Access Control Lists

Standard, extended, and named access control lists for traffic filtering and classification.

Standard ACLs

Standard numbered ACL — matches source IP only; place close to destination
configure terminal
access-list 10 permit 10.50.1.0 0.0.0.255
access-list 10 deny any log
end
Standard named ACL — easier to edit and reorder; sequence numbers allow insertion
configure terminal
ip access-list standard ALLOW-MGMT
 10 permit 10.50.1.0 0.0.0.255
 20 permit 10.50.100.0 0.0.0.255
 30 deny any log
end

Extended ACLs

Extended numbered ACL — matches source, destination, protocol, port; place close to source
configure terminal
access-list 100 permit tcp 10.50.1.0 0.0.0.255 host 10.50.2.10 eq 443
access-list 100 permit tcp 10.50.1.0 0.0.0.255 host 10.50.2.10 eq 22
access-list 100 deny ip any any log
end
Extended named ACL — production standard; always use named over numbered
configure terminal
ip access-list extended OUTSIDE-IN
 10 remark --- Allow HTTPS from data VLAN to web server ---
 20 permit tcp 10.50.1.0 0.0.0.255 host 10.50.2.10 eq 443
 30 remark --- Allow DNS queries to DNS server ---
 40 permit udp any host 10.50.1.50 eq 53
 50 permit tcp any host 10.50.1.50 eq 53
 60 remark --- Allow established return traffic ---
 70 permit tcp any any established
 80 remark --- Deny and log everything else ---
 90 deny ip any any log
end
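To make the matching rules behind these entries concrete (wildcard masks, top-down first match, established, and the implicit deny), here is an added Python evaluator that parses extended ACEs in the format shown above and decides what a packet would hit. It is example code written for this page, not device software; the embedded ACL excerpt is constructed from the OUTSIDE-IN entries, and it assumes port operators apply to the destination port only (as in every entry on this page).

```python
import ipaddress

# Constructed excerpt of this page's OUTSIDE-IN ACL (entries 10, 20, 40, 70 and 90); not device output
ACL_TEXT = """
 10 remark --- Allow HTTPS from data VLAN to web server ---
 20 permit tcp 10.50.1.0 0.0.0.255 host 10.50.2.10 eq 443
 40 permit udp any host 10.50.1.50 eq 53
 70 permit tcp any any established
 90 deny ip any any log
"""

def ip(s):
    return int(ipaddress.IPv4Address(s))
def parse_addr(t):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return ((addr, wildcard), remaining tokens)."""
    if t[0] == "any":
        return (0, 0xFFFFFFFF), t[1:]
    if t[0] == "host":
        return (ip(t[1]), 0), t[2:]
    return (ip(t[0]), ip(t[1])), t[2:]
def addr_match(spec, address):
    addr, wildcard = spec          # wildcard bit 0 = must equal the ACE address, bit 1 = don't care
    return (address ^ addr) & ~wildcard & 0xFFFFFFFF == 0
def parse_ace(line):
    t = line.split()
    if t[1] == "remark":           # remarks are documentation only and never match traffic
        return None
    src, rest = parse_addr(t[3:])
    dst, rest = parse_addr(rest)
    port, established = None, False
    while rest:                    # trailing destination-port operator, established, log keywords
        op = rest.pop(0)
        if op in ("eq", "gt", "lt", "neq", "range"):
            a = int(rest.pop(0))
            port = (op, a, int(rest.pop(0)) if op == "range" else a)
        elif op == "established":
            established = True     # log / log-input only affect syslog, not the match decision
    return {"seq": int(t[0]), "action": t[1], "proto": t[2], "src": src, "dst": dst,
            "port": port, "established": established}
def port_match(spec, port):
    op, a, b = spec or ("eq", port, port)   # no operator on the ACE means any port
    return {"eq": port == a, "neq": port != a, "gt": port > a, "lt": port < a, "range": a <= port <= b}[op]
def evaluate(aces, proto, src, dst, dport=0, ack_or_rst=False):
    """Top-down first match; returns (action, seq), where seq None means the implicit deny fired."""
    s, d = ip(src), ip(dst)
    for ace in aces:
        if ace["proto"] in ("ip", proto) and addr_match(ace["src"], s) and addr_match(ace["dst"], d) \
                and port_match(ace["port"], dport) and (ack_or_rst or not ace["established"]):
            return ace["action"], ace["seq"]
    return "deny", None            # the implicit deny at the end of every ACL
ACES = [a for a in map(parse_ace, ACL_TEXT.strip().splitlines()) if a]
```

Evaluating a packet against ACES[:1] (the HTTPS entry alone) shows the implicit deny returning seq None, which is why the explicit logged deny at the end of a production ACL is worth having.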

Protocol and Port Matching

TCP/UDP port matching — eq (equal), gt (greater than), lt (less than), range (inclusive), neq (not equal)
configure terminal
ip access-list extended PORT-EXAMPLES
 10 permit tcp any any eq 80
 20 permit tcp any any eq 443
 30 permit tcp any any range 1024 65535
 40 permit udp any any eq 53
 50 permit tcp any host 10.50.1.20 eq 22
 60 deny tcp any any eq 23
end
Common protocol keywords — ICMP, TCP, UDP, IP (all protocols), GRE, ESP, OSPF, EIGRP
configure terminal
ip access-list extended PROTOCOL-EXAMPLES
 10 permit icmp any any echo
 20 permit icmp any any echo-reply
 30 permit ospf any any
 40 permit esp any any
 50 permit gre any any
end

Applying ACLs to Interfaces

Apply ACL to interface — in (inbound traffic entering interface) or out (outbound traffic leaving interface)
configure terminal
interface GigabitEthernet0/0/0
 ip access-group OUTSIDE-IN in
end
Apply ACL to VTY lines — restrict SSH/Telnet access to management subnet
configure terminal
line vty 0 15
 access-class ALLOW-MGMT in
end
One ACL per interface, per direction, per protocol — applying a new ACL replaces the old one
! Verify what is applied
show ip interface GigabitEthernet0/0/0 | include access list

ACL Remarks

Remark — document ACL purpose; critical for maintainability in production
configure terminal
ip access-list extended WEB-TRAFFIC
 10 remark --- Permit HTTPS from internal users ---
 20 permit tcp 10.50.0.0 0.0.255.255 any eq 443
 30 remark --- Permit HTTP for redirect ---
 40 permit tcp 10.50.0.0 0.0.255.255 any eq 80
 50 remark --- Explicit deny all; logs what the implicit deny would drop silently ---
 60 deny ip any any log
end

ACL Editing and Resequencing

Insert a rule between existing sequence numbers
configure terminal
ip access-list extended OUTSIDE-IN
 25 permit tcp any host 10.50.2.10 eq 8443
end
Resequence ACL — renumber entries starting at 10, incrementing by 10 (global configuration command)
configure terminal
ip access-list resequence OUTSIDE-IN 10 10
end
Delete a specific line by sequence number
configure terminal
ip access-list extended OUTSIDE-IN
 no 25
end

ACL Logging

Log keyword — generates syslog message for matches; use on deny rules for security monitoring
configure terminal
ip access-list extended SECURITY-ACL
 10 permit tcp 10.50.1.0 0.0.0.255 any eq 443
 20 deny ip any any log
end
Log-input — includes source MAC and input interface in log message; more detail for forensics
configure terminal
ip access-list extended FORENSIC-ACL
 90 deny ip any any log-input
end
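The log and log-input keywords above only help if someone reads the resulting syslog. As an added example (not from this page or from Cisco), here is a Python parser that pulls ACL hits out of IOS-style %SEC-6-IPACCESSLOGP lines, keeps the interface and source MAC that log-input adds, and summarises denied traffic per source, flagging a source that probes several destination ports. The sample lines are constructed for this example; the timestamps, addresses, ports, interface and MAC address are made up.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the shape of IOS %SEC-6-IPACCESSLOGP messages from log / log-input
# ACEs; the timestamps, addresses, ports, interface and MAC address are made up for this example.
SAMPLE_LOG = """\
Mar  1 10:00:01.101: %SEC-6-IPACCESSLOGP: list SECURITY-ACL denied tcp 203.0.113.5(51234) -> 10.50.2.10(23), 1 packet
Mar  1 10:00:02.245: %SEC-6-IPACCESSLOGP: list SECURITY-ACL denied tcp 203.0.113.5(51235) -> 10.50.2.10(3389), 1 packet
Mar  1 10:00:03.310: %SEC-6-IPACCESSLOGP: list SECURITY-ACL denied tcp 203.0.113.5(51236) -> 10.50.2.10(22), 1 packet
Mar  1 10:00:04.412: %SEC-6-IPACCESSLOGP: list SECURITY-ACL permitted tcp 10.50.1.20(40000) -> 10.50.2.10(443), 1 packet
Mar  1 10:05:01.000: %SEC-6-IPACCESSLOGP: list FORENSIC-ACL denied tcp 198.51.100.9(4444) (GigabitEthernet0/0/0 0011.2233.4455) -> 10.50.1.50(445), 7 packets
"""

ACL_LOG = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r"(?: \((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\))?"   # interface and source MAC appear only with log-input
    r" -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")

def parse_acl_log(text):
    """Return one dict per ACL hit line; other syslog lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = ACL_LOG.search(line)
        if m:
            h = m.groupdict()
            for k in ("sport", "dport", "count"):
                h[k] = int(h[k])
            hits.append(h)
    return hits

def denied_summary(hits, port_threshold=3):
    """Sum denied packets per source and flag sources that hit >= port_threshold distinct destination ports."""
    packets, ports = defaultdict(int), defaultdict(set)
    for h in hits:
        if h["action"] == "denied":
            packets[h["src"]] += h["count"]
            ports[h["src"]].add(h["dport"])
    return {src: {"packets": packets[src], "ports": sorted(ports[src]),
                  "flag": len(ports[src]) >= port_threshold} for src in packets}

HITS = parse_acl_log(SAMPLE_LOG)
SUMMARY = denied_summary(HITS)
```

Note that IOS rate-limits these messages and later lines report aggregated counts ("N packets"), so the packet totals are a lower bound on what the ACE actually dropped.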

Object Groups

Object groups — simplify complex ACLs by grouping IPs and ports; reduces ACL line count significantly
configure terminal
object-group network WEB-SERVERS
 host 10.50.2.10
 host 10.50.2.11
 host 10.50.2.12
!
object-group service WEB-PORTS
 tcp eq 80
 tcp eq 443
 tcp eq 8443
!
ip access-list extended WEB-ACCESS
 ! In IOS a service object-group takes the protocol position of the ACE
 10 permit object-group WEB-PORTS 10.50.0.0 0.0.255.255 object-group WEB-SERVERS
 20 deny ip any any log
end
Verify object groups
show object-group
show object-group name WEB-SERVERS

ACL Verification

Show all ACLs — displays sequence numbers, hit counts, and rules
show access-lists
show access-lists OUTSIDE-IN
show ip access-lists
Show hit counts — identifies unused rules and high-traffic matches
show access-lists OUTSIDE-IN
! Output includes match count per line:
!   20 permit tcp 10.50.1.0 0.0.0.255 host 10.50.2.10 eq 443 (1547 matches)
Clear ACL counters — reset hit counts for fresh measurement
clear access-list counters
clear access-list counters OUTSIDE-IN
Show which ACLs are applied to an interface
show ip interface GigabitEthernet0/0/0 | include access list

Verification Summary

Key show commands for ACL troubleshooting
show access-lists
show ip access-lists OUTSIDE-IN
show ip interface GigabitEthernet0/0/0 | include access list
show object-group
show running-config | section access-list