Szerkesztő:LinguisticMystic/ru/безопасность/8
🔒 08.0. Module 08: Access Control Lists (ACLs) Introduction
Access Control Lists (ACLs) are a fundamental security feature used in Cisco networks to control and filter network traffic. ACLs help enforce security policies by defining which packets are permitted or denied based on various criteria such as IP address, protocol, or port number.
🌟 1. Why Use Access Control Lists (ACLs)?
- Traffic Filtering – Controls which packets can enter or leave a network.
- Security – Blocks unauthorized access to critical resources.
- Performance Optimization – Reduces unnecessary traffic on network links.
- DoS Attack Mitigation – Prevents malicious traffic from overwhelming a network.
- Traffic Prioritization – Controls bandwidth usage for different applications.
🔑 2. How ACLs Work
ACLs consist of rules that determine whether to permit or deny packets based on specific criteria.
Each ACL has an implicit deny at the end, meaning that if a packet does not match any rule, it is automatically denied.
✅ Basic ACL Operation:
- Incoming (Inbound) ACLs: Applied before packets enter an interface.
- Outgoing (Outbound) ACLs: Applied before packets exit an interface.
📌 3. Types of ACLs
| ACL Type | Description |
|---|---|
| Standard ACLs (1-99, 1300-1999) | Filters traffic based only on the source IP address. |
| Extended ACLs (100-199, 2000-2699) | Filters traffic based on source & destination IP, protocol, and port numbers. |
| Numbered ACLs | Uses a specific ACL number to define rules. |
| Named ACLs | Uses a custom name instead of a number, making management easier. |
| IPv6 ACLs | Similar to IPv4 ACLs but designed for IPv6 traffic filtering. |
🛠️ 4. Basic ACL Configuration
✅ Example: Standard ACL (Blocking a Host)
!
access-list 10 deny 192.168.1.100
access-list 10 permit any
!
interface GigabitEthernet0/0
ip access-group 10 in
!
🔹 Blocks traffic from 192.168.1.100 while allowing all others.
✅ Example: Extended ACL (Blocking SSH Traffic)
!
access-list 101 deny tcp any any eq 22
access-list 101 permit ip any any
!
interface GigabitEthernet0/0
ip access-group 101 in
!
🔹 Blocks all SSH traffic (TCP port 22) while allowing everything else.
🔍 5. ACLs in Action
✅ Common Use Cases for ACLs:
- Block Unauthorized Users: Prevent access from untrusted IPs.
- Restrict Remote Management: Allow SSH only from trusted sources.
- Filter Web Traffic: Permit or deny HTTP/HTTPS traffic.
- Prevent DoS Attacks: Limit excessive traffic to sensitive devices.
✅ 6. Best Practices for ACL Implementation
- Apply ACLs Close to the Source (for Extended ACLs) – Reduces unnecessary network load.
- Apply ACLs Close to the Destination (for Standard ACLs) – Prevents blocking too much traffic.
- Use Specific Rules Before General Rules – Avoid unintentional blocking of legitimate traffic.
- Always End with a Permit Rule (if needed) – To allow remaining required traffic.
- Test ACLs Before Deployment – Use “show access-lists” to verify rules.
🔒 08.1. Introduction to Access Control Lists (ACLs)
Access Control Lists (ACLs) are a fundamental security feature in Cisco networks used to filter network traffic and enforce security policies. ACLs allow administrators to permit or deny packets based on defined criteria such as IP address, protocol, or port numbers.
🌟 1. Why Are ACLs Important?
✅ Security: Blocks unauthorized access to sensitive devices and services.
✅ Traffic Control: Limits network congestion by filtering unnecessary traffic.
✅ Access Restriction: Allows only trusted users or devices to access specific resources.
✅ DoS Attack Prevention: Protects against attacks by controlling traffic flow.
✅ Policy Enforcement: Implements corporate security rules at the network level.
🔑 2. How Do ACLs Work?
ACLs contain rules that match packets based on criteria such as:
- Source IP address
- Destination IP address
- Protocol (TCP, UDP, ICMP, etc.)
- Port numbers (HTTP-80, SSH-22, etc.)
✅ Key ACL Characteristics:
- Inbound ACLs: Applied before a packet enters an interface.
- Outbound ACLs: Applied before a packet exits an interface.
- Implicit Deny Rule: Any packet that does not match any ACL rule is automatically denied.
📌 3. Types of ACLs
| ACL Type | Description |
|---|---|
| Standard ACLs | Filters traffic based only on source IP. |
| Extended ACLs | Filters traffic based on source & destination IP, protocol, and port. |
| Numbered ACLs | Uses a number (1-99 for Standard, 100-199 for Extended). |
| Named ACLs | Uses a custom name instead of a number, making it easier to manage. |
| IPv6 ACLs | Similar to IPv4 ACLs but designed for IPv6 traffic filtering. |
🛠️ 4. Example ACL Configurations
✅ Standard ACL: Blocking a Specific Host
!
access-list 10 deny 192.168.1.100
access-list 10 permit any
!
interface GigabitEthernet0/0
ip access-group 10 in
!
🔹 Blocks traffic from 192.168.1.100 but allows all others.
✅ Extended ACL: Blocking SSH Traffic
!
access-list 101 deny tcp any any eq 22
access-list 101 permit ip any any
!
interface GigabitEthernet0/0
ip access-group 101 in
!
🔹 Blocks all SSH traffic (TCP port 22) while allowing all other traffic.
🔍 5. Where Are ACLs Applied?
ACLs are applied to interfaces on routers and firewalls to filter traffic in both directions:
- Inbound ACLs: Applied before packets enter an interface.
- Outbound ACLs: Applied before packets leave an interface.
✅ 6. Best Practices for ACL Implementation
✔ Standard ACLs: Apply close to the destination to avoid blocking too much traffic.
✔ Extended ACLs: Apply close to the source to stop unwanted traffic early.
✔ Use Specific Rules First: Prevent unintended traffic filtering.
✔ Test ACLs Before Deployment: Use show access-lists to verify rules.
✔ Remember Implicit Deny: If no rules match, traffic is automatically denied.
🔍 08.2. Wildcard Masking in Access Control Lists (ACLs)
Wildcard masking is a crucial component of Access Control Lists (ACLs) on Cisco devices. It determines how IP addresses are matched in an ACL rule, allowing for flexible and efficient filtering of network traffic.
🌟 1. What is a Wildcard Mask?
A wildcard mask is used in ACLs to specify a range of IP addresses instead of a single address.
- It is the inverse of a subnet mask.
- A 0 bit means the corresponding bit in the IP address must match exactly.
- A 1 bit means the corresponding bit in the IP address can be anything.
Example:
For the subnet 192.168.1.0/24:
- Subnet Mask: 255.255.255.0
- Wildcard Mask: 0.0.0.255
This wildcard mask allows traffic from 192.168.1.0 to 192.168.1.255.
🔑 2. How Wildcard Masks Work
Each bit of the wildcard mask determines how the router interprets the corresponding bit of the IP address (the mask is compared bit by bit, not octet by octet):
- 0 = Match Exactly
- 1 = Ignore the Bit (Wildcard)
✅ Example 1: Matching a Specific IP
access-list 10 permit 192.168.1.100 0.0.0.0
🔹 Allows traffic only from 192.168.1.100 (Wildcard Mask: 0.0.0.0 means “match exactly”).
✅ Example 2: Matching an Entire Subnet
access-list 20 permit 192.168.1.0 0.0.0.255
🔹 Allows traffic from 192.168.1.0 to 192.168.1.255 (Wildcard Mask: 0.0.0.255).
✅ Example 3: Matching a Range of IPs
To allow only even-numbered hosts from 192.168.1.0 to 192.168.1.254:
access-list 30 permit 192.168.1.0 0.0.0.254
🔹 Matches every even-numbered host (0, 2, 4, …, 254).
📌 3. Common Wildcard Masks and Their Uses
| Wildcard Mask | Matches |
|---|---|
| 0.0.0.0 | A single specific IP address |
| 0.0.0.255 | A full /24 subnet (256 addresses) |
| 0.0.3.255 | A /22 subnet (1024 addresses) |
| 0.0.15.255 | A /20 subnet (4096 addresses) |
🛠️ 4. Calculating Wildcard Masks
Formula:
Wildcard Mask = 255.255.255.255 - Subnet Mask
Example:
For Subnet Mask: 255.255.255.240 (/28)
Wildcard Mask = 255.255.255.255 - 255.255.255.240 = 0.0.0.15
🔹 This matches 16 IPs in a subnet.
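As an added example (my own code, not from the original page), the wildcard arithmetic of sections 2 and 4 in Python, done bitwise the way a router evaluates it, plus a check for whether a wildcard is contiguous (expressible as a /N prefix), which the even-hosts mask 0.0.0.254 is not. All function names are my own.

```python
# Added example, not from the original page: wildcard-mask arithmetic done the
# way a router does it (bitwise), plus a contiguity check.  Function names are mine.
import ipaddress


def to_int(dotted: str) -> int:
    """Dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_mask(subnet_mask: str) -> str:
    """Wildcard Mask = 255.255.255.255 - Subnet Mask, i.e. the bitwise inverse."""
    return to_dotted(0xFFFFFFFF ^ to_int(subnet_mask))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard for a /N prefix: /28 -> 0.0.0.15, /22 -> 0.0.3.255."""
    return to_dotted((1 << (32 - prefix_len)) - 1)


def wildcard_matches(ip: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match the base exactly; a 1 bit is ignored."""
    care = 0xFFFFFFFF ^ to_int(wildcard)          # the bits the router compares
    return (to_int(ip) & care) == (to_int(base) & care)


def address_count(wildcard: str) -> int:
    """How many addresses an entry with this wildcard matches: 2 ** (number of 1 bits)."""
    return 1 << bin(to_int(wildcard)).count("1")


def is_contiguous(wildcard: str) -> bool:
    """True when the 1 bits form one run at the low end, i.e. the wildcard is the
    inverse of a real subnet mask.  0.0.0.254 (the even-hosts trick) is accepted
    by IOS but is not contiguous, so no /N prefix describes the same set."""
    w = to_int(wildcard)
    return (w & (w + 1)) == 0


def matched_hosts(base: str, wildcard: str) -> list:
    """Enumerate the matched addresses within the base's last octet (small wildcards)."""
    start = to_int(base) & 0xFFFFFF00
    return [to_dotted(a) for a in range(start, start + 256)
            if wildcard_matches(to_dotted(a), base, wildcard)]
```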
🔍 5. Verification and Testing Wildcard Masks
To check applied ACLs:
show access-lists
To test an ACL:
debug ip packet detail
✅ 6. Best Practices for Using Wildcard Masks in ACLs
✔ Use the narrowest wildcard mask that covers the intended addresses, so an entry never matches more than it should.
✔ Apply standard ACLs close to the destination to prevent blocking too much traffic.
✔ Apply extended ACLs close to the source to stop unwanted traffic early.
✔ Double-check wildcard masks to avoid unintended matches.
🔧 08.3. Configure ACLs (Access Control Lists)
Access Control Lists (ACLs) are used in Cisco routers and switches to filter network traffic and enforce security policies. Properly configuring ACLs ensures that only authorized traffic is allowed while blocking unauthorized access.
🌟 1. Steps to Configure an ACL
To configure an ACL on a Cisco router or switch:
1️⃣ Define the ACL rules (permit/deny traffic based on IP, protocol, or port).
2️⃣ Apply the ACL to an interface (inbound or outbound).
3️⃣ Verify ACL operation (test traffic flow and log results).
🔑 2. Types of ACLs
| ACL Type | Description | Example Usage |
|---|---|---|
| Standard ACL (1-99, 1300-1999) | Filters based only on source IP. | Block traffic from a specific host. |
| Extended ACL (100-199, 2000-2699) | Filters traffic based on source & destination IP, protocol, and port numbers. | Block SSH, HTTP, or specific subnets. |
| Named ACL | Uses a custom name instead of a number. | Easier to manage, supports additional features. |
| IPv6 ACL | Filters IPv6 traffic instead of IPv4. | Secure IPv6 networks. |
🛠️ 3. Standard ACL Configuration
A Standard ACL filters traffic based only on the source IP address.
✅ Example: Blocking a Single IP (192.168.1.100)
!
access-list 10 deny 192.168.1.100
access-list 10 permit any
!
interface GigabitEthernet0/0
ip access-group 10 in
!
🔹 This ACL denies all traffic from 192.168.1.100 but allows everything else.
🛠️ 4. Extended ACL Configuration
An Extended ACL filters traffic based on source and destination IP, protocol, and ports.
✅ Example: Blocking SSH (Port 22) and HTTP (Port 80) Traffic
!
access-list 101 deny tcp any any eq 22
access-list 101 deny tcp any any eq 80
access-list 101 permit ip any any
!
interface GigabitEthernet0/0
ip access-group 101 in
!
🔹 This ACL blocks SSH and HTTP traffic but allows everything else.
🛠️ 5. Named ACL Configuration
Named ACLs are more user-friendly and easier to manage.
✅ Example: Named ACL to Block a Specific Subnet
!
ip access-list extended BLOCK_SUBNET
deny ip 192.168.10.0 0.0.0.255 any
permit ip any any
!
interface GigabitEthernet0/1
ip access-group BLOCK_SUBNET out
!
🔹 Blocks all traffic from 192.168.10.0/24 while allowing other traffic.
🔍 6. Verifying and Monitoring ACLs
✅ Check Active ACLs
show access-lists
✅ Check ACLs Applied to an Interface
show running-config | include access-group
✅ Debug Traffic Matching an ACL
debug ip packet detail
✅ 7. Best Practices for Configuring ACLs
✔ Use Standard ACLs close to the destination to avoid over-blocking.
✔ Use Extended ACLs close to the source to prevent unnecessary traffic.
✔ Apply ACLs in the correct direction (inbound or outbound).
✔ Always include a final “permit” rule if needed (implicit deny blocks unmatched traffic).
✔ Use descriptive names in Named ACLs for easier troubleshooting.
✔ Test ACLs before deployment to avoid misconfigurations.
🚀 Final Thoughts
ACLs are a powerful tool for controlling network traffic and securing infrastructure. Configuring Standard, Extended, and Named ACLs properly ensures that your network remains efficient and protected.
🔧 08.4. Modify ACLs (Access Control Lists)
Once an Access Control List (ACL) is created and applied to an interface, modifying it can be challenging, especially with numbered ACLs. Understanding how to efficiently edit, remove, and update ACL rules is crucial for maintaining network security and traffic control.
🌟 1. Why Modify ACLs?
✅ Adjust network policies – Allow or deny new IPs, services, or ports.
✅ Refine security – Strengthen or weaken ACL rules as needed.
✅ Fix misconfigurations – Correct mistakes without removing the entire ACL.
✅ Optimize performance – Remove unnecessary rules that slow down processing.
🔑 2. Methods for Modifying ACLs
| Method | Best For | Modification Type |
|---|---|---|
| Editing Numbered ACLs | Standard or Extended ACLs (1-99, 100-199) | Requires deleting and re-creating the ACL. |
| Editing Named ACLs | Named ACLs (easier to modify) | Allows direct modifications without deletion. |
🛠️ 3. Modifying Numbered ACLs (Requires Re-Creation)
✅ Example: Removing an ACL from an Interface
Before modifying a numbered ACL, remove it from the interface:
interface GigabitEthernet0/0
no ip access-group 101 in
✅ Example: Deleting a Numbered ACL
You cannot modify a numbered ACL line-by-line; you must remove and recreate it:
no access-list 101
✅ Example: Recreating an ACL with Modifications
!
access-list 101 deny tcp any any eq 22
access-list 101 deny tcp any any eq 80
access-list 101 permit ip any any
!
interface GigabitEthernet0/0
ip access-group 101 in
!
🔹 Key Considerations:
- Numbered ACLs must be removed before making changes.
- Be careful when deleting ACLs – traffic filtering will stop until the new ACL is applied.
🛠️ 4. Modifying Named ACLs (Direct Editing Possible)
✅ Example: Adding a New Rule to a Named ACL
ip access-list extended BLOCK_TRAFFIC
deny tcp any any eq 23
permit ip any any
🔹 This enters the existing named ACL and adds a rule to block Telnet (TCP 23). An entry typed without a sequence number is appended at the end of the list, so if the ACL already ends with permit ip any any the new deny is never reached; give it a lower sequence number (see the reordering example below) so it is evaluated before the permit.
✅ Example: Removing a Rule from a Named ACL
ip access-list extended BLOCK_TRAFFIC
no deny tcp any any eq 23
🔹 This removes the rule blocking Telnet traffic without affecting other ACL rules.
✅ Example: Reordering Rules in a Named ACL
ip access-list extended BLOCK_TRAFFIC
10 deny tcp any any eq 23
20 permit ip any any
🔹 Typing the sequence number in front of an entry places it at that position, which allows easy rule reordering and insertion between existing entries (IOS takes the number directly; there is no sequence keyword in front of an entry). When the gaps between numbers run out, ip access-list resequence BLOCK_TRAFFIC 10 10 renumbers the entries in steps of 10.
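The two pitfalls above (an appended deny shadowed by an earlier permit, and the implicit deny at the end) as an added Python model of how IOS walks a named extended ACL. This is my own code, not from the page; it handles ip/tcp/udp entries written as any, host A or A WILDCARD with an optional eq PORT, and assumes IOS's default of appending at the highest sequence plus 10.

```python
# Added example, not from the original page: a model of how IOS evaluates a named
# extended ACL (top-down, first match wins, implicit deny), used to show why an
# entry appended after "permit ip any any" never fires.  Handles ip/tcp/udp entries
# with any | host A | A WILDCARD and "eq PORT"; appends at highest seq + 10 as IOS does.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


def _wc_match(ip: str, base: str, wildcard: str) -> bool:
    """0 bits of the wildcard must match exactly, 1 bits are ignored."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass
class Entry:
    seq: int = field(compare=False)   # position only; "no <entry>" matches on the rest
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "tcp" or "udp"
    src: tuple                        # (base, wildcard)
    dst: tuple
    dport: Optional[int]              # destination port from "eq N", else None


def _parse_addr(tokens: list) -> tuple:
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))


def parse_entry(line: str, default_seq: int) -> Entry:
    """Parse '10 deny tcp any any eq 23' or 'permit ip 192.168.10.0 0.0.0.255 any'."""
    tokens = line.split()
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else default_seq
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _parse_addr(tokens), _parse_addr(tokens)
    dport = int(tokens[1]) if tokens[:1] == ["eq"] else None
    return Entry(seq, action, proto, src, dst, dport)


class NamedAcl:
    """Entries kept sorted by sequence number, as 'show access-lists' prints them."""

    def __init__(self) -> None:
        self.entries: list = []

    def add(self, line: str) -> None:
        # No explicit sequence: IOS appends at highest + 10, i.e. AFTER an
        # existing "permit ip any any", where a deny is shadowed.
        new = parse_entry(line, max((e.seq for e in self.entries), default=0) + 10)
        others = [e for e in self.entries if e.seq != new.seq]
        self.entries = sorted(others + [new], key=lambda e: e.seq)

    def remove(self, line: str) -> None:
        """'no <entry>' removes the entry with those fields, whatever its sequence."""
        target = parse_entry(line, 0)
        self.entries = [e for e in self.entries if e != target]

    def evaluate(self, src: str, dst: str, proto: str, dport: Optional[int] = None) -> str:
        """Top-down, first match wins; no match falls through to the implicit deny."""
        for e in self.entries:
            if e.proto not in ("ip", proto):
                continue
            if not (_wc_match(src, *e.src) and _wc_match(dst, *e.dst)):
                continue
            if e.dport is not None and e.dport != dport:
                continue
            return e.action
        return "deny"   # implicit deny any any


def telnet_pitfall() -> tuple:
    """Append 'deny tcp any any eq 23' behind a permit-all, then re-add it as seq 5."""
    acl = NamedAcl()
    acl.add("permit ip any any")          # becomes seq 10
    acl.add("deny tcp any any eq 23")     # becomes seq 20: shadowed, never reached
    appended = acl.evaluate("10.1.1.1", "10.2.2.2", "tcp", 23)
    acl.remove("deny tcp any any eq 23")
    acl.add("5 deny tcp any any eq 23")   # explicit sequence puts it first
    sequenced = acl.evaluate("10.1.1.1", "10.2.2.2", "tcp", 23)
    return appended, sequenced            # ("permit", "deny")
```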
🔍 5. Verifying ACL Modifications
✅ Check Applied ACLs
show access-lists
✅ Check ACLs on an Interface
show running-config | include access-group
✅ Monitor ACL Activity
debug ip packet detail
✅ 6. Best Practices for Modifying ACLs
✔ Use Named ACLs for easier editing – no need to delete and re-create.
✔ Remove ACLs from interfaces before modifying them to prevent errors.
✔ Always verify ACL changes before applying them to production.
✔ Use sequence numbers to keep ACL rules organized and manageable.
✔ Back up ACL configurations before making major modifications.
🚀 Final Thoughts
Modifying ACLs is a critical skill for network administrators. While numbered ACLs require recreation, named ACLs allow direct editing, making them easier to manage.
🔧 08.5. Implement ACLs (Access Control Lists)
Once an Access Control List (ACL) is configured, the next step is to implement it correctly on a Cisco router or switch. Proper implementation ensures that ACLs effectively filter traffic without causing unintended disruptions.
🌟 1. Steps to Implement ACLs
1️⃣ Create an ACL – Define rules to permit or deny traffic.
2️⃣ Apply the ACL to an interface – Specify inbound or outbound direction.
3️⃣ Verify ACL operation – Test traffic flow and monitor logs.
🔑 2. Where to Apply ACLs?
✅ Standard ACLs – Apply near the destination to avoid over-filtering.
✅ Extended ACLs – Apply near the source to block unwanted traffic early.
✅ Inbound ACLs – Applied to packets entering an interface.
✅ Outbound ACLs – Applied to packets leaving an interface.
🛠️ 3. Implementing a Standard ACL
📌 Example: Block traffic from 192.168.1.100
!
access-list 10 deny 192.168.1.100
access-list 10 permit any
!
interface GigabitEthernet0/0
ip access-group 10 in
!
🔹 Blocks all incoming traffic from 192.168.1.100 on interface G0/0.
🛠️ 4. Implementing an Extended ACL
📌 Example: Block SSH (Port 22) and HTTP (Port 80)
!
access-list 101 deny tcp any any eq 22
access-list 101 deny tcp any any eq 80
access-list 101 permit ip any any
!
interface GigabitEthernet0/1
ip access-group 101 in
!
🔹 Blocks SSH & HTTP traffic while allowing everything else.
🛠️ 5. Implementing a Named ACL
Named ACLs allow easier modification compared to numbered ACLs.
📌 Example: Blocking a Subnet
!
ip access-list extended BLOCK_SUBNET
deny ip 192.168.10.0 0.0.0.255 any
permit ip any any
!
interface GigabitEthernet0/2
ip access-group BLOCK_SUBNET out
!
🔹 Blocks all outbound traffic from 192.168.10.0/24.
🔍 6. Verifying ACL Implementation
✅ Check Active ACLs
show access-lists
✅ Check ACLs Applied to Interfaces
show ip interface GigabitEthernet0/0
✅ Monitor ACL Matches
debug ip packet detail
✅ 7. Best Practices for Implementing ACLs
✔ Use Standard ACLs near the destination to avoid over-filtering.
✔ Use Extended ACLs near the source to stop unwanted traffic early.
✔ Apply ACLs in the correct direction (inbound or outbound).
✔ Test ACLs before deploying them in production.
✔ Log ACL activity to monitor unauthorized traffic attempts.
🚀 Final Thoughts
Properly implementing ACLs is crucial for security and network efficiency. Ensuring that ACLs are placed correctly, tested, and logged prevents unwanted disruptions.
🔒 08.6. Mitigate Attacks with ACLs (Access Control Lists)
Access Control Lists (ACLs) are a crucial security feature that helps mitigate network attacks by controlling traffic flow. Properly implemented ACLs block malicious traffic, prevent unauthorized access, and reduce attack surfaces.
🌟 1. How ACLs Help Mitigate Attacks
✅ Block Unauthorized Access – Restrict access to trusted hosts and networks.
✅ Prevent DoS (Denial of Service) Attacks – Limit excessive requests to critical services.
✅ Mitigate Spoofing Attacks – Drop packets with fake source IPs.
✅ Restrict Unwanted Traffic – Prevent access to sensitive areas of the network.
✅ Enhance Logging and Monitoring – Identify malicious behavior.
🔑 2. Types of Attacks Mitigated by ACLs
| Attack Type | How ACLs Help |
|---|---|
| IP Spoofing | Denies packets with invalid source IPs. |
| DoS/DDoS Attacks | Blocks excessive traffic from suspicious sources. |
| Brute-Force Attacks | Limits repeated failed login attempts. |
| Unwanted Remote Access | Blocks unauthorized SSH, Telnet, or RDP access. |
| Malware Communication | Prevents infected devices from reaching command servers. |
🛠️ 3. Configuring ACLs to Mitigate Attacks
✅ 1. Block Unauthorized Telnet & SSH Access
📌 Example: Allow SSH Only from Trusted IP (192.168.1.50)
!
access-list 110 permit tcp host 192.168.1.50 any eq 22
access-list 110 deny tcp any any eq 22
access-list 110 deny tcp any any eq 23
access-list 110 permit ip any any
!
interface GigabitEthernet0/0
ip access-group 110 in
!
🔹 Only 192.168.1.50 can SSH; all other SSH and Telnet access is blocked.
✅ 2. Block DoS/DDoS Attacks Using Rate-Limiting
📌 Example: Limit ICMP Requests (Prevent Ping Flood)
!
access-list 120 permit icmp any any echo-reply
access-list 120 deny icmp any any echo log
access-list 120 permit ip any any
!
interface GigabitEthernet0/1
ip access-group 120 in
!
🔹 Allows ping replies in but denies (and logs) every inbound ICMP echo request; an ACL on its own cannot rate-limit, so this entry drops all pings rather than only excessive ones.
✅ 3. Block Spoofed Private IPs from the Internet
📌 Example: Deny Traffic from Private IPs on the Public Interface
!
access-list 130 deny ip 10.0.0.0 0.255.255.255 any
access-list 130 deny ip 172.16.0.0 0.15.255.255 any
access-list 130 deny ip 192.168.0.0 0.0.255.255 any
access-list 130 permit ip any any
!
interface GigabitEthernet0/2
ip access-group 130 in
!
🔹 Blocks private IPs (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) from entering via the WAN.
✅ 4. Block Malicious Traffic by Port (Botnets, Malware, and Trojans)
📌 Example: Deny Access to Common Malware-Control Ports
!
access-list 140 deny tcp any any eq 6667
access-list 140 deny tcp any any eq 445
access-list 140 deny udp any any eq 69
access-list 140 permit ip any any
!
interface GigabitEthernet0/3
ip access-group 140 in
!
🔹 Blocks IRC (6667), SMB (445), and TFTP (69), commonly used in malware attacks.
🔍 4. Verifying and Monitoring ACLs for Attack Prevention
✅ Check Active ACLs
show access-lists
✅ Check ACL Hits (Matching Traffic)
show ip access-lists
✅ Monitor Traffic Flow
debug ip packet detail
✅ Log Denied Packets
access-list 150 deny ip any any log
🔹 Records denied packets for security analysis.
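As an added example of the security analysis the log keyword enables (my own code, not from the page), a parser for the syslog messages IOS emits for logged ACL matches, %SEC-6-IPACCESSLOGP for TCP/UDP and %SEC-6-IPACCESSLOGDP for ICMP, with two summaries a defender would want: denied packets per source and the set of ports each source was denied on. The log lines are constructed for this example with documentation addresses, and the function names are my own.

```python
# Added example, not from the original page: parse the syslog messages that the
# "log" keyword generates (%SEC-6-IPACCESSLOGP for TCP/UDP, %SEC-6-IPACCESSLOGDP
# for ICMP) and summarise denied packets per source.  Names are mine; the log
# lines below are constructed for this example using documentation addresses.
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
*Mar  1 00:12:34.567: %SEC-6-IPACCESSLOGP: list 110 denied tcp 203.0.113.5(40212) -> 192.0.2.10(22), 1 packet
*Mar  1 00:12:40.101: %SEC-6-IPACCESSLOGP: list 110 denied tcp 203.0.113.5(40213) -> 192.0.2.10(22), 1 packet
*Mar  1 00:12:41.220: %SEC-6-IPACCESSLOGP: list 110 denied tcp 203.0.113.5(40214) -> 192.0.2.10(23), 1 packet
*Mar  1 00:13:02.004: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 198.51.100.7 -> 192.0.2.10 (8/0), 250 packets
*Mar  1 00:13:05.912: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 192.168.1.50(51000) -> 192.0.2.10(22), 1 packet
*Mar  1 00:13:06.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# TCP/UDP entries carry source and destination ports in parentheses.
PORT_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<verdict>denied|permitted) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
# ICMP entries carry (type/code) instead of ports.
ICMP_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<verdict>denied|permitted) icmp "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) \((?P<type>\d+)/(?P<code>\d+)\), "
    r"(?P<count>\d+) packets?"
)


def parse_line(line: str):
    """Return a dict for an ACL log line, or None for unrelated syslog lines."""
    m = PORT_RE.search(line)
    if m:
        return {"acl": m["acl"], "verdict": m["verdict"], "proto": m["proto"],
                "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
                "count": int(m["count"])}
    m = ICMP_RE.search(line)
    if m:
        return {"acl": m["acl"], "verdict": m["verdict"], "proto": "icmp",
                "src": m["src"], "dst": m["dst"], "dport": None,
                "icmp_type": int(m["type"]), "count": int(m["count"])}
    return None


def parse_log(text: str) -> list:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def denied_by_source(events: list) -> Counter:
    """Denied packets per source.  IOS logs the first matching packet at once and
    later lines summarise an interval, so the 'count' field must be summed."""
    c = Counter()
    for ev in events:
        if ev["verdict"] == "denied":
            c[ev["src"]] += ev["count"]
    return c


def ports_probed(events: list) -> dict:
    """Distinct destination ports each source was denied on; several ports from one
    source in a short window is the shape of a scan worth a closer look."""
    ports = defaultdict(set)
    for ev in events:
        if ev["verdict"] == "denied" and ev["dport"] is not None:
            ports[ev["src"]].add(ev["dport"])
    return {src: sorted(p) for src, p in ports.items()}
```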
✅ 5. Best Practices for Using ACLs to Mitigate Attacks
✔ Block all untrusted traffic by default (only allow necessary traffic).
✔ Use logging (log keyword) to monitor suspicious activities.
✔ Apply ACLs at the correct location (inbound for external threats, outbound for internal control).
✔ Update ACLs regularly based on new security threats.
✔ Use rate-limiting for protocols like ICMP, SSH, and HTTP to prevent DoS attacks.
🚀 Final Thoughts
ACLs are powerful tools for mitigating cyber threats. By blocking malicious IPs, restricting remote access, and filtering dangerous traffic, ACLs play a crucial role in network security.
🔒 08.7. IPv6 ACLs (Access Control Lists for IPv6)
IPv6 Access Control Lists (IPv6 ACLs) function similarly to IPv4 ACLs but are specifically designed to filter IPv6 traffic. These ACLs help enforce security policies, control traffic flow, and protect against threats in IPv6 networks.
🌟 1. Why Use IPv6 ACLs?
✅ Traffic Filtering: Control IPv6 packet flow based on source, destination, protocol, or port.
✅ Security Enforcement: Restrict unauthorized access to devices and services.
✅ Mitigation of IPv6 Threats: Prevent ICMPv6 attacks, RA spoofing, and IPv6-based DoS attacks.
✅ Supports Next-Generation Networks: Essential for networks adopting IPv6-based addressing.
🔑 2. Differences Between IPv4 and IPv6 ACLs
| Feature | IPv4 ACLs | IPv6 ACLs |
|---|---|---|
| Addressing | Uses 32-bit IPv4 addresses | Uses 128-bit IPv6 addresses |
| Implicit Rules | Implicit deny all at the end | Implicit deny all at the end |
| Named ACLs | Supports numbered and named ACLs | Only supports named ACLs |
| Wildcard Masks | Uses wildcard masks (0.0.0.255) | Uses prefix notation (/64, /48) |
| Neighbor Discovery (ND) | Not required | Must explicitly allow ND traffic |
| Supported Protocols | TCP, UDP, ICMP | TCP, UDP, ICMPv6, ND, RIPng |
🔹 IPv6 ACLs only support named ACLs—numbered ACLs are not available.
🛠️ 3. Configuring an IPv6 ACL
✅ Step 1: Create the IPv6 ACL
ipv6 access-list BLOCK_TELNET
deny tcp any any eq 23
permit ipv6 any any
🔹 This ACL blocks Telnet (port 23) but allows all other IPv6 traffic.
✅ Step 2: Apply the ACL to an Interface
interface GigabitEthernet0/0
ipv6 traffic-filter BLOCK_TELNET in
🔹 This applies the ACL to filter inbound IPv6 traffic.
🛠️ 4. Common IPv6 ACL Examples
✅ Blocking ICMPv6 (Preventing Ping Requests)
ipv6 access-list BLOCK_ICMP
deny icmp any any echo-request
permit ipv6 any any
!
interface GigabitEthernet0/1
ipv6 traffic-filter BLOCK_ICMP in
🔹 Blocks incoming ICMPv6 echo requests (ping).
✅ Allowing Only a Specific IPv6 Subnet
ipv6 access-list ALLOW_LOCAL
permit icmp any any nd-ns
permit icmp any any nd-na
permit ipv6 2001:DB8:1::/64 any
deny ipv6 any any
!
interface GigabitEthernet0/2
ipv6 traffic-filter ALLOW_LOCAL in
🔹 Only allows traffic from 2001:DB8:1::/64; blocks everything else. The two ND entries are needed because the explicit deny ipv6 any any is evaluated before the implicit ND permits and would otherwise break neighbor resolution on the link.
✅ Blocking IPv6 Telnet, SSH, and HTTP Traffic
ipv6 access-list BLOCK_SERVICES
remark Telnet
deny tcp any any eq 23
remark SSH
deny tcp any any eq 22
remark HTTP
deny tcp any any eq 80
permit ipv6 any any
!
interface GigabitEthernet0/3
ipv6 traffic-filter BLOCK_SERVICES in
🔹 Blocks Telnet, SSH, and HTTP while allowing all other traffic (remark lines are how IOS annotates entries; inline # comments are not accepted).
✅ Allowing Only Specific IPv6 Hosts
ipv6 access-list ALLOW_ADMIN
permit icmp any any nd-ns
permit icmp any any nd-na
permit ipv6 host 2001:DB8::100 any
permit ipv6 host 2001:DB8::200 any
deny ipv6 any any
!
interface GigabitEthernet0/4
ipv6 traffic-filter ALLOW_ADMIN in
🔹 Only 2001:DB8::100 and 2001:DB8::200 can access this interface; the ND entries keep neighbor discovery working despite the explicit deny ipv6 any any.
🔍 5. Verifying and Monitoring IPv6 ACLs
✅ View Configured IPv6 ACLs
show ipv6 access-list
✅ Check ACLs Applied to an Interface
show ipv6 interface GigabitEthernet0/0
✅ Monitor IPv6 Traffic Matching ACLs
debug ipv6 packet
✅ 6. Best Practices for IPv6 ACLs
✔ Always Allow Neighbor Discovery (ND): IPv6 relies on ND for communication.
✔ Use Named ACLs for Clarity: Helps with readability and easier modifications.
✔ Apply Extended ACLs Close to the Source: Stops unwanted traffic early.
✔ Test ACLs Before Deployment: Avoid accidental disruptions.
✔ Log Denied Packets for Troubleshooting: Use log keyword for monitoring.
🚀 Final Thoughts
IPv6 ACLs enhance security in IPv6 networks by controlling traffic flow, blocking threats, and enforcing access policies.
🔒 08.8. Access Control Lists (ACLs) Summary
Access Control Lists (ACLs) are a crucial security feature in Cisco networks, used to control traffic flow, enforce security policies, and mitigate threats. ACLs help filter traffic based on IP addresses, protocols, and ports, ensuring only authorized communications occur within the network.
🌟 1. Why Are ACLs Important?
✅ Traffic Filtering: Allows or blocks specific packets based on defined rules.
✅ Network Security: Prevents unauthorized access and mitigates attacks.
✅ Performance Optimization: Reduces congestion by filtering unnecessary traffic.
✅ Policy Enforcement: Ensures only approved protocols, users, and devices communicate.
✅ DDoS & Spoofing Protection: Blocks malicious IP addresses and suspicious traffic patterns.
🔑 2. Types of ACLs
| ACL Type | Description | Example Usage |
|---|---|---|
| Standard ACLs | Filters traffic based only on source IP. | Block access from a specific host. |
| Extended ACLs | Filters based on source & destination IP, protocol, and ports. | Block Telnet, SSH, HTTP, or entire subnets. |
| Named ACLs | Uses a custom name instead of a number for easy management. | Easier modifications & better documentation. |
| Time-Based ACLs | Allows or denies traffic based on time schedules. | Limit access during business hours. |
| Reflexive ACLs | Dynamically filters return traffic for stateful security. | Secure outbound and inbound connections. |
| IPv6 ACLs | Filters IPv6 traffic instead of IPv4. | Protect IPv6-enabled networks. |
🛠️ 3. Key ACL Commands & Configurations
✅ Standard ACL Example: Blocking a Specific Host
!
access-list 10 deny 192.168.1.100
access-list 10 permit any
!
interface GigabitEthernet0/0
ip access-group 10 in
!
🔹 Blocks all traffic from 192.168.1.100 but allows everything else.
✅ Extended ACL Example: Blocking SSH & HTTP Traffic
!
access-list 101 deny tcp any any eq 22
access-list 101 deny tcp any any eq 80
access-list 101 permit ip any any
!
interface GigabitEthernet0/1
ip access-group 101 in
!
🔹 Blocks SSH and HTTP while allowing other traffic.
✅ IPv6 ACL Example: Allowing a Specific IPv6 Subnet
!
ipv6 access-list ALLOW_SUBNET
permit icmp any any nd-ns
permit icmp any any nd-na
permit ipv6 2001:DB8:1::/64 any
deny ipv6 any any
!
interface GigabitEthernet0/2
ipv6 traffic-filter ALLOW_SUBNET in
!
🔹 Only 2001:DB8:1::/64 traffic is allowed; all others are blocked. The two ND entries keep neighbor discovery working, since the explicit deny ipv6 any any would otherwise drop it.
🔍 4. Verifying and Monitoring ACLs
✅ Check Active ACLs
show access-lists
✅ Check ACLs Applied to an Interface
show ip interface GigabitEthernet0/0
✅ Monitor ACL Activity
debug ip packet detail
✅ 5. Best Practices for ACL Implementation
✔ Apply Standard ACLs near the Destination – Prevents over-filtering traffic.
✔ Apply Extended ACLs near the Source – Stops unwanted traffic as early as possible.
✔ Use Named ACLs for Better Management – Easier modification and readability.
✔ Remember Implicit Deny Rule – Any traffic not explicitly allowed is denied.
✔ Test ACLs Before Deployment – Avoid unintended network disruptions.
✔ Log Denied Traffic for Troubleshooting – Use log keyword to track blocked packets.
🚀 Final Thoughts
ACLs are a powerful tool for controlling network access, enhancing security, and improving traffic efficiency. Proper ACL deployment ensures safe, optimized, and policy-compliant network communication.