How Access Lists work on Cisco Routers
When a router receives an IP packet on one of its interfaces, it checks the packet's destination address and forwards the packet out of the interface that is connected to the destination network, or out of the interface that leads toward it. If the router has no interface connected to the destination and no path to it, it discards the packet. This process is called routing.
An access list is a set of additional commands or instructions that you can instruct a router to perform before forwarding IP packets. In an access list, each line represents a separate entry and contains a pattern and an action. A pattern defines the condition that triggers the action.
How access lists work (example)
Building an ACL is similar in concept to writing if-then statements: each condition is evaluated against the characteristics of a packet, and a specific action (permit or deny) is taken when the packet matches a rule. In this way, access lists function as filters for network traffic.
The following image shows a network.

This network consists of four LAN segments connected through a router. These segments are Students, Teachers, Staff, and Administrators. The following table lists the IP configurations of all segments.
| LAN | Network Address | Default gateway | Gateway interface |
|---|---|---|---|
| Students | 10.0.0.0/8 | 10.0.0.1 | Router's F0/0 |
| Teachers | 20.0.0.0/8 | 20.0.0.1 | Router's F0/1 |
| Staff | 30.0.0.0/8 | 30.0.0.1 | Router's F1/0 |
| Administrators | 40.0.0.0/8 | 40.0.0.1 | Router's F1/1 |
As far as connectivity is concerned, this network is fine. All LAN segments can access each other without any issues. The primary concern with this network is its security. This network has no security policy. Anyone can access any resource available on the network. A student can access the teacher's computer. A teacher can access the principal's computer. This free flow of access makes this network ineffective. This network is valuable only when it allows only authorized users to access permitted resources.
To block unauthorized access, Cisco routers have a built-in feature known as access lists. An access list lets you define what is allowed and what is blocked: once you specify the criteria for permitted packets, the router forwards only the packets that meet them. An access list is written as a series of lines, and each line is one entry. Each entry consists of two elements: a condition and an action. When the router processes an entry, it tests the packet against the condition; if the condition matches, the router executes the action. A condition can include one or more criteria. Location, direction, and order of statements are the essential considerations when implementing ACLs.
Location
In this example network, every LAN segment can access every other LAN segment. To block students from accessing resources outside the Students segment, suppose you create an access list with the following entry and apply it to the router's F0/0 interface.
If a packet has the source address from the network address 10.0.0.0/8, then discard the packet.
The following image shows how this ACL is applied.

Since all packets generated from the Students segment have source addresses from the 10.0.0.0/8 network, the router will block them as soon as they enter the F0/0 interface. After this ACL, users from the Students segment will no longer be able to access outside resources.
Now, suppose you applied the above ACL to the F0/1 interface. The following image shows this change.

Now, this ACL is useless. It instructs the router to block packets arriving from the 10.0.0.0/8 network, but a packet from the 10.0.0.0/8 network will never enter through the F0/1 interface. The F0/1 interface serves as the default gateway for the Teachers segment. Since the network address of the Teachers segment is 20.0.0.0/8, all packets entering F0/1 will have a source address from the network 20.0.0.0/8.
This example shows how the correct location of the ACL is essential. An ACL must be implemented on the interface that interacts with the targeted traffic.
Direction
Now, suppose you mistakenly use the destination address instead of the source address in the ACL entry. The modified ACL entry is given below.
If the destination address of a packet is from the network 10.0.0.0/8, discard the packet.
You applied this ACL to the F0/0 interface of the router. The following image shows the new ACL.

Will this ACL work?
This ACL will not work. It instructs the router to block packets destined for the network 10.0.0.0/8, not packets originating from it. If you apply this ACL to the F0/0 interface, the Students segment will still be able to access all three other segments; only packets whose destination is the Students segment will be blocked.
Order
For each packet, the router checks ACL entries from top to bottom until a match is found. Once a match is found, it does not check the remaining entries for that packet. Let's understand this factor.
Suppose you want to allow a user from the Teachers segment to access the server available in the Administrators segment. The IP address of the permitted user is 20.0.0.3/8. Apart from the allowed user, all remaining users must not be able to access the Administrators segment. For this, you created the following ACL and applied it to the F0/1 interface of the router.
Drop the packet if its source address belongs to the network 20.0.0.0/8
Allow the packet if its source address is 20.0.0.3/8
The following image shows this ACL.

Will this ACL work?
No, this ACL will block all outgoing traffic from the Teachers segment. When a packet originating from the host 20.0.0.3/8 reaches the router, the router checks the entries of the applied ACL until a match is found.
The first line of the ACL says "drop the packet if its source address belongs to the network 20.0.0.0/8". Since the IP address 20.0.0.3/8 belongs to the network 20.0.0.0/8, the condition is true, and the router executes the action associated with this entry. Since that action is drop, the router drops the packet.
Even though the second line of the ACL allows the host 20.0.0.3/8, the router never reads or executes it. The correct order to allow the host 20.0.0.3/8 is as follows.
Allow the packet if its source address is 20.0.0.3/8
Drop the packet if its source address belongs to the network 20.0.0.0/8
The following image shows the above ACL.

Now, this ACL will allow all packets that originate from the host 20.0.0.3/8, but it will block all packets that originate from other hosts of the network 20.0.0.0/8.
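To make the three factors concrete, here is an added Python simulation (not part of this tutorial or of any Cisco software) of a router with one inbound ACL per interface, evaluated first-match from the top. It models the Location, Direction and Order cases above; the interface table is taken from the tutorial, while the explicit permit-any entries are an assumption needed because a real Cisco ACL ends with an implicit deny, which the tutorial's entries leave out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology from the tutorial's table: the LAN behind each router interface.
INTERFACES = {
    "F0/0": ip_network("10.0.0.0/8"),  # Students
    "F0/1": ip_network("20.0.0.0/8"),  # Teachers
    "F1/0": ip_network("30.0.0.0/8"),  # Staff
    "F1/1": ip_network("40.0.0.0/8"),  # Administrators
}
ANY = "0.0.0.0/0"  # assumed explicit "permit any" so only the listed deny takes effect


@dataclass(frozen=True)
class Entry:
    action: str   # "permit" or "deny"
    field: str    # "src" or "dst": which address the condition inspects (direction)
    network: str  # the condition, as a network in CIDR notation


def evaluate(acl, src, dst):
    """First-match evaluation from the top (order); unmatched packets hit Cisco's implicit deny."""
    src, dst = ip_address(src), ip_address(dst)
    for entry in acl:
        addr = src if entry.field == "src" else dst
        if addr in ip_network(entry.network):
            return entry.action
    return "deny"


def ingress_interface(src):
    """The interface a packet enters on: the one whose LAN contains its source address."""
    for name, net in INTERFACES.items():
        if ip_address(src) in net:
            return name
    raise ValueError(f"no interface for {src}")


def forward(inbound_acls, src, dst):
    """Only the inbound ACL of the arrival interface is consulted (location)."""
    acl = inbound_acls.get(ingress_interface(src))
    return "permit" if acl is None else evaluate(acl, src, dst)


# Location: this entry blocks students when applied to F0/0 and does nothing on F0/1.
BLOCK_STUDENTS = [Entry("deny", "src", "10.0.0.0/8"), Entry("permit", "src", ANY)]
# Direction: matching the destination instead of the source lets students out.
WRONG_DIRECTION = [Entry("deny", "dst", "10.0.0.0/8"), Entry("permit", "src", ANY)]
# Order: deny-first also drops 20.0.0.3; permit-first lets only 20.0.0.3 through.
WRONG_ORDER = [Entry("deny", "src", "20.0.0.0/8"), Entry("permit", "src", "20.0.0.3/32")]
RIGHT_ORDER = [Entry("permit", "src", "20.0.0.3/32"), Entry("deny", "src", "20.0.0.0/8")]
```

Calling `forward({"F0/1": WRONG_ORDER}, "20.0.0.3", "40.0.0.10")` returns "deny" and the same call with `RIGHT_ORDER` returns "permit", reproducing the Order section; a Staff packet is unaffected either way because it enters on F1/0, which carries no ACL.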
This tutorial is part of the series "Cisco Access List Commands, Concepts, and Configurations".
Conclusion
This tutorial explained how ACLs work and the factors that affect the ACL implementation. Learning these factors helps you understand and manage ACLs more effectively.
By ComputerNetworkingNotes Updated on 2025-11-08