An ACL (Access Control List) is a set of rules used on routers and Layer-3 switches to permit or deny network traffic based on conditions like source IP, destination IP, protocol, and port numbers.
- Improve network security (block unwanted traffic)
- Control access between VLANs and subnets
- Reduce attack surface in enterprise networks
- Limit access to servers (HIS/LIS/Database/CCTV)
- Standard ACL: Filters only by source IP
- Extended ACL: Filters by source + destination + protocol + port
Extended ACLs are more powerful and commonly used in real networks.
- Inbound: Filters traffic coming into an interface
- Outbound: Filters traffic going out of an interface
Best practice: apply an ACL where it drops unwanted traffic as early as possible, so packets that will be denied anyway do not cross the network first.
- Standard ACL: Place close to the destination (it matches only on source address, so placed near the source it would cut that source off from every destination, not just the one you want to protect)
- Extended ACL: Place close to the source (it can match destination, protocol and port, so unwanted traffic is dropped before it travels across the network)
This reduces unnecessary traffic and makes troubleshooting easier, because the drop happens at a predictable interface.
Every ACL ends with an implicit rule that denies all traffic; it does not appear in the configuration. So if you forget to permit required traffic, that final deny blocks it.
Example: Allow only the Billing VLAN to access the HIS server, but block Guest Wi-Fi from reaching internal servers.
- Permit Billing → HIS Server (TCP 443 / 1433 etc.)
- Deny Guest VLAN → Internal Subnets
- Permit Guest VLAN → Internet (written as a permit to "any"; it must come after the deny, because "any" also covers the internal subnets)
- Wrong direction (inbound/outbound)
- Wrong placement (source vs destination)
- Forgetting "permit" for required traffic
- Wrong rule order (rules are processed top-down and the first match wins, so a broad permit placed above a specific deny makes the deny unreachable)
- Not testing after applying (verify from the affected VLANs with ping/traceroute and check the match counters shown by "show access-lists")
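To make the Billing/Guest example and the rule-order and implicit-deny mistakes concrete, here is an added example (not from the original note): a small first-match ACL evaluator in Python that processes rules top-down exactly as a router does, with an implicit deny at the end, and runs the example's rules against constructed packets. All addresses (Billing 10.10.20.0/24, Guest 10.10.90.0/24, HIS server 10.10.50.10, internal range 10.10.0.0/16) are assumptions chosen for the illustration.

```python
# Added example, not part of the original note: a minimal first-match ACL
# evaluator that mirrors how a router processes an extended ACL top-down with
# an implicit "deny any" at the end. The addresses are constructed for this
# illustration (assumptions): Billing VLAN 10.10.20.0/24, Guest VLAN
# 10.10.90.0/24, HIS server 10.10.50.10, all internal subnets in 10.10.0.0/16.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; else "tcp"/"udp"/"icmp"
    src: str                     # CIDR, or "any"
    dst: str                     # CIDR, or "any"
    dport: Optional[int] = None  # destination port; None matches any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _net(cidr: str):
    """Translate the ACL keyword "any" into the all-zero network."""
    return ip_network("0.0.0.0/0" if cidr == "any" else cidr)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if this single rule matches the packet (every field must agree)."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in _net(rule.src):
        return False
    if ip_address(pkt.dst) not in _net(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins. Returns (action, index of the matching rule);
    an index of None means the implicit deny at the end of the list fired."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


BILLING_VLAN = "10.10.20.0/24"   # assumption
GUEST_VLAN = "10.10.90.0/24"     # assumption
HIS_SERVER = "10.10.50.10/32"    # assumption
INTERNAL = "10.10.0.0/16"        # assumption: every internal subnet lives here

# Applied inbound on the Billing VLAN interface (extended ACL, close to source).
BILLING_IN = [
    Rule("permit", "tcp", BILLING_VLAN, HIS_SERVER, 443),
    Rule("permit", "tcp", BILLING_VLAN, HIS_SERVER, 1433),
    # implicit deny: anything else from Billing, including Internet, is dropped
]

# Applied inbound on the Guest VLAN interface. The deny must precede the
# permit, because "any" also covers the internal subnets.
GUEST_IN = [
    Rule("deny", "ip", GUEST_VLAN, INTERNAL),
    Rule("permit", "ip", GUEST_VLAN, "any"),
]

# The same two rules in the wrong order: the permit-any matches first, the
# deny is never reached, and Guest can reach the HIS server.
GUEST_IN_WRONG_ORDER = [
    Rule("permit", "ip", GUEST_VLAN, "any"),
    Rule("deny", "ip", GUEST_VLAN, INTERNAL),
]


def guest_to_his(acl: List[Rule]) -> Tuple[str, Optional[int]]:
    return evaluate(acl, Packet("tcp", "10.10.90.5", "10.10.50.10", 443))


def guest_to_internet(acl: List[Rule]) -> Tuple[str, Optional[int]]:
    return evaluate(acl, Packet("tcp", "10.10.90.5", "198.51.100.20", 443))


def billing_to_his_sql() -> Tuple[str, Optional[int]]:
    return evaluate(BILLING_IN, Packet("tcp", "10.10.20.7", "10.10.50.10", 1433))


def billing_to_internet() -> Tuple[str, Optional[int]]:
    # No permit was written for this, so the implicit deny drops it.
    return evaluate(BILLING_IN, Packet("tcp", "10.10.20.7", "198.51.100.20", 443))


if __name__ == "__main__":
    print("Guest -> HIS, correct order:", guest_to_his(GUEST_IN))
    print("Guest -> HIS, wrong order:  ", guest_to_his(GUEST_IN_WRONG_ORDER))
    print("Guest -> Internet:          ", guest_to_internet(GUEST_IN))
    print("Billing -> HIS 1433:        ", billing_to_his_sql())
    print("Billing -> Internet:        ", billing_to_internet())
```

Running it shows the two failure modes from the list above: with the Guest rules reversed, the Guest-to-HIS packet is permitted by the broad rule at index 0, and the Billing-to-Internet packet is dropped by the implicit deny (index None) because no permit was ever written for it. On Cisco IOS the correct Guest ACL would be written in an extended named ACL as "deny ip 10.10.90.0 0.0.0.255 10.10.0.0 0.0.255.255" followed by "permit ip 10.10.90.0 0.0.0.255 any", applied inbound on the Guest VLAN interface with "ip access-group"; the wildcard masks follow from the assumed subnets.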