CCNA Lab 5: ACLs on Layer 2 Switches

ACLs (Access Control Lists) on switches come in three varieties, each serving a different purpose.

Types of ACLs on Switches

ACL Type            Applied To               Filters
Port ACL (PACL)     Layer 2 interface        Ingress traffic on a port
VLAN ACL (VACL)     VLAN                     All traffic entering the VLAN
Router ACL (RACL)   SVI / routed interface   Inter-VLAN traffic

Port ACLs - Restrict a Specific Port

Port ACLs apply to traffic entering a switch port. They are attached to Layer 2 interfaces in the inbound direction and can be either IP ACLs (matching on IP addresses and ports) or MAC ACLs (matching on MAC addresses and Ethertype).

Standard IP Port ACL

ip access-list standard BLOCK_10
 deny   10.0.0.0 0.255.255.255
 permit any
 
interface GigabitEthernet0/1
 ip access-group BLOCK_10 in

MAC ACL (Layer 2 Only)

Block a specific MAC address from accessing the network. IOS writes MAC addresses in dotted-hex form, and on many Catalyst platforms a MAC port ACL matches only non-IP frames; IP traffic on the same port is filtered by the IP port ACL, so a MAC ACL alone does not keep an IP host off the network:

mac access-list extended BLOCK_MAC
 deny any host 0011.2233.4455
 permit any any
 
interface GigabitEthernet0/2
 mac access-group BLOCK_MAC in

Extended IP Port ACL

Block a specific host on a port from reaching specific services:

ip access-list extended RESTRICT_HOST
 deny tcp host 10.0.10.50 any eq 22
 deny tcp host 10.0.10.50 any eq 443
 permit ip any any
 
interface GigabitEthernet0/3
 ip access-group RESTRICT_HOST in

VLAN ACLs (VACLs) - Filter Within a VLAN

VACLs filter all traffic entering a VLAN regardless of which port it arrives on, so one VLAN access-map covers every access port in the VLAN.

ip access-list extended BLOCK_P2P
 permit tcp any any range 6881 6889
 permit tcp any range 6881 6889 any
 
vlan access-map BLOCK_P2P 10
 match ip address BLOCK_P2P
 action drop
 
vlan access-map BLOCK_P2P 20
 action forward
 
vlan filter BLOCK_P2P vlan-list 10,20

Inside a VLAN access-map the ACL is a classifier, not a filter: packets the ACL permits match the sequence and receive its action (drop here), while packets the ACL denies, including by its implicit deny, fall through to the next sequence. Writing the classifier as deny entries followed by permit ip any any inverts the policy and drops everything except BitTorrent. Sequence 20 has no match clause, so it matches all remaining traffic and forwards it; without it, IP packets that match no sequence are dropped. This blocks BitTorrent traffic (TCP 6881-6889 as source or destination port) on VLANs 10 and 20.

Router ACLs - Inter-VLAN Security

Apply ACLs to SVIs (Switch Virtual Interfaces) to control traffic between VLANs. Applied inbound on interface Vlan10, the list below filters packets from VLAN 10 hosts as they are routed toward other VLANs. Note that its permit entry is much wider than the remark suggests: it allows any 10.x.x.x host to reach any other 10.x.x.x host, so in a real deployment narrow it to the management and server subnets involved.

ip access-list extended INTER_VLAN
 remark Allow management to servers
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 remark Deny everything else
 deny ip any any
 
interface Vlan10
 ip access-group INTER_VLAN in

Common ACL Mistakes

Mistake 1: Implicit Deny

Every IP ACL ends with an implicit deny ip any any. If you intend to allow other traffic but leave out a permit ip any any at the end, everything that is not explicitly permitted is dropped.

! This blocks everything except HTTP and HTTPS
ip access-list extended WEB_ONLY
 permit tcp any any eq 80
 permit tcp any any eq 443
! Everything else is DENIED

Mistake 2: Wrong Direction

Apply ACLs in the correct direction:

  • Inbound - filters traffic arriving at the interface, before it is switched or routed
  • Outbound - filters traffic leaving the interface

Port ACLs on Layer 2 interfaces are applied inbound. On an SVI, an outbound ACL filters what is routed into that VLAN, not what its hosts send.

Mistake 3: Sequence Order

ACLs are processed top to bottom and the first matching entry wins, so put specific rules before general ones. IOS does not accept a comment after a command, so the explanations below sit on their own ! lines:

! Correct: the specific permit is evaluated before the general deny
ip access-list extended CORRECT
 permit tcp host 10.0.0.1 host 10.0.0.2 eq 22
 deny tcp any any eq 22
 
! Wrong: the general deny matches first, so the permit for 10.0.0.1 is never reached
ip access-list extended WRONG
 deny tcp any any eq 22
 permit tcp host 10.0.0.1 host 10.0.0.2 eq 22

Both lists also end with the implicit deny, so traffic other than SSH is dropped as well unless a permit ip any any is added after the SSH entries.

Mistake 4: PACL Order of Operations

On a switch port, these features apply in order:

  1. PACL
  2. VACL
  3. Router ACL (if routed)

A packet must pass every ACL that applies to it. If a PACL denies a packet and the VACL would forward it, the packet is still dropped; likewise a VACL drop is final even if the router ACL would permit the packet.
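The three mistakes above (implicit deny, first-match ordering, and the PACL-then-VACL-then-RACL chain) and the VACL classifier semantics from the VLAN ACL section are easiest to see by running them. The following Python model is an added example for this lab, not Cisco code: it implements first-match evaluation with wildcard masks, the implicit deny, VLAN access-map matching (an entry matches when its ACL permits the packet), and the ingress chain, over the ACLs from this page plus a constructed P2P_INVERTED list that shows what happens when a VACL classifier is written deny-first. The parser understands only the extended-ACE subset used on this page (ip/tcp/udp, any/host/wildcard, eq/range on the destination port); function names, the Packet type and the sample packets are all assumptions of the example.

```python
# Model of IOS-style ACL evaluation on a Layer 2 switch: first match wins,
# implicit deny, VLAN access-map matching, and the PACL -> VACL -> RACL chain.
# Added example for this lab, not Cisco code; it understands only the
# extended-ACE subset used on this page (ip/tcp/udp, any/host/wildcard,
# eq/range on the destination port).
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"   # "ip", "tcp" or "udp"
    dport: int = 0


def _match_addr(spec: str, wildcard: str | None, addr: str) -> bool:
    # 'any' matches all; 'host X' is X with wildcard 0.0.0.0; a 1 bit in the
    # wildcard mask means that address bit is ignored.
    if spec == "any":
        return True
    a, n = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(spec))
    w = int(ipaddress.IPv4Address(wildcard)) if wildcard else 0
    return (a | w) == (n | w)


def parse_ace(line: str) -> dict:
    # '<permit|deny> <ip|tcp|udp> <src> <dst> [eq P | range A B]'
    tok, pos = line.split(), 2

    def take_addr() -> tuple[str, str | None]:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "any", None
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1], None
        pos += 2
        return tok[pos - 2], tok[pos - 1]    # network, wildcard mask

    src, dst = take_addr(), take_addr()
    ports = None
    if pos < len(tok) and tok[pos] == "eq":
        ports = (int(tok[pos + 1]), int(tok[pos + 1]))
    elif pos < len(tok) and tok[pos] == "range":
        ports = (int(tok[pos + 1]), int(tok[pos + 2]))
    return {"action": tok[0], "proto": tok[1], "src": src, "dst": dst, "dport": ports}


def evaluate(acl: list[str], pkt: Packet) -> str:
    # Top to bottom, first match decides; falling off the end is the implicit deny.
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
            continue
        if not (_match_addr(*ace["src"], pkt.src) and _match_addr(*ace["dst"], pkt.dst)):
            continue
        if ace["dport"] and not ace["dport"][0] <= pkt.dport <= ace["dport"][1]:
            continue
        return ace["action"]
    return "deny"


def vlan_map(entries: list[tuple[str | None, str]], acls: dict, pkt: Packet) -> str:
    # An access-map entry matches when its ACL PERMITS the packet; a deny (or
    # the implicit deny) means 'try the next entry'. An entry with no match
    # clause matches everything; if nothing matches, the packet is dropped.
    for acl_name, action in entries:
        if acl_name is None or evaluate(acls[acl_name], pkt) == "permit":
            return action
    return "drop"


def port_ingress(pkt: Packet, acls: dict, pacl: str | None = None,
                 vacl: list | None = None, racl: str | None = None) -> str:
    # Ingress order on a switch port: PACL, then VACL, then router ACL. A
    # later permit cannot rescue an earlier drop.
    if pacl and evaluate(acls[pacl], pkt) == "deny":
        return "dropped by PACL"
    if vacl and vlan_map(vacl, acls, pkt) == "drop":
        return "dropped by VACL"
    if racl and evaluate(acls[racl], pkt) == "deny":
        return "dropped by RACL"
    return "forwarded"


# ACLs from the lab, plus the BitTorrent classifier written both ways:
# P2P_MATCH permits what the VACL should drop (correct); P2P_INVERTED denies
# it, which makes the drop entry match everything else instead (constructed).
ACLS = {
    "CORRECT": ["permit tcp host 10.0.0.1 host 10.0.0.2 eq 22", "deny tcp any any eq 22"],
    "WRONG": ["deny tcp any any eq 22", "permit tcp host 10.0.0.1 host 10.0.0.2 eq 22"],
    "RESTRICT_HOST": ["deny tcp host 10.0.10.50 any eq 22",
                      "deny tcp host 10.0.10.50 any eq 443", "permit ip any any"],
    "P2P_MATCH": ["permit tcp any any range 6881 6889"],
    "P2P_INVERTED": ["deny tcp any any range 6881 6889", "permit ip any any"],
}
VACL_OK = [("P2P_MATCH", "drop"), (None, "forward")]          # seq 10, seq 20
VACL_INVERTED = [("P2P_INVERTED", "drop"), (None, "forward")]
TORRENT = Packet("10.0.10.7", "198.51.100.9", "tcp", 6884)   # constructed sample packets
WEB = Packet("10.0.10.7", "198.51.100.9", "tcp", 443)
```

Evaluating the admin's SSH packet against CORRECT returns permit and against WRONG returns deny; any non-SSH packet returns deny from both because neither list ends with a permit. VACL_OK drops TORRENT and forwards WEB, while VACL_INVERTED does the opposite. Feeding TORRENT through port_ingress with RESTRICT_HOST as the PACL and VACL_OK as the VLAN map reports "dropped by VACL" even though the PACL permitted it.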

Verification

show access-lists
show ip access-lists
show mac access-lists
show vlan access-map
show vlan filter
show running-config | section access-list

Count hits:

show access-lists BLOCK_P2P
Extended IP access list BLOCK_P2P
    10 permit tcp any any range 6881 6889 (15 matches)
    20 permit tcp any range 6881 6889 any (3 matches)

Whether these counters increment for hardware-forwarded traffic depends on the platform; on many Catalyst switches only software-processed or logged packets are counted, so a zero count does not by itself prove an entry is never matched.

Best Practices

  • Explicit deny - Add deny ip any any log at the end of every ACL so denied traffic is logged (the implicit deny logs nothing); the log keyword sends matching packets to the CPU, and support for it on port ACLs and VLAN maps varies by platform
  • Hit counts - Monitor hit counts to confirm ACLs are effective and to spot entries that never match and may be misordered
  • Naming convention - Use descriptive names like BLOCK_RDP_WAN or ALLOW_MGMT_ONLY
  • Comments - Use remark to document each entry's purpose
  • TFTP backup - ACLs are part of the config; include them in backups
  • Sequence numbers - Use named ip access-list extended mode (rather than legacy numbered access-list) so entries carry sequence numbers and can be inserted or deleted individually