Types of Access Control Lists Explained

This tutorial explains Standard ACLs, Extended ACLs, Numbered ACLs, Named ACLs, and Advanced sequence editing ACLs. Learn the differences between different types of access control lists.

There are mainly two types of access control lists: standard access lists and extended access lists. These types can be further classified into two subtypes: numbered and named. A standard access list can be either a numbered standard list or a named standard access list. Similarly, you can have a numbered extended access list or a named extended list.

Let us discuss the properties, characteristics, and functions of these types and understand how each type differs from the others.

For this tutorial, I assume that you are familiar with ACLs. To learn the basic concepts of ACLs, you can check the previous parts of this tutorial.

Standard access lists

Standard access lists are easy to configure. But they support limited options in entries. In a standard access list entry, you can use only the source address to define the criteria. Apart from the source address, you can't use any other option.

Standard access lists work on an 'all or none' formula. They will either allow or block all traffic from the source host. You cannot allow or deny only certain types of traffic from the source host.

Since standard access lists work with all traffic originating from a host, they are applied closer to the destination.

standard access list location

Extended access lists

Extended access lists are complex. But they support many options in entries. In an extended access list entry, you can use a source address, a destination address, protocol, traffic type, application, and port to define the criteria.

Extended access lists allow you to target a specific type of traffic. You can allow a certain type of traffic while blocking the remaining traffic, or you can block a specific type of traffic while allowing the remaining traffic.

Since extended access lists work with a specific type of traffic, they are applied closer to the source.

extended access list

Numbered and named ACLs

Routers support multiple ACLs. You can create as many ACLs as you want. To differentiate between ACLs, routers use a unique number and name for each ACL. You may consider these numbers or names as identification numbers or names.

When creating an ACL, you must specify an identification number or name for the ACL. Since the router uses this number to identify the ACL, you cannot choose a random number for the ACL. You have to choose a number from a pre-defined range.

Routers reserve the following number ranges for standard access lists and extended access lists.

Standard access lists 1 - 99 and 1300 - 1999
Extended access lists 100 - 199 and 2000 - 2699

To create a standard access list, you can use any number from the range 1 - 99 and 1300 - 1999. For example, you can use the number 10 or 1400, but you cannot use the number 150 or 2100.

Similarly, to create an extended list, you can use any number from the range 100 - 199 and 2000 - 2699. For example, you can use the number 120 or 2450, but you cannot use the number 50 or 1500.

Numbers are a bit difficult to remember. They also do not provide any descriptive meaning. If you have multiple ACLs, it becomes very difficult to remember which ACL is doing what. To make ACLs management easier, routers also support names for ACLs. It means you can also use descriptive names for ACLs instead of pre-defined numbers.

No matter whether you use a name or a number for the ACL, the ACL functions the same way. As far as functionality is concerned, named ACLs and numbered ACLs are the same. The main advantage of a named ACL over a numbered ACL is that a named ACL is easier to manage and remember than a numbered ACL.

advantage of acl

Let's take an example. You check the configuration of a router and find the following ACLs.

Interface ACL Direction
F0/0 25 Inbound
S0/0/0 145 Outbound
S0/0/1 39 Inbound

To figure out what these ACLs are doing, you have to check the entries of each ACL. Now, suppose, you read the configuration of another router and find the following ACLs.

Interface ACL Direction
F0/0 BlockingStudents Inbound
S0/0/0 AllowingAdmin Outbound
S0/0/1 BlockingExternalUsers Inbound

By looking at these ACLs you can get an idea of what each ACL is doing. For example, by looking at the name BlockingStudents, you can guess that this ACL would be blocking traffic from the Students segment.

By using a descriptive name (such as block-external-users), a network administrator can easily determine the purpose of the ACL. This feature is especially helpful in large networks, where a router may have multiple ACLs with hundreds of statements.

Advanced sequence editing ACLs

Advanced sequence editing is a new feature. Before this feature, editing or updating ACL entries was not possible. To edit an ACL entry, you had to recreate the entire ACL. This feature allows an administrator to change, update, or delete a single entry from an ACL. This feature was added later to Cisco IOS. All new IOS versions include this feature. If the IOS includes this feature, you can use this feature to edit both types of ACL.

The following image shows all types of Cisco access lists.

types of acl

That's all for this part. In the next part of this tutorial, we will discuss wildcard masks. We will learn what wildcard masks are and how they are used in Cisco access lists.

ComputerNetworkingNotes CCNA Study Guide Types of Access Control Lists Explained