RSystems

Networking · Security

ACL

Also known as: Access Control List

Rules on a network device that permit or deny traffic by source, destination, port, and protocol — how you enforce network segmentation policy.

An ACL (Access Control List) is a set of rules on a network device — switch, router, or firewall — that permits or denies traffic based on source, destination, port, and protocol. ACLs are how you enforce "VLAN 10 can't reach VLAN 20 except on port 443."

ACLs are the fundamental traffic control mechanism in networking. An ACL is applied to an interface in one direction (inbound or outbound), and every packet crossing that interface in that direction is evaluated against the rules from the top down. The first match wins, so order matters: a broad entry placed above a narrower one shadows it, and the narrower one never fires. If no rule matches, the implicit final rule on most platforms (Cisco IOS included) is "deny all", which is why an ACL that contains only deny statements blocks everything and every working ACL needs at least one permit.

A typical ACL rule: permit TCP from 10.10.10.0/24 to 10.20.0.0/24 destination port 443. Together with the implicit deny, this allows HTTPS from the workstation subnet to the server subnet and nothing else in that direction. Note that a plain ACL is stateless: it does not remember that a workstation opened the connection, so the server's replies (source port 443, heading back to the workstation subnet) need their own permit on the return path. On Cisco gear the "established" keyword (match only TCP segments with ACK or RST set) is the quick fix; reflexive ACLs or a stateful firewall do it properly.

ACLs operate at two levels:

Switch ACLs (Layer 2/3) — applied on VLAN interfaces or routed ports on a Layer 3 switch. Used to control inter-VLAN traffic at the distribution layer before it hits the firewall.

Router/Firewall ACLs (Layer 3/4) — applied on interfaces or security zones. The primary mechanism for defining what traffic is allowed between network segments.

Standard vs extended: standard ACLs filter on source IP only. Extended ACLs filter on source IP, destination IP, protocol, and port (and, for TCP, on flags such as "established"). Extended is almost always what you want. Because a standard ACL can only say "this source", it normally has to sit near the destination; placed near the source it would cut that source off from everything.

Apply extended ACLs as close to the source as practical. This keeps unwanted traffic off the network entirely rather than carrying it across links and dropping it at the destination. On Cisco gear the common guidance is inbound on the interface nearest the source, so the packet is discarded before the device routes it.
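The rule from earlier, the top-down first-match evaluation with its implicit deny, and the inbound-on-source placement, worked through in an added Python example (not code from the page or from any vendor). It parses a constructed IOS-style config snippet, in which the ACL names, subnets, hosts and VLAN interfaces are assumptions, and evaluates sample packets against it the way a device would, including a return-path ACL that relies on "established".

```python
"""Evaluate Cisco IOS-style extended ACLs: top-down, first match wins,
implicit deny at the end.

Added example, not the page's code. CONFIG is constructed for this
example; its ACL names, subnets and interfaces are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed IOS-style config. Cisco uses wildcard masks (the inverse of
# a subnet mask): 0.0.0.255 covers a /24, 0.0.255.255 a /16.
CONFIG = """
ip access-list extended WS-TO-SRV
 permit tcp 10.10.10.0 0.0.0.255 10.20.0.0 0.0.255.255 eq 443
 deny   ip  10.10.10.0 0.0.0.255 10.20.0.0 0.0.255.255 log
 permit ip  10.10.10.0 0.0.0.255 any
!
ip access-list extended SRV-TO-WS
 permit tcp 10.20.0.0 0.0.255.255 eq 443 10.10.10.0 0.0.0.255 established
!
interface Vlan10
 ip access-group WS-TO-SRV in
!
interface Vlan20
 ip access-group SRV-TO-WS in
"""

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int] = None  # None = any source port
    dport: Optional[int] = None  # None = any destination port
    established: bool = False    # only TCP segments with ACK or RST set


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False     # set on everything except a fresh SYN


def _addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' at t[i]."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network((t[i + 1], 32)), i + 2
    # ipaddress accepts a hostmask (wildcard) as the mask element
    return ipaddress.IPv4Network((t[i], t[i + 1]), strict=False), i + 2


def _port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq N' qualifier at t[i]."""
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    t = line.split()
    src, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return Ace(t[0], t[1], src, dst, sport, dport, "established" in t[i:])


def parse_acls(config: str) -> Dict[str, List[Ace]]:
    """Collect the entries of every 'ip access-list extended NAME' block."""
    acls: Dict[str, List[Ace]] = {}
    current = None
    for raw in config.splitlines():
        words = raw.split()
        if words[:3] == ["ip", "access-list", "extended"]:
            current = words[3]
            acls[current] = []
        elif current is not None and words[:1] in (["permit"], ["deny"]):
            acls[current].append(parse_ace(raw))
        else:
            current = None  # '!' or an interface stanza ends the block
    return acls


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.IPv4Address(pkt.src) not in ace.src:
        return False
    if ipaddress.IPv4Address(pkt.dst) not in ace.dst:
        return False
    if ace.sport is not None and pkt.sport != ace.sport:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    if ace.established and not (pkt.proto == "tcp" and pkt.ack_or_rst):
        return False
    return True


def evaluate(aces: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins; returns (action, 1-based entry number).
    No match falls through to the implicit deny, reported as entry None."""
    for n, ace in enumerate(aces, start=1):
        if matches(ace, pkt):
            return ace.action, n
    return "deny", None


if __name__ == "__main__":
    acls = parse_acls(CONFIG)
    samples = [  # constructed packets as seen inbound on Vlan10 / Vlan20
        ("WS-TO-SRV", Packet("tcp", "10.10.10.5", "10.20.1.10", 51000, 443)),
        ("WS-TO-SRV", Packet("tcp", "10.10.10.5", "10.20.1.10", 51000, 22)),
        ("WS-TO-SRV", Packet("udp", "10.10.10.5", "8.8.8.8", 51001, 53)),
        ("WS-TO-SRV", Packet("tcp", "192.168.1.1", "10.20.1.10", 51000, 443)),
        ("SRV-TO-WS", Packet("tcp", "10.20.1.10", "10.10.10.5", 443, 51000, True)),
        ("SRV-TO-WS", Packet("tcp", "10.20.1.10", "10.10.10.5", 443, 51000, False)),
        ("SRV-TO-WS", Packet("tcp", "10.20.1.99", "10.10.10.5", 443, 22, True)),
    ]
    for name, p in samples:
        print(name, p.proto, f"{p.src}:{p.sport} -> {p.dst}:{p.dport}",
              evaluate(acls[name], p))
```

The fourth packet (a source outside the workstation subnet arriving on Vlan10) matches nothing and lands on the implicit deny. The last packet is the caveat: "established" only inspects TCP flags, so a host in the server subnet sending an ACK-set segment from source port 443 to port 22 on a workstation is permitted even though no such connection exists. That is exactly what an ACK scan probes for; reflexive ACLs or a stateful firewall are the answer when that matters.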