Network Security & ACLs MODULE 04
Access Control Lists (ACLs)
Packet filters applied to router interfaces

ACLs are ordered lists of permit/deny statements. The router checks each statement top-down and acts on the first match. An implicit deny any is always at the end.

Implicit deny: If no ACE matches a packet, it is dropped. Always add a permit statement if you want some traffic through.
Standard ACL: filters by source IP only (numbers 1–99, 1300–1999)
Extended ACL: filters by source + destination IP, protocol and port (numbers 100–199, 2000–2699)
Named ACL: standard or extended, referenced by name instead of a number
Placement rule: standard ACLs go close to the destination
Placement rule: extended ACLs go close to the source
Direction: in = entering the interface, out = leaving the interface
Wildcard Masks
Inverse of subnet mask — used in ACL rules and OSPF

A 0 bit = must match. A 1 bit = don't care (any value). Calculate as: 255.255.255.255 − subnet mask.

/24 mask 255.255.255.0 → wildcard 0.0.0.255
/28 mask 255.255.255.240 → wildcard 0.0.0.15
/30 mask 255.255.255.252 → wildcard 0.0.0.3
Shorthand | Wildcard | Meaning
host 10.1.1.1 | 0.0.0.0 | Exact single host
any | 255.255.255.255 | Any IP address
10.1.1.0 0.0.0.255 | 0.0.0.255 | Entire /24 subnet
172.16.0.0 0.0.255.255 | 0.0.255.255 | Entire /16 range
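The arithmetic above, worked through in code. This is an added example, not part of the course page and not IOS code; the function names are this example's own. It computes the wildcard from either a prefix length or a dotted mask (the two inputs the table uses), applies the "0 = must match, 1 = don't care" rule to decide whether an address falls under an ACE, and collapses a network/wildcard pair to the IOS shorthand (host, any). The matcher also handles a wildcard such as 0.0.1.255, which the subtraction formula never produces but which IOS accepts and which covers two adjacent /24s.

```python
import ipaddress

# Added example (not part of the course page): the wildcard-mask arithmetic
# behind ACL address specs. A 0 bit in the wildcard must match the network;
# a 1 bit is "don't care". Function names are this example's own.

ALL_ONES = 0xFFFFFFFF


def wildcard_from_mask(mask: str) -> str:
    """255.255.255.255 minus the subnet mask, i.e. its bitwise inverse."""
    return str(ipaddress.IPv4Address(ALL_ONES ^ int(ipaddress.IPv4Address(mask))))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard for /N: the low (32 - N) bits set to 1."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))


def wildcard_for(spec: str) -> str:
    """Accept either '/28' or '255.255.255.240', as the page's table does."""
    if spec.startswith("/"):
        return wildcard_from_prefix(int(spec[1:]))
    return wildcard_from_mask(spec)


def ace_matches(address: str, network: str, wildcard: str) -> bool:
    """Where the wildcard bit is 0 the address bit must equal the network bit."""
    care = ALL_ONES ^ int(ipaddress.IPv4Address(wildcard))   # 1 = bit must match
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    return (a & care) == (n & care)


def shorthand(network: str, wildcard: str) -> str:
    """The IOS shorthand a network/wildcard pair collapses to."""
    if wildcard == "0.0.0.0":
        return f"host {network}"
    if wildcard == "255.255.255.255":
        return "any"
    return f"{network} {wildcard}"


if __name__ == "__main__":
    for spec in ("/24", "/28", "/30", "255.255.255.240"):
        print(f"{spec:>16} -> wildcard {wildcard_for(spec)}")
    # Which addresses does "172.16.0.0 0.0.255.255" cover?
    for addr in ("172.16.200.9", "172.17.0.1"):
        print(addr, "matches the /16 entry:", ace_matches(addr, "172.16.0.0", "0.0.255.255"))
    # A non-contiguous wildcard: 10.1.2.0 0.0.1.255 covers 10.1.2.0/24 and 10.1.3.0/24
    print("10.1.3.7 under 10.1.2.0 0.0.1.255:", ace_matches("10.1.3.7", "10.1.2.0", "0.0.1.255"))
    print(shorthand("10.1.1.1", "0.0.0.0"), "|", shorthand("0.0.0.0", "255.255.255.255"))
```

Run it as a script to see the table rows reproduced; `ace_matches` is the piece to reuse when checking whether a given host would be caught by an existing ACE before you apply an ACL to a production interface.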
ACL Examples — Standard vs Extended
How ACL entries are structured and applied
Standard ACL — Permit only 192.168.10.0/24
SEQ | ACTION | RULE
10 | PERMIT | 192.168.10.0 0.0.0.255
20 | DENY | any (implicit)

R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255
R1(config)# interface Gi0/0/0
R1(config-if)# ip access-group 10 out
! Standard → apply close to the DESTINATION
Extended ACL — Block Telnet from 10.x to any
SEQ | ACTION | RULE
10 | DENY | tcp 10.0.0.0 0.255.255.255 any eq 23
20 | PERMIT | ip any any

R1(config)# ip access-list extended BLOCK-TELNET
R1(config-ext-nacl)# deny tcp 10.0.0.0 0.255.255.255 any eq 23
R1(config-ext-nacl)# permit ip any any
R1(config)# interface Gi0/0/1
R1(config-if)# ip access-group BLOCK-TELNET in
! Extended → apply close to the SOURCE
NAT & PAT
Network Address Translation — private ↔ public IP mapping

NAT translates private IPs to public IPs. PAT (Port Address Translation / NAT Overload) maps many private IPs to a single public IP using unique port numbers.

Inside Local 192.168.1.10 → NAT router (translates the address) → Inside Global 209.165.200.5

Inside Local: private IP of the internal host
Inside Global: public IP seen by the outside
Outside Local: destination as seen from the inside
Outside Global: real IP of the external host
Static NAT: 1-to-1 permanent mapping
Dynamic NAT: pool of public IPs, first-come first-served
PAT / Overload: many-to-one using port numbers
Layer 2 Security Features
Port Security, DHCP Snooping, DAI, and 802.1X
Port Security

Limits which MAC addresses can connect to a switch port. Violation actions: protect, restrict, shutdown (default).

S1(config-if)# switchport port-security
S1(config-if)# switchport port-security maximum 2
S1(config-if)# switchport port-security mac-address sticky
S1(config-if)# switchport port-security violation shutdown
DHCP Snooping & DAI
DHCP Snooping: Blocks rogue DHCP servers. Ports are trusted or untrusted.
DAI (Dynamic ARP Inspection): Validates ARP packets using the DHCP Snooping binding table — prevents ARP spoofing.
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10
! On the uplink only:
S1(config-if)# ip dhcp snooping trust
S1(config)# ip arp inspection vlan 10
! On the uplink only:
S1(config-if)# ip arp inspection trust
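How DAI uses the binding table, as an added example that is not part of the course page and is not IOS code. The model below is simplified: DHCP snooping fills a table of (MAC, IP, VLAN, port) from the leases it observes, and DAI checks every ARP packet arriving on an untrusted port in an inspected VLAN against that table, dropping any whose sender IP/MAC pair has no matching entry. The VLAN numbers, port names, MAC and IP addresses in the demo are constructed; real DAI additionally rate-limits ARP and offers extra validation options, which are not modelled here.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Added example, not code from the page or from IOS: a simplified model of
# Dynamic ARP Inspection driven by the DHCP snooping binding table.
# Trusted ports ("ip arp inspection trust") are not inspected at all.


@dataclass(frozen=True)
class Binding:
    """One row of the DHCP snooping binding table."""
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass(frozen=True)
class ArpPacket:
    ingress_port: str
    vlan: int
    sender_mac: str
    sender_ip: str


class DaiSwitch:
    def __init__(self, inspected_vlans: Iterable[int], trusted_ports: Iterable[str]):
        self.inspected_vlans = set(inspected_vlans)   # "ip arp inspection vlan 10"
        self.trusted_ports = set(trusted_ports)       # uplinks with "ip arp inspection trust"
        self.bindings: Dict[Tuple[str, int], Binding] = {}

    def learn_dhcp_binding(self, mac: str, ip: str, vlan: int, port: str) -> None:
        """What DHCP snooping records when it sees a lease handed to a client."""
        self.bindings[(mac, vlan)] = Binding(mac, ip, vlan, port)

    def inspect_arp(self, pkt: ArpPacket) -> Tuple[str, str]:
        """Return ("forward" | "drop", reason) for one ARP packet."""
        if pkt.vlan not in self.inspected_vlans:
            return "forward", "VLAN not inspected"
        if pkt.ingress_port in self.trusted_ports:
            return "forward", "trusted port, not inspected"
        binding = self.bindings.get((pkt.sender_mac, pkt.vlan))
        if binding is None:
            return "drop", "no DHCP snooping binding for sender MAC"
        if binding.ip != pkt.sender_ip:
            return "drop", f"sender IP {pkt.sender_ip} does not match binding {binding.ip}"
        return "forward", "sender IP/MAC matches binding"


def demo_switch() -> DaiSwitch:
    """Constructed sample: VLAN 10 inspected, Gi0/1 the trusted uplink, two DHCP clients."""
    sw = DaiSwitch(inspected_vlans=[10], trusted_ports=["Gi0/1"])
    sw.learn_dhcp_binding("aa:bb:cc:00:00:02", "10.10.10.52", 10, "Fa0/2")
    sw.learn_dhcp_binding("aa:bb:cc:00:00:03", "10.10.10.53", 10, "Fa0/3")
    return sw


if __name__ == "__main__":
    sw = demo_switch()
    samples = [  # constructed ARP traffic
        ArpPacket("Gi0/1", 10, "00:11:22:33:44:01", "10.10.10.1"),   # gateway, via trusted uplink
        ArpPacket("Fa0/2", 10, "aa:bb:cc:00:00:02", "10.10.10.52"),  # legitimate DHCP client
        ArpPacket("Fa0/3", 10, "aa:bb:cc:00:00:03", "10.10.10.1"),   # client claiming the gateway IP
        ArpPacket("Fa0/4", 10, "de:ad:be:ef:00:04", "10.10.10.54"),  # static IP, no DHCP lease
    ]
    for p in samples:
        print(f"{p.ingress_port:6} {p.sender_ip:13} -> {sw.inspect_arp(p)}")
```

The third sample is the ARP-spoofing case the section describes: the client's MAC is bound to 10.10.10.53, so an ARP claiming the gateway address is dropped. The fourth shows the operational caveat: a host with a statically configured address has no snooping binding and is also dropped, which is why such hosts need a static binding or an ARP ACL before DAI is enabled on their VLAN.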
ACL Processing Logic
Top-down evaluation with implicit deny-all at the end

ACEs (Access Control Entries) are evaluated top-down, first match wins. The moment a packet matches an ACE the action is taken and evaluation stops. Every ACL ends with an implicit deny any — if no ACE matches, the packet is dropped. Always add a permit before the end if you want any traffic through.

Numbered vs Named
Numbered standard: 1–99, 1300–1999 — source IP only
Numbered extended: 100–199, 2000–2699 — src/dst IP, port, protocol
Named ACL: any name — individual ACEs can be removed with the "no" form of the entry
Numbered edit: must delete the entire ACL and re-enter it to edit
Sequence numbers: named ACLs can insert an ACE at a specific position (e.g. seq 15)
Placement Rules
Standard ACL: place as CLOSE to the destination as possible
Extended ACL: place as CLOSE to the source as possible
Inbound (in): applied before the routing decision — filters incoming traffic
Outbound (out): applied after the routing decision — filters exiting traffic
Max per interface: one ACL per interface, per direction, per protocol
Named Extended ACL with Operators
R1(config)# ip access-list extended CORP-FILTER
! Operators: eq (equal), neq (not equal), gt (greater than), lt (less than), range
R1(config-ext-nacl)# 10 permit tcp 10.1.0.0 0.0.0.255 any eq 443
R1(config-ext-nacl)# 20 permit tcp 10.1.0.0 0.0.0.255 any eq 80
R1(config-ext-nacl)# 30 deny tcp any any range 1 1023
R1(config-ext-nacl)# 40 permit ip any any
! Apply to interface
R1(config-if)# ip access-group CORP-FILTER in
! Edit a named ACL — insert an ACE at sequence 15
R1(config-ext-nacl)# 15 permit tcp 10.1.0.0 0.0.0.255 any eq 22
! Verify
R1# show ip access-lists CORP-FILTER
R1# show ip interface Gi0/0 | include access list
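The processing logic described above (top-down, first match wins, implicit deny) and the port operators from this block, worked through in code. This is an added example, not part of the course page and not IOS code: it parses ACE lines written the way the page writes them, sorts them by sequence number so that the inserted "15 permit ..." lands between 10 and 20, and evaluates constructed sample packets against the CORP-FILTER ACL. Simplifications: port values must be numeric (IOS also accepts names such as "eq www"), and only the destination-port operators shown on the page are modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example, not code from the page or from Cisco IOS: a small model of how
# a router walks an extended ACL. ACE syntax follows the page's own lines.

ALL_ONES = 0xFFFFFFFF


def wild_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, 1 = don't care."""
    care = ALL_ONES ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dst_port: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class ACE:
    seq: int
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    op: Optional[str] = None        # eq, neq, gt, lt, range
    ports: Tuple[int, ...] = ()

    def port_ok(self, port: Optional[int]) -> bool:
        if self.op is None:
            return True             # no port operator: any port, or no port at all
        if port is None:
            return False            # operator present but the packet has no L4 port
        lo = self.ports[0]
        return {"eq": port == lo, "neq": port != lo, "gt": port > lo,
                "lt": port < lo, "range": lo <= port <= self.ports[-1]}[self.op]

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == pkt.proto)
                and wild_match(pkt.src, self.src, self.src_wild)
                and wild_match(pkt.dst, self.dst, self.dst_wild)
                and self.port_ok(pkt.dst_port))


def _addr(tokens, i):
    """Consume one address spec: 'any' | 'host X' | 'NETWORK WILDCARD'."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_ace(line: str) -> ACE:
    t = line.split()
    seq, action, proto = int(t[0]), t[1], t[2]
    src, src_wild, i = _addr(t, 3)
    dst, dst_wild, i = _addr(t, i)
    op, ports = None, ()
    if i < len(t):                  # optional operator and its port(s)
        op, ports = t[i], tuple(int(p) for p in t[i + 1:])
    return ACE(seq, action, proto, src, src_wild, dst, dst_wild, op, ports)


class ACL:
    def __init__(self, name: str):
        self.name = name
        self.aces = {}              # seq -> ACE, ordered by seq at evaluation time

    def add(self, line: str) -> None:
        ace = parse_ace(line)
        self.aces[ace.seq] = ace    # "15 permit ..." lands between 10 and 20

    def evaluate(self, pkt: Packet):
        """Top-down, first match wins; no match at all means the implicit deny."""
        for seq in sorted(self.aces):
            if self.aces[seq].matches(pkt):
                return self.aces[seq].action, seq
        return "deny", None         # implicit deny any at the end of every ACL


# The CORP-FILTER ACL from the page, including the ACE later inserted at sequence 15.
CORP_FILTER_LINES = (
    "10 permit tcp 10.1.0.0 0.0.0.255 any eq 443",
    "20 permit tcp 10.1.0.0 0.0.0.255 any eq 80",
    "30 deny tcp any any range 1 1023",
    "40 permit ip any any",
    "15 permit tcp 10.1.0.0 0.0.0.255 any eq 22",
)


def build_corp_filter() -> ACL:
    acl = ACL("CORP-FILTER")
    for line in CORP_FILTER_LINES:
        acl.add(line)
    return acl


if __name__ == "__main__":
    acl = build_corp_filter()
    for pkt in (Packet("tcp", "10.1.0.5", "203.0.113.10", 22),   # constructed sample packets
                Packet("tcp", "10.2.0.5", "203.0.113.10", 22),
                Packet("udp", "10.2.0.5", "203.0.113.10", 53),
                Packet("icmp", "10.2.0.5", "203.0.113.10")):
        print(pkt, "->", acl.evaluate(pkt))
```

Two things the output makes visible that the config alone does not: SSH from 10.1.0.0/24 is permitted only because sequence 15 is evaluated before the range deny at 30, and the range deny never touches UDP or ICMP, so DNS and ping fall through to the permit at 40. An ACL built from deny entries alone returns ("deny", None) for everything else, which is the implicit deny in action.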
NAT Types Comparison
Static vs Dynamic vs PAT — when to use each

NAT translates private RFC 1918 addresses to routable public addresses. PAT (also called NAT overload) is most common in SOHO and enterprise edge — it maps thousands of inside hosts to a single public IP using unique port numbers.

Type | Mapping | Use Case | Public IPs Needed
Static NAT | 1 private → 1 public (fixed) | Servers that need consistent inbound access | One per host
Dynamic NAT | 1 private → 1 public (from pool) | Many hosts, limited public IPs (no overload) | Pool of addresses
PAT / Overload | Many private → 1 public (port-based) | Typical enterprise/home internet access | One address
PAT Configuration & Verification
! Define inside/outside interfaces
! LAN-facing interface:
R1(config-if)# ip nat inside
! WAN-facing interface:
R1(config-if)# ip nat outside
! Create an ACL for the inside hosts
R1(config)# ip access-list standard NAT-HOSTS
R1(config-std-nacl)# permit 192.168.0.0 0.0.255.255
! PAT overload to the exit interface IP
R1(config)# ip nat inside source list NAT-HOSTS interface Gi0/1 overload
! Verify translations
R1# show ip nat translations
R1# show ip nat statistics
R1# debug ip nat
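What the overload translation table actually does with the "unique port numbers" mentioned above, as an added example that is not part of the course page and not how IOS implements NAT. Two inside hosts permitted by the NAT-HOSTS range (192.168.0.0/16) open connections from the same source port; the table gives them distinct ports on the single inside-global address and maps return traffic back to the right host. The port-allocation policy (keep the host's own source port if it is free on the global address, otherwise the next free port from 1024 upward) and the sample addresses are assumptions made for the demo.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Added example; not code from the page and not IOS behaviour in detail.
# A toy PAT (NAT overload) table: many inside-local hosts share one
# inside-global address and are told apart by a unique source port.

Flow = Tuple[str, str, int, str, int]   # (proto, src_ip, src_port, dst_ip, dst_port)


@dataclass
class PatTable:
    inside_global: str              # the single public IP (the exit interface's address)
    inside_networks: tuple          # ip_network objects permitted by the NAT ACL
    next_port: int = 1024
    # (proto, inside_local_ip, inside_local_port) -> inside_global_port
    out_map: Dict[tuple, int] = field(default_factory=dict)
    # (proto, inside_global_port) -> (inside_local_ip, inside_local_port)
    in_map: Dict[tuple, tuple] = field(default_factory=dict)

    def _allocate_port(self, proto: str, wanted: int) -> int:
        """Assumed policy: reuse the host's port if free, else the next free one >= 1024."""
        if (proto, wanted) not in self.in_map:
            return wanted
        while (proto, self.next_port) in self.in_map:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def translate_outbound(self, proto, src_ip, src_port, dst_ip, dst_port) -> Optional[Flow]:
        """Inside -> outside: the source becomes inside-global IP plus a unique port."""
        if not any(ipaddress.ip_address(src_ip) in n for n in self.inside_networks):
            return None                 # not matched by the NAT ACL: no translation entry
        key = (proto, src_ip, src_port)
        if key not in self.out_map:     # first packet of the flow creates the entry
            gport = self._allocate_port(proto, src_port)
            self.out_map[key] = gport
            self.in_map[(proto, gport)] = (src_ip, src_port)
        return (proto, self.inside_global, self.out_map[key], dst_ip, dst_port)

    def translate_inbound(self, proto, src_ip, src_port, dst_ip, dst_port) -> Optional[Flow]:
        """Outside -> inside: only traffic matching existing state is mapped back."""
        if dst_ip != self.inside_global:
            return None
        entry = self.in_map.get((proto, dst_port))
        if entry is None:
            return None                 # unsolicited inbound packet: no state, dropped
        in_ip, in_port = entry
        return (proto, src_ip, src_port, in_ip, in_port)


def demo_table() -> PatTable:
    """The page's setup: 192.168.0.0/16 inside hosts behind one global address (constructed)."""
    return PatTable("209.165.200.5", (ipaddress.ip_network("192.168.0.0/16"),))


if __name__ == "__main__":
    t = demo_table()
    # Two inside hosts happen to pick the same source port for an HTTPS connection.
    print(t.translate_outbound("tcp", "192.168.1.10", 50000, "203.0.113.7", 443))
    print(t.translate_outbound("tcp", "192.168.1.20", 50000, "203.0.113.7", 443))
    # The server's replies are demultiplexed by the global port alone.
    print(t.translate_inbound("tcp", "203.0.113.7", 443, "209.165.200.5", 1024))
    # Nothing in the table for port 8080: an unsolicited inbound packet goes nowhere.
    print(t.translate_inbound("tcp", "203.0.113.7", 443, "209.165.200.5", 8080))
    print(t.translate_outbound("tcp", "10.9.9.9", 1234, "203.0.113.7", 80))   # outside the NAT ACL
```

This is the reason PAT needs only one public address and also why it blocks unsolicited inbound connections by default: without a table entry there is no inside host to deliver to, which is the case Static NAT exists to handle for servers.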
SSH Hardening & 802.1X
Secure management access and port-based authentication

SSH encrypts management traffic (Telnet is cleartext — always replace it). 802.1X enforces identity-based access control at the switch port level using EAP and a RADIUS server.

SSH Hardening (Full Checklist)
! 1. Set hostname and domain (required for crypto keys)
R1(config)# hostname R1
R1(config)# ip domain-name corp.local
! 2. Generate RSA keypair (min 2048 bits recommended)
R1(config)# crypto key generate rsa modulus 2048
! 3. Enable SSHv2 only
R1(config)# ip ssh version 2
R1(config)# ip ssh time-out 60
R1(config)# ip ssh authentication-retries 2
! 4. Restrict VTY lines to SSH only
R1(config)# line vty 0 15
R1(config-line)# transport input ssh
R1(config-line)# login local
R1(config)# username admin privilege 15 secret Str0ngP@ss
! 5. Disable Telnet globally
R1(config)# no service telnet
802.1X on Switch Port
SW1(config)# aaa new-model
SW1(config)# radius-server host 10.0.0.5 key RadSecret
SW1(config)# aaa authentication dot1x default group radius
SW1(config)# dot1x system-auth-control
SW1(config-if)# authentication port-control auto
SW1(config-if)# dot1x pae authenticator


Security Cheatsheet

Standard & Extended ACLs
! Numbered standard ACL (1–99)
R1(config)# access-list 10 permit 192.168.1.0 0.0.0.255
R1(config)# access-list 10 deny any
! Named extended ACL
R1(config)# ip access-list extended FILTER-WEB
R1(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq 80
R1(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq 443
R1(config-ext-nacl)# deny ip any any
! Apply to interface
R1(config)# interface Gi0/0/0
R1(config-if)# ip access-group 10 out
R1(config-if)# ip access-group FILTER-WEB in
! Verify
R1# show access-lists
R1# show ip interface Gi0/0/0
NAT / PAT Configuration
! Step 1 — Define inside/outside interfaces
R1(config)# interface Gi0/0/0
R1(config-if)# ip nat inside
R1(config)# interface Gi0/0/1
R1(config-if)# ip nat outside
! Step 2a — Static NAT (1-to-1)
R1(config)# ip nat inside source static 192.168.1.10 209.165.200.5
! Step 2b — PAT / Overload (many-to-one)
R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255
R1(config)# ip nat inside source list 1 interface Gi0/0/1 overload
! Verify
R1# show ip nat translations
R1# show ip nat statistics
Port Security
! Must be an access port first
S1(config)# interface Fa0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
! Set max MACs (default = 1)
S1(config-if)# switchport port-security maximum 3
! Allow sticky learning
S1(config-if)# switchport port-security mac-address sticky
! Violation action (options: protect | restrict | shutdown)
S1(config-if)# switchport port-security violation shutdown
! Recover an err-disabled port
S1(config-if)# shutdown
S1(config-if)# no shutdown
S1# show port-security interface Fa0/1
DHCP Snooping & DAI
! DHCP Snooping
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10,20
! Trust the uplink (toward the real DHCP server)
S1(config)# interface Gi0/1
S1(config-if)# ip dhcp snooping trust
! Untrusted is the default for all other ports — no command needed
! Dynamic ARP Inspection (DAI)
S1(config)# ip arp inspection vlan 10,20
! Trust the uplink for ARP too
S1(config)# interface Gi0/1
S1(config-if)# ip arp inspection trust
! Verify
S1# show ip dhcp snooping binding
S1# show ip arp inspection
Common Port Numbers for ACLs
Use these with extended ACL eq, lt, gt, range operators
Service | Port
FTP-data | 20
FTP | 21
SSH | 22
Telnet | 23
SMTP | 25
DNS | 53
DHCP server | 67
DHCP client | 68
HTTP | 80
NTP | 123
SNMP | 161
HTTPS | 443
SMB | 445
IMAP | 143
POP3 | 110
RDP | 3389
