LearnNetwork

ACLs, AAA, and 802.1X — the L3/L2 access toolkit


Three security primitives that combine to control "who can reach what" inside a network.

ACLs — filtering by header fields

An ACL (Access Control List) is an ordered list of permit/deny rules applied to traffic at an interface. Each rule matches on packet header fields, and the first matching rule wins; rules below it are never consulted. Every ACL ends with an implicit deny any, so traffic that matches no rule is dropped.

Standard vs extended

| ACL type | Matches on |
|---|---|
| Standard | Source IP only |
| Extended | Source + destination IP, protocol, source/dest ports, TCP flags, etc. |
| Named | Either of the above, with a name instead of a number |

Cisco numbering (legacy but you'll see it): standard 1–99 + 1300–1999, extended 100–199 + 2000–2699.

Cisco IOS example: extended ACL — let DNS in, block telnet, permit everything else (the configuration listing was not captured).

ACLs apply in (before routing) or out (after routing) on an interface. Direction matters — same rule has different effect depending on which way you apply it.

Wildcard masks (the inverse weirdness)

ACLs use wildcard masks, the bitwise inverse of subnet masks. 0.0.0.255 = "match the first 3 octets, ignore the last." 0.0.0.0 = "match exactly this IP." 255.255.255.255 = "ignore everything, match anything." Visually confusing; mechanically simple.

| Common pattern | Wildcard |
|---|---|
| Single host | 0.0.0.0 |
| /24 subnet | 0.0.0.255 |
| /16 subnet | 0.0.255.255 |
| /30 subnet | 0.0.0.3 |
| Any | 255.255.255.255 |

Modern syntax also lets you write `host x.x.x.x` and `any` and skip the wildcard.
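To make the matching rules concrete, here is an added Python example (not code from the original page, and not Cisco's) that converts a CIDR prefix to its wildcard mask, tests an address against an address/wildcard pair, and walks an ordered entry list first-match-wins with the implicit deny at the end. The ACL it evaluates is a constructed one modelled on the caption of the IOS example above (DNS in, telnet blocked, everything else permitted); the `ACE`, `Packet` and `evaluate` names are assumptions of this example, not IOS syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # IOS 'any': every bit is ignored


def cidr_to_wildcard(prefix: str) -> str:
    """Convert CIDR (e.g. 10.1.2.0/24) to its IOS wildcard mask (0.0.0.255)."""
    net = ipaddress.ip_network(prefix, strict=False)
    return str(net.hostmask)          # hostmask is exactly the inverted netmask


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'ignore'; only bits set to 0 are compared."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (a & care) == (b & care)


@dataclass
class ACE:                              # one access control entry (constructed model)
    action: str                         # "permit" or "deny"
    proto: str                          # "ip" matches any protocol
    src: Tuple[str, str]                # (address, wildcard)
    dst: Tuple[str, str]
    dst_port: Optional[int] = None      # None = any destination port


@dataclass
class Packet:                           # the header fields an extended ACL looks at
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, *ace.src):
        return False
    if not wildcard_match(pkt.dst, *ace.dst):
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; no match falls through to the implicit deny."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, i
    return "deny", None                 # implicit 'deny any' at the end of every ACL


# Constructed ACL modelled on the caption: DNS in, telnet blocked, rest permitted.
DNS_NO_TELNET = [
    ACE("permit", "udp", ANY, ANY, 53),
    ACE("permit", "tcp", ANY, ANY, 53),
    ACE("deny",   "tcp", ANY, ANY, 23),
    ACE("permit", "ip",  ANY, ANY),
]

# Same entries with the final 'permit ip any any' missing: everything but DNS is dropped.
DNS_ONLY = DNS_NO_TELNET[:2]

# Same entries with 'permit ip any any' moved to the top: it shadows the telnet deny.
SHADOWED = [DNS_NO_TELNET[3]] + DNS_NO_TELNET[:3]

if __name__ == "__main__":
    telnet = Packet("tcp", "10.1.2.7", "10.9.9.1", 23)
    https = Packet("tcp", "10.1.2.7", "10.9.9.1", 443)
    print(cidr_to_wildcard("10.1.2.0/24"))       # 0.0.0.255
    print(evaluate(DNS_NO_TELNET, telnet))        # ('deny', 2)
    print(evaluate(DNS_NO_TELNET, https))         # ('permit', 3)
    print(evaluate(DNS_ONLY, https))              # ('deny', None)  implicit deny
    print(evaluate(SHADOWED, telnet))             # ('permit', 0)   ordering mistake
```

The `SHADOWED` list is the ordering bug to look for in reviews: a broad permit placed above a specific deny makes the deny unreachable, and the device will not warn you.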

AAA — Authentication, Authorization, Accounting

You don't want each network engineer logging into a router with a shared local password. AAA centralizes user authentication against a server, authorizes specific commands per user/role, and logs everything they did.

| Pillar | What |
|---|---|
| Authentication | "Who are you?" — verify credentials |
| Authorization | "What can you do?" — per-command or per-shell permissions |
| Accounting | "What did you do?" — log all commands + sessions |

Two protocols implement it:

| Protocol | Port | Best at |
|---|---|---|
| TACACS+ | TCP/49 | Per-command authorization, encrypted payload — Cisco's preference for device login |
| RADIUS | UDP/1812 (auth), 1813 (acct) | Network access (Wi-Fi 802.1X, VPN), open standard, only password encrypted |

For switch/router CLI login: TACACS+. For 802.1X / VPN auth: RADIUS.

Cisco IOS example: AAA via TACACS+ for device login (the configuration listing was not captured).

The local fallback at the end is critical — if TACACS+ is unreachable, you can still log in with a locally-configured account. Otherwise you brick yourself.
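The fallback works because IOS walks a method list in order and moves to the next method only when the current one returns an error (server unreachable or not answering), never when the server answers with a rejection. The added Python model below (not code from the page or from Cisco) shows that rule with constructed stand-ins for a TACACS+ server group and the local user database; the `tacacs_group`, `local_db` and `login` names are assumptions of this example.

```python
from enum import Enum
from typing import Callable, Dict, List, Tuple

class Result(Enum):
    PASS = "pass"      # server answered: credentials accepted
    FAIL = "fail"      # server answered: credentials rejected
    ERROR = "error"    # no usable answer: timeout, unreachable, key mismatch

Method = Callable[[str, str], Result]


def tacacs_group(reachable: bool, users: Dict[str, str]) -> Method:
    """Constructed stand-in for 'group tacacs+'. Unreachable => ERROR, never FAIL."""
    def method(user: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.PASS if users.get(user) == password else Result.FAIL
    return method


def local_db(users: Dict[str, str]) -> Method:
    """Constructed stand-in for the 'local' method (username/secret lines)."""
    def method(user: str, password: str) -> Result:
        return Result.PASS if users.get(user) == password else Result.FAIL
    return method


def login(method_list: List[Tuple[str, Method]], user: str, password: str) -> Tuple[Result, str]:
    """Walk the list the way an IOS method list does.

    Only an ERROR advances to the next method; a FAIL is final, so a reachable
    server that rejects the user is not bypassed by the local account.
    Returns (result, name of the method that decided).
    """
    for name, method in method_list:
        result = method(user, password)
        if result is not Result.ERROR:
            return result, name
    return Result.ERROR, "exhausted"   # every method errored: login is denied


# Constructed scenarios: 'aaa authentication login default group tacacs+ local'
TACACS_USERS = {"alice": "Tacacs-Pw-1"}
LOCAL_USERS = {"admin": "Local-Pw-1"}

SERVERS_UP = [("tacacs+", tacacs_group(True, TACACS_USERS)),
              ("local", local_db(LOCAL_USERS))]
SERVERS_DOWN = [("tacacs+", tacacs_group(False, TACACS_USERS)),
                ("local", local_db(LOCAL_USERS))]
NO_FALLBACK = [("tacacs+", tacacs_group(False, TACACS_USERS))]

if __name__ == "__main__":
    print(login(SERVERS_UP, "alice", "Tacacs-Pw-1"))    # (PASS, 'tacacs+')
    print(login(SERVERS_UP, "admin", "Local-Pw-1"))     # (FAIL, 'tacacs+')  no bypass
    print(login(SERVERS_DOWN, "admin", "Local-Pw-1"))   # (PASS, 'local')    fallback
    print(login(NO_FALLBACK, "admin", "Local-Pw-1"))    # (ERROR, 'exhausted') locked out
```

The second scenario is the one people get wrong in both directions: the local account is not a back door while the server is reachable, and the fourth scenario is the lockout the paragraph above warns about.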

802.1X — per-port authentication

A user plugs in an Ethernet cable. By default the switch lets all their traffic through. 802.1X says no: the switch port stays blocked until the host authenticates against a RADIUS server. Common in corporate networks and educational campuses.

Three roles:

  • Supplicant — the device (laptop, phone, IP phone).
  • Authenticator — the switch.
  • Authentication Server — RADIUS (talking to AD, LDAP, certs).

EAP (Extensible Authentication Protocol) carries the auth conversation. Variants: EAP-TLS (certificates), PEAP (username/password inside TLS tunnel), EAP-TTLS, EAP-FAST.

Cisco IOS example: 802.1X on access ports (the two configuration listings were not captured).

What to remember

  • ACLs: ordered rules, first match wins, implicit deny any at the end. Apply in or out on an interface.
  • Wildcard masks are the inverse of subnet masks (0.0.0.255 = /24 worth of host bits).
  • TACACS+ for device login (per-command authz, encrypted). RADIUS for network access (802.1X, VPN).
  • 802.1X authenticates the host before allowing traffic on the access port; pair with MAB (MAC Authentication Bypass) for legacy devices that cannot run a supplicant.
  • Always configure a local fallback account before deploying AAA — otherwise an outage in your auth server locks everyone out.