That's a comprehensive list! Cisco ACLs are a cornerstone of network security, and they've evolved significantly. Let's break down each type.

At their core, all ACLs are ordered lists of `permit` or `deny` statements that filter traffic. Entries are evaluated top-down, the first match wins, and there is an implicit `deny any` (`deny ip any any` in extended ACLs) at the end of every ACL, so an ACL containing only deny statements blocks all traffic. Two practical consequences: a more specific entry placed after a broader entry that already matches is never reached (it is "shadowed"), and on IOS an `ip access-group` that references an ACL with no entries, or one that does not exist yet, permits everything, so create and populate the ACL before you apply it.
**Foundational ACL Types (IPv4):**

These are the building blocks:

- **Standard ACLs**
  - **Description:** The simplest type. They filter traffic based only on the source IP address.
  - **Syntax:**
    - Numbered: `access-list <1-99 | 1300-1999> {permit | deny} source_ip [wildcard_mask]`
    - Named: `ip access-list standard <ACL_NAME>`, then `{permit | deny} source_ip [wildcard_mask]`
  - **Wildcard Mask:** Used to specify a range of IP addresses. A `0` bit means "this bit must match" and a `1` bit means "don't care about this bit". It is the bitwise inverse of the subnet mask, not the subnet mask itself, and it need not be contiguous (e.g., `10.1.0.0 0.0.254.255` matches only the even-numbered /24s of that /16), which is powerful but easy to misread in review.
    - `0.0.0.0` for a single host (e.g., `192.168.1.1 0.0.0.0` or `host 192.168.1.1`)
    - `0.0.0.255` for a /24 subnet (e.g., `192.168.1.0 0.0.0.255`)
    - `255.255.255.255` for `any`
  - **Placement Best Practice:** Apply as close to the destination as possible. Because a standard ACL cannot see the destination, applying it near the source would also block that source's legitimate traffic to every other part of the network.
  - **Use Case:** Broad filtering, e.g., "Only allow this specific subnet into the server farm," or restricting management access with `access-class` on the VTY lines.
- **Extended ACLs**
  - **Description:** Much more granular and powerful. They filter traffic based on:
    - Source IP address
    - Destination IP address
    - Protocol (e.g., `ip`, `tcp`, `udp`, `icmp`, `gre`, `ospf`, `eigrp`, or a raw IP protocol number)
    - Source port number (for TCP/UDP, using operators such as `eq` (equals), `gt` (greater than), `lt` (less than), `neq`, and `range`)
    - Destination port number (for TCP/UDP); ICMP entries can match a message type instead (e.g., `echo`, `echo-reply`)
    - TCP flags: the `established` keyword matches any TCP segment with the ACK or RST bit set. It is useful for permitting return traffic inbound, but it is not stateful. An attacker can send a segment with ACK set and pass the entry, so `established` only stops unsolicited connection attempts (SYN-only segments), not arbitrary packets.
  - **Syntax:**
    - Numbered: `access-list <100-199 | 2000-2699> {permit | deny} protocol source_ip [wildcard] [source_port] destination_ip [wildcard] [destination_port] [established] [log]`
    - Named: `ip access-list extended <ACL_NAME>`, then `{permit | deny} protocol source_ip [wildcard] [source_port] destination_ip [wildcard] [destination_port] [established] [log]`
  - **Placement Best Practice:** Apply as close to the source of the traffic you want to filter as possible, so unwanted traffic is dropped before it consumes bandwidth and device resources across the network.
  - **Use Cases:** Specific filtering, e.g., "Allow only HTTP/HTTPS traffic from the internal LAN to the web server," "Block Telnet from external networks."
  - **Caveat:** `log` (and `log-input`, which also records the ingress interface and source MAC) punts matching packets to the CPU. Use it on selective entries and rate-limit it (`ip access-list log-update threshold`, `ip access-list logging interval`), not on a high-volume final `deny ip any any`, or the logging itself becomes a DoS vector.
- **Named ACLs**
  - **Description:** Not a separate filtering capability, but a more user-friendly way to configure Standard and Extended ACLs using names instead of numbers.
  - **Benefits:**
    - Readability: Easier to understand the purpose of an ACL (e.g., `WEB_SERVER_ACCESS` vs. `101`).
    - Editing: Individual access control entries (ACEs) can be inserted or deleted by sequence number (`15 permit ...`, `no 15`) without deleting and re-creating the entire ACL, and renumbered with `ip access-list resequence <ACL_NAME> <start> <step>`. By contrast, removing a numbered ACL with `no access-list 101` while it is still applied to an interface leaves that interface referencing a nonexistent ACL, which permits all traffic until the ACL is recreated.
  - **Syntax:**
    - `ip access-list standard <ACL_NAME>`
    - `ip access-list extended <ACL_NAME>`
  - **Usage:** All modern Cisco configurations should prefer named ACLs.
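The following is an added example, not code from the page or from Cisco: a small Python model of how IOS evaluates the standard and extended ACLs described above. It implements wildcard-mask matching, top-down first-match evaluation with the implicit deny, and the `established` keyword exactly as IOS applies it (ACK or RST bit set, no session state), and includes a helper that flags shadowed entries. The ACL contents, host names and addresses (RFC 5737 documentation ranges) are constructed for the demonstration; only `eq` port matching is modelled.

```python
"""IOS-style IPv4 ACL evaluator (added example, not Cisco code).

Reproduces wildcard-mask matching, first-match-wins ordering, the implicit
deny at the end, and the `established` keyword, which IOS implements as
"ACK or RST bit set", not as connection state.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # `any`: wildcard of all ones


def host(ip: str) -> Tuple[str, str]:
    """`host A.B.C.D`: wildcard of all zeros, every bit must match."""
    return (ip, "0.0.0.0")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: 0 bits in the mask must equal `base`, 1 bits are ignored."""
    a = int(IPv4Address(addr))
    b = int(IPv4Address(base))
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == b & care


@dataclass
class ACE:
    action: str                         # "permit" or "deny"
    protocol: str = "ip"                # "ip" matches every IP protocol
    src: Tuple[str, str] = ANY          # (address, wildcard)
    dst: Tuple[str, str] = ANY          # standard ACLs leave this as ANY
    dst_port: Optional[int] = None      # `eq <port>`; other operators omitted
    established: bool = False


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "tcp"
    dst_port: Optional[int] = None
    flags: frozenset = frozenset()      # TCP flags, e.g. frozenset({"SYN"})


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False
    if not wildcard_match(pkt.src, *ace.src) or not wildcard_match(pkt.dst, *ace.dst):
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
        return False
    # `established` only inspects the ACK/RST bits; there is no session table
    if ace.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl, pkt: Packet):
    """Top-down, first match wins. Returns (action, index), or ("deny", None) for the implicit deny."""
    for index, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, index
    return "deny", None


def shadowed_entries(acl, samples):
    """Indices of ACEs that would match some sample packet but are never reached,
    because an earlier entry matched first."""
    reached = {evaluate(acl, p)[1] for p in samples}
    return [i for i in range(len(acl))
            if i not in reached and any(ace_matches(acl[i], p) for p in samples)]


# Constructed inbound ACL for an internet-facing interface:
#   permit tcp any host 203.0.113.10 eq 443
#   permit tcp any 10.0.0.0 0.255.255.255 established
#   deny   tcp any any eq 23            (explicit so Telnet attempts can be logged)
INBOUND = [
    ACE("permit", "tcp", ANY, host("203.0.113.10"), dst_port=443),
    ACE("permit", "tcp", ANY, ("10.0.0.0", "0.255.255.255"), established=True),
    ACE("deny", "tcp", ANY, ANY, dst_port=23),
]

# Constructed standard ACL with a shadowed entry: the host permit is unreachable.
#   deny   10.1.1.0 0.0.0.255
#   permit host 10.1.1.1
SHADOWED = [
    ACE("deny", src=("10.1.1.0", "0.0.0.255")),
    ACE("permit", src=host("10.1.1.1")),
]

if __name__ == "__main__":
    web = Packet("198.51.100.7", "203.0.113.10", dst_port=443, flags=frozenset({"SYN"}))
    spoofed_ack = Packet("198.51.100.7", "10.2.3.4", dst_port=51000, flags=frozenset({"ACK"}))
    print(evaluate(INBOUND, web))          # ('permit', 0)
    print(evaluate(INBOUND, spoofed_ack))  # ('permit', 1): established is not stateful
    print(evaluate(SHADOWED, Packet("10.1.1.1", "10.9.9.9")))  # ('deny', 0)
    print(shadowed_entries(SHADOWED, [Packet("10.1.1.1", "10.9.9.9")]))  # [1]
```

The `spoofed_ack` case is the point of the `established` caveat: a single crafted segment with ACK set reaches the internal network through the second entry even though no session exists. `shadowed_entries` is the kind of check worth running on a real ACL export before a change window, since IOS accepts shadowed entries silently.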
**Advanced IPv4 ACL Types:**

These build upon the foundational types for more dynamic or specific scenarios:

- **Dynamic ACLs (Lock-and-Key Security)**
  - **Description:** A feature that lets a user gain temporary access through the router by first authenticating to it (classically via Telnet, with `autocommand access-enable` on the line) before the main traffic is permitted.
  - **How it Works:**
    - The user attempts to reach a protected resource. The interface ACL denies this but permits Telnet (or SSH) to the router itself so the user can authenticate.
    - The user connects to the router and authenticates (local username/password, TACACS+, or RADIUS).
    - On success, `access-enable` activates the pre-configured `dynamic` ACE in the extended ACL, inserting a temporary `permit` entry that typically allows the user's source IP to reach the specified resources for a limited time (absolute and idle timeouts).
    - After the timeout or session termination, the dynamic entry is removed.
  - **Use Cases:** Temporary, authenticated access for remote users or administrators to sensitive internal resources without a full VPN tunnel.
  - **Security Note:** Exposing Telnet (cleartext credentials) or SSH to the internet for the initial authentication has its own risks, and lock-and-key is rarely deployed today; a VPN or an identity-aware proxy is the modern equivalent. If you do use it, restrict the authentication entry to known source ranges and layer it with other controls.
- **Reflexive ACLs**
  - **Description:** A type of extended ACL that permits outbound traffic and then dynamically creates temporary inbound `permit` entries for the return traffic of those specific sessions. It tracks sessions at Layer 4 (source/destination addresses and ports), like a stateful firewall but far less sophisticated: it does not follow TCP state transitions or inspect application protocols.
  - **How it Works:**
    - An outbound extended ACL contains an entry such as `permit tcp any any reflect <NAME>` (one entry per protocol you want tracked, e.g., another for `udp`).
    - When a client initiates an outbound connection (e.g., sends a SYN), the router creates a temporary entry in the reflexive list `<NAME>` with source and destination addresses and ports swapped, describing the expected return traffic.
    - Return traffic (SYN-ACK, subsequent data) matches that temporary entry via the inbound ACL's `evaluate <NAME>` statement and is permitted.
    - Once the session ends (FIN/RST for TCP) or the entry sits idle longer than the timeout (`ip reflexive-list timeout`, default 300 seconds), the temporary entry is removed.
  - **Benefits:** More secure than `established` because only return traffic of sessions actually initiated from inside is permitted, and each entry is an exact address/port tuple rather than "anything with ACK set."
  - **Limitations:** Protocols that open secondary channels (active FTP, SIP/RTP) are not handled, since only the original session is mirrored; the entries consume router memory on a busy perimeter; and there is no application inspection. Where these matter, use Zone-Based Firewall (ZBF) or a dedicated firewall instead.
  - **Use Cases:** Allowing inbound traffic only when it belongs to an established outbound session, without a full stateful firewall. Often used on perimeter routers.
  - **Syntax:** Involves two ACLs, one outbound (with `reflect`) and one inbound (with `evaluate`), both applied to the same outside interface:

    ```
    ! Outbound ACL: mirror every outbound TCP session into the reflexive list
    ip access-list extended OUTBOUND_FILTER
     permit tcp any any reflect WEB_REFLEXIVE
    !
    ! Inbound ACL: permit only mirrored return traffic, log everything else
    ip access-list extended INBOUND_FILTER
     evaluate WEB_REFLEXIVE
     deny ip any any log
    !
    ! Apply both to the outside interface
    interface GigabitEthernet0/0
     ip access-group OUTBOUND_FILTER out
     ip access-group INBOUND_FILTER in
    ```
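To make the `reflect`/`evaluate` behaviour concrete, here is an added Python model of a reflexive ACL; it is an illustration written for this page, not Cisco's implementation. It assumes an outbound ACL with `permit tcp any any reflect NAME` and `permit udp any any reflect NAME` (everything else hits the implicit deny) and an inbound ACL of `evaluate NAME` followed by `deny ip any any`. Entry removal on FIN/RST is simplified to "immediately"; IOS waits a few seconds. Addresses and ports are constructed for the example.

```python
"""Reflexive-ACL behaviour modelled in Python (added example, not Cisco code).

Outbound TCP/UDP packets create a mirrored temporary entry; inbound traffic is
permitted only if it matches one of those entries (the `evaluate` step) and is
otherwise denied. Entries go away on FIN/RST or after the idle timeout.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# (protocol, source, source port, destination, destination port)
Key = Tuple[str, str, int, str, int]


@dataclass
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags only


class ReflexiveACL:
    def __init__(self, timeout_s: float = 300.0):   # ip reflexive-list timeout default
        self.timeout_s = timeout_s
        self.entries: Dict[Key, float] = {}         # mirrored tuple -> last-seen time

    def outbound(self, pkt: Pkt, now: float) -> str:
        """Outbound ACL: `permit tcp|udp any any reflect NAME`, implicit deny otherwise."""
        if pkt.proto not in ("tcp", "udp"):
            return "deny"
        mirrored: Key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[mirrored] = now                # create/refresh the return entry
        return "permit"

    def inbound(self, pkt: Pkt, now: float) -> str:
        """Inbound ACL: `evaluate NAME` then `deny ip any any`."""
        self._expire(now)
        key: Key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.entries:
            return "deny"                           # unsolicited, even if ACK is set
        if pkt.proto == "tcp" and pkt.flags & {"FIN", "RST"}:
            del self.entries[key]                   # session teardown removes the entry
        else:
            self.entries[key] = now                 # refresh idle timer
        return "permit"

    def active_sessions(self) -> int:
        return len(self.entries)

    def _expire(self, now: float) -> None:
        stale = [k for k, seen in self.entries.items() if now - seen > self.timeout_s]
        for k in stale:
            del self.entries[k]
```

Compare this with the `established` keyword: the unsolicited inbound segment with ACK set that `established` would let through is denied here because no mirrored entry exists for it, and once the inside host sends FIN the return path closes.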
**Specialized and Context-Aware ACLs:**

- **Timed ACLs**
  - **Description:** ACLs whose entries are active only during specific times of day or days of the week.
  - **How it Works:** You define a `time-range` (with `periodic` recurring windows or `absolute` start/end times) and attach it to an ACE in a standard or extended ACL with the `time-range` keyword. An ACE whose time-range is inactive is skipped, so evaluation falls through to the next entry (or the implicit deny). The device clock must be correct, so configure NTP, and read the `periodic` syntax carefully: `periodic weekdays 09:00 to 17:00` is an eight-hour window repeated each weekday, whereas `periodic Monday 09:00 to Friday 17:00` is one continuous window that also covers the weeknights in between.
  - **Use Cases:**
    - Restricting access to certain resources during non-business hours.
    - Allowing maintenance traffic only during specific windows.
    - Enforcing "internet access only during lunch breaks."
  - **Syntax:**

    ```
    ! Business hours: each weekday from 09:00 to 17:00
    time-range WEEKDAYS_ONLY
     periodic weekdays 09:00 to 17:00
    !
    ip access-list extended WORK_ACCESS
     permit tcp any host 10.1.1.1 eq www time-range WEEKDAYS_ONLY
     deny ip any any log
    ```
- **VLAN ACLs (VACLs) / Port ACLs (PACLs) / Router ACLs (RACLs)**

  This category refers to where the ACL is applied and the scope of its filtering:

  - **Router ACLs (RACLs):** Standard or Extended ACLs applied with `ip access-group` to a routed interface (a router physical interface, a Layer 3 EtherChannel, a routed switch port, or a Switch Virtual Interface, SVI). They filter traffic entering or exiting that Layer 3 interface, which means only routed traffic. This is the most common use of ACLs. Traffic between two hosts in the same VLAN never crosses the SVI, so an RACL cannot see it.
  - **VLAN ACLs (VACLs):** Applied to an entire VLAN with a `vlan access-map` and `vlan filter`. They filter packets bridged within the VLAN (intra-VLAN traffic, which an RACL never sees) as well as packets routed into or out of the VLAN. VACLs have no direction: the map is applied to every packet entering or leaving the VLAN, and each clause's action is `forward`, `drop`, or `redirect`.
    - **Note:** VACLs are a Catalyst switch feature and are less granular than PACLs because they affect the entire VLAN. A packet that matches no clause of the access map is dropped, so a final clause with `action forward` is required unless a default drop is intended. In the `match` ACL, `permit` entries select the traffic the clause acts on and `deny` entries exclude it; they do not themselves drop anything.
    - **Syntax (Example):** drop the traffic selected by `MY_VACL_ACL` and forward everything else in VLANs 10 and 20:

      ```
      vlan access-map MY_VACL_MAP 10
       match ip address MY_VACL_ACL
       action drop
      vlan access-map MY_VACL_MAP 20
       action forward
      !
      vlan filter MY_VACL_MAP vlan-list 10,20
      ```
  - **Port ACLs (PACLs):** Applied to an individual Layer 2 switch port (access or trunk). They filter traffic entering that port; on Catalyst switches PACLs are ingress-only.
    - **Benefits:** More granular than VACLs, as they apply per port, allowing different policies for different devices within the same VLAN.
    - **Processing order:** For an ingress frame the switch applies the PACL first, then the VACL of the source VLAN, then the RACL on the SVI if the packet is routed (and the destination VLAN's VACL on the way out). A PACL therefore filters both bridged and routed traffic from that port; what it cannot do is filter traffic leaving the port.
    - **Syntax (Example):**

      ```
      interface GigabitEthernet0/1
       switchport mode access
       switchport access vlan 10
       ip access-group MY_PACL in
      ```
  - **Common Use Case:** Enforcing policy inside the switch, with finer control over traffic flows before they ever reach a router interface (e.g., isolating hosts within the same VLAN, or blocking rogue DHCP or DNS servers at the edge port).
- **Control Plane Policing (CoPP)**
  - **Description:** Not a distinct ACL type but a policy applied to the device's control plane, in which ordinary ACLs classify the traffic destined to the router or switch itself (routing protocol updates, Telnet/SSH management sessions, SNMP, ICMP addressed to the device).
  - **Purpose:** Protects the route processor's CPU from deliberate attacks (DoS against management services or routing protocols) and from floods of otherwise legitimate traffic that could overwhelm it.
  - **How it Works:** Uses the Modular QoS CLI: `class-map` statements reference ACLs (`match access-group`) to sort control-plane traffic into classes, a `policy-map` assigns each class a `police` rate with conform and exceed actions (typically `transmit` and `drop`), and the policy is attached under `control-plane` with `service-policy input`. Write the classification ACLs tightly (permit OSPF/BGP only from configured neighbors, SSH and SNMP only from the management subnet) and give the unclassified catch-all class a low rate rather than leaving it unlimited.
  - **Use Cases:** Preventing router/switch CPU exhaustion under attack and keeping management access available under high load.
  - **Important:** CoPP does NOT filter transit traffic; only traffic aimed at the device itself. Transit filtering still belongs in interface ACLs.
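The time-range pitfall called out in the Timed ACLs section is easy to demonstrate. The block below is an added example (not IOS code) that evaluates the `periodic` forms of a `time-range` against a timestamp and applies the "inactive ACE is skipped" rule to a small timed ACL. The `WORK_ACCESS` ACL, the day/time values and the date samples are constructed for the example; `absolute` ranges and multi-range time-ranges are not modelled.

```python
"""Time-range evaluation for timed ACEs (added example, not IOS code).

Shows that `weekdays 09:00 to 17:00` is an eight-hour window on each weekday,
while `Monday 09:00 to Friday 17:00` is one continuous window from Monday
morning to Friday evening, nights included.
"""
from datetime import datetime
from typing import List, Optional, Tuple

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
DAY_GROUPS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}


def _minutes(hhmm: str) -> int:
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def periodic_active(spec: str, when: datetime) -> bool:
    """`spec` is the text after `periodic`: either '<days...> hh:mm to hh:mm'
    (a window repeated on each listed day) or '<day> hh:mm to <day> hh:mm'
    (one continuous window spanning days)."""
    parts = spec.split()
    to = parts.index("to")
    minute_of_day = when.hour * 60 + when.minute
    if to == len(parts) - 2:
        # <days...> hh:mm to hh:mm
        day_words, start, end = parts[:to - 1], parts[to - 1], parts[to + 1]
        dayset = set()
        for word in day_words:
            if word in DAY_GROUPS:
                dayset |= DAY_GROUPS[word]
            elif word in DAYS:
                dayset.add(DAYS.index(word))
            else:
                raise ValueError(f"unknown day keyword: {word}")
        return when.weekday() in dayset and _minutes(start) <= minute_of_day <= _minutes(end)
    # <day> hh:mm to <day> hh:mm, measured in minutes since Monday 00:00
    d1, t1, d2, t2 = parts[to - 2], parts[to - 1], parts[to + 1], parts[to + 2]
    start = DAYS.index(d1) * 1440 + _minutes(t1)
    end = DAYS.index(d2) * 1440 + _minutes(t2)
    now = when.weekday() * 1440 + minute_of_day
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end      # window wraps past Sunday midnight


def timed_acl_action(acl: List[Tuple[str, Optional[str]]], when: datetime) -> str:
    """acl: list of (action, periodic spec or None). An ACE whose time-range is
    inactive is skipped; the implicit deny applies if nothing matches."""
    for action, spec in acl:
        if spec is None or periodic_active(spec, when):
            return action
    return "deny"


# Constructed equivalent of:
#   permit tcp any host 10.1.1.1 eq www time-range WEEKDAYS_ONLY
#   deny ip any any log
WORK_ACCESS = [("permit", "weekdays 09:00 to 17:00"), ("deny", None)]
# The same ACL with the easily misread continuous form
WORK_ACCESS_CONTINUOUS = [("permit", "Monday 09:00 to Friday 17:00"), ("deny", None)]

if __name__ == "__main__":
    tuesday_night = datetime(2024, 1, 9, 23, 0)    # Tuesday 23:00
    print(timed_acl_action(WORK_ACCESS, tuesday_night))             # deny
    print(timed_acl_action(WORK_ACCESS_CONTINUOUS, tuesday_night))  # permit
```

The second ACL permits the web traffic at 23:00 on a Tuesday, which is almost never what a range named "weekdays only" was meant to do; reviewing `show time-range` output against a few sample timestamps like this catches the mistake before it ships.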
**IPv6 Specific ACLs:**

- **IPv6 ACLs**
  - **Description:** The equivalent of IPv4 ACLs, designed for IPv6 addresses and protocols. They use the same logic (sequence numbers, first match, implicit deny).
  - **Syntax:** IPv6 ACLs are always named; there are no numbered IPv6 ACLs and no separate standard/extended split (every IPv6 ACL can match destinations and ports):
    - `ipv6 access-list <ACL_NAME>`, then `{permit | deny} protocol source_ipv6/prefix_length destination_ipv6/prefix_length [source_port] [destination_port] [established] [log]`
    - Applied to an interface with `ipv6 traffic-filter <ACL_NAME> {in | out}` (not `ip access-group`), and to VTY lines with `ipv6 access-class`.
  - **Key Differences/Features:**
    - Uses IPv6 addresses and prefix lengths (e.g., `2001:db8:1::/64`) instead of wildcard masks; `host 2001:db8::1` is shorthand for `/128`.
    - Supports IPv6-specific protocols and next headers (e.g., `icmp`, `tcp`, `udp`, `ahp`, `esp`, `sctp`, or a protocol number such as 89 for OSPFv3 and 88 for EIGRP), and the `fragments` keyword to match non-initial fragments.
    - Implicit entries: every IPv6 ACL ends with implicit `permit icmp any any nd-na`, `permit icmp any any nd-ns`, and then `deny ipv6 any any`. Neighbor Discovery replaces ARP, so an explicit `deny ipv6 any any` (or `deny icmp any any`) at the end of your ACL shadows those implicit permits and breaks address resolution on that link. If you want an explicit final deny (for example, to add `log`), permit `nd-ns` and `nd-na` explicitly before it, and consider the other ICMPv6 messages IPv6 cannot work without (router advertisements on host-facing links, `packet-too-big` for path MTU discovery).
    - The `log` keyword is used similarly for logging.
    - The `established` keyword is still available for TCP, with the same "ACK or RST set" caveat as in IPv4.
  - **Use Cases:** Implementing security policies in IPv6 networks, similar to how IPv4 ACLs are used.
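Because the Neighbor Discovery trap above is the most common way an IPv6 ACL silently takes a link down, here is an added Python example (not Cisco code) that evaluates an IPv6 ACL together with the implicit tail IOS appends, using prefix-length matching via the standard `ipaddress` module. The ACL contents and addresses (RFC 3849 documentation prefix, link-local and solicited-node multicast addresses) are constructed for the demonstration; the three ACL variants show the working base, the broken explicit-deny version, and the fixed ordering.

```python
"""IPv6 ACL evaluation including IOS's implicit entries (added example, not Cisco code).

Every IOS IPv6 ACL ends with the implicit entries
    permit icmp any any nd-na
    permit icmp any any nd-ns
    deny ipv6 any any
An explicit `deny ipv6 any any` sits *before* them and shadows the ND permits.
"""
from ipaddress import ip_address, ip_network

ND_NS, ND_NA = 135, 136   # ICMPv6 types: Neighbor Solicitation / Advertisement

# Entry layout: (action, protocol, source prefix, destination prefix, icmp type or None)
IMPLICIT_TAIL = [
    ("permit", "icmp", "::/0", "::/0", ND_NA),
    ("permit", "icmp", "::/0", "::/0", ND_NS),
    ("deny", "ipv6", "::/0", "::/0", None),
]


def entry_matches(entry, pkt) -> bool:
    """pkt layout: (protocol, source, destination, icmp type or None)."""
    _action, proto, src, dst, icmp_type = entry
    p_proto, p_src, p_dst, p_type = pkt
    if proto != "ipv6" and proto != p_proto:            # `ipv6` matches every next header
        return False
    if ip_address(p_src) not in ip_network(src, strict=False):
        return False
    if ip_address(p_dst) not in ip_network(dst, strict=False):
        return False
    if icmp_type is not None and icmp_type != p_type:   # e.g. `nd-ns`
        return False
    return True


def evaluate_v6(acl, pkt):
    """First match over the explicit entries followed by the implicit tail.
    Returns (action, index); an index >= len(acl) means an implicit entry matched."""
    for index, entry in enumerate(list(acl) + IMPLICIT_TAIL):
        if entry_matches(entry, pkt):
            return entry[0], index
    raise AssertionError("unreachable: the implicit deny matches everything")


def breaks_neighbor_discovery(acl) -> bool:
    """True if the ACL drops a Neighbor Solicitation, i.e. hosts on the link can no
    longer resolve each other's link-layer addresses (the IPv6 analogue of blocking ARP)."""
    solicitation = ("icmp", "fe80::1", "ff02::1:ff00:10", ND_NS)   # constructed NS to a solicited-node group
    return evaluate_v6(acl, solicitation)[0] == "deny"


# Constructed policy: only the 2001:db8:1::/64 LAN may reach the server 2001:db8:2::10 over TCP
BASE = [("permit", "tcp", "2001:db8:1::/64", "2001:db8:2::10/128", None)]

# Tempting but broken: an explicit final deny (e.g. to attach `log`) shadows the ND permits
BROKEN = BASE + [("deny", "ipv6", "::/0", "::/0", None)]

# Fixed: permit ND explicitly before the final deny
FIXED = BASE + [
    ("permit", "icmp", "::/0", "::/0", ND_NS),
    ("permit", "icmp", "::/0", "::/0", ND_NA),
    ("deny", "ipv6", "::/0", "::/0", None),
]

if __name__ == "__main__":
    for name, acl in (("BASE", BASE), ("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, "breaks ND:", breaks_neighbor_discovery(acl))   # False, True, False
```

The same check generalises to any "explicit final deny" you add for logging: evaluate a Neighbor Solicitation, a Router Advertisement (type 134) and a Packet Too Big (type 2) against the ACL before applying it with `ipv6 traffic-filter`.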
**Other Terms You Might Encounter:**

- **Turbo ACL / Hardware-Accelerated ACL:**
  - **Description:** Not a type of ACL but a description of how ACLs are processed. "Turbo ACL" (`access-list compiled`) was a software feature on older high-end IOS routers (7200/7500 class) that compiled the ACL into lookup tables so lookup time did not grow with the number of entries. On Catalyst switches and modern routers the ACL is instead programmed into TCAM (ternary content-addressable memory) on the forwarding ASIC and matched at line rate without involving the main CPU.
  - **Benefit:** High throughput and low latency even with large ACLs, avoiding performance bottlenecks.
  - **Caveat:** TCAM is finite. If an ACL (or the combined PACL/VACL/RACL set) does not fit, the platform either rejects the change or falls back to software processing on the CPU, which shows up as high CPU and packet loss and, on some platforms, as the ACL no longer being enforced for the affected traffic. Check TCAM utilization after large changes (e.g., `show platform tcam utilization` on Catalyst 3560/3750-class switches) and treat "ACL TCAM full" log messages as an incident.
  - **Relevance:** Most modern Cisco devices accelerate ACL processing in hardware by default.
**Summary:**

Cisco ACLs are a versatile and powerful tool for network security. While the core concepts of `permit`/`deny`, top-down first-match processing and the implicit deny remain constant, the various types and their placement (Router, VLAN, Port, control plane) allow for granular, context-aware traffic filtering. Understanding the differences between Standard, Extended and Named ACLs, the advanced types such as Dynamic and Reflexive, the IPv6 implicit entries, and the security limits of each (`established` is not stateful, reflexive lists do not follow secondary channels, TCAM can run out) is fundamental to securing Cisco-powered networks.