📘 CCNA 200-301 v1.1
5.6 Configure and verify access control lists
What is an Access Control List (ACL)?
An Access Control List (ACL) is a set of rules that control which network traffic is allowed or denied on a router or switch interface.
Think of it as a traffic filter for packets entering or leaving a device.
It helps secure the network by controlling who can access what.
🔹 Why ACLs are used
ACLs are used in Cisco networks for several purposes:
- Traffic filtering – Allow or deny packets based on IP addresses, protocols, or ports.
- Security – Protect devices and networks from unauthorized access.
- Network performance – Limit unnecessary traffic and reduce congestion.
- Policy enforcement – Apply company rules (for example, only certain users can reach the admin network).
- Routing control – Influence route updates or traffic forwarding (in advanced configurations).
🔹 How ACLs work (Concept)
- ACLs are made of statements (rules) that check packet information.
- Each statement can permit (allow) or deny (block) traffic.
- ACLs are read from top to bottom, and the first match wins.
- If no rule matches, an implicit deny is applied at the end (this means all unmatched traffic is blocked).
So, every ACL automatically ends with `deny any`, even if you don’t write it.
🔹 Where ACLs can be applied
ACLs can be applied:
- Inbound (in) — Filters traffic coming into an interface.
- Outbound (out) — Filters traffic leaving an interface.
Example:
If applied inbound on an interface, the router checks the packet before routing it.
If applied outbound, the router checks the packet after routing it.
🔹 Types of ACLs
For CCNA, you need to know the following main types:
| Type | Description | Number Range / Command |
|---|---|---|
| Standard ACL | Filters traffic based only on source IP address | access-list 1-99 (or 1300-1999) |
| Extended ACL | Filters traffic based on source IP, destination IP, protocol, and port number | access-list 100-199 (or 2000-2699) |
| Named ACL | Uses names instead of numbers; easier to read and edit | ip access-list standard NAME or ip access-list extended NAME |
🔹 1. Standard ACLs
Standard ACLs only look at the source IP address.
You can:
- Permit or deny traffic from specific source hosts or networks.
- Apply them close to the destination (because it blocks all traffic from the source, not just to a specific target).
Syntax:
access-list [number] [permit | deny] [source] [wildcard-mask]
Example:
Router(config)# access-list 10 deny 192.168.1.10
Router(config)# access-list 10 permit any
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip access-group 10 in
This configuration denies traffic from 192.168.1.10 and permits everyone else.
🔹 2. Extended ACLs
Extended ACLs give more control.
They can filter based on:
- Source IP address
- Destination IP address
- Protocol (TCP, UDP, ICMP, etc.)
- Port numbers (like HTTP = 80, HTTPS = 443, SSH = 22)
You can apply them close to the source to reduce unnecessary traffic early.
Syntax:
access-list [number] [permit | deny] [protocol] [source] [wildcard] [destination] [wildcard] [operator port]
Example:
Router(config)# access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80
Router(config)# access-list 101 deny ip any any
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip access-group 101 out
This allows only HTTP traffic (TCP port 80) from the 192.168.1.0/24 network to any destination and denies everything else.
🔹 3. Named ACLs
Named ACLs make configuration and editing easier because you use a name instead of a number.
Example (Named Standard ACL):
Router(config)# ip access-list standard STUDENT_NET
Router(config-std-nacl)# deny 192.168.1.50
Router(config-std-nacl)# permit any
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip access-group STUDENT_NET in
Example (Named Extended ACL):
Router(config)# ip access-list extended WEB_FILTER
Router(config-ext-nacl)# permit tcp any any eq 443
Router(config-ext-nacl)# deny ip any any
🔹 Wildcard Masks
Wildcard masks define which bits to match in an IP address.
- 0 = match this bit exactly
- 1 = ignore this bit
Examples:
| Network | Wildcard Mask | Meaning |
|---|---|---|
| 192.168.1.0 | 0.0.0.255 | Match the first 3 octets, ignore the last one (the entire /24 network) |
| 192.168.1.5 | 0.0.0.0 | Match exactly this single host |
| any | (keyword) | Same as 0.0.0.0 255.255.255.255 (matches every address) |
| host 192.168.1.10 | (keyword) | Shortcut for a single host (same as 192.168.1.10 0.0.0.0) |
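As an added illustration (not part of the CCNA notes), this Python evaluator applies the rules from the "How ACLs work" and "Wildcard Masks" sections to the ACLs 10 and 101 configured above: top-to-bottom first match, wildcard-bit matching, and the implicit deny when nothing matches. The function names and the packet parameters are assumptions for the example.

```python
import ipaddress
# Added example, not from the CCNA notes: a small evaluator for the standard and
# extended ACL statements shown on this page (first match wins, implicit deny).
def parse_addr(tokens):
    """Consume one address spec (any | host A.B.C.D | A.B.C.D [wildcard]).
    Returns (address, wildcard) as 32-bit integers."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    addr = int(ipaddress.IPv4Address(tok))
    # A standard ACL entry may omit the wildcard; IOS then assumes 0.0.0.0 (one host).
    if tokens and tokens[0].count(".") == 3:
        return addr, int(ipaddress.IPv4Address(tokens.pop(0)))
    return addr, 0

def wildcard_match(ip, addr, wc):
    """Wildcard bit 1 = ignore, bit 0 = must match exactly."""
    keep = ~wc & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & keep) == (addr & keep)

def parse_ace(line):
    """Parse one entry; protocol, destination and port are optional (standard ACL)."""
    t = line.split()
    if t[0] == "remark":          # remarks are documentation only, never matched
        return None
    ace = {"action": t.pop(0)}
    ace["proto"] = t.pop(0) if t[0] in ("ip", "tcp", "udp", "icmp") else None
    ace["src"] = parse_addr(t)
    ace["dst"] = parse_addr(t) if t else (0, 0xFFFFFFFF)
    ace["port"] = int(t[1]) if len(t) >= 2 and t[0] == "eq" else None
    return ace

def evaluate(acl_lines, src, dst, proto="ip", dport=None):
    """Return 'permit' or 'deny' for one packet, reading the ACL top to bottom."""
    for ace in filter(None, map(parse_ace, acl_lines)):
        if ace["proto"] not in (None, "ip", proto):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"]      # first match wins
    return "deny"                 # implicit deny any at the end of every ACL

ACL_10 = ["deny 192.168.1.10", "permit any"]               # standard ACL from the page
ACL_101 = ["remark Allow web traffic only",                # extended ACL from the page
           "permit tcp 192.168.1.0 0.0.0.255 any eq 80", "deny ip any any"]
```

Dropping the final `deny ip any any` from ACL_101 changes nothing for unmatched packets: the implicit deny still blocks them, which is why a forgotten permit statement silently cuts traffic off.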
🔹 Applying ACLs to Interfaces
You must apply the ACL to an interface and direction:
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip access-group [number | name] [in | out]
- in → applies to inbound packets
- out → applies to outbound packets
Only one ACL per direction per interface is allowed for IPv4.
🔹 Verifying ACLs
You can verify ACL configuration and application with these commands:
| Command | Description |
|---|---|
| show access-lists | Displays all configured ACLs |
| show ip access-lists | Shows IP ACL details with hit counts |
| show running-config | Displays ACL configuration in the running config |
| show ip interface [int-name] | Shows which ACL is applied to an interface |
Example output:
Router# show access-lists
Standard IP access list 10
10 deny 192.168.1.10
20 permit any
“Hit counts” increase when packets match a rule — this helps verify ACL operation.
🔹 ACL Best Practices
- Plan before applying – Make sure the logic won’t block needed traffic.
- Apply standard ACLs close to the destination.
- Apply extended ACLs close to the source.
- Always include a permit statement if needed; remember the implicit `deny any` at the end.
- Use remarks for documentation: access-list 101 remark Allow web traffic only
- Test ACLs in a lab before applying to production networks.
🔹 IPv6 ACLs (Basic Introduction for CCNA)
IPv6 uses a slightly different ACL configuration:
- Command: ipv6 traffic-filter
- Example:
Router(config)# ipv6 access-list BLOCK_TELNET
Router(config-ipv6-acl)# deny tcp any any eq 23
Router(config-ipv6-acl)# permit ipv6 any any
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ipv6 traffic-filter BLOCK_TELNET in
IPv6 ACLs do not use wildcard masks (they use prefix notation instead).
🔹 Summary Table
| Type | Filters by | Number Range | Apply Close To | Example |
|---|---|---|---|---|
| Standard | Source IP | 1–99 / 1300–1999 | Destination | access-list 10 deny 192.168.1.10 |
| Extended | Source, Destination, Protocol, Port | 100–199 / 2000–2699 | Source | access-list 101 permit tcp any any eq 80 |
| Named | Uses name | N/A | Either | ip access-list extended NAME |
✅ Key Points to Remember for the Exam:
- ACLs filter traffic based on rules.
- Standard ACL = source IP only.
- Extended ACL = source + destination + protocol + port.
- One ACL per direction per interface.
- Implicit `deny any` at the end.
- Use wildcard masks.
- Use `show access-lists` to verify.
- Apply extended ACLs close to the source, standard close to the destination.
