Types of Access Control Lists Explained
There are two main types of access control lists: standard and extended. These types have two subtypes: numbered and named. A standard access list can be either a numbered standard list or a named standard access list. Similarly, you can have a numbered extended access list or a named extended list. This tutorial explains the properties, characteristics, and functions of each type, and describes how each differs from the others.
Standard access lists
Standard access lists are easy to configure. But they support limited options in entries. In a standard access list entry, you can use only the source address to define the criteria. Apart from the source address, you cannot use any other option.
Standard access lists work on an 'all or none' formula. They will either allow or block all traffic from the source host. You cannot use them to allow or deny only certain types of traffic from the source host. Since they work with all traffic originating from a host, they are applied closer to the destination.

Key Characteristics
- Filters based on source IP addresses only.
- Does not differentiate between different protocols or ports (e.g., TCP vs UDP).
- Applies universally across all traffic types passing through the interface
- If misconfigured, it can lead to unintended consequences.
When to Use
Standard ACLs are ideal for simple security requirements that require filtering based solely on source IP addresses, with no specific protocol or port to consider. For example, blocking a single host from accessing your network could be efficiently achieved using a standard ACL without overcomplicating the configuration.
Extended access lists
Extended access lists are complex. But they support many options in entries. In an extended access list entry, you can use a source address, destination address, protocol, traffic type, application, and port to define the criteria.
Extended access lists allow you to target a specific type of traffic. You can enable a particular kind of traffic while blocking the rest, or block a specific type while allowing the rest. Since extended access lists can filter certain types of traffic, they are applied closer to the source.

Key Characteristics
- It filters traffic using a combination of the following fields in an incoming packet header: Source IP address, Destination IP address, Protocol type (TCP/UDP), and TCP or UDP port number(s).
- It provides more granular control over network access.
- You can apply it to specific interfaces for targeted filtering without affecting other traffic types on those interfaces.
When to Use
Extended ACLs are best suited for scenarios that require detailed packet inspection and selective blocking or permitting of traffic based on multiple criteria, such as preventing a range of IP addresses from accessing specific services (e.g., HTTP/HTTPS ports) while allowing other traffic to pass unaffected.
Numbered and named ACLs
Routers support multiple ACLs. You can create as many ACLs as you want. To differentiate between ACLs, routers use unique numbers and names for each ACL. When creating an ACL, you must specify an identification number or name for the ACL. Since the router uses this number to identify the ACL, you cannot choose a random one. You have to select a number from a pre-defined range.
Routers reserve the following address ranges for standard and extended access lists.
Standard access lists 1 - 99 and 1300 - 1999 Extended access lists 100 - 199 and 2000 - 2699
Key points:-
- To create a standard access list, you can use any number from the ranges 1-99 and 1300-1999. For example, you can use 10 or 1400, but not 150 or 2100.
- Similarly, to create an extended list, you can use any number from the range 100 - 199 and 2000 - 2699. For example, you can use 120 or 2450, but not 50 or 1500.
- Numbers are hard to remember. They also do not provide any descriptive meaning. If you have multiple ACLs, it becomes tough to remember which ACL is doing what. To make ACL management easier, routers support names for ACLs. You can use descriptive names for ACLs instead of pre-defined numbers.
- No matter whether you use a name or a number for the ACL, the ACL functions the same way. As far as functionality is concerned, named ACLs and numbered ACLs are the same. The main advantage of a named ACL over a numbered ACL is that a named ACL is easier to manage and remember than a numbered ACL.

Let's take an example. You check the router's configuration and find the following ACLs.
| Interface | ACL | Direction |
| F0/0 | 25 | Inbound |
| S0/0/0 | 145 | Outbound |
| S0/0/1 | 39 | Inbound |
To figure out what these ACLs are doing, you must check the entries of each ACL. Now, suppose you view the configuration of another router and find the following ACLs.
| Interface | ACL | Direction |
| F0/0 | Blocking Students | Inbound |
| S0/0/0 | AllowingAdmin | Outbound |
| S0/0/1 | BlockingExternalUsers | Inbound |
By looking at these ACLs, you can easily guess what each one does. For example, from the name "BlockingStudents," you can assume this ACL blocks traffic from the Students segment. Using a descriptive name (such as block-external-users) makes it easy to denote the purpose of the ACL. This feature is beneficial in large networks, where a router may have multiple ACLs with hundreds of statements.
Advanced sequence editing ACLs
Advanced sequence editing is a new feature. Before this feature, editing or updating ACL entries was not possible. To edit an ACL entry, you had to recreate the entire ACL. This feature allows you to update or delete a single entry in an ACL. Cisco added this feature later to IOS. All new IOS versions include this feature. If the IOS supports this feature, you can use it to edit both types of ACL.

This tutorial is part of the tutorial "Cisco Access List Commands, Concepts, and Configurations". Other parts of this tutorial are as follows:
Chapter 01 Definition, purposes, benefits, and functions of ACL
Chapter 02 Basic concepts and fundamentals of ACLs
Chapter 03 How Access Lists work on Cisco routers
Chapter 04 Types of access control lists explained
Chapter 05 Wildcard Masks in ACLs Explained
Chapter 06 Rules and configuration guidelines for Cisco ACLs
Chapter 07 Access Control List Explained with Examples
Chapter 08 The ip access-list command options and arguments
Chapter 09 Standard ACL Configuration Commands Explained
Chapter 10 Configure Standard Access Control List Step-by-Step Guide
Chapter 11 How to secure VTY access to the Router
Chapter 12 Extended ACL Configuration Commands Explained
Chapter 13 Configure Extended Access Control List Step-by-Step Guide
Chapter 14 How to block ICMP Ping on Cisco Routers
Conclusion
Access Control Lists (ACLs) play a crucial role in managing and controlling network traffic. Understanding the distinctions between the various types of ACLs (standard, extended, numbered, named, and advanced sequence-editing) is essential for network security and performance. Standard ACLs are simpler to configure but offer limited control over traffic types, while extended ACLs provide a more granular approach by allowing specific traffic filtering based on multiple criteria. Additionally, the introduction of advanced sequence-editing capabilities offers significant improvements. It allows you to efficiently update ACL entries without recreating entire lists. Overall, selecting the appropriate ACL type and managing them effectively can enhance network security and performance.
Author Laxmi Goswami Updated on 2025-11-08