5.2 Configure and verify infrastructure security features
📘 CCNP ENCOR (350-401 ENCOR v1.1)
1. What is an ACL?
An Access Control List (ACL) is a set of rules used on network devices (routers and switches) to control traffic flow.
ACLs decide:
- Which traffic is allowed
- Which traffic is denied
Each ACL rule checks packet information such as:
- Source IP address
- Destination IP address
- Protocol (IP, TCP, UDP, ICMP)
- Port numbers (for TCP/UDP)
👉 In simple words:
An ACL acts like a security filter for network traffic.
2. Why ACLs Are Important in an IT Network
ACLs are used to:
- Improve network security
- Restrict unauthorized access
- Control who can reach what
- Reduce unnecessary traffic
- Protect critical servers and devices
Common IT Use Cases
- Allow users to access internal servers but block access to management interfaces
- Allow web traffic but block file-sharing traffic
- Prevent certain subnets from communicating with others
- Secure device access (VTY, SSH, SNMP)
3. How ACLs Work (Packet Processing Logic)
ACLs are evaluated top-down, one entry at a time.
- A packet arrives on (or is about to leave) the interface the ACL is applied to
- The entries are compared in sequence-number order
- The first entry that matches decides the packet's fate and evaluation stops; later entries are never consulted
- If no entry matches → implicit deny
Important Rule:
Every ACL ends with an invisible entry:
deny any (standard ACL) or deny ip any any (extended ACL)
This is called the implicit deny. It never appears in show access-lists output and keeps no match counter. Two consequences follow: an ACL that contains only deny entries blocks everything, and a list with no final permit silently drops every flow you forgot to mention, including routing-protocol packets arriving on that interface.
4. Permit and Deny Actions
Each ACL entry (ACE) has one of two actions:
- permit → allow the traffic
- deny → block the traffic
If traffic is denied:
- The packet is dropped; no forwarding occurs
- By default the router returns an ICMP destination unreachable (administratively prohibited) message to the sender, unless ip unreachables has been disabled on the interface
- Optionally, the match is logged (log keyword on the entry)
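The three rules above (top-down, first match wins, implicit deny) explain most ACL surprises. As an added example that is not part of the original notes, here is one intent, "block Telnet to the server, allow everything else", written three ways; the ACL names, addresses and interface are assumptions:

```cisco
! Intent: block Telnet (TCP/23) from user LAN 192.168.10.0/24 to server 10.1.1.50,
! allow everything else. Addresses, names and interfaces are assumed for this example.

! Version 1 - WRONG: the only entry is a deny, so the implicit "deny ip any any"
! at the end drops every other packet entering Gi0/1: user HTTP/HTTPS to the
! server, DNS, and even OSPF/EIGRP hellos addressed to this router.
ip access-list extended BLOCK_TELNET_V1
 deny   tcp 192.168.10.0 0.0.0.255 host 10.1.1.50 eq 23
!
! Version 2 - WRONG: entries in the wrong order. Processing is top-down and stops
! at the first match, so the broad permit matches the Telnet packet first and the
! deny below it is never reached (it is "shadowed" and its counter stays at 0).
ip access-list extended BLOCK_TELNET_V2
 permit ip any any
 deny   tcp 192.168.10.0 0.0.0.255 host 10.1.1.50 eq 23
!
! Version 3 - CORRECT: the specific deny first, then an explicit permit that
! catches the rest before the implicit deny can. "log" is optional; it makes
! the blocked attempts visible in syslog.
ip access-list extended BLOCK_TELNET
 remark Block Telnet to the app server, allow all other traffic
 deny   tcp 192.168.10.0 0.0.0.255 host 10.1.1.50 eq 23 log
 permit ip any any
!
interface GigabitEthernet0/1
 description User LAN
 ip access-group BLOCK_TELNET in
```

With version 2 bound to the interface, show ip access-lists BLOCK_TELNET_V2 would show every hit on the permit line and zero on the deny line: a shadowed entry is the first thing to look for when a deny "does not work".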
5. Types of ACLs (Exam Critical)
5.1 Standard ACLs
Standard ACLs filter traffic based only on:
- Source IP address
They cannot filter:
- Destination IP
- Protocol
- Port number
Characteristics
- Numbered range: 1–99 and 1300–1999
- Simple and limited
- Less precise control
Example Use
- Allow or block traffic from a specific subnet entirely
5.2 Extended ACLs
Extended ACLs filter traffic based on:
- Source IP
- Destination IP
- Protocol (IP, TCP, UDP, ICMP)
- Source port
- Destination port
Characteristics
- Numbered range: 100–199 and 2000–2699
- Much more detailed and powerful
- Most commonly used in real networks
Example Use
- Allow HTTP traffic to a server but block all other protocols
5.3 Named ACLs
ACLs can also be created using names instead of numbers.
Advantages
- Easier to understand
- Easier to edit
- Can be standard or extended
Example:
ip access-list extended WEB_ACL
6. Placement of ACLs (Very Important for Exam)
Standard ACL Placement
- Place close to the destination
Why?
- A standard ACL can only test the source IP, so it cannot express "block this source only when it is heading to that destination"
- Placed near the source, it would cut that source off from every destination reached through that path, not just the network you want to protect; placed on the interface facing the protected network, its effect is limited to that network
Extended ACL Placement
- Place close to the source
Why?
- Extended ACLs match source, destination, protocol and port, so they can be precise at the first hop without side effects on other destinations
- Dropping unwanted traffic early saves bandwidth and processing on every device it would otherwise cross
7. Direction of ACL Application
ACLs can be applied in two directions:
- Inbound (in)
- Outbound (out)
Inbound ACL
- Traffic is filtered as it arrives on the interface, before the routing lookup
- More efficient: denied packets never consume a route lookup or forwarding resources
- Also checks packets addressed to the router itself (routing-protocol hellos, SSH to the device), so those need explicit permits
- Commonly used
Outbound ACL
- Traffic is filtered after routing, on the exit interface
- Sees transit traffic from every ingress interface that is routed out that way, so it is useful for protecting one destination network from many sources
- Does not filter packets the router itself generates
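Added example (not from the original notes) tying sections 5, 6 and 7 together: the same two-router network with an extended ACL placed near the source and applied inbound, and a standard ACL placed near the destination and applied outbound. The topology, addresses, ACL names and interface names are assumptions.

```cisco
! Assumed topology (example only):
!   Users 192.168.10.0/24 and Guests 192.168.20.0/24 sit behind R1.
!   R1 Gi0/0 = user LAN, R1 Gi0/2 = guest LAN, R1 Gi0/1 ---- R2 Gi0/1
!   R2 Gi0/0 = server LAN 10.1.1.0/24 (web server 10.1.1.50)
!   R1 also has a default route to the Internet.

! ---- R1: EXTENDED ACL, placed close to the SOURCE, applied INBOUND ----
! Requirement: users may reach the server only on HTTPS, but keep all other
! destinations (Internet etc.). Because the ACL can test destination and port,
! it is enforced the moment the packet enters R1, before any route lookup.
ip access-list extended USERS_TO_SERVER
 remark HTTPS only to the web server; nothing else into the server LAN
 permit tcp 192.168.10.0 0.0.0.255 host 10.1.1.50 eq 443
 deny   ip  192.168.10.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip  192.168.10.0 0.0.0.255 any
!
interface GigabitEthernet0/0
 description User LAN - filtered inbound, before the routing decision
 ip access-group USERS_TO_SERVER in

! ---- R2: STANDARD ACL, placed close to the DESTINATION, applied OUTBOUND ----
! Requirement: guests must never reach the server LAN but must keep Internet access.
! A standard ACL can only look at the source. Put on R1 Gi0/2 inbound it would
! block the guests from EVERYTHING, because it cannot say "only toward 10.1.1.0/24".
! Applied outbound on the server-facing interface of R2 it only affects packets
! that are actually being routed into the server LAN, whichever interface they
! arrived on.
ip access-list standard NO_GUEST_TO_SERVERS
 remark Guests never enter the server LAN
 deny   192.168.20.0 0.0.0.255
 permit any
!
interface GigabitEthernet0/0
 description Server LAN - filtered outbound, after the routing decision
 ip access-group NO_GUEST_TO_SERVERS out
```

Two things to remember when reading this: the inbound list on R1 Gi0/0 also sees packets addressed to R1 itself from the user LAN, which is why it ends with a permit rather than relying on the implicit deny; and the outbound list on R2 does not inspect packets R2 generates (its own pings, SNMP traps, routing updates), only transit traffic.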
8. Wildcard Masks (Very Important Topic)
ACLs use wildcard masks, not subnet masks.
Wildcard Mask Basics
0 → the bit must match exactly
1 → the bit is ignored (any value matches)
Example
192.168.1.0 0.0.0.255
Means:
- Match all IPs from 192.168.1.0 to 192.168.1.255
Common Wildcard Shortcuts
| Keyword | Meaning | Equivalent wildcard form |
|---|---|---|
| host | Matches a single IP | address 0.0.0.0 |
| any | Matches all IPs | 0.0.0.0 255.255.255.255 |
Examples:
host 192.168.1.10 (same as 192.168.1.10 0.0.0.0)
any (same as 0.0.0.0 255.255.255.255)
Quick rule: wildcard mask = 255.255.255.255 minus the subnet mask (for example /24 → 0.0.0.255, /22 → 0.0.3.255, /30 → 0.0.0.3). Typing the subnet mask itself (255.255.255.0) is a classic error: it tells the ACL to ignore the first three octets and match only the last one.
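Added example, not part of the original notes, with assumed addresses: a standard ACL whose remarks state the exact range each wildcard mask covers, including a non-contiguous mask and the subnet-mask-instead-of-wildcard error.

```cisco
! Wildcard-mask examples (addresses assumed). Rule: wildcard = inverse of the
! subnet mask = 255.255.255.255 - mask. A 0 bit must match, a 1 bit is ignored.
ip access-list standard WILDCARD_DEMO
 remark /24  mask 255.255.255.0   -> wildcard 0.0.0.255 : 192.168.1.0 - 192.168.1.255
 permit 192.168.1.0 0.0.0.255
 remark /22  mask 255.255.252.0   -> wildcard 0.0.3.255 : 10.10.4.0 - 10.10.7.255
 permit 10.10.4.0 0.0.3.255
 remark /30  mask 255.255.255.252 -> wildcard 0.0.0.3   : 172.16.0.4 - 172.16.0.7
 permit 172.16.0.4 0.0.0.3
 remark host = wildcard 0.0.0.0, all 32 bits must match
 permit host 192.168.1.10
 remark Non-contiguous masks are legal: 0.0.1.255 ignores only the lowest bit of
 remark the third octet, so this matches 10.20.0.0/24 AND 10.20.1.0/24, not 10.20.2.0/24
 permit 10.20.0.0 0.0.1.255
 remark any = 0.0.0.0 255.255.255.255, no bit has to match
 deny   any log
!
! The classic mistake: a SUBNET mask where a WILDCARD belongs.
! The line below does NOT mean 192.168.1.0/24. 255 in the first three octets
! means "ignore", 0 in the last means "must match", so it matches every address
! whose last octet is 0 (192.168.1.0, 10.0.0.0, 172.16.5.0 ...) and nothing else.
ip access-list standard WRONG_MASK
 permit 192.168.1.0 255.255.255.0
```

IOS normalises what you type: because wildcard 1-bits are "don't care", an entry entered as 192.168.1.10 0.0.0.255 is stored as 192.168.1.0 0.0.0.255, so check show ip access-lists after entry and compare the stored network to what you intended.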
9. ACL Sequence Numbers
ACL rules are processed in order.
- Each rule has a sequence number
- Default increment: 10
- Lower numbers are processed first
Why Sequence Numbers Matter
- Allow insertion of new rules
- Control rule priority
10. Editing ACLs (Exam Focus)
Numbered ACLs
- Classic behaviour: entries can only be appended, and any form of no access-list 101 (with or without an entry after it) deletes the whole list, so modifying one means deleting and re-creating it
no access-list 101
- Caution: if the list is deleted while still bound to an interface, that interface permits all traffic until a list with that number exists again, and while the new list is typed in line by line the implicit deny blocks everything not yet entered. Remove the ip access-group binding first, or build the replacement under a new number and swap it in
- Current IOS also lets a numbered ACL be opened in named-ACL mode (ip access-list extended 101) and edited with sequence numbers like a named list
Named ACLs
- Can be edited in place, while bound to interfaces
- Entries can be inserted at a chosen sequence number, deleted individually by sequence number, and renumbered with ip access-list resequence
Named ACLs are preferred in modern networks.
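Added example (not from the original notes; ACL names, addresses and interface are assumptions) showing the in-place editing workflow for a named ACL with sequence numbers, the classic rebuild of a numbered ACL, and why the interface binding should be removed before that rebuild:

```cisco
! Starting point (assumed): a named extended ACL with entries 10-40. The server's
! HTTP port was forgotten, so entry 30 currently denies it.
ip access-list extended WEB_ACL
 10 permit tcp 192.168.10.0 0.0.0.255 host 10.1.1.50 eq 443
 20 permit tcp 192.168.10.0 0.0.0.255 host 10.1.1.50 eq 22
 30 deny   ip  192.168.10.0 0.0.0.255 10.1.1.0 0.0.0.255 log
 40 permit ip  192.168.10.0 0.0.0.255 any
!
! Fix: insert the permit BEFORE entry 30 (first match wins), without touching the
! rest. The ACL stays applied to its interfaces the whole time.
ip access-list extended WEB_ACL
 25 permit tcp 192.168.10.0 0.0.0.255 host 10.1.1.50 eq 80
!
! Remove a single entry by its sequence number (here: SSH to the server).
ip access-list extended WEB_ACL
 no 20
!
! Renumber to 10, 20, 30 ... so there is room for future inserts again.
ip access-list resequence WEB_ACL 10 10
!
! ---- Numbered ACL, the traditional way ----
! "no access-list 101" deletes the WHOLE list. An interface that still references
! a list that no longer exists permits ALL traffic, and while the new list is being
! typed the implicit deny blocks everything not yet entered. So unbind first.
interface GigabitEthernet0/1
 no ip access-group 101 in
!
no access-list 101
access-list 101 permit tcp 192.168.10.0 0.0.0.255 host 10.1.1.50 eq 443
access-list 101 permit tcp 192.168.10.0 0.0.0.255 host 10.1.1.50 eq 80
access-list 101 deny   ip  192.168.10.0 0.0.0.255 10.1.1.0 0.0.0.255 log
access-list 101 permit ip  192.168.10.0 0.0.0.255 any
!
interface GigabitEthernet0/1
 ip access-group 101 in
!
! Current IOS shortcut: open the numbered list in named-ACL mode and use sequence
! numbers exactly as with WEB_ACL above.
ip access-list extended 101
 15 permit tcp 192.168.10.0 0.0.0.255 host 10.1.1.50 eq 8443
```

A safer pattern for production changes is to build the new policy under a new name (WEB_ACL_V2), verify it with show ip access-lists, and then change the ip access-group on the interface; the swap is a single command and the old list remains available for rollback.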
11. Applying ACLs to Interfaces
ACLs do nothing until applied.
Applying to an Interface
ip access-group <ACL> in
ip access-group <ACL> out
An ACL can be:
- Applied to multiple interfaces, and in both directions, at the same time (the same list is simply referenced again)
- Bound only once per protocol, per direction, per interface: a second ip access-group in on the same interface replaces the first instead of adding to it
- Edited while bound; changes to a named ACL take effect immediately on every interface that references it
12. ACLs on VTY Lines (Management Access)
ACLs can control:
- SSH access
- Telnet access
(any session that terminates on the VTY lines)
Applied in line configuration mode (under line vty 0 4), not on an interface:
access-class <ACL> in
Because the destination is always the device itself, a standard (source-only) ACL is enough. access-class covers sessions arriving on every interface, including ones added later, which a per-interface ACL would not. The out direction instead restricts which destinations a user already logged into the device may open outbound SSH/Telnet sessions to.
This protects the device management plane; pair it with transport input ssh so that Telnet is not accepted at all.
13. Logging with ACLs
ACLs can log matches for monitoring and troubleshooting by adding log (or log-input, which also records the ingress interface and source MAC) to an entry:
deny ip any any log
Written explicitly like this at the end of a list, the entry filters exactly as the implicit deny would, but it shows match counters and produces syslog messages, so you can see what the list is silently dropping.
Logging Uses
- Security monitoring
- Detect unauthorized access attempts
- Troubleshooting policy behavior
Caveat: logged packets are handled by the CPU and the messages are rate-limited, so log only the entries you need to watch and never treat the log as a complete packet count; the counters in show ip access-lists are the accurate record.
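Added example (not part of the original notes; addresses, names and the SNMP community string are assumptions) combining sections 12 and 13: a management-plane ACL applied to the VTY lines and to SNMP, and a logged deny on a transit ACL with a logging rate limit:

```cisco
! ---- Management plane: who may open SSH sessions / poll SNMP on this device ----
! The destination is the device itself, so a STANDARD (source-only) ACL is enough.
ip access-list standard MGMT_HOSTS
 remark Jump hosts and the monitoring server only
 permit 10.250.0.0 0.0.0.255
 permit host 10.250.1.20
 deny   any log
!
line vty 0 4
 access-class MGMT_HOSTS in
 transport input ssh
 exec-timeout 5 0
!
! The same list protects SNMP read access; "access-class" only covers VTY sessions.
snmp-server community MonRO RO MGMT_HOSTS
!
! Unlike "ip access-group" on an interface, "access-class" applies to every VTY
! session no matter which interface the SSH packet arrived on, so a WAN or tunnel
! interface added next year is covered automatically.

! ---- Transit traffic: make the implicit deny visible ----
! "log-input" also records the ingress interface and source MAC, which shows where
! a packet with a spoofed source really entered the network.
ip access-list extended USERS_TO_SERVER
 permit tcp 192.168.10.0 0.0.0.255 host 10.1.1.50 eq 443
 deny   ip  any any log-input
!
! Logged packets are punted to the CPU. Limit how often a log-generating packet
! is processed (one per 10 ms here) so a flood cannot become a CPU problem.
ip access-list logging interval 10
```

A deny that hits in MGMT_HOSTS is worth an alert on its own: a source outside the management subnet trying to open an SSH session to a router is either a misconfigured host or reconnaissance, and the log line carries the source address you need to investigate.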
14. Verification and Troubleshooting ACLs
Common Verification Commands
show access-lists (every ACL, all protocols, with per-entry match counters)
show ip access-lists (IPv4 ACLs only, same counters; add a name or number to show one list)
show ip interface (which ACL is bound inbound and outbound on each interface)
What to Check
- Correct ACL applied
- Correct direction (in/out)
- Rule order
- Implicit deny issues
- Packet counters increasing
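Added verification sequence (example commands, not from the original notes; the ACL and interface names are assumptions). The comments quote the strings IOS prints in these outputs so you know what to look for:

```cisco
! Run from privileged EXEC. Names assumed for the example.
!
! 1. Is the ACL bound, on the right interface, in the right direction?
show ip interface GigabitEthernet0/1 | include access list
!    Expect lines such as "Inbound  access list is WEB_ACL" and
!    "Outgoing access list is not set". "not set" = that direction is unfiltered.
!
! 2. Zero the per-entry counters, generate test traffic, then read them back.
clear ip access-list counters WEB_ACL
show ip access-lists WEB_ACL
!    Each entry that has been hit prints "(N matches)".
!    Hits on an earlier permit and none on the deny you are testing = ordering
!    problem (shadowed entry). No hits anywhere = wrong interface or direction,
!    or the test traffic is not taking the path you think.
!
! 3. Review the whole policy, including remarks and sequence numbers, as stored.
show ip access-lists
show running-config | section ip access-list
!
! 4. A VTY access-class does not show up under "show ip interface"; check the line.
show running-config | section line vty
```

Remember when reading counters that the implicit deny has none: traffic it drops is invisible here unless you end the list with an explicit deny ip any any, which is the usual reason to add one during troubleshooting.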
15. Best Practices for ACLs (Exam + Real Networks)
- Use extended ACLs whenever you need to match anything beyond the source address
- Place ACLs correctly (standard near the destination, extended near the source)
- Order entries from specific to general
- Put the specific permits that carve exceptions out of a broader deny above that deny, and end the list with an explicit permit ip any any if everything else should pass, or an explicit deny ip any any log if you want to see what the implicit deny would drop
- Remember the implicit deny
- Use named ACLs for better management
- Document ACL purpose clearly
16. Common ACL Mistakes (Exam Traps)
- Forgetting the implicit deny
- Wrong wildcard mask
- Incorrect direction (in vs out)
- Applying ACL to wrong interface
- Using standard ACL when extended is needed
- Blocking management access accidentally
17. ACLs and Infrastructure Security (ENCOR Context)
In CCNP ENCOR, ACLs are part of:
- Infrastructure security
- Traffic control
- Network segmentation
- Management plane protection
ACLs are foundational and often work with:
- Control Plane Policing (CoPP)
- Device hardening
- AAA and secure management
18. Exam Summary (What You Must Remember)
✔ What ACLs are
✔ How ACLs work (top-down, first match)
✔ Implicit deny
✔ Standard vs Extended ACLs
✔ Named vs Numbered ACLs
✔ Wildcard masks
✔ ACL placement rules
✔ Inbound vs Outbound
✔ Verification commands
✔ Common mistakes
