5.2.a ACLs
Aligned to Cisco's 350-401 ENCOR v1.2 exam topics.
On this page
ACLs are simple until they are not. Most mistakes come from the same places: direction, wildcard masks, sequence order, implicit deny, and forgetting where the ACL is applied.
What an ACL does
An ACL compares traffic to ordered statements. First match wins. If nothing matches, the implicit deny at the end drops the packet.
For an interface ACL:
- Inbound means traffic entering the interface.
- Outbound means traffic leaving the interface.
seq 10 permit tcp users · app eq 443 · match, permit, STOP -> seq 20 permit udp users · dns eq 53 · match, permit, STOP -> seq 30 deny ip users · any · match, deny, STOP -> implicit deny · no earlier match · DROPFor VTY access-class, the ACL filters management connection sources, not forwarded user traffic.
The direction is evaluated from the device interface's point of view, not from the user's point of view. On a user SVI, an inbound ACL sees packets as they enter the L3 switch from the user VLAN. On a server SVI, an outbound ACL sees packets as they leave the L3 switch toward the server VLAN. Most exam mistakes are direction mistakes, not wildcard-mask mistakes.
Standard ACL example
Use standard ACLs when matching only source IPv4 addresses.
ip access-list standard MGMT-SOURCES
permit 10.10.10.0 0.0.0.255
deny any log
line vty 0 4
access-class MGMT-SOURCES inThis says: only hosts from 10.10.10.0/24 may attempt VTY access.
Do not copy this final deny any log habit blindly into high-rate data-plane ACLs. Logging can be useful for management-plane tests, but excessive ACL logging on transit traffic can punish the CPU and distort troubleshooting.
Extended ACL example
Use extended ACLs when matching source, destination, protocol, and ports.
ip access-list extended USERS-TO-APP
remark Users may reach app servers over HTTPS
permit tcp 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255 eq 443
remark Users may resolve DNS through the internal resolver
permit udp 10.10.10.0 0.0.0.255 host 10.30.30.53 eq 53
permit tcp 10.10.10.0 0.0.0.255 host 10.30.30.53 eq 53
deny ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255 log
permit ip any any
interface Vlan10
description User VLAN
ip access-group USERS-TO-APP inThe final permit ip any any allows unrelated traffic. Without it, the implicit deny blocks everything not already permitted.
When editing a live ACL, use sequence numbers deliberately:
show ip access-lists USERS-TO-APP
ip access-list extended USERS-TO-APP
15 permit icmp 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255 echoDo not remove and rebuild a production ACL as the first move. That can temporarily detach the intended filtering logic or reorder statements.
IPv6 ACL example
IPv6 ACLs use prefix notation, not wildcard masks.
ipv6 access-list V6-USERS-TO-APP
permit tcp 2001:db8:10::/64 2001:db8:20::/64 eq 443
deny ipv6 2001:db8:10::/64 2001:db8:20::/64 log
permit ipv6 any any
interface Vlan10
ipv6 traffic-filter V6-USERS-TO-APP inVerification
show access-lists
show ip access-lists USERS-TO-APP
show ipv6 access-list V6-USERS-TO-APP
show ip interface Vlan10
show ipv6 interface Vlan10Look for:
- ACL applied in the expected direction.
- Correct sequence order.
- Counters increasing on the expected lines.
- No accidental drop from the implicit deny.
Lab
Goal: Permit only required application traffic from users to servers.
Topology:
Users VLAN 10
L3 switch / router
Servers VLAN 20
DNS 10.30.30.53Tasks:
- Create an extended ACL named
USERS-TO-APP. - Permit users to reach servers on TCP/443.
- Permit users to reach DNS on UDP/TCP 53.
- Deny other users-to-servers traffic with logging.
- Permit everything else.
- Apply the ACL inbound on the users SVI.
- Test HTTPS, DNS, SSH to server, and ping to unrelated networks.
- Verify ACL counters.
Success criteria:
- HTTPS to app servers works.
- DNS works.
- SSH or other non-allowed server traffic fails.
- ACL counters match your tests.
Exam traps
- Wildcard
0.0.0.255means “match the first three octets, ignore the last octet.” host 10.1.1.10is the same as10.1.1.10 0.0.0.0.- First match wins. Put specific denies/permits before broad statements.
- Removing an ACL line by sequence is safer than deleting and rebuilding a live ACL blindly.
- ACLs do not inspect application identity like an NGFW. They match headers and addresses/ports.