NetworkTools
Sign In
1ACLs2Zone Firewalls3IPsec4SSL VPN5802.1X6IDS/IPS7PKI
← Back to Network Security

Learning Objectives

  • Understand what ACLs are and why they exist
  • Distinguish standard from extended ACLs
  • Apply ACL entry ordering rules
  • Troubleshoot common ACL misconfigurations

The Guard at the Gate

Imagine a bouncer at a club with a clipboard. Every person approaching gets checked: name, ID, maybe what they're wearing. Some get waved through, others are turned away. The bouncer checks each rule in order and stops at the first match.

That's an ACL.

An Access Control List (ACL) is a sequential list of permit or deny rules applied to a router or firewall interface. The device inspects each packet against the rules in order. As soon as a rule matches, the packet is either permitted or denied and no further rules are checked. An implicit deny at the end means if no rule matches, the packet is dropped.

Standard vs Extended ACLs

Standard ACLs filter only by source IP address and use numbers 1–99 or 1300–1999. Extended ACLs filter by source, destination, protocol, and port using numbers 100–199 or 2000–2699.

Extended ACLs are more precise. A standard ACL might block all traffic from 10.0.1.0/24, while an extended ACL can block only SSH traffic from 10.0.1.0/24 to a specific server.

ACL Placement Matters

Standard ACLs should be placed as close to the destination as possible because they only inspect source addresses. Extended ACLs should be placed as close to the source as possible to filter early and conserve bandwidth.

Rule Order is Critical

Rules are evaluated top-down. The first match wins. A common mistake is placing a broad permit before a specific deny, accidentally allowing traffic that should be blocked. On Cisco IOS, rules are numbered by sequence number, and new rules can be inserted between existing ones.

Standard ACL Configuration

Build a numbered standard ACL and apply it to an interface.

Preview
access-list {number} {action} {source}
interface {iface}
ip access-group {number} {direction}
You configure these ACL rules on a router: ip access-list extended BLOCK_SMTP deny tcp host 10.1.1.50 any eq 25 permit tcp any any eq 25 deny tcp any any A packet arrives from 10.1.1.50 destined to 192.168.1.100 on port 25.

What is the resulting IP access list entry number that gets matched first?

Named ACLs

Modern networks use named ACLs, which allow descriptive names instead of numbers. Named ACLs also allow individual rule insertion and deletion by sequence number, making management much cleaner than numbered ACLs.

What happens to a packet that does not match any ACL rule?

An extended ACL should be placed as close as possible to the...

Key Takeaways

  • ACLs are sequential rule lists applied to interfaces
  • Standard ACLs filter by source only; extended ACLs filter by source, destination, protocol, and port
  • Rules are evaluated top-down with first match winning
  • An implicit deny all exists at the end of every ACL
  • Place extended ACLs close to the source, standard ACLs close to the destination
  • Named ACLs offer better management than numbered ACLs
NextZone Firewalls