Types of Access Control Lists Explained

This tutorial explains Standard ACLs, Extended ACLs, Numbered ACLs, Named ACLs, and Advanced sequence editing ACLs. Learn the differences between the types of access control lists.

There are mainly two types of access control lists: standard access lists and extended access lists. These types can be further classified into two subtypes: numbered and named. A standard access list can be either a numbered standard list or a named standard access list. Similarly, you can have a numbered extended access list or a named extended list.

Let us discuss the properties, characteristics, and functions of these types and understand how each type differs from the others.

For this tutorial, I assume that you are familiar with ACLs. To learn the basic concepts of ACLs, you can check the previous parts of this tutorial.

Standard access lists

Standard access lists are easy to configure. But they support limited options in entries. In a standard access list entry, you can use only the source address to define the criteria. Apart from the source address, you can't use any other option.

Standard access lists work on an 'all or none' formula. They will either allow or block all traffic from the source host. You cannot allow or deny only certain types of traffic from the source host.

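Since standard access lists work with all traffic originating from a host, they are applied closer to the destination. Placed near the source, a standard access list would block that host's traffic to every destination, not only to the one you want to protect.

[Figure: standard access list location]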

Extended access lists

Extended access lists are complex. But they support many options in entries. In an extended access list entry, you can use a source address, a destination address, protocol, traffic type, application, and port to define the criteria.

Extended access lists allow you to target a specific type of traffic. You can allow a certain type of traffic while blocking the remaining traffic, or you can block a specific type of traffic while allowing the remaining traffic.

Since extended access lists work with a specific type of traffic, they are applied closer to the source.

[Figure: extended access list location]
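The following configuration shows one standard and one extended list side by side, with the placement each type calls for. It is an added example, not part of the original tutorial; the addresses, interfaces, and topology are constructed for illustration.

```cisco
! Constructed topology (assumption): Students LAN 192.168.10.0/24 on F0/0,
! server LAN 192.168.50.0/24 on F0/1 of the same router.
!
! Standard ACL (number from 1 - 99): matches the source address only.
! All traffic from the host is dropped, whatever the protocol or destination.
! Every ACL ends with an implicit deny, so the permit line keeps other hosts working.
access-list 10 deny host 192.168.10.25
access-list 10 permit any
!
! Applied close to the destination: outbound on the server-facing interface,
! so the host loses access to the server LAN but not to other networks.
interface FastEthernet0/1
 ip access-group 10 out
!
! Extended ACL (number from 100 - 199): source, destination, protocol, and port.
! Only HTTP from the Students LAN to one server is dropped.
access-list 120 deny tcp 192.168.10.0 0.0.0.255 host 192.168.50.10 eq 80
access-list 120 permit ip any any
!
! Applied close to the source: inbound on the Students-facing interface,
! so the unwanted packets are dropped before they cross the network.
interface FastEthernet0/0
 ip access-group 120 in
```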

Numbered and named ACLs

Routers support multiple ACLs. You can create as many ACLs as you want. To differentiate between ACLs, routers use a unique number or name for each ACL. You may consider these numbers or names as identification numbers or names.

When creating an ACL, you must specify an identification number or name for the ACL. Since the router uses this number to identify the ACL, you cannot choose a random number for the ACL. You have to choose a number from a pre-defined range.

Routers reserve the following number ranges for standard access lists and extended access lists.

Standard access lists    1 - 99 and 1300 - 1999
Extended access lists    100 - 199 and 2000 - 2699

To create a standard access list, you can use any number from the ranges 1 - 99 and 1300 - 1999. For example, you can use the number 10 or 1400, but you cannot use the number 150 or 2100.

Similarly, to create an extended list, you can use any number from the ranges 100 - 199 and 2000 - 2699. For example, you can use the number 120 or 2450, but you cannot use the number 50 or 1500.

Numbers are a bit difficult to remember. They also do not provide any descriptive meaning. If you have multiple ACLs, it becomes very difficult to remember which ACL is doing what. To make ACL management easier, routers also support names for ACLs. It means you can also use descriptive names for ACLs instead of pre-defined numbers.

No matter whether you use a name or a number for the ACL, the ACL functions the same way. As far as functionality is concerned, named ACLs and numbered ACLs are the same. The main advantage of a named ACL over a numbered ACL is that a named ACL is easier to manage and remember than a numbered ACL.

[Figure: advantage of named ACLs]

Let's take an example. You check the configuration of a router and find the following ACLs.

Interface    ACL    Direction
F0/0         25     Inbound
S0/0/0       145    Outbound
S0/0/1       39     Inbound

To figure out what these ACLs are doing, you have to check the entries of each ACL. Now suppose you read the configuration of another router and find the following ACLs.

Interface    ACL                      Direction
F0/0         BlockingStudents         Inbound
S0/0/0       AllowingAdmin            Outbound
S0/0/1       BlockingExternalUsers    Inbound

By looking at these ACLs you can get an idea of what each ACL is doing. For example, by looking at the name BlockingStudents, you can guess that this ACL would be blocking traffic from the Students segment.

By using a descriptive name (such as block-external-users), a network administrator can easily determine the purpose of the ACL. This feature is especially helpful in large networks, where a router may have multiple ACLs with hundreds of statements.

Advanced sequence editing ACLs

Advanced sequence editing is a new feature that was added later to Cisco IOS. Before this feature, editing or updating ACL entries was not possible. To edit an ACL entry, you had to recreate the entire ACL. Advanced sequence editing allows an administrator to change, update, or delete a single entry from an ACL. All new IOS versions include this feature. If the IOS includes it, you can use it to edit both types of ACL.
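The following configuration creates a named ACL and then edits single entries by sequence number. It is an added example, not part of the original tutorial; the name BlockingStudents comes from the table above, while the addresses and the contents of the lists are constructed.

```cisco
! Named extended ACL (addresses are constructed for illustration).
ip access-list extended BlockingStudents
 deny tcp 192.168.10.0 0.0.0.255 host 192.168.50.10 eq 80
 deny tcp 192.168.10.0 0.0.0.255 host 192.168.50.10 eq 21
 permit ip any any
!
! IOS numbers the entries 10, 20, 30 by default; "show access-lists" displays them.
! Delete only the FTP entry (20) and insert an HTTPS entry between 10 and 30.
ip access-list extended BlockingStudents
 no 20
 15 deny tcp 192.168.10.0 0.0.0.255 host 192.168.50.10 eq 443
!
! A numbered ACL is edited the same way by entering it by its number
! (ACL 10 is assumed to exist already as a standard list).
ip access-list standard 10
 5 deny host 192.168.10.30
!
! Renumber the entries (start at 10, step 10) to leave room for later inserts.
ip access-list resequence BlockingStudents 10 10
```

Editing in place also avoids the window in which a deleted and recreated ACL leaves the interface referencing an empty list, which permits all traffic.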

The following image shows all types of Cisco access lists.

[Figure: types of ACL]


That's all for this part. In the next part of this tutorial, we will discuss wildcard masks. We will learn what wildcard masks are and how they are used in Cisco access lists.
