Packet Filtering, Standard ACLs, Extended ACLs

📋 Overview

This module covers Access Control Lists (ACLs), which are fundamental security tools for packet filtering in Cisco networks. Students will learn to configure standard and extended ACLs, understand wildcard masking, implement proper placement strategies, and use ACLs to mitigate network attacks.


🔑 Key Terms

Access Control List (ACL)

Series of IOS commands that filter packets based on information in packet headers.

Access Control Entry (ACE)

Individual permit or deny statement within an ACL.

Standard ACL

Filters packets based only on source IP address (numbered 1-99, 1300-1999).

Extended ACL

Filters packets based on source, destination, protocol, and port information (numbered 100-199, 2000-2699).

Wildcard Mask

32-bit mask that tells the router which address bits must match (0) and which are ignored (1); for a contiguous block it is the inverse of the subnet mask.

Named ACL

ACL identified by descriptive name rather than number (preferred method).


Introduction to ACLs

ACL Types and Numbering

ACL Type  | Number Range        | Filtering Capability
Standard  | 1-99, 1300-1999     | Source IP address only
Extended  | 100-199, 2000-2699  | Source, destination, protocol, ports

ACL Processing Logic

Sequential Processing

How ACLs Work

  1. The router compares the packet against each ACE in order, starting at the top
  2. The first matching ACE decides the action (permit or deny); later ACEs are not consulted
  3. If no ACE matches, the implicit deny any at the end of the list drops the packet
  4. Because matching stops at the first hit, a broad ACE placed early shadows every more specific ACE below it

ACL Guidelines

  • Create the ACL in global configuration, then apply it to an interface
  • Only one ACL per interface, per protocol, per direction
  • Order matters: list the most specific ACEs first and the most general last
  • Every ACL ends with an implicit deny any; it is not shown by show access-lists and keeps no hit counter, so add an explicit deny any when you want to count or log what is being dropped
  • New statements are appended to the bottom by default
  • Packets generated by the router itself are not filtered by its own outbound ACLs

Wildcard Masking

Wildcard masks determine which bits of an IP address to examine for matches. They work opposite to subnet masks.

Wildcard Mask Logic

Binary 0

Must match exactly (check this bit)

Binary 1

Ignore this bit (don't care)

Quick Calculation

Wildcard from Subnet Mask

Subtract subnet mask from 255.255.255.255

Example: /24 subnet mask 255.255.255.0

Wildcard: 255.255.255.255 - 255.255.255.0 = 0.0.0.255

Common Wildcard Masks

Purpose        | Wildcard Mask    | Keyword
Single host    | 0.0.0.0          | host
All addresses  | 255.255.255.255  | any
/24 network    | 0.0.0.255        | (none)
/16 network    | 0.0.255.255      | (none)

Configuring ACLs

Standard ACL Configuration

# Numbered standard ACL
Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255
# The explicit deny has the same effect as the implicit deny but shows a hit count
Router(config)# access-list 10 deny any

# Named standard ACL
Router(config)# ip access-list standard SALES-FILTER
Router(config-std-nacl)# permit 192.168.1.0 0.0.0.255
Router(config-std-nacl)# deny any

# Apply to interface (outbound on g0/0; a standard ACL belongs near the destination)
Router(config)# interface g0/0
Router(config-if)# ip access-group 10 out

Extended ACL Configuration

# Numbered extended ACL
Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
Router(config)# access-list 100 deny ip any any

# Named extended ACL
Router(config)# ip access-list extended WEB-FILTER
Router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq 80
Router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq 443
Router(config-ext-nacl)# deny ip any any

# Apply to interface (inbound on g0/1, the interface facing the source network)
Router(config)# interface g0/1
Router(config-if)# ip access-group WEB-FILTER in

Best Practice

Use Text Editor

For complex ACLs, use a text editor to plan and create the ACL, then copy and paste to the router. This makes editing and troubleshooting much easier.

ACL Modification

  • Every ACE carries a sequence number, assigned automatically in steps of 10 (10, 20, 30...) as lines are added
  • Use show access-lists to see the sequence numbers and the per-ACE hit counts
  • Edit in ACL configuration mode (ip access-list standard|extended NAME); a numbered ACL can be entered the same way, e.g. ip access-list standard 10
  • Remove one ACE: no 20 (removes only sequence 20; no access-list 10 in global configuration would delete the whole list)
  • Insert one ACE at a chosen position: 15 permit host 192.168.1.5 (lands between 10 and 20)
  • Renumber when the gaps run out: ip access-list resequence NAME 10 10
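The processing rules, the wildcard arithmetic and the sequence-number editing above all come together in the following Python, which is an added example written for this page (it is not course material and not Cisco code; the router does this in IOS, not Python). It converts prefixes and subnet masks to wildcards, tests an address against a base/wildcard pair, and keeps a standard ACL as a mapping of sequence number to ACE so that first-match evaluation, the implicit deny, appending at the bottom, `no <seq>`, insertion at a chosen sequence number and resequencing can all be exercised. The wildcard test goes slightly beyond the page's inverse-subnet-mask presentation: IOS also accepts non-contiguous wildcards (0.0.254.255 matches every even third octet), and the same bit test covers both. The MISORDERED list and the fix_misordered helper are constructed for the example.

```python
import ipaddress
from typing import Optional

# --- wildcard masks ---------------------------------------------------------

def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard (inverse subnet mask) for a contiguous /prefix_len."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)

def wildcard_from_subnet_mask(mask: str) -> str:
    """The quick calculation from the page: 255.255.255.255 minus the mask, octet by octet."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = this address bit must match, bit 1 = don't care.
    Works for non-contiguous wildcards as well, which a subnet mask cannot express."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (b & care)

# --- a standard ACL as {sequence number: ACE body} ---------------------------

def parse_standard_ace(body: str):
    """'permit host A' / 'deny A W' / 'permit any' / 'permit A' (bare address = host)."""
    tokens = body.split()
    action, rest = tokens[0], tokens[1:]
    if action not in ("permit", "deny") or not rest:
        raise ValueError(f"bad ACE: {body!r}")
    if rest[0] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if rest[0] == "host":
        return action, rest[1], "0.0.0.0"
    if len(rest) == 1:
        return action, rest[0], "0.0.0.0"
    return action, rest[0], rest[1]

def add_ace(acl: dict, body: str, seq: Optional[int] = None) -> dict:
    """Append at the bottom (next multiple of 10) as IOS does by default, or insert at an
    explicit sequence number, e.g. add_ace(acl, 'permit host 192.168.1.5', 15)."""
    parse_standard_ace(body)                       # validate before storing
    if seq is None:
        seq = (max(acl, default=0) // 10 + 1) * 10
    if seq in acl:
        raise ValueError(f"sequence {seq} already in use")
    acl[seq] = body
    return acl

def remove_ace(acl: dict, seq: int) -> dict:
    """'no <seq>' in ACL configuration mode: removes one ACE, not the list."""
    del acl[seq]
    return acl

def resequence(acl: dict, start: int = 10, step: int = 10) -> dict:
    """'ip access-list resequence NAME start step': renumber, keeping the current order."""
    ordered = [acl[s] for s in sorted(acl)]
    return {start + i * step: body for i, body in enumerate(ordered)}

def evaluate(acl: dict, src: str):
    """Sequential first-match in sequence order; later ACEs are never consulted.
    Returns (action, seq), or ('deny', None) when the implicit deny any applies."""
    for seq in sorted(acl):
        action, base, wildcard = parse_standard_ace(acl[seq])
        if wildcard_match(src, base, wildcard):
            return action, seq
    return "deny", None

def build(*bodies: str) -> dict:
    acl = {}
    for body in bodies:
        add_ace(acl, body)
    return acl

# --- constructed scenario ------------------------------------------------------
# Intent: let one management host through, block the rest of its /24, permit everyone else.
MISORDERED = build("deny 192.168.1.0 0.0.0.255",
                   "permit host 192.168.1.5",      # shadowed: the /24 deny above matches first
                   "permit any")

def fix_misordered(acl: dict) -> dict:
    """Repair with sequence numbers instead of rebuilding: drop the shadowed host ACE,
    re-insert it ahead of the /24 deny (sequence 5), then resequence to 10/20/30."""
    acl = dict(acl)
    remove_ace(acl, 20)
    add_ace(acl, "permit host 192.168.1.5", 5)
    return resequence(acl)

if __name__ == "__main__":
    print("misordered:", evaluate(MISORDERED, "192.168.1.5"))       # ('deny', 10)
    print("fixed:     ", evaluate(fix_misordered(MISORDERED), "192.168.1.5"))   # ('permit', 10)
```

Running it shows the shadowing problem the placement and ordering rules warn about: the host permit at sequence 20 never fires until it is moved ahead of the /24 deny, and the resequenced list reads 10/20/30 again, exactly what show access-lists would display after the same edits on the router.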

ACL Placement Guidelines

Standard ACL Placement

Rule: Place as close to destination as possible

Reason: Standard ACLs only filter by source address, so placing too close to source may block legitimate traffic to other destinations

Extended ACL Placement

Rule: Place as close to source as possible

Reason: Extended ACLs can filter by source, destination, and protocol, so unwanted traffic can be blocked early to save bandwidth

Placement Considerations

  • Organizational control - Can only place ACLs on devices you control
  • Bandwidth efficiency - Block unwanted traffic early
  • Administrative ease - Consider configuration complexity
  • Processing overhead - Balance security vs performance
Example Scenario

Extended ACL Placement

To block FTP and Telnet from 192.168.11.0/24 to 192.168.30.0/24:

  • Place extended ACL on router closest to 192.168.11.0/24 network
  • Apply inbound on interface connected to source network
  • This prevents unwanted traffic from crossing multiple networks

Mitigate Attacks with ACLs

Mitigate IP Spoofing

Applied inbound on the Internet-facing interface, this list drops packets whose source address could never legitimately arrive from outside: the unspecified address, loopback, the RFC 1918 private ranges, multicast and limited broadcast. Add your own internal prefixes as well, since a packet claiming an inside source but arriving on the outside interface is spoofed by definition.

# Block spoofed source addresses inbound on the Internet-facing interface
access-list 150 deny ip host 0.0.0.0 any
access-list 150 deny ip 10.0.0.0 0.255.255.255 any
access-list 150 deny ip 127.0.0.0 0.255.255.255 any
access-list 150 deny ip 172.16.0.0 0.15.255.255 any
access-list 150 deny ip 192.168.0.0 0.0.255.255 any
access-list 150 deny ip 224.0.0.0 15.255.255.255 any
access-list 150 deny ip host 255.255.255.255 any
# Without a final permit, the implicit deny drops all remaining traffic as well
access-list 150 permit ip any any

# Apply inbound on the outside interface (g0/0 here)
interface g0/0
 ip access-group 150 in

Control ICMP Traffic

ICMP is needed for error reporting and path MTU discovery, but it is also a reconnaissance and DoS vector, so permit only the message types hosts actually need and let the implicit deny drop the rest.

Allow Inbound ICMP

  • Echo reply (responses to pings sent from inside)
  • Source quench (flow control; deprecated by RFC 6633, so modern hosts ignore it and it can safely be dropped)
  • Unreachable (error messages, including the fragmentation-needed message that IPv4 path MTU discovery depends on)

Allow Outbound ICMP

  • Echo (ping requests from inside)
  • Parameter problem
  • Packet too big (IOS keyword packet-too-big; in IPv4 this is unreachable type 3, code 4, used for MTU discovery)
  • Source quench (same deprecation caveat as above)

Permit Specific Services

# Allow only the published services inbound on the outside interface
access-list 180 permit udp any host 192.168.20.2 eq domain
access-list 180 permit tcp any host 192.168.20.2 eq smtp
access-list 180 permit tcp any host 192.168.20.2 eq ftp
access-list 180 permit tcp host 200.5.5.5 host 10.0.1.1 eq 22
# Everything else is dropped by the implicit deny at the end of the list

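The two lists above are easier to reason about when packets can be run through them. The following Python is an added example written for this page (not course material, not Cisco code): it parses the numbered extended ACEs as printed, with the simplification that only a destination eq port is understood (source-port operators, ranges, established and ICMP type keywords are left out), and applies first-match evaluation with the implicit deny. The packets and the Internet-facing scenario are constructed. It shows three things: the anti-spoofing list exactly as printed, with no trailing permit, drops every inbound packet; adding permit ip any any fixes that; and because only one ACL can be applied per interface per direction, the spoofing denies and the service permits have to be merged into one list, denies first, to get both behaviours on the same inbound interface.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS port keywords used by the ACLs above; numeric ports are accepted as well
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,
              "domain": 53, "www": 80, "pop3": 110}

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol, otherwise "tcp"/"udp"/"icmp"
    src: Tuple[str, str]        # (base address, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int]        # destination port from "eq", None if absent

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, bit 1 = ignore."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (b & care)

def _parse_addr(tokens: List[str], i: int):
    """Consume 'any', 'host A' or 'A W' starting at tokens[i]; return (addr, next index)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def parse_extended_ace(line: str) -> Ace:
    """Parse one numbered extended ACE. Assumed simplification for this example: only a
    destination 'eq <port>' is handled; source-port operators, ranges, 'established'
    and ICMP type keywords are not."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]               # drop 'access-list <number>'
    action, proto = t[0], t[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad ACE: {line!r}")
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return Ace(action, proto, src, dst, dport)

def evaluate(acl_lines: List[str], pkt: Packet):
    """Sequential first-match. Returns (action, sequence number), or ('deny', None)
    when nothing matched and the implicit deny at the end of the list applies."""
    for n, line in enumerate(acl_lines, start=1):
        ace = parse_extended_ace(line)
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, *ace.src) or not wildcard_match(pkt.dst, *ace.dst):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, n * 10
    return "deny", None

# The two lists from the page, as printed (ACL 150 without its trailing permit)
SPOOF_DENIES = [
    "access-list 150 deny ip host 0.0.0.0 any",
    "access-list 150 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 150 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 150 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 150 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 150 deny ip 224.0.0.0 15.255.255.255 any",
    "access-list 150 deny ip host 255.255.255.255 any",
]
SERVICE_PERMITS = [
    "access-list 180 permit udp any host 192.168.20.2 eq domain",
    "access-list 180 permit tcp any host 192.168.20.2 eq smtp",
    "access-list 180 permit tcp any host 192.168.20.2 eq ftp",
    "access-list 180 permit tcp host 200.5.5.5 host 10.0.1.1 eq 22",
]
# Only one ACL per interface per direction: to get both behaviours on the outside
# interface, the denies go first and the permits after, in a single list. The implicit
# deny then drops anything that is neither spoofed nor a published service.
INBOUND_EDGE = SPOOF_DENIES + SERVICE_PERMITS

# Constructed test packets arriving inbound on the Internet-facing interface
LEGIT_DNS = Packet("udp", "203.0.113.10", "192.168.20.2", 53)
SPOOFED_DNS = Packet("udp", "10.1.2.3", "192.168.20.2", 53)
SSH_FROM_PARTNER = Packet("tcp", "200.5.5.5", "10.0.1.1", 22)
SSH_FROM_ELSEWHERE = Packet("tcp", "203.0.113.5", "10.0.1.1", 22)

if __name__ == "__main__":
    print("ACL 150 as printed, legit DNS:", evaluate(SPOOF_DENIES, LEGIT_DNS))   # ('deny', None)
    fixed = SPOOF_DENIES + ["access-list 150 permit ip any any"]
    print("ACL 150 with final permit:    ", evaluate(fixed, LEGIT_DNS))          # ('permit', 80)
    for name, pkt in [("legit DNS", LEGIT_DNS), ("spoofed DNS", SPOOFED_DNS),
                      ("SSH partner", SSH_FROM_PARTNER), ("SSH other", SSH_FROM_ELSEWHERE)]:
        print(f"merged edge ACL, {name}:", evaluate(INBOUND_EDGE, pkt))
```

The sequence number returned with each verdict is the line you would see incrementing in show access-lists; a verdict of ('deny', None) is the implicit deny, which on the router leaves no counter at all, which is why an explicit deny ip any any at the end of a production edge ACL is worth the extra line.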
SNMP Security

Disable Unnecessary Services

If SNMP is not needed, disable it completely:

Router(config)# no snmp-server

If SNMP is required, restrict it to the authorized management stations by referencing a standard ACL that lists them in the community or group definition (for example snmp-server community <string> RO <acl-number>), and prefer SNMPv3 with authentication over plain community strings.


IPv6 ACLs

IPv6 ACL Characteristics

  • No equivalent of IPv4 standard ACLs; every IPv6 ACL can match on source, destination, protocol and ports
  • All IPv6 ACLs are named (there are no numbered IPv6 ACLs)
  • Functionally similar to IPv4 extended ACLs, applied with ipv6 traffic-filter instead of ip access-group
  • Can filter on IPv6 extension headers (for example the routing and fragment headers)
  • End with three implicit ACEs: permit icmp any any nd-na, permit icmp any any nd-ns, then deny ipv6 any any

IPv6 ACL Configuration

# Configure IPv6 ACL
Router(config)# ipv6 access-list LAN_ONLY
Router(config-ipv6-acl)# permit ipv6 2001:db8:1:1::/64 any
Router(config-ipv6-acl)# permit icmp any any nd-na
Router(config-ipv6-acl)# permit icmp any any nd-ns
Router(config-ipv6-acl)# deny ipv6 any any

# Apply to interface
Router(config)# interface g0/0
Router(config-if)# ipv6 traffic-filter LAN_ONLY in

Neighbor Discovery

IPv6 Requirements

Every IPv6 ACL ends with implicit permits for neighbor discovery (nd-na and nd-ns) placed just ahead of the implicit deny. Because those implicit ACEs sit at the very end of the list, an explicit deny ipv6 any any (as in LAN_ONLY above) matches first and silently blocks them. Whenever you write an explicit final deny, permit icmp any any nd-na and permit icmp any any nd-ns before it; otherwise address resolution fails and the IPv6 hosts on that link stop communicating.

IPv6 Security Concerns

  • Dual-stack hosts expose an IPv6 attack surface that IPv4-only filtering never inspects
  • IPv6 traffic tunneled inside IPv4 (for example Teredo, which embeds IPv6 in IPv4 UDP packets) passes through filters that only understand IPv4
  • Rogue router advertisements can hand hosts a bogus default gateway or prefix and redirect their traffic
  • IPv6 ACLs at the network edge are therefore just as essential as their IPv4 counterparts

✅ Quick Checks

  1. What is the difference between standard and extended ACLs?
    Standard ACLs filter only by source IP address, while extended ACLs filter by source, destination, protocol, and ports.
  2. Where should standard ACLs be placed?
    As close to the destination as possible to avoid blocking legitimate traffic.
  3. Where should extended ACLs be placed?
    As close to the source as possible to prevent unwanted traffic from consuming bandwidth.
  4. What is the wildcard mask for a single host?
    0.0.0.0 (or use the "host" keyword).
  5. What happens if no ACE matches a packet?
    The packet is denied by the implicit "deny any" at the end of every ACL.

📝 Summary

  • ACLs are fundamental packet filtering tools for network security
  • Standard ACLs filter by source address only (1-99, 1300-1999)
  • Extended ACLs filter by multiple criteria (100-199, 2000-2699)
  • Named ACLs are preferred for better documentation
  • Wildcard masks determine which address bits to examine
  • ACL processing is sequential with implicit deny any
  • Proper placement is critical for effectiveness
  • ACLs can mitigate spoofing, DoS, and other attacks
  • IPv6 ACLs are named only and need explicit nd-na and nd-ns permits ahead of any explicit deny ipv6 any any
  • Regular testing and documentation are essential
