Network Infrastructure Security
Securing the network infrastructure itself is paramount to protect against various threats. This chapter delves into key security features implemented at different layers of the network, focusing on how to configure and verify them to safeguard network devices and user traffic.
3.1 Access Control Lists (ACLs): Standard, Extended, and Named
Access Control Lists (ACLs) are a fundamental security feature used to filter network traffic based on a set of rules. They can control which users or devices can access specific network resources, providing a crucial layer of defense. ACLs are configured on routers and switches to permit or deny packets based on criteria such as source IP address, destination IP address, port numbers, and protocols.
Standard ACLs
Standard ACLs filter traffic based solely on the source IP address. They are numbered 1-99 and 1300-1999. Because they cannot distinguish destinations, it is best practice to place standard ACLs as close to the destination as possible; placed near the source, they would block the matched hosts' traffic to every destination, not just the one being protected.
Router(config)# access-list 10 deny host 192.168.1.10
Router(config)# access-list 10 permit any
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip access-group 10 out
- access-list 10 deny host 192.168.1.10: Denies traffic from a specific host.
- access-list 10 permit any: Explicitly permits all other traffic. This line is required because every ACL ends with an implicit deny, so without it all remaining traffic would be dropped.
- ip access-group 10 out: Applies the ACL to the interface in the outbound direction.
Extended ACLs
Extended ACLs offer more granular control by filtering traffic based on source IP address, destination IP address, protocol (TCP, UDP, ICMP), and port numbers. They are numbered 100-199 and 2000-2699. Extended ACLs should be placed as close to the source of the traffic as possible to prevent unwanted traffic from traversing the network.
Router(config)# access-list 101 deny tcp any host 192.168.2.5 eq 80
Router(config)# access-list 101 permit ip any any
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip access-group 101 in
- access-list 101 deny tcp any host 192.168.2.5 eq 80: Denies any source from accessing port 80 (HTTP) on host 192.168.2.5.
- access-list 101 permit ip any any: Permits all other IP traffic.
- ip access-group 101 in: Applies the ACL to the interface in the inbound direction.
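To make the evaluation rules behind both lists concrete (first match wins, the implicit deny at the end of every ACL, and wildcard-mask matching), the following is an added example written for this chapter. It is not IOS code and not part of the original text: it is a small Python evaluator that parses the standard and extended access-list lines shown above, plus the common "address wildcard" form, and reports which entry a packet hits. The Packet fields, the Rule class and the evaluate function are constructed for this illustration; only the syntax used in this chapter is supported, and non-contiguous wildcard masks are rejected.

```python
"""Toy evaluator for Cisco-style standard and extended ACLs (constructed example).

Models first-match evaluation, the implicit deny at the end of every list and
wildcard-mask matching. Not IOS code; supports only any / host / addr wildcard,
the protocols ip/tcp/udp/icmp and a destination 'eq <port>' qualifier.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # ip, tcp, udp or icmp
    dport: Optional[int] = None  # destination port, if any


def _take_addr(tokens):
    """Consume one IOS address spec and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr = tokens[0]
    # A second dotted quad after the address is a wildcard mask: bits set in
    # the wildcard are "don't care". Invert it into a netmask; ipaddress will
    # reject a non-contiguous mask, which this toy does not model.
    if len(tokens) > 1 and tokens[1].count(".") == 3:
        wild = int(ipaddress.ip_address(tokens[1]))
        netmask = str(ipaddress.ip_address(wild ^ 0xFFFFFFFF))
        return ipaddress.ip_network((addr, netmask), strict=False), tokens[2:]
    return ipaddress.ip_network(addr + "/32"), tokens[1:]  # bare address = host


@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        return self.dport is None or self.dport == pkt.dport


def parse_rule(line: str) -> Rule:
    """Parse 'access-list N permit|deny ...' in standard or extended form."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]                        # drop 'access-list <number>'
    action, tokens = tokens[0], tokens[1:]
    if tokens[0] in ("ip", "tcp", "udp", "icmp"):  # extended form
        proto, tokens = tokens[0], tokens[1:]
        src, tokens = _take_addr(tokens)
        dst, tokens = _take_addr(tokens)
        dport = int(tokens[1]) if tokens[:1] == ["eq"] else None
    else:                                          # standard form: source only
        proto = "ip"
        src, tokens = _take_addr(tokens)
        dst = ipaddress.ip_network("0.0.0.0/0")
        dport = None
    return Rule(action, proto, src, dst, dport, line)


def evaluate(acl_lines, pkt: Packet):
    """Return (action, matched entry). First match wins; no match = implicit deny."""
    for rule in map(parse_rule, acl_lines):
        if rule.matches(pkt):
            return rule.action, rule.text
    return "deny", "implicit deny"


# The two lists from this chapter.
ACL_10 = ["access-list 10 deny host 192.168.1.10",
          "access-list 10 permit any"]
ACL_101 = ["access-list 101 deny tcp any host 192.168.2.5 eq 80",
           "access-list 101 permit ip any any"]

if __name__ == "__main__":
    for pkt in (Packet("192.168.1.10", "10.0.0.1"), Packet("192.168.1.11", "10.0.0.1")):
        print(pkt.src, "->", evaluate(ACL_10, pkt))
    for pkt in (Packet("10.0.0.7", "192.168.2.5", "tcp", 80),
                Packet("10.0.0.7", "192.168.2.5", "tcp", 443)):
        print(pkt, "->", evaluate(ACL_101, pkt))
    # Same two entries in the wrong order: the permit shadows the deny entirely.
    print("reversed:", evaluate(ACL_10[::-1], Packet("192.168.1.10", "10.0.0.1")))
    # Without the explicit permit, everything else falls to the implicit deny.
    print("no permit:", evaluate(ACL_10[:1], Packet("192.168.1.11", "10.0.0.1")))
```

The two checks at the end of the script are the ones worth remembering when writing real lists: entry order decides the outcome, since a broad permit placed first makes every later deny unreachable, and dropping the final permit turns the list into a deny-everything filter because of the implicit deny.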