Access Control Lists

What is Access Control Lists?

Access Control List (ACL) are filters that enable you to control which routing updates or packets are permitted or denied in or out of a network.

They are specifically used by network administrators to filter traffic and to provide extra security for the network. This can be applied to routers (Cisco).

ACLs provide a powerful way to control traffic into and out of your network; this control can be as simple as permitting or denying network hosts or addresses.  You can configure ACLs for all routed network protocols.

The most important reason to configure ACLs is to provide security for your network. However, ACLs can also be configured to control network traffic based on the TCP port being used.

 How ACLs works.

A router acts as a packet filter when it forwards or denies packets according to filtering rules. As a Layer 3 device, a packet-filtering router uses rules to determine whether to permit or deny traffic based on source and destination IP addresses, source port and destination port, and the protocol of the packet.

These rules are defined using access control lists or ACLs.

 To simplify how ACL or a router uses packet filtering work:

Imagine a guard stationed at a locked door. The guard’s instruction is to allow only people whose names appear on a guest list to pass through the door. The guard is filtering people based on the condition of having their names on the authorized list.

access control list

When a packet arrives at the router, the router extracts certain information from the packet header and makes decisions according to the filter rules as to whether the packet can pass through or be dropped.

Packet filtering process works at the Network layer of the Open Systems Interconnection (OSI) model or the Internet layer of TCP/IP.


Why use ACLs

*   Limits network traffic to increase network performance.

*   ACLs provides traffic flow control by restricting the delivery of routing updates.

*   It can be used as additional security.

*   Controls which type of traffic are forwarded or blocked by the router.

*   Ability to control which areas a client access.

Types of Access Control Lists

Standard access-list

Standard access lists create filters based on source addresses and are used for server-based filtering. Address-based access lists distinguish routes on a network you want to control by using network address number (IP).

Address-based access lists consist of a list of addresses or address ranges and a statement as to whether access to or from that address is permitted or denied.

Example of the command syntax for configuring a standard numbered IP ACL:

R1(config)# access-list {1-99} {permit | deny} source-addr [source-wildcard]

i.         The first value {1-99} specifies the standard ACL number range.

ii.       The second value specifies whether to permit or deny the configured source IP address traffic.

iii.      The third value is the source IP address that must be matched.

iv.     The fourth value is the wildcard mask to be applied to the previously configured IP address to indicate the range.

Extended access lists

Extended access lists create filters based on source addresses, destination addresses, protocol, port number and other features and are used for packet-based filtering for packets that traverse the network.

Example of the command syntax for configuring an extended numbered IP ACL:

 Router(config)# access-list {100-199} {permit | deny} protocol source-addr [source-wildcard] [operator operand] destination-addr [destination-wildcard] [operator operand] [established]

i.   Like the standard ACLs, the first value {100-199 or 2000 – 2699} specifies the ACL number range.

ii.  The next value specifies whether to permit or deny according to the criteria that follow.

iii. The third value specifies protocol type ( IP, TCP, UDP, or other specific IP sub-protocols).

The source IP address and wildcard mask determine traffic source. The destination IP address and its wildcard mask are used to indicate the final destination of the network traffic. When the destination IP address and mask are configured, the port number must be specified to match, either by number or by a well-known port name, otherwise, all traffic to that destination will be dropped.

Standard and Extended access lists can be applied base on the use of ip access-list command.

Access lists use the deny or permit statement to define which packet is allowed or denied entry into a server or network.


Masks are used with IP addresses in IP ACLs to specify what should be permitted and denied.

 In order to configure IP addresses on interfaces, start with 255 and have the large values on the left side.

for example,

IP address with a mask. Masks for IP ACLs are the reverse, for example, mask

This is sometimes called an inverse mask or a wildcard mask.

When the value of the mask is broken down into binary (0s and 1s), the results determine which address bits are to be considered in processing the traffic. A 0 indicates that the address bits must be considered (exact match); a 1 in the mask is a “no”.

Note these ACL equivalents.

· The source/source-wildcard of means “any”.

· The source/wildcard of is the same as “host”.

If you subtract (normal mask) from, it yields

Read about Wildcards

The command below defines an ACL that permits this network

access-list acl_permit permit ip

Inbound traffic to the router is compared to access lists entries based on the order that the entries occur in the router. The router looks through the entries until it has a match. If the router found no match when it reaches the end of the list, the traffic is denied.

For this reason, you should have the frequently hit entries at the top of the list.

There is an implied deny for traffic that is not permitted. Single-entry access lists with only one deny entry has the effect of denying all traffic. You must have at least one permit statement in an ACL or all traffic is blocked.

Access lists implicitly deny all access that is not expressly permitted. The following line is auto-appended to all access-lists:

deny ip any any

If it is desirable to over-ride this implicit denial statement, enter a permit ip any any statement as the last entry in the access-list.

Summary of ACL Operations
The following summarizes the key points that were discussed in this section:
■ ACLs can be used for IP packet filtering or to identify traffic to assign it special handling.
■ ACLs perform top-down processing and can be configured for incoming or outgoing traffic.
■ You can create an ACL using a named or numbered ACL. Named or numbered ACLs can be
configured as standard or extended ACLs, which determines what they can filter.
■ Reflexive, dynamic, and time-based ACLs add more functionality to standard and extended

■ Standard IPv4 ACLs allow filtering based on source address.
Extended IPv4 ACLs allow filtering based on source and destination addresses, as well as
protocol and port number.
■ IP access list entry sequence numbering allows you to delete individual statements from an
ACL to add statements anywhere in the ACL.
■ The show access-lists and show ip interface commands are useful for troubleshooting
common ACL configuration errors.
■ In a wildcard bit mask, a 0 bit means to match the corresponding address bit, and a 1 bit means to ignore the corresponding address bit.

Standard and extended Cisco IOS access control lists (ACL) are used to classify IP packets. The many features of ACLs include security, encryption, policy-based routing, and quality of service (QoS). These features are applied on router and switch interfaces for specific directions (inbound versus outbound).
Numbered ACLs identify the type of ACL that is being created: standard or extended. They also
allow administrators more flexibility when they are modifying the ACL entries.

Complex ACLs Explained

Reflexive ACLs Explained

Time-based ACLs Explained

IPv6 ACLs Explained

Numbering and Naming ACLs Explained

 Creating a Standard Access Control List

Creating Extended Access Control List

How To Configure Switch Port ACLs

Troubleshooting ACL Errors

How you to secure your network with Cisco routers

How To Control VTY (Telnet) with ACLs