5.4 Access Control Lists (ACLs)
Key Takeaways
- Standard ACLs (1-99, 1300-1999) filter based on source IP address only — place them close to the destination.
- Extended ACLs (100-199, 2000-2699) filter based on source/destination IP, protocol, and port — place them close to the source.
- ACLs are processed top-down; the first matching rule is applied and processing stops.
- Every ACL has an implicit 'deny any' at the end — if no rule matches, the packet is dropped.
- ACLs are applied to interfaces as inbound (in) or outbound (out) using 'ip access-group'.
Access Control Lists (ACLs)
ACLs are packet filters that permit or deny traffic based on criteria defined by the administrator. They are applied to router interfaces to control traffic flow.
ACL Types
Standard ACLs
| Feature | Detail |
|---|---|
| Numbers | 1-99, 1300-1999 |
| Filter criteria | Source IP address only |
| Placement | Close to the destination (to avoid blocking traffic to other destinations) |
| Granularity | Low (can't filter by destination, protocol, or port) |
Extended ACLs
| Feature | Detail |
|---|---|
| Numbers | 100-199, 2000-2699 |
| Filter criteria | Source IP, destination IP, protocol, port numbers |
| Placement | Close to the source (to stop unwanted traffic early) |
| Granularity | High (can match specific applications) |
ACL Processing Rules
- Top-down processing — rules are evaluated from top to bottom
- First match — the first matching rule is applied, and processing stops
- Implicit deny — if no rule matches, the packet is denied (invisible "deny any" at the end)
- One ACL per interface per direction — one inbound and one outbound ACL per interface
- Order matters — place most specific rules first, general rules last
Wildcard Masks
ACLs use wildcard masks (inverse of subnet masks) to match IP addresses:
| Subnet Mask | Wildcard Mask | Matches |
|---|---|---|
| 255.255.255.255 | 0.0.0.0 | Exact match (single host) |
| 255.255.255.0 | 0.0.0.255 | All hosts in /24 network |
| 255.255.0.0 | 0.0.255.255 | All hosts in /16 network |
| 0.0.0.0 | 255.255.255.255 | Matches ANY address |
Wildcard rule (applied bit by bit): a 0 bit means the address bit must match, a 1 bit means "don't care"; so an octet of 0 must match exactly and an octet of 255 matches any value.
Standard ACL Configuration
```
! Named standard ACL (preferred)
Router(config)# ip access-list standard BLOCK-HOST
Router(config-std-nacl)# deny host 192.168.10.50
Router(config-std-nacl)# permit 192.168.10.0 0.0.0.255
Router(config-std-nacl)# exit
! Apply to interface (outbound toward destination)
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip access-group BLOCK-HOST out
! Numbered standard ACL
Router(config)# access-list 10 deny host 192.168.10.50
Router(config)# access-list 10 permit 192.168.10.0 0.0.0.255
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip access-group 10 out
```
Extended ACL Configuration
```
! Named extended ACL (IOS does not accept a trailing "!" comment on an ACE; use remark lines)
Router(config)# ip access-list extended WEB-FILTER
Router(config-ext-nacl)# remark Allow HTTPS
Router(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq 443
Router(config-ext-nacl)# remark Allow HTTP
Router(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq 80
Router(config-ext-nacl)# remark Allow DNS
Router(config-ext-nacl)# permit udp 192.168.10.0 0.0.0.255 any eq 53
Router(config-ext-nacl)# remark Block everything else from 192.168.10.0/24
Router(config-ext-nacl)# deny ip 192.168.10.0 0.0.0.255 any
Router(config-ext-nacl)# remark Allow traffic from all other sources
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
! Apply close to the source
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip access-group WEB-FILTER in
```
Extended ACL Syntax
permit/deny <protocol> <source> <wildcard> <destination> <wildcard> [operator port]
| Keyword | Meaning |
|---|---|
| host 10.1.1.1 | Exact match for 10.1.1.1 (same as 10.1.1.1 0.0.0.0) |
| any | Matches any IP (same as 0.0.0.0 255.255.255.255) |
| eq 443 | Equal to port 443 |
| gt 1023 | Greater than port 1023 |
| lt 1024 | Less than port 1024 |
| range 80 443 | Ports 80 through 443 |
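The processing rules, wildcard-mask matching and extended ACE syntax above, worked through as an added Python example (not from the original page): it parses ACEs written in the page's syntax, evaluates the WEB-FILTER ACL top-down with first-match semantics, and returns the implicit deny when nothing matches. The function names and the test packets are this example's own assumptions.

```python
import ipaddress
# The WEB-FILTER ACL from this page, one ACE per line in configuration syntax.
WEB_FILTER = [
    "permit tcp 192.168.10.0 0.0.0.255 any eq 443",
    "permit tcp 192.168.10.0 0.0.0.255 any eq 80",
    "permit udp 192.168.10.0 0.0.0.255 any eq 53",
    "deny ip 192.168.10.0 0.0.0.255 any",
    "permit ip any any",
]

def wildcard_match(addr, network, wildcard):
    """Wildcard bit 0 = must match, bit 1 = don't care (inverse of a subnet mask)."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def _take_addr(tok):
    # 'any' and 'host X' expand to the wildcard pairs listed in the syntax table.
    if tok[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    return (tok[0], tok[1]), tok[2:]

def _take_port(tok):
    # Optional eq/gt/lt/range operator; returns a predicate over a port number.
    if not tok or tok[0] not in ("eq", "gt", "lt", "range"):
        return None, tok
    op, n = tok[0], 2 if tok[0] == "range" else 1
    v = [int(t) for t in tok[1:1 + n]]
    ops = {"eq": lambda p: p == v[0], "gt": lambda p: p > v[0],
           "lt": lambda p: p < v[0], "range": lambda p: v[0] <= p <= v[1]}
    return ops[op], tok[1 + n:]

def parse_ace(line):
    """Parse 'permit|deny <proto> <src> [port] <dst> [port]' into its fields."""
    tok = line.split()
    src, rest = _take_addr(tok[2:])
    sport, rest = _take_port(rest)
    dst, rest = _take_addr(rest)
    dport, _ = _take_port(rest)
    return tok[0], tok[1], src, sport, dst, dport

def evaluate(acl, proto, src, dst, dport=0, sport=0):
    """Top-down, first match wins; falling off the end is the implicit 'deny any'."""
    for line in acl:
        action, ace_proto, s, sp, d, dp = parse_ace(line)
        if (ace_proto in ("ip", proto) and wildcard_match(src, *s) and wildcard_match(dst, *d)
                and (sp is None or sp(sport)) and (dp is None or dp(dport))):
            return action, line
    return "deny", "<implicit deny any>"
```

Passing WEB_FILTER[:3] (the ACL without its last two lines) shows how a packet that matches nothing is dropped by the implicit deny even though no deny statement was written.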
ACL Placement Strategy
| ACL Type | Place Close To | Why |
|---|---|---|
| Standard | Destination | Standard ACLs only check source IP — placing near source would block that source from reaching ALL destinations |
| Extended | Source | Extended ACLs check source AND destination — placing near source stops unwanted traffic early, saving bandwidth |
Verification Commands
```
! Show all ACLs and match counts
Router# show access-lists
! Show IPv4 ACLs
Router# show ip access-lists
! Shows which ACLs are applied to the interface
Router# show ip interface GigabitEthernet0/0
! Show ACL config
Router# show running-config | section access
```
Sample "show access-lists" Output
```
Extended IP access list WEB-FILTER
    10 permit tcp 192.168.10.0 0.0.0.255 any eq 443 (1523 matches)
    20 permit tcp 192.168.10.0 0.0.0.255 any eq www (892 matches)
    30 permit udp 192.168.10.0 0.0.0.255 any eq domain (445 matches)
    40 deny ip 192.168.10.0 0.0.0.255 any (78 matches)
    50 permit ip any any (3201 matches)
```
On the Exam: ACLs are heavily tested. Be able to read an ACL and determine what traffic is permitted or denied. Remember the implicit deny at the end, and know the difference between standard (source only, place near destination) and extended (source + destination + protocol + port, place near source).
Where should you place a standard ACL?
What happens to a packet that does not match any rule in an ACL?
Which ACL type can filter based on destination IP address and port number?