Access Control Lists (ACLs)
Packet filters applied to router interfaces
ACLs are ordered lists of permit/deny statements. The router checks each statement top-down and acts on the first match. An implicit deny any is always at the end.
Implicit deny: If no ACE matches a packet, it is dropped. Always add a permit statement if you want some traffic through.
Standard ACL: Filters by source IP only (1–99, 1300–1999)
Extended ACL: Source + dest IP, protocol, port (100–199, 2000–2699)
Named ACL: Standard or extended, referenced by name
Placement rule: Standard → close to destination
Placement rule: Extended → close to source
Direction: in = entering interface, out = leaving
Wildcard Masks
Inverse of subnet mask — used in ACL rules and OSPF
A 0 bit = must match. A 1 bit = don't care (any value). Calculate as: 255.255.255.255 − subnet mask.
/24 mask 255.255.255.0 → wildcard 0.0.0.255
/28 mask 255.255.255.240 → wildcard 0.0.0.15
/30 mask 255.255.255.252 → wildcard 0.0.0.3
| Shorthand | Wildcard | Meaning |
|---|---|---|
| host 10.1.1.1 | 0.0.0.0 | Exact single host |
| any | 255.255.255.255 | Any IP address |
| 10.1.1.0 0.0.0.255 | 0.0.0.255 | Entire /24 subnet |
| 172.16.0.0 0.0.255.255 | 0.0.255.255 | Entire /16 range |
ACL Examples — Standard vs Extended
How ACL entries are structured and applied
Standard ACL — Permit only 192.168.10.0/24
| Seq | Action | Rule |
|---|---|---|
| 10 | permit | 192.168.10.0 0.0.0.255 |
| 20 | deny | any (implicit) |
R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255
R1(config)# interface Gi0/0/0
R1(config-if)# ip access-group 10 out
# Standard → apply close to DESTINATION
Extended ACL — Block Telnet from 10.x to any
| Seq | Action | Rule |
|---|---|---|
| 10 | deny | tcp 10.0.0.0 0.255.255.255 any eq 23 |
| 20 | permit | ip any any |
R1(config)# ip access-list extended BLOCK-TELNET
R1(config-ext-nacl)# deny tcp 10.0.0.0 0.255.255.255 any eq 23
R1(config-ext-nacl)# permit ip any any
R1(config)# interface Gi0/0/1
R1(config-if)# ip access-group BLOCK-TELNET in
# Extended → apply close to SOURCE
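The first-match rule, the implicit deny and the wildcard-mask arithmetic above, worked through in code. This is an added example, not material from the page; the two ACE lists at the bottom are constructed from the two ACLs shown above, and `ACE`, `evaluate` and `wildcard_match` are names chosen here.

```python
# Added example, not from the original page: wildcard-mask arithmetic and
# top-down first-match ACL evaluation with the implicit deny at the end.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

def wildcard_from_mask(mask: str) -> str:
    """Wildcard = 255.255.255.255 - subnet mask (e.g. /28 -> 0.0.0.15)."""
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(0xFFFFFFFF - m))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match; a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass
class ACE:
    action: str                       # "permit" or "deny"
    src: str = "0.0.0.0"              # default src/dst: "any"
    src_wc: str = "255.255.255.255"
    proto: str = "ip"                 # ip | tcp | udp | icmp
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dst_port: Optional[int] = None    # "eq <port>" when set

def evaluate(acl: List[ACE], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """Check ACEs top-down; the first match decides. No match: implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not wildcard_match(src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(dst, ace.dst, ace.dst_wc):
            continue
        if ace.dst_port is not None and ace.dst_port != dport:
            continue
        return ace.action
    return "deny"  # implicit "deny any" at the end of every ACL

# The two ACLs from this page, as constructed ACE lists.
STANDARD_10 = [ACE("permit", "192.168.10.0", "0.0.0.255")]   # access-list 10
BLOCK_TELNET = [                                              # named extended
    ACE("deny", "10.0.0.0", "0.255.255.255", proto="tcp", dst_port=23),
    ACE("permit"),                                            # permit ip any any
]
```

A packet that matches no ACE in `STANDARD_10` is dropped even though the list contains no explicit deny, which is the implicit-deny rule in action.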
NAT & PAT
Network Address Translation — private ↔ public IP mapping
NAT translates private IPs to public IPs. PAT (Port Address Translation / NAT Overload) maps many private IPs to a single public IP using unique port numbers.
Inside Local 192.168.1.10 → NAT ROUTER (translates address) → Inside Global 209.165.200.5
Inside Local: Private IP of internal host
Inside Global: Public IP seen by outside
Outside Local: Destination as seen from inside
Outside Global: Real IP of external host
Static NAT: 1-to-1 permanent mapping
Dynamic NAT: Pool of public IPs, first-come
PAT / Overload: Many-to-one using port numbers
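How PAT keeps many inside-local hosts apart behind one inside-global address, as an added example that is not part of the page. It assumes a simplified allocation rule (keep the original source port if free, otherwise take the next unused port); `PATTable` and its method names are chosen here, and the addresses are the ones used in the diagram above.

```python
# Added example, not from the page: a minimal PAT / NAT-overload table.
# Many inside-local addresses share one inside-global address; flows are
# told apart by the translated source port. Assumption: keep the original
# source port when it is free, otherwise allocate the next unused port.
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int]   # (ip address, port)

class PATTable:
    def __init__(self, inside_global: str, first_port: int = 1024):
        self.inside_global = inside_global
        self.next_port = first_port
        self.out: Dict[Flow, int] = {}    # (inside local ip, port) -> global port
        self.back: Dict[int, Flow] = {}   # global port -> (inside local ip, port)

    def translate_outbound(self, inside_local: str, sport: int) -> Flow:
        """Packet leaving the LAN: source becomes (inside global, global port)."""
        key = (inside_local, sport)
        if key not in self.out:
            gport = sport if sport not in self.back else self._alloc()
            self.out[key] = gport
            self.back[gport] = key
        return (self.inside_global, self.out[key])

    def translate_inbound(self, dport: int) -> Optional[Flow]:
        """Reply from outside: map the global port back to the inside host.
        None means no binding exists, so the unsolicited packet is dropped."""
        return self.back.get(dport)

    def _alloc(self) -> int:
        while self.next_port in self.back:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port
```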
Layer 2 Security Features
Port Security, DHCP Snooping, DAI, and 802.1X
Port Security
Limits which MAC addresses can connect to a switch port. Violation actions: protect, restrict, shutdown (default).
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security maximum 2
S1(config-if)# switchport port-security mac-address sticky
S1(config-if)# switchport port-security violation shutdown
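The three violation actions side by side, as an added illustration that is not from the page: a port with a MAC limit, sticky learning and one violation mode, fed frames one at a time. `SecurePort` and the MAC addresses are constructed for this example.

```python
# Added example (not from the page): what each port-security violation
# action does once more MACs than `maximum` appear on a port.
#   protect  -> frame silently dropped, port stays up
#   restrict -> frame dropped and a violation counter incremented (logged)
#   shutdown -> port goes err-disabled; operator clears with shut / no shut
from typing import Set

class SecurePort:
    def __init__(self, maximum: int = 1, violation: str = "shutdown"):
        assert violation in ("protect", "restrict", "shutdown")
        self.maximum = maximum
        self.violation = violation
        self.sticky: Set[str] = set()   # learned secure MACs
        self.violations = 0             # counter used by 'restrict'
        self.err_disabled = False

    def receive(self, src_mac: str) -> str:
        """Return what the switch does with a frame from src_mac."""
        if self.err_disabled:
            return "dropped: port err-disabled"
        if src_mac in self.sticky:
            return "forwarded"
        if len(self.sticky) < self.maximum:
            self.sticky.add(src_mac)    # sticky learning
            return "forwarded (learned)"
        if self.violation == "protect":
            return "dropped"
        if self.violation == "restrict":
            self.violations += 1
            return f"dropped (violation #{self.violations}, logged)"
        self.err_disabled = True        # 'shutdown' mode
        return "err-disabled"

    def recover(self) -> None:
        """'shutdown' then 'no shutdown' on the interface clears err-disable;
        sticky MACs learned earlier are kept."""
        self.err_disabled = False
```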
DHCP Snooping & DAI
DHCP Snooping: Blocks rogue DHCP servers. Ports are trusted or untrusted.
DAI (Dynamic ARP Inspection): Validates ARP packets using the DHCP Snooping binding table — prevents ARP spoofing.
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10
S1(config-if)# ip dhcp snooping trust
# uplink only
S1(config)# ip arp inspection vlan 10
S1(config-if)# ip arp inspection trust
# uplink only
Security Cheatsheet
Standard & Extended ACLs
# Numbered standard ACL (1–99)
R1(config)# access-list 10 permit 192.168.1.0 0.0.0.255
R1(config)# access-list 10 deny any
# Named extended ACL
R1(config)# ip access-list extended FILTER-WEB
R1(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq 80
R1(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq 443
R1(config-ext-nacl)# deny ip any any
# Apply to interface
R1(config)# interface Gi0/0/0
R1(config-if)# ip access-group 10 out
R1(config-if)# ip access-group FILTER-WEB in
# Verify
R1# show access-lists
R1# show ip interface Gi0/0/0
NAT / PAT Configuration
# Step 1 — Define inside/outside interfaces
R1(config)# interface Gi0/0/0
R1(config-if)# ip nat inside
R1(config)# interface Gi0/0/1
R1(config-if)# ip nat outside
# Step 2a — Static NAT (1-to-1)
R1(config)# ip nat inside source static 192.168.1.10 209.165.200.5
# Step 2b — PAT / Overload (many-to-one)
R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255
R1(config)# ip nat inside source list 1 interface Gi0/0/1 overload
# Verify
R1# show ip nat translations
R1# show ip nat statistics
Port Security
# Must be an access port first
S1(config)# interface Fa0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
# Set max MACs (default=1)
S1(config-if)# switchport port-security maximum 3
# Allow sticky learning
S1(config-if)# switchport port-security mac-address sticky
# Violation action
S1(config-if)# switchport port-security violation shutdown
# Options: protect | restrict | shutdown
# Recover err-disabled port
S1(config-if)# shutdown
S1(config-if)# no shutdown
S1# show port-security interface Fa0/1
DHCP Snooping & DAI
# DHCP Snooping
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10,20
# Trust the uplink (toward real DHCP server)
S1(config)# interface Gi0/1
S1(config-if)# ip dhcp snooping trust
# Untrusted ports are default — no command needed
# Dynamic ARP Inspection (DAI)
S1(config)# ip arp inspection vlan 10,20
# Trust uplink for ARP too
S1(config)# interface Gi0/1
S1(config-if)# ip arp inspection trust
# Verify
S1# show ip dhcp snooping binding
S1# show ip arp inspection
Common Port Numbers for ACLs
Use these with the extended ACL eq, lt, gt and range operators.

| Service | Port |
|---|---|
| FTP-data | 20 |
| FTP | 21 |
| SSH | 22 |
| Telnet | 23 |
| SMTP | 25 |
| DNS | 53 |
| DHCP server | 67 |
| DHCP client | 68 |
| HTTP | 80 |
| POP3 | 110 |
| NTP | 123 |
| IMAP | 143 |
| SNMP | 161 |
| HTTPS | 443 |
| SMB | 445 |
| RDP | 3389 |