Feb 27

Access Control Lists (ACLs) Configuration

MT
Mindli Team

AI-Generated Content


In modern network security, not all traffic should be treated equally. Access Control Lists (ACLs) are the fundamental packet-filtering tool on Cisco routers that decide what data is permitted or denied, acting as a stateless firewall for basic traffic control. Mastering their configuration is critical for the CCNA exam and for implementing basic security policies, enabling you to protect network resources, manage bandwidth, and define perimeter security in a granular way.

Understanding Core ACL Concepts and Types

At its heart, an ACL is an ordered list of permit or deny statements that are applied to traffic flowing through a router interface. These statements are processed sequentially from top to bottom, and the first matching rule determines the fate of the packet. If no rules match, an implicit "deny all" statement at the end of every ACL silently discards the traffic, a crucial point often tested on exams. ACLs come in two primary flavors, each with a specific scope of control.

Standard ACLs are the simpler type. They filter traffic based solely on the source IP address of a packet. Because they only consider where traffic is coming from, their use is limited. A typical application is to block entire subnets from accessing a part of the network, such as preventing a guest wireless network from reaching the internal corporate servers. Their simplicity is both a strength and a limitation, as they lack the precision needed for most modern security policies.

Extended ACLs provide far greater granularity. They can filter traffic based on multiple criteria: source IP address, destination IP address, protocol (like IP, TCP, UDP, or ICMP), and port numbers. This allows you to create rules as specific as "permit host 192.168.1.10 to access web server 10.0.0.5 on TCP port 443 (HTTPS) while denying all other traffic to that server." For the CCNA, you must be proficient in configuring extended ACLs for common services like web (port 80/443), email (port 25/110), and DNS (port 53).

Mastering Wildcard Masks and ACL Identification

To define ranges of addresses in ACL statements, Cisco IOS uses wildcard masks, which are the inverse of a subnet mask. Understanding this is non-negotiable. A wildcard mask uses binary 0s to indicate "must match" and 1s to indicate "ignore." For example, to match the 192.168.10.0/24 network, the wildcard mask is 0.0.0.255. The calculation is simple: subtract the subnet mask from 255.255.255.255. A /24 mask (255.255.255.0) gives you 255.255.255.255 - 255.255.255.0 = 0.0.0.255.
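The wildcard arithmetic above, worked through in Python as an added example (this is not code from the original page and has nothing to do with Cisco IOS itself; the function names are mine). Besides the subtraction rule, it computes the wildcard from a CIDR length, counts how many addresses an entry really matches, and flags the common slip of typing a subnet mask where a wildcard belongs, which IOS accepts silently because non-contiguous wildcards are legal:

```python
import ipaddress
from typing import Tuple

MASK32 = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & MASK32))


def wildcard_from_mask(subnet_mask: str) -> str:
    """The rule from the text: wildcard = 255.255.255.255 - subnet mask, octet by octet."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Same result from a CIDR length: the low (32 - prefix_len) bits are 'ignore' (1s)."""
    return _to_dotted((1 << (32 - prefix_len)) - 1)


def is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is 0...01...1 in binary, i.e. the inverse of a real subnet mask.
    IOS also accepts non-contiguous wildcards, but in practice one usually means a subnet
    mask was typed where a wildcard belongs."""
    w = _to_int(wildcard)
    return (w & (w + 1)) == 0


def address_matches(addr: str, network: str, wildcard: str) -> bool:
    """An entry 'network wildcard' matches addr when every bit the wildcard marks as
    'must match' (0) is identical between addr and network."""
    w = _to_int(wildcard)
    return ((_to_int(addr) ^ _to_int(network)) & ~w & MASK32) == 0


def matched_count(wildcard: str) -> int:
    """Number of distinct addresses the entry matches: 2 ** (number of 1 bits)."""
    return 1 << bin(_to_int(wildcard)).count("1")


def match_range(network: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest matched address. For a non-contiguous wildcard the matched
    addresses are scattered inside this range rather than filling it."""
    n, w = _to_int(network), _to_int(wildcard)
    return _to_dotted(n & ~w), _to_dotted(n | w)


def review_entry(network: str, wildcard: str) -> str:
    """Describe what an entry really matches, pointing out the subnet-mask-as-wildcard mistake."""
    if wildcard == "0.0.0.0":
        return f"host {network} (single address)"
    if wildcard == "255.255.255.255":
        return "any (all addresses)"
    lo, hi = match_range(network, wildcard)
    if not is_contiguous(wildcard):
        hint = ""
        inverse = wildcard_from_mask(wildcard)
        if is_contiguous(inverse):
            hint = f"; {wildcard} is a subnet mask, the wildcard for it is {inverse}"
        return f"NON-CONTIGUOUS wildcard: matches {matched_count(wildcard)} scattered addresses{hint}"
    return f"{matched_count(wildcard)} addresses {lo}-{hi}"


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.0"))             # 0.0.0.255
    print(review_entry("192.168.10.0", "0.0.0.255"))       # 256 addresses 192.168.10.0-192.168.10.255
    print(review_entry("192.168.10.0", "255.255.255.0"))   # flagged: 16777216 scattered addresses
```

The last call shows why the mistake is dangerous: `192.168.10.0 255.255.255.0` as an ACL entry matches every address whose last octet is 0, in any network, rather than the /24 the author intended.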

You will also encounter two methods of identifying an ACL: numbered and named. Numbered ACLs are the legacy method, where standard ACLs use numbers 1-99 and 1300-1999, and extended ACLs use 100-199 and 2000-2699. Named ACLs are now the recommended practice. They allow descriptive names (like INBOUND-FILTER), are easier to manage, and permit the insertion or deletion of specific lines without recreating the entire list—a significant operational advantage.

Configuration, Verification, and Placement Best Practices

Configuring an ACL is a two-step process: first, you create the ACL in global configuration mode, and second, you apply it to an interface in a specific direction (in or out). The direction is from the router's perspective: in means traffic arriving on the interface, out means traffic leaving the interface. For a CCNA lab, you must be able to perform this sequence flawlessly. Here is an example of creating and applying a named extended ACL:

Router(config)# ip access-list extended BLOCK-WEB
Router(config-ext-nacl)# deny tcp 192.168.10.0 0.0.0.255 any eq 80
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip access-group BLOCK-WEB out

Verification is key. Use show access-lists to see all configured ACLs and their match counters, which increment when a packet hits a rule—this is invaluable for troubleshooting. Use show ip interface GigabitEthernet0/0 to confirm an ACL is applied correctly.

ACL placement is a critical best practice with a simple guideline: Place standard ACLs as close to the destination as possible, and place extended ACLs as close to the source as possible. Because standard ACLs only filter on source address, placing them too close to the source could inadvertently block all traffic from that host to other valid destinations. Extended ACLs, with their specificity, can be safely placed near the source to stop unwanted traffic before it consumes bandwidth across the network.

Common Pitfalls

Misordering ACL Statements: Remember, ACLs process rules top-down. A common mistake is placing a broad permit any or deny any statement at the top, which makes all subsequent rules irrelevant. Always sequence ACL statements from most specific to most general.

Ignoring the Implicit Deny All: Forgetting that every ACL ends with an invisible deny ip any any is a major source of connectivity issues. If your ACL is meant to permit some traffic, your final explicit statement should typically be a permit ip any any or a permit statement for required traffic, unless a default deny is the explicit security goal.

Incorrect Wildcard Mask Calculation: Confusing wildcard masks with subnet masks will lead to rules that match too much or too little traffic. Routinely double-check your calculation: Wildcard Mask = 255.255.255.255 - Subnet Mask. The host keyword (host 192.168.1.1) is equivalent to using a wildcard mask of 0.0.0.0 and is preferred for single addresses.

Applying the ACL in the Wrong Direction: Applying an inbound (in) ACL when you need an outbound (out) filter will have no effect on the traffic you intend to control. Always diagram the traffic flow and remember the direction is relative to the router interface you are configuring.
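A small evaluator, added here as example code (it is not from the page and is not Cisco IOS code), that parses entries in the syntax the configuration example uses and applies them exactly as the pitfalls above describe: top-down, first match wins, implicit deny at the end. It goes a little beyond the text in two ways: standard (source-only) entries are accepted alongside extended ones, and `shadowed_entries` reports lines that a broader earlier line makes unreachable, which is the "permit ip any any at the top" mistake made visible. The `Packet` class, the function names and the sample packets are my own; only a numeric destination `eq PORT` is parsed:

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
ANY = (0, MASK32)  # 'any' is 0.0.0.0 255.255.255.255: every bit ignored


@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port; None for icmp


def _addr(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_spec(tok: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume 'any', 'host A' or 'A WILDCARD' at tok[i]; return ((net, wild), next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (_addr(tok[i + 1]), 0), i + 2
    return (_addr(tok[i]), _addr(tok[i + 1])), i + 2


def parse_entry(line: str) -> dict:
    """Parse one entry in IOS syntax. Extended: 'deny tcp 192.168.10.0 0.0.0.255 any eq 80';
    standard: 'permit 192.168.10.0 0.0.0.255' (source only, every destination)."""
    tok = line.split()
    action = tok[0]
    if tok[1] in PROTOCOLS:                  # extended entry
        proto = tok[1]
        src, i = _parse_spec(tok, 2)
        dst, i = _parse_spec(tok, i)
    else:                                    # standard entry: source address only
        proto, dst = "ip", ANY
        src, i = _parse_spec(tok, 1)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport, "text": line}


def _spec_matches(addr: int, spec: Tuple[int, int]) -> bool:
    net, wild = spec
    return ((addr ^ net) & ~wild & MASK32) == 0


def entry_matches(e: dict, p: Packet) -> bool:
    return (e["proto"] in ("ip", p.proto)
            and _spec_matches(_addr(p.src), e["src"])
            and _spec_matches(_addr(p.dst), e["dst"])
            and (e["dport"] is None or e["dport"] == p.dport))


def evaluate(acl: List[dict], p: Packet) -> Tuple[str, str]:
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for e in acl:
        if entry_matches(e, p):
            return e["action"], e["text"]
    return "deny", "implicit deny ip any any"


def _spec_covers(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    """a matches everything b matches: every bit a cares about, b cares about too,
    and the two specs agree on those bits."""
    (na, wa), (nb, wb) = a, b
    cares_a = ~wa & MASK32
    return (cares_a & wb) == 0 and ((na ^ nb) & cares_a) == 0


def _entry_covers(a: dict, b: dict) -> bool:
    return (a["proto"] in ("ip", b["proto"])
            and (a["dport"] is None or a["dport"] == b["dport"])
            and _spec_covers(a["src"], b["src"])
            and _spec_covers(a["dst"], b["dst"]))


def shadowed_entries(acl: List[dict]) -> List[str]:
    """Entries that can never be reached because one earlier entry already covers all of
    their traffic. Conservative: a line hidden only by the union of several earlier lines
    is not reported."""
    return [b["text"] for i, b in enumerate(acl) if any(_entry_covers(a, b) for a in acl[:i])]


# The page's BLOCK-WEB list, and the same two lines misordered (constructed sample input).
BLOCK_WEB = [parse_entry(line) for line in ["deny tcp 192.168.10.0 0.0.0.255 any eq 80",
                                            "permit ip any any"]]
MISORDERED = list(reversed(BLOCK_WEB))

if __name__ == "__main__":
    web = Packet("tcp", "192.168.10.25", "203.0.113.10", 80)
    print(evaluate(BLOCK_WEB, web))       # ('deny', 'deny tcp 192.168.10.0 0.0.0.255 any eq 80')
    print(evaluate(MISORDERED, web))      # ('permit', 'permit ip any any')
    print(shadowed_entries(MISORDERED))   # ['deny tcp 192.168.10.0 0.0.0.255 any eq 80']
```

Running it with the page's list in its original order denies the web packet on the first line; with the two lines swapped the same packet is permitted and the deny line is reported as unreachable. Dropping the `permit ip any any` line altogether shows the implicit deny: a DNS query from the same subnet matches nothing and is denied.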

Summary

  • ACLs are ordered rule sets that use permit/deny statements to filter traffic; they conclude with an implicit deny all.
  • Standard ACLs (1-99, 1300-1999) filter on source IP only, while Extended ACLs (100-199, 2000-2699) filter on source/destination IP, protocol, and port, offering precise control.
  • Wildcard masks, the inverse of subnet masks, define address ranges in ACLs. Use the host keyword for a single address and any for all addresses.
  • Place standard ACLs near the destination and extended ACLs near the source to achieve effective filtering without unintended side effects.
  • Named ACLs are preferred for manageability, and verification commands like show access-lists are essential for confirming correct operation and troubleshooting.
  • Always test ACL configurations thoroughly, as mistakes in rule order, wildcard masks, or interface direction are common causes of network failures in both real-world and exam scenarios.
