Useful Tech Tips, Tutorials and guides

Cisco ACL Revision

Access Control Lists (ACL)

Access Control Lists are used to:

  • Prioritise traffic
  • Restrict or reduce updates
  • Provide basic security
  • Block types of traffic

Access control list placement

  • Standard ACLs – Place as close to destination as possible.
  • Extended ACLs – Place as close to source of traffic as possible.
  • Only one ACL per port per direction is allowed.
  • ACL are more efficient on outbound port.
  • If a packet does not match the ACL statement then it will be implicitly denied.
  • Once a packet matches an ACL statement no other checks are made, it is permitted.


ACL IOS commands

Standard ACLs – Used to permit or deny an entire protocol suite.

The following two statements have the same effect:

Router(config)# access-list 1 permit Router(config)# access-list 1 permit any

The following two statements also have the same effect:

Router(config)# access-list 1 permit Router(config)# access-list 1 permit host

Extended ACLs – Used to permit or deny specific protocols

Protocol ranges are used in ACL statements to deny specific protocols. Below are the ones you will need for your CCNA.

Protocol Range
IP 1-99
Extended IP 100-199
Appletalk 600-699
IPX 800-899
Extended IPX 900-999
IPX SAP 1000-1099

Use the following table to permit or deny specific protocols, ports or ranges of port numbers, an example ACL follows.

lt Less than
gt Greater than
neq Not equal to
eq Equal to

Router(config)# access-list 101 deny tcp any eq 23 Router(config)# access-list 101 permit ip any any established – Established keyword used to connect with a TCP established connection.

Named ACLs

Named access control lists are another way of creating ACLs, any example follows.

Router(config)# ip access-list standard Nik Router(config std-nacl)# deny any log – used to deny log packets.

Viewing ACLs

Router(config)# show access-lists – shows all access lists. Router(config)# show access-list 101 – shows access list 101. Router(config)# show ip interface – used to find out which access lists are on which interfaces.

Configuring ACLs on an interface

Router(config)# interface s1 Router(config-if)# ip access-group 1 out /in – out bound is the default.

Removal of ACLs

Router(config)# no access-list 1