ACL Fundamentals and Configuration

Jun 17, 2025

Overview

This lecture covers the fundamentals of standard Access Control Lists (ACLs) on Cisco routers, focusing on their purpose, logic, configuration, and application for CCNA-level exams.

What Are ACLs?

  • ACLs (Access Control Lists) are used to control network traffic by permitting or denying packets based on criteria like source IP.
  • They function as packet filters, instructing routers to permit or discard specific traffic.
  • ACLs can be used for security (controlling network access) and for other purposes covered later in the course.

ACL Logic and Processing

  • ACLs are made up of ordered Access Control Entries (ACEs).
  • ACEs are processed in order, top-to-bottom; the first match determines the action, and the rest are ignored.
  • The order of ACEs is critical to ensuring correct behavior.
  • Every ACL has an implicit deny at the end, meaning unmatched packets are denied by default.
  • Only one ACL can be applied per interface per direction (inbound or outbound).

Types of ACLs

  • Standard ACLs: Filter only by source IP address.
    • Standard numbered ACLs: identified by numbers (1–99, 1300–1999).
    • Standard named ACLs: identified by names.
  • Extended ACLs: (Covered in next lecture) Can filter by source/destination IP and port.
  • For CCNA, focus is on IPv4 standard ACLs.

Standard Numbered ACLs: Configuration

  • Use access-list <number> <permit|deny> <IP> <wildcard-mask>.
  • For a single host (/32), the wildcard mask can be omitted or the host keyword used instead.
  • The any keyword, or 0.0.0.0 255.255.255.255, matches all addresses.
  • Remarks can be added using access-list <number> remark <text>.
  • Apply ACLs to an interface using ip access-group <number> in|out.

Standard Named ACLs: Configuration

  • Enter config mode with ip access-list standard <name>.
  • ACEs are configured within that config mode; an entry (sequence) number can be given for each one.
  • Sequence numbers control ACE order.
  • Apply using ip access-group <name> in|out.
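The processing rules from the sections above (ordered ACEs, top-to-bottom first match, implicit deny, wildcard masks, host/any shorthand, and named-ACL sequence numbers) in a small Python simulator. This is an added illustration, not code from the lecture or from Cisco; the ACL numbers, names and addresses are constructed, and the only behaviour assumed beyond the notes is that IOS assigns sequence numbers 10, 20, 30, ... when none is typed.

```python
"""Simulator for Cisco-style standard IPv4 ACL matching (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class ACE:
    seq: int
    action: str      # "permit" or "deny"
    address: int     # 32-bit reference address
    wildcard: int    # 32-bit wildcard mask; 1 bits are "don't care"


def _parse_source(tokens):
    """Translate the source part of an ACE into (address, wildcard)."""
    if tokens[0] == "any":                       # 'any' == 0.0.0.0 255.255.255.255
        return 0, 0xFFFFFFFF
    if tokens[0] == "host":                      # 'host A.B.C.D' == A.B.C.D 0.0.0.0
        return int(ipaddress.IPv4Address(tokens[1])), 0
    address = int(ipaddress.IPv4Address(tokens[0]))
    # An omitted wildcard mask means a single /32 host.
    wildcard = int(ipaddress.IPv4Address(tokens[1])) if len(tokens) > 1 else 0
    return address, wildcard


def load_standard_acl(config: str) -> list[ACE]:
    """Build the ordered ACE list from numbered or named standard ACL lines."""
    aces = []
    next_seq = 10                                # assumed IOS default: 10, 20, 30, ...
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "ip":      # blank line or 'ip access-list standard NAME'
            continue
        if tokens[0] == "access-list":           # numbered form: access-list <n> <action> <src> [wc]
            number = int(tokens[1])
            if not (1 <= number <= 99 or 1300 <= number <= 1999):
                raise ValueError(f"{number} is not a standard ACL number")
            tokens = tokens[2:]
        if tokens[0] == "remark":                # remarks document the ACL, they never match
            continue
        if tokens[0].isdigit():                  # named form with an explicit sequence number
            seq, tokens = int(tokens[0]), tokens[1:]
        else:
            seq = next_seq
        next_seq = seq + 10
        action = tokens[0]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad ACE: {raw!r}")
        address, wildcard = _parse_source(tokens[1:])
        aces.append(ACE(seq, action, address, wildcard))
    aces.sort(key=lambda a: a.seq)               # sequence numbers, not typing order, decide the order
    return aces


def matches(ace: ACE, src_ip: str) -> bool:
    """Compare only the bits the wildcard mask marks as significant (0 bits)."""
    care = ~ace.wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(src_ip)) & care) == (ace.address & care)


def evaluate(aces, src_ip: str) -> str:
    """Top-to-bottom, first match wins; falling off the end hits the implicit deny."""
    for ace in aces:
        if matches(ace, src_ip):
            return ace.action
    return "deny"


# Constructed sample configs: block one PC, allow the rest of its LAN.
NUMBERED = """
access-list 1 remark Block PC1 but allow the rest of its LAN (constructed)
access-list 1 deny host 192.168.1.10
access-list 1 permit 192.168.1.0 0.0.0.255
"""

# Same intent as a named ACL, typed out of order but fixed by sequence numbers.
NAMED = """
ip access-list standard BLOCK_PC1
 20 permit 192.168.1.0 0.0.0.255
 10 deny host 192.168.1.10
"""

# The classic mistake: the broad permit comes first, so the deny is never reached.
WRONG_ORDER = """
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny host 192.168.1.10
"""

if __name__ == "__main__":
    for label, cfg in (("numbered", NUMBERED), ("named", NAMED), ("wrong order", WRONG_ORDER)):
        acl = load_standard_acl(cfg)
        for ip in ("192.168.1.10", "192.168.1.20", "10.0.0.5"):
            print(f"{label:12} {ip:14} -> {evaluate(acl, ip)}")
```

Running the script shows 192.168.1.10 denied by the first two ACLs but permitted by the third, and 10.0.0.5 denied everywhere with no explicit deny line, which is the implicit deny at work.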

Best Practices & Application

  • Standard ACLs should be applied as close to the destination as possible: because they match only on source address, placing one near the source would block that source's traffic to every destination, not just the intended one.
  • Show commands: show access-lists, show ip access-lists, and filtered show running-config.
  • Careful planning ensures requirements are met without unwanted blocking.

Quiz Takeaways

  • ACLs are processed top-to-bottom; first match wins.
  • The implicit deny means unmatched packets are dropped.
  • Applying a new ACL in the same direction on the same interface replaces the previous one.
  • Placement and direction (inbound/outbound) are vital for correct filtering behavior.

Key Terms & Definitions

  • ACL (Access Control List) — A list on a router that filters packets based on set criteria.
  • ACE (Access Control Entry) — An individual permit or deny rule within an ACL.
  • Implicit Deny — Default behavior denying all packets not explicitly permitted by the ACL.
  • Wildcard Mask — A mask that specifies which bits to ignore when matching IPs.
  • Standard ACL — ACL filtering only by source IP.
  • Extended ACL — ACL filtering by source/destination IP and ports.
  • Inbound/Outbound — Direction of traffic relative to an interface.

Action Items / Next Steps

  • Review and practice standard ACL configuration commands.
  • Complete the Packet Tracer lab and Anki flashcards linked in the supplementary materials.
  • Watch the next lecture (Day 35) for extended ACLs.