ACLs And Policy
What It Is
An access control list matches packets and takes an action. On routers and switches, ACLs are used for interface filtering, control-plane protection, route filtering, NAT matching, QoS classification, and management access. The modern goal is not just syntax correctness. The goal is policy that is readable, scoped, logged appropriately, and tied to intent.
ACL Types
| Type | Matches | Common Use |
|---|---|---|
| Standard IPv4 ACL | Source IPv4 address | Simple source filtering, route policy, NAT match |
| Extended IPv4 ACL | Protocol, source, destination, ports, flags, options | Traffic filtering and classification |
| Named ACL | Human-readable name | Preferred for maintainability |
| Numbered ACL | Legacy number ranges | Still seen in older configs |
| IPv6 ACL | IPv6 source/destination and next-header fields | IPv6 filtering |
| Object-group policy | Groups addresses and services | Firewalls and some IOS-XE platforms |
Modern note: Use named ACLs with remarks for operational policy. Numbered ACLs are harder to review and maintain.
Matching Basics
| Element | Example | Notes |
|---|---|---|
| Action | permit, deny | First match wins |
| Protocol | ip, tcp, udp, icmp | ip means all IPv4 protocols |
| Source | 10.10.20.0 0.0.0.255 | Wildcard mask, not subnet mask |
| Destination | host 10.10.30.10 | host equals wildcard 0.0.0.0 |
| Port operator | eq, neq, lt, gt, range | TCP/UDP only |
| Logging | log, log-input | Use carefully on busy paths |
| Time range | time-range NAME | Operationally risky if undocumented |
| TCP flags | established, syn, ack, rst | Platform support varies |
Watch out: ACLs normally have an implicit deny at the end. If you do not permit it, it is denied.
Wildcard Masks
| Subnet | Wildcard | Matches |
|---|---|---|
| /32 | 0.0.0.0 | One host |
| /30 | 0.0.0.3 | Four addresses |
| /29 | 0.0.0.7 | Eight addresses |
| /28 | 0.0.0.15 | Sixteen addresses |
| /24 | 0.0.0.255 | 256 addresses |
| /16 | 0.0.255.255 | 65,536 addresses |
| /8 | 0.255.255.255 | 16,777,216 addresses |
Wildcard math: subtract the subnet mask from 255.255.255.255.
Placement And Direction
| Decision | Guidance |
|---|---|
| Inbound | Filters before routing decision on that interface |
| Outbound | Filters after routing decision toward egress interface |
| Close to source | Good for stopping unwanted traffic early |
| Close to destination | Useful when policy protects a specific destination |
| Interface ACL | Transit traffic through interface |
| VTY ACL | Management access to device |
| Control-plane policy | Traffic to the device CPU |
Design note: Document whether the ACL protects users, servers, management, control plane, NAT eligibility, or route policy. Same syntax, very different intent.
Cisco IOS/IOS-XE Examples
Readable extended ACL:
```
ip access-list extended USERS-TO-SERVERS
 remark Allow HTTPS to app server
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.30.50 eq 443
 remark Allow DNS to resolver
 permit udp 10.10.20.0 0.0.0.255 host 10.10.30.53 eq 53
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.30.53 eq 53
 remark Deny SMB from users to server segment
 deny tcp 10.10.20.0 0.0.0.255 10.10.30.0 0.0.0.255 eq 445 log
 remark Permit remaining routed traffic by explicit design
 permit ip 10.10.20.0 0.0.0.255 any
```
Apply inbound:
```
interface Vlan20
 description User gateway
 ip access-group USERS-TO-SERVERS in
```
VTY management ACL:
```
ip access-list standard MGMT-SOURCES
 permit 10.10.10.0 0.0.0.255
 deny any log
!
line vty 0 15
 access-class MGMT-SOURCES in
```
Notes:
- Add remarks before meaningful groups of rules.
- Put specific denies before broad permits.
- Avoid logging every deny on high-volume paths.
- Validate direction with packet flow, not memory.
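As an added example (not the page's own code or any vendor implementation), a small Python model of the matching rules from the Matching Basics and Wildcard Masks sections applied to the USERS-TO-SERVERS ACL above: wildcard conversion from a prefix length, wildcard matching, first-match evaluation, and the implicit deny when no entry matches. It understands only the syntax subset the page uses (permit/deny, ip/tcp/udp, any/host/wildcard, eq), and the `Packet` type and function names are this example's own.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple

# The page's USERS-TO-SERVERS ACL, embedded here as the sample policy to evaluate.
USERS_TO_SERVERS = """
remark Allow HTTPS to app server
permit tcp 10.10.20.0 0.0.0.255 host 10.10.30.50 eq 443
remark Allow DNS to resolver
permit udp 10.10.20.0 0.0.0.255 host 10.10.30.53 eq 53
permit tcp 10.10.20.0 0.0.0.255 host 10.10.30.53 eq 53
remark Deny SMB from users to server segment
deny tcp 10.10.20.0 0.0.0.255 10.10.30.0 0.0.0.255 eq 445 log
remark Permit remaining routed traffic by explicit design
permit ip 10.10.20.0 0.0.0.255 any
"""
def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard = 255.255.255.255 minus the subnet mask (the page's rule)."""
    mask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(0xFFFFFFFF - mask))
def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard is 'don't care'; 0 bits must match exactly."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)
class Packet(NamedTuple):
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
def _parse_addr(t, i):
    """Consume 'any', 'host X' or 'X WILDCARD' starting at token index i."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2
def evaluate(acl_text: str, pkt: Packet) -> Tuple[str, Optional[str]]:
    """Walk the ACL top down: first match wins; running off the end is the implicit deny."""
    for line in acl_text.strip().splitlines():
        t = line.split()
        if t[0] == "remark":
            continue
        (sb, sw), i = _parse_addr(t, 2)
        (db, dw), i = _parse_addr(t, i)
        if (t[1] in ("ip", pkt.proto)
                and wildcard_match(pkt.src, sb, sw)
                and wildcard_match(pkt.dst, db, dw)
                and (i >= len(t) or t[i] != "eq" or pkt.dport == int(t[i + 1]))):
            return t[0], line      # explicit match
    return "deny", None            # implicit deny: no entry permitted it
```

A source outside 10.10.20.0/24 returns `("deny", None)`, which is the accidental implicit deny the Troubleshooting table warns about; SMB to the server segment hits the explicit logged deny before the broad final permit.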
Troubleshooting
| Symptom | Check | Likely Cause |
|---|---|---|
| Traffic denied unexpectedly | Rule order, implicit deny, direction | Wrong sequence or missing permit |
| ACL counters do not increment | Interface, direction, routed path | ACL not in packet path |
| NAT does not match | ACL permit/deny meaning for NAT | Wrong ACL semantics |
| CPU/log spike | log on high-volume entry | Excessive ACL logging |
| Return traffic blocked | Stateful vs stateless behavior | ACL only allows one direction |
| IPv6 still works through block | Separate IPv6 policy | IPv4 ACL does not filter IPv6 |
| Management lockout | VTY ACL, source address, fallback | Bad management ACL |
Commands
```
show access-lists
show ip access-lists USERS-TO-SERVERS
show ip interface Vlan20
show running-config interface Vlan20
clear access-list counters USERS-TO-SERVERS
```
Expected clues:
- ACL is applied to the expected interface and direction.
- Counters increment on the expected entries.
- There is an explicit final policy, not an accidental implicit deny.
- Return traffic is permitted if the device is not stateful.
- IPv4 and IPv6 policy are both covered where needed.
Watch Out
- Do not edit ACLs remotely without a rollback path.
- Do not use ACLs as a substitute for firewall state when state matters.
- Do not forget that first match wins.
- Do not confuse wildcard masks with subnet masks.
- Do not use `permit ip any any` unless it is an intentional final policy.
- Do not log broad busy rules unless you want noise and CPU risk.