ACLs, AAA, and 802.1X — the L3/L2 access toolkit
12 min
Three security primitives that combine to control "who can reach what" inside a network.
ACLs — filtering by header fields
An ACL (Access Control List) is an ordered list of permit/deny rules applied to traffic at an interface. Each rule matches on packet header fields; the list is walked top to bottom and the first matching rule decides, so rule order matters. An implicit `deny any` sits at the end of every ACL: a packet that matches no rule is dropped, and an ACL with no permit statements blocks everything.
Standard vs extended
| ACL type | Matches on |
|---|---|
| Standard | Source IP only |
| Extended | Source + destination IP, protocol, source/dest ports, TCP flags, etc. |
| Named | Either of the above, with a name instead of a number |
Cisco numbering (legacy, but you'll still see it): standard 1–99 and 1300–1999, extended 100–199 and 2000–2699.
ACLs apply `in` (inbound: checked before the routing decision) or `out` (outbound: checked after routing, as the packet leaves the interface). Direction matters: the same rule has a different effect depending on which way you apply it. Rule of thumb: a standard ACL, which can only see the source, goes close to the destination; an extended ACL goes close to the source so denied traffic is dropped before it crosses the network.
Wildcard masks (the inverse weirdness)
ACLs use wildcard masks, the bitwise inverse of subnet masks: a 0 bit means "this bit must match", a 1 bit means "ignore this bit". `0.0.0.255` = "match the first 3 octets, ignore the last." `0.0.0.0` = "match exactly this IP." `255.255.255.255` = "ignore everything, match anything." Visually confusing; mechanically simple. Unlike subnet masks, wildcard bits don't have to be contiguous, which is occasionally useful and frequently a typo.
| Common pattern | Wildcard |
|---|---|
| Single host | 0.0.0.0 |
| /24 subnet | 0.0.0.255 |
| /16 subnet | 0.0.255.255 |
| /30 subnet | 0.0.0.3 |
| Any | 255.255.255.255 |
Modern syntax also lets you write `host x.x.x.x` (wildcard 0.0.0.0) and `any` (wildcard 255.255.255.255) and skip the wildcard.
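To make the three mechanics above concrete (wildcard matching, first match wins, implicit deny), here is a small extended-ACL evaluator. It is an added example, not code from the original page or from any vendor; the ACL rules, addresses and packets in it are constructed. The constructed list `ACL_SLOPPY` shows the classic ordering bug: a specific `deny` placed after a broader `permit` never fires for the traffic it was meant to block.

```python
"""Minimal Cisco-style extended ACL evaluator: wildcard masks, first match wins, implicit deny.
Added example, not from the original page; all rules and packets below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit in the mask means 'must match', a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF              # bits we must compare
    return (a & care) == (b & care)


def prefix_to_wildcard(prefix_len: int) -> str:
    """/24 -> 0.0.0.255: the bitwise inverse of the subnet mask."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(~mask & 0xFFFFFFFF))


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any protocol; else "tcp", "udp", "icmp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int] = None   # None = any port; only 'eq' is modelled here


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def to_ios(r: Rule) -> str:
    """Render a rule the way it appears in an extended ACL, using the host/any shorthand."""
    def addr(ip, wc):
        if wc == "255.255.255.255":
            return "any"
        if wc == "0.0.0.0":
            return f"host {ip}"
        return f"{ip} {wc}"
    port = f" eq {r.dst_port}" if r.dst_port is not None else ""
    return f"{r.action} {r.proto} {addr(r.src, r.src_wc)} {addr(r.dst, r.dst_wc)}{port}"


def evaluate(acl: list, pkt: Packet):
    """Walk the list top to bottom. Returns (action, index of the rule that matched);
    index None means no rule matched and the implicit 'deny any' fired."""
    for i, r in enumerate(acl):
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, r.src, r.src_wc):
            continue
        if not wildcard_match(pkt.dst, r.dst, r.dst_wc):
            continue
        if r.dst_port is not None and r.dst_port != pkt.dst_port:
            continue
        return r.action, i
    return "deny", None


# Constructed sample ACL. Rule 1 is meant to block one host entirely, but rule 0 already
# permits that host's HTTPS traffic, so rule 1 never sees it: an ordering bug.
ACL_SLOPPY = [
    Rule("permit", "tcp", "10.1.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255", 443),
    Rule("deny", "ip", "10.1.1.5", "0.0.0.0", "0.0.0.0", "255.255.255.255"),
    Rule("permit", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]
# Same rules, specific deny first: most-specific-first is the usual fix.
ACL_FIXED = [ACL_SLOPPY[1], ACL_SLOPPY[0], ACL_SLOPPY[2]]

BLOCKED_HOST_HTTPS = Packet("tcp", "10.1.1.5", "192.0.2.10", 443)   # constructed
DNS_FROM_OTHER_HOST = Packet("udp", "10.1.1.9", "192.0.2.10", 53)   # constructed

if __name__ == "__main__":
    for name, acl in (("sloppy", ACL_SLOPPY), ("fixed", ACL_FIXED)):
        print(name)
        for r in acl:
            print("  ", to_ios(r))
        print("   blocked host to 443 ->", evaluate(acl, BLOCKED_HOST_HTTPS))
```

Running it shows the blocked host's HTTPS getting `permit` from rule 0 in the sloppy list and `deny` from rule 0 in the fixed list; a one-rule ACL with only the HTTPS permit drops the DNS packet with `(deny, None)`, the implicit deny.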
AAA — Authentication, Authorization, Accounting
You don't want every network engineer logging into a router with a shared local password. AAA centralizes user authentication against a server, authorizes specific commands per user or role, and logs everything they did.
| Pillar | What |
|---|---|
| Authentication | "Who are you?": verify credentials |
| Authorization | "What can you do?": per-command or per-shell permissions |
| Accounting | "What did you do?": log all commands and sessions |
Two protocols implement it:
| Protocol | Port | Best at |
|---|---|---|
| TACACS+ | TCP/49 | Per-command authorization; the entire packet body is hidden with an MD5-derived keystream (RFC 8907 calls this obfuscation, not encryption); Cisco's preference for device login |
| RADIUS | UDP/1812 (auth), 1813 (acct) | Network access (Wi-Fi 802.1X, VPN); open standard; only the User-Password attribute is hidden, so usernames, attributes and accounting records travel in cleartext |
For switch/router CLI login: TACACS+. For 802.1X / VPN auth: RADIUS.
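The "only the password is encrypted" row in the table is worth seeing in bytes. The following is an added example, not code from the page or from any RADIUS implementation: it builds an Access-Request (code 1) by hand and hides the User-Password attribute exactly as RFC 2865 section 5.2 describes (pad to 16-byte blocks, XOR each block with MD5(secret || previous block), seeded by the Request Authenticator). The shared secret, authenticator and credentials are constructed. Note that User-Name sits next to it in cleartext, and that anyone holding the shared secret reverses the hiding, which is why TACACS+ (whole body covered) is preferred for device administration and why RADIUS secrets need to be long and per-client.

```python
"""RFC 2865 User-Password hiding, the one field a RADIUS Access-Request protects.
Added example, not the page's code; secret, authenticator and credentials are constructed."""
import hashlib
import os
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Pad to a 16-byte multiple; block i is XORed with MD5(secret || c_{i-1}), where c_0 is
    the 16-byte Request Authenticator sent in the clear in the packet header."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse: the secret plus the cleartext authenticator recovers the password.
    Trailing NUL padding is stripped, so a password may not itself end in NUL."""
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, total length (including these 2 octets), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, secret: bytes, user: bytes, password: bytes,
                         authenticator: bytes = None) -> bytes:
    """Header: code, identifier, length, 16-byte Request Authenticator; then attributes."""
    ra = authenticator if authenticator is not None else os.urandom(16)
    attrs = attr(ATTR_USER_NAME, user) + attr(ATTR_USER_PASSWORD, hide_password(password, secret, ra))
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def parse_attrs(pkt: bytes) -> dict:
    """Minimal TLV walk over the attribute section (offset 20 onward)."""
    attrs, i = {}, 20
    while i < len(pkt):
        attr_type, length = pkt[i], pkt[i + 1]
        attrs[attr_type] = pkt[i + 2:i + length]
        i += length
    return attrs


# Constructed values for a deterministic demo; a real client uses a random authenticator.
SECRET = b"testing123"
FIXED_AUTHENTICATOR = bytes(range(16))

if __name__ == "__main__":
    pkt = build_access_request(7, SECRET, b"alice", b"s3cret", FIXED_AUTHENTICATOR)
    print(pkt.hex())
    print("username visible in cleartext:", b"alice" in pkt)
    print("recovered with the secret:", reveal_password(parse_attrs(pkt)[ATTR_USER_PASSWORD], SECRET, pkt[4:20]))
```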
The `local` fallback at the end of the method list is critical: if every TACACS+ server is unreachable, you can still log in with a locally configured account. Note what "fallback" means here. A method list moves to the next method only when the current one returns an error (no usable answer from any server); a server that answers and rejects the credentials is final, so the local account is not a way around a TACACS+ deny, and it only becomes usable during an outage. Without it, an auth-server outage locks you out of your own devices.
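The error-versus-fail distinction above is easy to get wrong when writing or reviewing AAA config, so here is a small model of the method list `group tacacs+ local`. It is an added example, not the page's code and not a vendor implementation; the server states, accounts and the simplified rules (a method returns PASS, FAIL or ERROR; the list advances only on ERROR) are constructed to illustrate the behaviour described, and the `local` method in this model simply rejects any user not in its table.

```python
"""Model of an AAA login method list such as `group tacacs+ local`: the next method is tried
only when the current one cannot answer (ERROR), never when it answers with a rejection (FAIL).
Added example with constructed servers and accounts; a simplification, not vendor code."""
from enum import Enum


class Result(Enum):
    PASS = "pass"    # server (or local database) accepted the credentials
    FAIL = "fail"    # server answered and rejected: terminal, no fallback
    ERROR = "error"  # no usable answer (unreachable/timeout): move to the next method


# Constructed server group: address -> (reachable?, {username: password})
TACACS_SERVERS = {
    "10.0.0.11": (True, {"alice": "correct-horse"}),
    "10.0.0.12": (True, {"alice": "correct-horse"}),
}
# Constructed local database: the break-glass account that only matters during an outage.
LOCAL_USERS = {"break-glass": "local-only-secret"}


def group_tacacs(servers: dict):
    """Build a method for a server group: ask servers in order, skip unreachable ones,
    and return ERROR only if no server in the group could be reached."""
    def method(user: str, password: str) -> Result:
        for _addr, (reachable, users) in servers.items():
            if not reachable:
                continue
            return Result.PASS if users.get(user) == password else Result.FAIL
        return Result.ERROR
    return method


def local(user: str, password: str) -> Result:
    """Local database method (simplified: unknown user is a rejection)."""
    return Result.PASS if LOCAL_USERS.get(user) == password else Result.FAIL


def login(methods: list, user: str, password: str):
    """Walk the method list. Returns (decision, index of the method that decided);
    (ERROR, None) means nothing could answer and the login is refused."""
    for i, method in enumerate(methods):
        result = method(user, password)
        if result is not Result.ERROR:
            return result, i
    return Result.ERROR, None


def with_servers_down(servers: dict) -> dict:
    """Simulate an outage of the whole group."""
    return {addr: (False, users) for addr, (_, users) in servers.items()}


if __name__ == "__main__":
    up = [group_tacacs(TACACS_SERVERS), local]
    down = [group_tacacs(with_servers_down(TACACS_SERVERS)), local]
    no_fallback = [group_tacacs(with_servers_down(TACACS_SERVERS))]
    print("servers up, wrong password      ->", login(up, "alice", "wrong"))
    print("servers up, break-glass account ->", login(up, "break-glass", "local-only-secret"))
    print("servers down, break-glass       ->", login(down, "break-glass", "local-only-secret"))
    print("servers down, no local method   ->", login(no_fallback, "break-glass", "local-only-secret"))
```

The last two prints are the point: with `local` at the end of the list the break-glass account works during the outage, and without it the same outage returns `(ERROR, None)` for everyone.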
802.1X — per-port authentication
A user plugs in an Ethernet cable. By default the switch forwards all of their traffic. 802.1X says no: the port stays in the unauthorized state, passing only EAPOL frames, until the host authenticates against a RADIUS server. Common in corporate networks and educational campuses.
Three roles:
- Supplicant — the device (laptop, phone, IP phone).
- Authenticator — the switch.
- Authentication Server: RADIUS, typically backed by AD, LDAP or a certificate PKI.
EAP (Extensible Authentication Protocol) carries the auth conversation. The supplicant speaks EAP to the switch over EAPOL; the switch relays the EAP messages to the server inside RADIUS (EAP-Message attributes) and never sees or interprets the credentials itself. Variants: EAP-TLS (client certificates, the strongest option), PEAP (username/password inside a server-authenticated TLS tunnel), EAP-TTLS, EAP-FAST. With any of the tunnelled methods the supplicant must validate the server's certificate; a supplicant configured to skip that check will hand its credentials to a rogue access point or switch that presents any certificate.
What to remember
- ACLs: ordered rules, first match wins, implicit `deny any` at the end. Apply `in` or `out` on an interface.
- Wildcard masks are the inverse of subnet masks (`0.0.0.255` = /24 worth of host bits).
- TACACS+ for device login (per-command authz, whole body hidden). RADIUS for network access (802.1X, VPN); only the password attribute is hidden.
- 802.1X authenticates the host before allowing traffic on the access port; pair with MAB (MAC Authentication Bypass) for legacy devices that have no supplicant, and treat MAB ports as weakly authenticated since a MAC address is trivially spoofed.
- Always configure and test a local fallback account before deploying AAA; otherwise an outage in your auth server locks everyone out. Remember the fallback kicks in only when the server is unreachable, not when it rejects a login.