How Access Lists work on Cisco routers

This tutorial explains how Cisco access lists work through examples. Learn how Cisco routers process access control lists.

When a router receives an IP packet on one of its interfaces, it looks up the packet's destination address in its routing table and forwards the packet out of the interface that is directly connected to the destination network or that leads toward it. If the routing table has no route to the destination (and no default route), the router discards the packet.

An access list is an ordered set of additional instructions that a router evaluates against each packet arriving on (or leaving through) an interface before it forwards the packet. Each instruction is written on a separate line, and each line is treated as a separate entry.

An access list can contain many entries. Each entry must include a criterion and an action. A criterion defines the condition that triggers the action. An entry may include several criteria (for example, a source address and a destination address), but it has exactly one action: permit or deny.

Let's take an example to understand how access lists work.

The following image shows a sample school network.

ACL example network

In this network, four LAN segments are connected through a router. These segments are Students, Teachers, Staff, and Administrators. They belong respectively to students, teachers, office staff, and the management team.

The following table lists the IP configurations of all segments.

LAN Network Address Default gateway Gateway interface
Students Router's F0/0
Teachers Router's F0/1
Staff Router's F1/0
Administrators Router's F1/1

As far as connectivity is concerned, this network is fine: every LAN segment can reach every other segment without any issues. Its problem is security. The network has no security policy, so anyone can reach any resource: a student can access a teacher's computer, and a teacher can access the principal's computer. This unrestricted access makes the network unsafe to use. It becomes usable only when it allows authorized users to reach the resources they are permitted to use, and nothing else.

To block unauthorized access, Cisco routers have a built-in feature known as access lists (ACLs). An access list lets the administrator define which packets are allowed and which are blocked.

Access lists define the criteria for allowed packets; once those criteria are defined, the router allows only packets that meet them. Each line in the access list is an entry, and each entry contains two things: a condition and an action. When processing an entry, the router tests the condition against the packet; if the condition matches, the router executes the action (permit or deny) and stops processing the list for that packet. A condition may include a single criterion or multiple criteria. Every access list also ends with an implicit deny entry that matches everything, so a packet that matches none of the written entries is discarded. The examples that follow show only the entries under discussion, but this implicit deny applies to each of them.

When creating an access list entry, you should keep three important factors in mind: location, direction, and order. We have already discussed these factors in the previous part of this tutorial. In this part, we will work through an example to understand how an access list works and how these factors affect it.


In our example network, every LAN segment can reach every other LAN segment. To block students from accessing resources outside the Students segment, the administrator created an access list and applied it inbound on the F0/0 interface of the router. The ACL has the following entry.

If a packet's source address belongs to the network, discard the packet.

The following image shows how this ACL is applied.

 ACL correct location

Since all packets generated in the Students segment have source addresses from the network, they are blocked as soon as they enter F0/0. With this ACL in place, users in the Students segment can no longer reach outside resources.

To understand how location affects an ACL, suppose the administrator applied the same ACL to the F0/1 interface instead.

The following image shows this change.

ACL incorrect location

Now this ACL has no effect on students' packets. It instructs the router to block a packet if it arrives from the network, but a packet from that network never enters through the F0/1 interface. F0/1 is the default gateway of the Teachers segment. Since the network address of the Teachers segment is, all packets entering F0/1 have a source address from that network, and the deny entry never matches them. Worse, because an access list ends with an implicit deny, an ACL that contains only this one entry would block every packet entering F0/1 and cut the Teachers segment off instead.

This example shows why the location of an ACL matters. An ACL must be applied to the interface through which the targeted traffic actually passes.


Now suppose that, instead of using the source address in the ACL entry, the administrator mistakenly used the destination address. The modified ACL is given below.

If a packet's destination address belongs to the network, discard the packet.

The administrator applied this ACL to the F0/0 interface of the router.

Will this ACL work?

The following image shows the new ACL.

ACL wrong direction

This ACL will not work. It instructs the router to block packets that are going to the network, not packets that are coming from the network. Applied to F0/0, its deny entry never matches the packets students send to the other three segments, so the Students segment can still reach all of them. The only packets it would match are those addressed to the Students segment, and traffic between two hosts inside the Students segment never passes through the router at all.


As mentioned earlier, for each packet the router checks the ACL entries from top to bottom until it finds a match. Once a match is found, it does not check the remaining entries for that packet. Let's understand this factor through an example.

The administrator wants to allow one user in the Teachers segment to access the server in the Administrators segment. The IP address of the allowed user is. Apart from this user, no other user must be able to access the Administrators segment. For this, the administrator created the following ACL and applied it to the F0/1 interface of the router.

Drop the packet if its source address belongs to the network
Allow the packet if its source address is

The following image shows this ACL.

ACL wrong orders

Will this ACL work?

No. This ACL blocks all traffic entering F0/1 from the Teachers segment, including traffic from the allowed host. When a packet from that host reaches the router, the router checks the entries of the applied ACL in order until a match is found.

The first line of the ACL says "drop the packet if its source address belongs to the network". Since the host's IP address belongs to that network, the condition is true and the router executes the associated action. Because that action is drop, the router discards the packet.

Even though the second line of the ACL allows the host, the router never reaches it.

The correct order to allow the host is the following.

Allow the packet if its source address is
Drop the packet if its source address belongs to the network

The following image shows the above ACL.

ACL correct direction and order

Now this ACL allows all packets originating from the host but blocks all packets originating from other hosts of the network. Note that because both entries match only on the source address, the other hosts of the Teachers segment are blocked from every segment beyond the router, not just from the Administrators segment. To restrict them only from the Administrators segment, the entries would have to match on the destination address as well, or the ACL would have to be applied in the outbound direction on F1/1, the interface that faces the Administrators segment, so that only traffic entering that segment is filtered.
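As an added example (not part of the original tutorial), the following Python model reproduces the processing rules described in this part: top-to-bottom first-match evaluation, the implicit deny at the end of the list, matching on source versus destination address, and the effect of the interface an ACL is bound to. Entry lines are written in IOS-style standard (`deny A.B.C.D W.W.W.W`, `permit host A.B.C.D`) and extended (`deny ip SRC DST`) syntax. All addresses, host names, interface bindings and helper names are assumptions chosen for the example, not values from this page.

```python
"""Model of how a Cisco router evaluates an access list: entries are read
top to bottom, the first matching entry decides, and an implicit deny ends
the list. Added example; addresses below are assumed, not from the tutorial."""
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


def ip_int(text):
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class Entry:
    action: str   # "permit" or "deny"
    src: int      # source address and Cisco wildcard (1 bit = don't care)
    src_wc: int
    dst: int      # destination address and wildcard; any/any for standard entries
    dst_wc: int


def _parse_spec(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return 0, ALL_ONES, i + 1
    if tokens[i] == "host":
        return ip_int(tokens[i + 1]), 0, i + 2
    return ip_int(tokens[i]), ip_int(tokens[i + 1]), i + 2


def parse_acl(lines):
    """Turn IOS-style entry lines into Entry objects, preserving their order."""
    entries = []
    for line in lines:
        tokens = line.split()
        action = tokens[0]
        if action not in ("permit", "deny"):
            raise ValueError("entry must start with permit or deny: " + line)
        if tokens[1] == "ip":                 # extended-style: source and destination
            src, src_wc, i = _parse_spec(tokens, 2)
            dst, dst_wc, _ = _parse_spec(tokens, i)
        else:                                 # standard-style: source only
            src, src_wc, _ = _parse_spec(tokens, 1)
            dst, dst_wc = 0, ALL_ONES
        entries.append(Entry(action, src, src_wc, dst, dst_wc))
    return entries


def _matches(addr, wildcard, packet_addr):
    care = ALL_ONES ^ wildcard                # bits that must be equal
    return (packet_addr & care) == (addr & care)


def evaluate(entries, src, dst):
    """First match wins. Returns (action, index); index None means the packet
    matched no written entry and hit the implicit deny at the end."""
    s, d = ip_int(src), ip_int(dst)
    for idx, e in enumerate(entries):
        if _matches(e.src, e.src_wc, s) and _matches(e.dst, e.dst_wc, d):
            return e.action, idx
    return "deny", None


class Router:
    """Interfaces, each with its connected network and an optional inbound ACL."""

    def __init__(self, interfaces):
        self.interfaces = {name: (ipaddress.IPv4Network(net), acl)
                           for name, (net, acl) in interfaces.items()}

    def _interface_for(self, addr):
        for name, (net, _) in self.interfaces.items():
            if ipaddress.IPv4Address(addr) in net:
                return name
        return None

    def forward(self, src, dst):
        """Apply the inbound ACL of the ingress interface, then route."""
        ingress, egress = self._interface_for(src), self._interface_for(dst)
        if ingress is None or egress is None:
            return "no route"
        if ingress == egress:
            return "same segment"             # never crosses the router
        acl = self.interfaces[ingress][1]
        if acl is not None and evaluate(acl, src, dst)[0] == "deny":
            return "dropped at " + ingress
        return "forwarded " + ingress + " -> " + egress


# Assumed addressing for the tutorial's four segments (not from the page).
STUDENTS, TEACHERS = "192.168.1.0/24", "192.168.2.0/24"
STAFF, ADMINS = "192.168.3.0/24", "192.168.4.0/24"
STUDENT, TEACHER_OK, TEACHER = "192.168.1.20", "192.168.2.10", "192.168.2.20"
ADMIN_SERVER = "192.168.4.10"

WRONG_ORDER = parse_acl(["deny 192.168.2.0 0.0.0.255", "permit host 192.168.2.10"])
RIGHT_ORDER = parse_acl(["permit host 192.168.2.10", "deny 192.168.2.0 0.0.0.255"])
BLOCK_STUDENTS = parse_acl(["deny 192.168.1.0 0.0.0.255", "permit any"])
BY_DESTINATION = parse_acl(["deny ip any 192.168.1.0 0.0.0.255", "permit ip any any"])


def build(f00_acl=None, f01_acl=None):
    return Router({"F0/0": (STUDENTS, f00_acl), "F0/1": (TEACHERS, f01_acl),
                   "F1/0": (STAFF, None), "F1/1": (ADMINS, None)})


if __name__ == "__main__":
    print(evaluate(WRONG_ORDER, TEACHER_OK, ADMIN_SERVER))          # ('deny', 0)
    print(evaluate(RIGHT_ORDER, TEACHER_OK, ADMIN_SERVER))          # ('permit', 0)
    print(build(f00_acl=BLOCK_STUDENTS).forward(STUDENT, ADMIN_SERVER))  # dropped at F0/0
    print(build(f01_acl=BLOCK_STUDENTS).forward(STUDENT, ADMIN_SERVER))  # forwarded F0/0 -> F1/1
    print(build(f00_acl=BY_DESTINATION).forward(STUDENT, ADMIN_SERVER))  # forwarded F0/0 -> F1/1
```

The `permit any` line at the end of BLOCK_STUDENTS and BY_DESTINATION is there for the same reason a real configuration needs it: without it the implicit deny would discard every other packet entering the interface. Dropping that line and evaluating a Teachers packet against the one-entry list returns `("deny", None)`, which is exactly the "wrong location" failure described above.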

That's all for this tutorial. In this tutorial, we discussed how ACLs work. In the next tutorial, we will discuss the types of ACLs.
