# Days 34, 35: Access Control Lists

# CCNA 200-301 Study Guide: Mastering Access Control Lists (ACLs)

## 1.0 Introduction: The Role of ACLs

In network engineering, an Access Control List (ACL) acts as a security bouncer. It inspects every packet attempting to cross a router interface and decides to Permit or Deny it based on specific rules.

Beyond security, ACLs are also used to "match" or classify traffic for:

- NAT (Network Address Translation)
- QoS (Quality of Service)
- Demand Dial Routing

## 2.0 The Core Principles of ACL Processing

ACL logic is strict and predictable. Routers follow three fundamental rules when evaluating a packet against a list:

1. Sequential Order (Top-Down): The router starts at the first line and moves down.
2. First Match Execution: As soon as a match is found, the action (Permit/Deny) is taken, and processing stops. The router does not check subsequent lines.
3. The Implicit Deny: Every ACL ends with an invisible, unwritten deny any any. If a packet doesn't match any of your permit rules, it is dropped.

Instructor's Note: Because of the implicit deny, every functional ACL must contain at least one permit statement, or it will block 100% of traffic.

### Application Rules

- One ACL per interface, per protocol, per direction.
- An interface can have one inbound IPv4 ACL and one outbound IPv4 ACL.

## 3.0 Standard vs. Extended ACLs

| Feature | Standard ACL | Extended ACL |
|---|---|---|
| Criteria | Source IP address only | Source/destination IP, protocol, and ports |
| Number Range | 1–99 and 1300–1999 | 100–199 and 2000–2699 |
| Granularity | Low (Sledgehammer) | High (Scalpel) |
| Placement | Closest to the destination | Closest to the source |

### The Placement Logic

- Standard (Sledgehammer): Since it only checks the source, placing it near the source might block the user from reaching everything. Place it near the destination to be specific.
- Extended (Scalpel): Since it knows exactly where the packet is going and what port it's using, place it near the source to drop unwanted traffic early and save bandwidth.

## 4.0 Wildcard Masks and Syntax

### 4.1 Wildcard Mask Logic

Wildcard masks are the inverse of subnet masks.

- 0 bit: Match Exactly.
- 1 bit: Ignore ("Don't Care").

Keywords:

- host: Equivalent to wildcard 0.0.0.0 (matches one IP).
- any: Equivalent to wildcard 255.255.255.255 (matches everything).

### 4.2 Configuration Syntax

Standard ACL:

access-list 10 permit 192.168.1.0 0.0.0.255

Extended ACL:

access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 80

Pro Tip: The established keyword in Extended ACLs allows return traffic for already active TCP sessions but blocks new connections initiated from the outside.
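As an added example (not part of the study guide), the small Python evaluator below applies the wildcard-mask logic of 4.1 and the top-down, first-match, implicit-deny rules of 2.0 to the access-list syntax shown above. The parser, the packet dictionaries and the sample list are constructed for illustration and support only the eq port operator; it is not Cisco IOS code.

```python
import ipaddress
# Constructed helper (not Cisco code): wildcard match, first-match order, implicit deny.

def wildcard_match(addr, base, wildcard):
    """Wildcard bit 1 = don't care, 0 = the address bit must equal base."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)

def parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)

def parse_ace(line):
    """Parse one 'access-list N permit|deny ...' entry into a rule dict."""
    _, number, action, *rest = line.split()
    rule = {"action": action, "proto": "ip", "dport": None}
    if 1 <= int(number) <= 99 or 1300 <= int(number) <= 1999:  # standard
        rule["src"] = parse_addr(rest)              # source address only
        rule["dst"] = ("0.0.0.0", "255.255.255.255")
    else:                                           # extended ACL
        rule["proto"] = rest.pop(0)
        rule["src"] = parse_addr(rest)
        rule["dst"] = parse_addr(rest)
        if rest and rest[0] == "eq":
            rule["dport"] = int(rest[1])
    return rule

def matches(r, pkt):
    return (r["proto"] in ("ip", pkt["proto"])
            and wildcard_match(pkt["src"], *r["src"])
            and wildcard_match(pkt["dst"], *r["dst"])
            and (r["dport"] is None or r["dport"] == pkt.get("dport")))

def evaluate(acl_lines, pkt):
    """Top-down: the first matching entry decides; no match = implicit deny."""
    for rule in map(parse_ace, acl_lines):
        if matches(rule, pkt):
            return rule["action"]   # processing stops at the first match
    return "deny"                   # the invisible 'deny any any'

ACL_101 = [  # constructed sample list: one host blocked from HTTP
    "access-list 101 deny tcp host 10.1.1.50 any eq 80",
    "access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 80",
    "access-list 101 permit udp any any eq 53",
]
```

Swapping the first two entries of ACL_101 would let the blocked host through, which is the first-match rule in action; a packet matching nothing (say TCP to port 443) is dropped by the implicit deny even though no deny line mentions it.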

## 5.0 Essential Protocol and Port Reference

| Service | Protocol | Port | Transport |
|---|---|---|---|
| ICMP | 1 | N/A | IP |
| TCP | 6 | N/A | IP |
| UDP | 17 | N/A | IP |
| SSH | N/A | 22 | TCP |
| Telnet | N/A | 23 | TCP |
| DNS | N/A | 53 | TCP/UDP |
| HTTP | N/A | 80 | TCP |
| HTTPS | N/A | 443 | TCP |
| TFTP | N/A | 69 | UDP |

## 6.0 ACL Management and Verification

### 6.1 Editing with Sequence Numbers

Modern IOS allows you to edit specific lines without deleting the whole list:

1. ip access-list extended 101
2. no 20 (Deletes line 20)
3. 25 permit udp any any eq 53 (Inserts new rule at line 25)

Resequencing: ip access-list resequence 101 10 10 (Starts at 10, increments by 10).

### 6.2 Verification Commands

- show access-lists: The most important command. Shows the rules and the "hit counts" (how many times a rule was matched).
- show ip interface <id>: Confirms whether an ACL is applied and in which direction (In/Out).

## 7.0 Key Takeaways Summary

1. Top-Down Logic: Once a match is made, the router stops looking.
2. Implicit Deny: If you don't permit it, it's denied by default.
3. Standard: Match Source IP; place near Destination.
4. Extended: Match Source, Dest, Protocol, Port; place near Source.
5. Troubleshooting: Use show access-lists to check hit counts and verify your logic is actually catching traffic.