Access Control List Explained with Examples
There are eight types of ACLs. These types are standard-numbered, standard-named, standard-numbered with the sequence editing feature, standard-named with the sequence editing feature, extended-numbered, extended-named, extended-numbered with the sequence editing feature, and extended-named with the sequence editing feature.
To create and configure these access lists, you have two commands: 'access-list' and 'ip access-list'. The main difference between these commands is that the first command supports only standard-numbered and extended-numbered types, while the second command supports all eight types. This tutorial explains the arguments, options, and parameters of the 'access-list' command.

The 'access-list' command
It is a global configuration mode command. It uses the following syntax.
Router(config)# access-list ACL_# permit|deny conditions
ACL_#: It is a numerical argument. The router uses this number for the following purposes.
- To identify the type of protocol
- To identify the type of ACL
- To group all the statements in the ACL
The router reserves a range of numbers for each network layer protocol. It uses the number ranges 1-99, 100-199, 1300-1999, and 2000-2699 for the IP protocol. Of these ranges, 1-99 and 1300-1999 are for standard access lists, and 100-199 and 2000-2699 are for extended access lists.

To create an IP access list, you must specify a number from the predefined number ranges listed above. For example, to create a standard IP access list, you can choose any number between 1 and 99 or 1300 and 1999. Similarly, to create an extended IP access list, you can select any number between 100 and 199 or 2000 and 2699.
Key points:-
- To create a new ACL, use an unused number from the range. If you specify a number that already exists, the router appends the statement to the ACL that has that number.
- To update an existing ACL, specify its number. If you specify an unused number, the router creates a new ACL.
Permit|deny
It is an option with two values. If you use the permit option, the router will allow the packet that matches the condition defined next to it. If you use the deny option, the router will block the packet that matches the condition defined next to it.

Conditions
These are the conditions that the router uses to match the packet. A standard ACL and an extended ACL use different criteria to match a packet. The available options in this section depend on the value of the ACL_# argument.
Standard ACL conditions
If you have specified a number that belongs to the standard ACL, the command will use the following syntax.
Router(config)# access-list 1-99|1300-1999 permit|deny source_IP_address [wildcard_mask] [log]
source_IP_address
It is an argument. It accepts the source address. You can use a host or a network address. If you use a host address, the router will match that particular host. If you use a network address, the router will match all hosts of the specified network.
The any keyword
The any keyword represents all addresses. If you use it in the source address field, it matches all packets regardless of their source IP address. If you use it in the destination address field, it matches all packets regardless of their destination IP address.
The host keyword
The host keyword represents a single address. You must use it with an IP address. If you use it in the source address field, it matches all packets coming from the specified IP address. If you use it in the destination address field, it matches all packets going to the given IP address.
wildcard_mask
It is also an argument. It defines which bits of the source address must match, so you can match a particular IP address or a range of IP addresses.
log
It is an optional parameter. If you specify this parameter, the router logs each match of this statement to the console port. By default, the router does not print log messages on a non-console connection. For example, if you use a VTY connection, you will not see the messages that are sent to the console port. To view log messages on a non-console connection, use the following command.
Router# terminal monitor
This command only works in the current session, so you must execute it each time you want to view logging messages on your VTY or TTY session. For debugging and security purposes, you can also forward these messages to a Syslog server.
Extended ACL conditions
If you have specified a number that belongs to the extended ACL, the command will use the following syntax.
Router(config)# access-list 100-199|2000-2699 permit|deny IP_protocol source_address source_wildcard_mask [protocol_information] destination_address destination_wildcard_mask [protocol_information] [log]
Unlike a standard ACL, which supports only the source address, an extended ACL supports multiple options in the condition field. An extended ACL allows you to filter traffic based on supported IP protocols. The supported IP protocols are ICMP, TCP, GRE, UDP, IGRP, EIGRP, IGMP, IPINIP, NOS, and OSPF. The options available in this syntax depend on the protocol you select. For example, if you choose the 'ip' protocol, you will see the options for the 'ip' protocol. If you select the 'tcp' protocol, you will see the options for the 'tcp' protocol.
Traffic filtering
There are two types of filtering: host-level filtering and application-level filtering. Host-level filtering filters all the traffic from the host. Application-level filtering filters specific traffic from the host.

For example, if you want to filter all traffic from the host 10.0.0.10/8, you would use host-level filtering. But if you want to filter only web traffic from the host 10.0.0.10/8, you would use application-level filtering. In other words, host-level filtering checks "whether host A is allowed to access host B", while application-level filtering checks "how much host A is allowed to access host B?".

Host-level filtering
To filter all traffic from a host, use the host's IP address. To use an IP address, specify the 'ip' keyword after the action argument. The 'ip' keyword instructs the command to filter traffic based on the host address.
Unlike a standard access list, which allows you to use only the source IP address, an extended access list lets you use both the source and destination IP addresses. Since you can use both addresses, you can filter the exact traffic. This feature makes extended access lists more flexible than standard access lists. To use host-level filtering, use the following syntax.
Router(config)#access-list 100-199|2000-2699 permit|deny ip source_address source_wildcard_mask destination_address destination_wildcard_mask [log]
After the 'ip' keyword, it has two fields to specify the source address and the destination address. You can select a single host address or a range of IP addresses in both fields. You can use wildcard masks with both addresses.
Application-level filtering
To filter a specific type of traffic coming from a host or going to a host, use the name of the protocol that transports the traffic. On an IP network, an application can send its traffic by using one of two protocols. These protocols are TCP and UDP. Both protocols can simultaneously transport data from many applications. Both protocols use a unique number for each application to keep its data separate from other applications. These numbers are known as port numbers.

Both protocols utilize different port numbers for their respective applications. The following table lists essential port numbers and their associated applications.
TCP
| Port Number | Application | ACL Keyword |
| 20 | FTP (Data) | ftp-data |
| 21 | FTP (Control) | ftp |
| 22 | SSH | |
| 23 | Telnet | telnet |
| 25 | SMTP | smtp |
| 53 | DNS | domain |
| 80 | HTTP | www |
| 110 | POP3 | pop3 |
| 443 | SSL (HTTPS) | |
UDP
| Port Number | Application | ACL Keyword |
| 53 | DNS | domain |
| 67,68 | DHCP | nameserver |
| 69 | TFTP | tftp |
| 123 | NTP | |
| 161 | SNMP | snmp |
To filter traffic based on an application, use the following syntax.
Router(config)#access-list 100-199|2000-2699 permit|deny tcp|udp source_address source_wildcard_mask [operator source_port_#] destination_address destination_wildcard_mask [operator destination_port_#] [established] [log]
Operators
Operators allow you to match ports more specifically. You can use operators to define a range of ports or a particular port. Extended access lists support five operators. The following table lists them.
| Operator | Description |
| lt | Less than |
| gt | Greater than |
| neq | Not equal to |
| eq | Equal to |
| range | Range of port numbers |
Operators are optional. Only TCP/UDP uses operators. Other IP protocols do not use them.
Established
The established keyword allows traffic to pass through only if the connection was initiated from the inside. It is used only with TCP packets. With this keyword, you can control the direction of the data flow. If you use this keyword, the ACL allows only those TCP packets that belong to an already established connection, that is, packets that have the ACK or the RST bit set in their header. The initial packet of a new connection has neither bit set, so it does not match. This lets you configure a scenario in which internal users can access external resources while external users cannot access internal resources. For example, suppose your network does not have a web server, but your internal users access web servers outside your network. In this situation, you can block incoming traffic on port 80 while allowing outgoing traffic on the same port by using the established keyword. The ACL will allow the responses to enter your network, because a response has the ACK bit set when the initial request originated from your network. It blocks requests from the outside world because a new request does not have the ACK bit set.
Log
This keyword instructs the router to log a message every time it uses an ACL entry to process a packet.
ICMP
Sending a packet does not guarantee that the packet will be delivered. Sometimes packets are lost along the path. In such a case, the nearest device sends an error message back to the sender. From the message, the sender can learn about the undelivered packet and the possible reason. Networking devices use the ICMP protocol to send error messages.

An adversary may use the ICMP protocol to reveal information about the network. Extended access lists let you control the error messages that devices can send. To filter ICMP error messages, the command uses the following syntax.
Router(config)# access-list 100-199|2000-2699 permit|deny icmp source_address source_wildcard_mask destination_address destination_wildcard_mask [icmp_message] [log]
If you do not specify a particular message type, the ACL will match all message types. The following table lists essential ICMP messages.
| Message (Keyword) | Description |
| echo | Used to check the status of the destination (up/down) |
| echo-reply | Reply from the destination to the echo request |
| host-unreachable | The network is reachable, but the particular host is not responding |
| net-unreachable | The network is not reachable |
| traceroute | Filter traceroute information |
| administratively-prohibited | Packet filtered by an ACL |
Enabling an access list
An ACL does nothing until you apply it to an interface. To apply an ACL to an interface, use the following commands.
Router(config)#interface interface_number
Router(config-if)#ip access-group ACL_# in|out
The first command enters the interface mode. The second command activates the ACL on the interface. The second command accepts the following arguments and options.
ACL_#: It is the ACL that you want to activate on the interface. Specify the ACL number as the argument.
in|out: It is the direction in which you want to activate the ACL. If you wish to filter incoming traffic, specify the keyword 'in'. To filter outgoing traffic, use the keyword 'out'.
Deleting access lists
To delete an access list, use the following global configuration command.
Router(config)#no access-list ACL_#
Replace the ACL_# with the number of the ACL that you want to delete.
Standard ACL Example
The following code block creates and applies a standard ACL that blocks all incoming traffic from the host with an IP address 10.0.0.1 on interface GigabitEthernet0/1. It blocks all traffic from the specified IP address, regardless of protocol or port number.
Router>enable
Router#configure terminal
Router(config)#access-list 10 deny 10.0.0.1
Router(config)#access-list 10 permit any
Router(config)#interface gigabitethernet 0/1
Router(config-if)#ip access-group 10 in
Router(config-if)#exit
Router(config)#
Extended ACL Example
The following code block creates and applies an extended ACL that blocks all traffic from any host to the SSH and HTTP services running on server 10.0.0.1 on interface GigabitEthernet0/1. It blocks traffic based on destination port (HTTP and SSH) rather than source IP address. To filter by specific ranges of source or destination addresses, you can use wildcard masks with other criteria such as protocol type and ports.
Router>enable
Router#configure terminal
Router(config)#access-list 101 deny tcp any 10.0.0.1 0.0.0.0 eq 80
Router(config)#access-list 101 deny tcp any 10.0.0.1 0.0.0.0 eq 22
Router(config)#access-list 101 permit ip any any
Router(config)#interface gigabitethernet 0/1
Router(config-if)#ip access-group 101 in
Router(config-if)#exit
Router(config)#
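The standard and extended examples above, together with the established keyword, as an added Python model of the matching rules the page describes (this is an illustration added here, not code from the tutorial or from Cisco IOS): wildcard-mask comparison, top-down first-match evaluation, the implicit deny at the end of every list, and the ACK/RST test behind established. Lists 10 and 101 are the page's own; list 102 and the packets in the comments are constructed for the illustration, and only the eq operator is modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match the base address, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)
ANY = ("0.0.0.0", "255.255.255.255")                  # the 'any' keyword
def host(ip: str) -> tuple: return (ip, "0.0.0.0")   # the 'host' keyword
@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every IP protocol
    src: tuple                       # (address, wildcard_mask)
    dst: tuple
    dst_port: Optional[int] = None   # only the 'eq' operator is modelled
    established: bool = False        # TCP only: require ACK or RST set
@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None
    ack: bool = False
    rst: bool = False

def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Entries are checked top-down; the first match decides; no match means deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, *e.src) and wildcard_match(pkt.dst, *e.dst)):
            continue
        if e.dst_port is not None and pkt.dst_port != e.dst_port:
            continue
        if e.established and not (pkt.ack or pkt.rst):
            continue
        return e.action
    return "deny"   # the implicit 'deny any' at the end of every ACL

# access-list 10 from the standard example (source-only match, written as an ip entry)
ACL_10 = [Entry("deny", "ip", host("10.0.0.1"), ANY), Entry("permit", "ip", ANY, ANY)]
# access-list 101 from the extended example
ACL_101 = [Entry("deny", "tcp", ANY, host("10.0.0.1"), 80),
           Entry("deny", "tcp", ANY, host("10.0.0.1"), 22),
           Entry("permit", "ip", ANY, ANY)]
# Constructed list 102 for the 'established' keyword: only TCP replies are let in
ACL_102 = [Entry("permit", "tcp", ANY, ANY, established=True)]
```

A packet that matches no entry of ACL_102 (for example the SYN that opens a connection from outside) falls through to the implicit deny, which is the behaviour the established section describes.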
This tutorial is part of the tutorial "Cisco Access List Commands, Concepts, and Configurations". Other parts of this tutorial are as follows:
Chapter 01 Definition, purposes, benefits, and functions of ACL
Chapter 02 Basic concepts and fundamentals of ACLs
Chapter 03 How Access Lists work on Cisco routers
Chapter 04 Types of access control lists explained
Chapter 05 Wildcard Masks in ACLs Explained
Chapter 06 Rules and configuration guidelines for Cisco ACLs
Chapter 07 Access Control List Explained with Examples
Chapter 08 The ip access-list command options and arguments
Chapter 09 Standard ACL Configuration Commands Explained
Chapter 10 Configure Standard Access Control List Step-by-Step Guide
Chapter 11 How to secure VTY access to the Router
Chapter 12 Extended ACL Configuration Commands Explained
Chapter 13 Configure Extended Access Control List Step-by-Step Guide
Chapter 14 How to block ICMP Ping on Cisco Routers
Conclusion
Configuring ACLs is a vital aspect of network security and management. This tutorial explained the options and arguments of the access-list command. By understanding these, you can configure and implement ACLs more effectively.
By ComputerNetworkingNotes Updated on 2025-11-08