ACLs & Firewalls

Access Control Lists filter packets line by line; firewalls add state and inspection at the boundary.

// zone-based firewall

Trusted LAN

Guest

▶

zone-pairs

▶

Internet

Trusted→Internet inspect · Guest→Internet inspect · Internet→Trusted drop

ACL type	Number range	Matches on
Standard	1–99 / 1300–1999	Source IP only
Extended	100–199 / 2000–2699	Src + dst, protocol, ports
Named	name	Either type, editable

// ACL rules

Implicit "deny any" at the end of every ACL
Order matters — first match wins
Apply inbound or outbound on an interface
Wildcard mask = inverse of the subnet mask
Place standard ACLs near the destination, extended near the source

// firewall types

Packet filter	Stateless, by IP / port
Stateful	Tracks connection state
NGFW	+ app awareness, IPS, identity
Proxy	Terminates & inspects sessions

access lists · cisco ios

! Standard (numbered) — source only
access-list 10 permit 10.0.0.0 0.0.0.255
! Extended (named) — src/dst, protocol, ports
ip access-list extended WEB
 permit tcp any host 203.0.113.5 eq 443
 deny   ip any any log
!
interface Gi0/0
 ip access-group WEB in

verify

show access-lists
show ip access-lists WEB
show ip interface Gi0/0

// modern perimeter — Zero Trust & SASE

// Zero Trust principles

"Never trust, always verify" — no implicit trust from network location
Authenticate and authorize every request (identity + device posture)
Micro-segmentation shrinks lateral movement
Least-privilege access, continuously re-evaluated
Assume breach — log and inspect everything

// SASE / SSE building blocks

SASE	SD-WAN + security delivered from the cloud edge
SSE	The security half — SWG + CASB + ZTNA
ZTNA	Per-app access that replaces the flat VPN tunnel
SWG	Secure Web Gateway — URL and malware filtering
CASB	Cloud Access Security Broker — SaaS visibility and control