Access Control Lists

Access Control Lists (ACLs) are used to permit or deny traffic between VLANs on the core switch. ACLs do not affect traffic within a VLAN. When an ACL applied to a VLAN, only traffic permitted in the ACL will be allowed to go in or out of that VLAN. ACLs have an implicit deny rule.

Two types of ACLs can be created, extended and standard. Extended ACLs support more complex rules than do standard ACLs.

ACL rules are known as ACEs, and the terms “ACL rule” and “ACE” are used interchangeably in this document.

The basic format for our ACEs is: <seq #> <permit|deny> <ip|tcp|udp> <source IP> <source mask> [eq <port #>] <destination IP> <destination mask> [eq <port #>] [log]

  • <seq #> is an integer that tells the ACL in which order to process ACEs, with lower numbers coming before larger numbers.
  • <permit|deny> either permit or deny the corresponding traffic.
  • <ip|tcp|udp> is the type of traffic to match. If the ACE is specifying a specific port, the type will need to be either tcp or udp, otherwise ip will generally work fine.
  • <source IP> the IP address of the source device (an NVR, a camera, etc.).
  • <source mask> is the wildcard mask (opposite of subnet mask) of the source (eg. =, a single host =
  • <destination IP> the IP address of the destination host (a user's computer, etc.).
  • <destination mask> is the wildcard mask of the destination (see above).
  • [eq <port #>] specifies which port will be either permitted or denied by the ACE. This can be applied to either the source (as is the case when allowing computers to view the camera feeds), the destination (as is the case when allowing NTP), or both. The port number is optional. If being specified, the ACE will need to match either type tcp or udp traffic.

I recommend having all ACLs listed in spreadsheets (I like Google Sheets for this) and making all changes in an ACL's corresponding spreadsheet before making the change on the switch.

To permit another computer to communicate with this VLAN, create an ACL rule allowing the desired IP address to the IP address of the NVR or camera being given access to.

:!: The computer will need to either have a static IP or a DHCP reservation.

Run the following commands:

5412 Server(config)# ip access-list extended "acl-110-in"
5412 Server(config-std-nacl)# <int> permit tcp <IP of NVR or camera> eq 80 <IP of computer> log
5412 Server(config-std-nacl)# <int remark "Permit <name of staff member> to <NVR or camera name>"
5412 Server(config-std-nacl)# exit

Where “<int>” is an appropriate sequence number assigned to the ACE (in line with existing ACEs for the same type of rule). If allowing access to both NVRs, rules will need to be created for both of the NVR's IPs. Enter a remark that describes which devices the rule is permitting traffic to and from.

To remove a permitted IP address, run:

5412 Server(config)# ip access-list standard acl-110-110
5412 Server(config-std-nacl)# no <int>
5412 Server(config-std-nacl)# exit

Again, where “<int>” is the sequence number of the desired ACE. This will remove the ACL rule and the rule's remark entry.

  • switches/acl.txt
  • Last modified: 2019/03/15 18:19
  • by ericclaus