• Filtering traffic entering and exiting an interface
  • Controlling access to VTY lines
  • Route update filtering
  • As a traffic classification tool when used with QoS
  • Dial-on-demand routing (DDR) with ISDN
  • Restricting output of debug commands

This tutorial, however, concentrates only on packet filtering using ACLs.

What is an ACL?

An ACL is a sequence of commands called Access Control Entries (ACEs) that are entered in a specific order. The order determines how the ACL behaves, because the entries are evaluated from the top down and the first matching entry decides the result, so it is recommended to place the most relevant ACEs at the beginning of the ACL.

When an ACL is used as a packet filter, these ACEs are called packet filtering rules or conditions. Conditions look for matches on the content of the packet, including:

  • Source and destination address
  • Layer-2 protocol information such as Ethernet frame type
  • Layer-3 protocol such as IP, IPX, etc.
  • Layer-3 protocol information such as ICMP, OSPF, EIGRP
  • Layer-4 protocol and information such as TCP or UDP and port numbers

Direction of ACL

An access list can be applied in one direction per interface. For example, suppose you have created an internet filtering ACL to drop ICMP traffic. This ACL can only be applied on the internet-facing interface in the inbound direction, not both. If bi-directional filtering is required, a separate ACL in the reverse direction can be configured.


At the end of every ACL there exists an IMPLICIT DENY. It means that any traffic not explicitly permitted will be denied. We will look at an example later when configuring a standard ACL.

The Wildcard Mask

Also known as the reverse mask. The logic is based on a logical AND operation. Where the wildcard mask has a binary zero, check the corresponding address bit: it must match. Where it has a binary one, ignore the corresponding bit; it does not need to match. Example: we have a network with a subnet mask of (or simply The wildcard mask is created by subtracting from the mask. In this case: – =

Decimal    192       168       1         0
Binary     11000000  10101000  00000001  00000000
Wildcard   00000000  00000000  00000000  11111111

It means that for the ACE condition to match, the first three octets of the address must be 192, 168 and 1, while the last octet (wildcard 11111111, or 255) can take any value. Consider Table-1 for more examples.

TABLE-1: Wildcard Mask

Address   Wildcard Mask   Match Results
                          All addresses will match the access list conditions.
                          Network
                          Only host matches
                          Only subnet matches
                          Only subnet matches
                          Only subnet matches
                          (noncontiguous bits in mask) Matches any even-numbered network in the range of to
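The wildcard-mask rules above, worked through in code as an added example (not part of the original tutorial): the mask is derived by subtracting the subnet mask from 255.255.255.255, a candidate address matches when it agrees with the ACE address on every zero bit of the wildcard, and the noncontiguous "even-numbered network" row of Table-1 is reproduced with constructed values (172.30.16.0 with wildcard 0.0.14.255) since the table's own values are not reproduced here.

```python
# Added example (not from the tutorial): wildcard-mask arithmetic and matching.
# Wildcard bit 0 = the corresponding address bit must match; bit 1 = ignored.
from ipaddress import IPv4Address


def to_int(dotted: str) -> int:
    return int(IPv4Address(dotted))


def subnet_to_wildcard(mask: str) -> str:
    """Wildcard = 255.255.255.255 - subnet mask, octet by octet."""
    return str(IPv4Address(0xFFFFFFFF - to_int(mask)))


def wildcard_match(address: str, wildcard: str, candidate: str) -> bool:
    """True when candidate agrees with address on every 0 bit of the wildcard."""
    care = 0xFFFFFFFF ^ to_int(wildcard)          # bits that must match
    return (to_int(address) ^ to_int(candidate)) & care == 0


def matching_third_octets(address: str, wildcard: str) -> list:
    """Enumerate the third-octet values that satisfy a noncontiguous wildcard
    (the 'even-numbered network' row of Table-1); first two octets fixed."""
    a, b = address.split(".")[:2]
    return [n for n in range(256)
            if wildcard_match(address, wildcard, f"{a}.{b}.{n}.0")]


if __name__ == "__main__":
    print(subnet_to_wildcard("255.255.255.0"))                        # 0.0.0.255
    print(wildcard_match("192.168.1.0", "0.0.0.255", "192.168.1.77"))  # True
    # Constructed values: wildcard 0.0.14.255 (14 = 00001110) keeps bit 0 of the
    # third octet fixed at 0 and bit 4 fixed at 1 (16 = 00010000), so only the
    # even third octets from 16 to 30 match.
    print(matching_third_octets("172.30.16.0", "0.0.14.255"))
```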


Types of ACLs

There are two types of ACLs.

  1. Standard Access List

Standard Access Lists allow filtering based on the source address of an entity. Since a standard access list tests only source addresses, it is most effective at blocking traffic close to the destination. There are two exceptions, where the address in a standard access list is not the source:

  1. On an outbound VTY access list, the address is the destination address rather than the source address.
  2. When route filtering, the address is the network being advertised to you rather than the source address.


The standard access list can be either named or numbered. Numbered ACLs use the ranges 1-to-99 and 1300-to-1999. Named ACLs allow an ACL to be created using a meaningful name rather than a number, and humans are better at remembering names than numbers.


Numbered Standard ACL:

Step-1: configure terminal

Step-2: access-list


Step-3: interface

Step-4: ip access-group


Named Standard ACL:

Step-1: configure terminal

Step-2: ip access-list standard

Step-3: [permit|deny]

Step-4: interface

Step-5: ip access-group [in|out]

Verification: show access-list or show ip access-list

Warning: In the case of numbered ACLs (standard or extended), if reconfiguration is required, the entire ACL must be removed and re-entered. If “no access-list ” is issued, the whole ACL is lost. Therefore, it is advisable to back up the configuration before removing an ACE from a standard ACL.

NOTE: This document explains only basic options for creating and using ACLs. Refer to Configuration Guide and Command Reference for complete syntax detail.

Example-1: Let us assume that traffic from ISP-1 and from host must be dropped. ISP-1 uses the address range: The host address uses a subnet mask of

Step-1: configure terminal

Step-2: access-list 1 deny

Step-3: access-list 1 deny

Step-4: access-list 1 permit (note: to avoid the implicit deny condition, every other host, except for or the ISP-1 address range, is allowed)

Step-5: interface fa0/0

Step-6: ip access-group 1 in


Example-2: the above example using a named ACL

Step-1: configure terminal

Step-2: ip access-list standard ISP1-Traffic

Step-3: deny

Step-4: deny host

Step-5: permit any

Step-6: interface fa0/0

Step-7: ip access-group ISP1-Traffic in
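Example-1 and Example-2 above, replayed by a small evaluator written here as an added example (not part of the original tutorial) to show top-down first-match evaluation and the implicit deny. The ISP-1 range (203.0.113.0/24) and the blocked host (198.51.100.7) are constructed stand-ins for the tutorial's own addresses.

```python
# Added example (not from the tutorial): a minimal evaluator for a numbered
# standard ACL, showing first-match evaluation and the implicit deny.
# Addresses below are constructed placeholders, not the tutorial's own values.
from ipaddress import IPv4Address


def to_int(dotted: str) -> int:
    return int(IPv4Address(dotted))


def parse_ace(line: str):
    """Parse 'access-list <n> permit|deny <addr> [wildcard] | host <addr> | any'
    into (action, address, wildcard) with the addresses as integers."""
    tok = line.split()
    action, rest = tok[2], tok[3:]
    if rest[0] == "any":
        return action, 0, 0xFFFFFFFF
    if rest[0] == "host":
        return action, to_int(rest[1]), 0
    wildcard = to_int(rest[1]) if len(rest) > 1 else 0   # IOS default wildcard is 0.0.0.0
    return action, to_int(rest[0]), wildcard


def evaluate(acl_lines, source: str) -> str:
    """Return 'permit' or 'deny' for a source address: the first matching ACE
    wins, and a packet that matches no ACE hits the implicit deny."""
    src = to_int(source)
    for action, address, wildcard in map(parse_ace, acl_lines):
        if (src ^ address) & (0xFFFFFFFF ^ wildcard) == 0:
            return action
    return "deny"      # implicit deny at the end of every ACL


# Constructed stand-in for Example-1: ISP-1 range 203.0.113.0/24, host 198.51.100.7
ACL_1 = [
    "access-list 1 deny 203.0.113.0 0.0.0.255",
    "access-list 1 deny host 198.51.100.7",
    "access-list 1 permit any",
]

if __name__ == "__main__":
    for ip in ("203.0.113.9", "198.51.100.7", "198.51.100.8"):
        print(ip, evaluate(ACL_1, ip))                 # deny, deny, permit
    # Order matters: with 'permit any' first, the deny entries are never reached.
    print(evaluate(list(reversed(ACL_1)), "203.0.113.9"))   # permit
    # Without the 'permit any', everything else is dropped by the implicit deny.
    print(evaluate(ACL_1[:2], "198.51.100.8"))             # deny
```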


  2. Extended Access List

Extended ACLs are good for filtering traffic anywhere. Moreover, they allow you to filter using enhanced capabilities that standard ACLs don’t support, including: IP options, TCP flags, source and destination IP addresses, upper-layer protocols (TCP/UDP) with source and destination port numbers, and type of service (ToS) bits.

Extended ACLs can be either numbered, using the ranges 100-to-199 and 2000-to-2699, or named.

Numbered Extended ACL:

Step-1: configure terminal

Step-2: access-list [permit|deny]

Step-3: interface

Step-4: ip access-group

Named Extended ACL:

Step-1: configure terminal

Step-2: ip access-list extended

Step-3: [permit|deny]

Step-4: interface

Step-5: ip access-group


Example-1: Let us consider the example from the standard access list section. This time only ICMP traffic should be blocked from ISP-1, and the ICMP traffic should be logged. The host now hosts a secure web application. Local LAN users are only allowed access using either http or https when accessing


Step-1: configure terminal

Step-2: access-list 101 deny icmp any log

Step-3: access-list 101 permit tcp 80 any gt 1024

Step-4: access-list 101 permit tcp 443 any gt 1024

Step-5: access-list 101 permit ip any any

Step-6: interface fa0/0

Step-7: ip access-group 101 in