CCNA: Access Control Lists

The Cisco Access Control List (ACL) is are used for filtering traffic based on a given filtering criteria on a router or switch interface. Based on the conditions supplied by the ACL, a packet is allowed or blocked from further movement.

Cisco ACLs are available for several types of routed protocols including IP, IPX, AppleTalk, XNS, DECnet, and others. However, we will be discussing ACLs pertaining to TCP/IP protocol only.

ACLs for TCP/IP traffic filtering are primarily divided into two types:

  • Standard Access Lists, and
  • Extended Access Lists

Standard Access Control Lists: Standard IP ACLs range from 1 to 99. A Standard Access List allows you to permit or deny traffic FROM specific IP addresses. The destination of the packet and the ports involved can be anything.

This is the command syntax format of a standard ACL.

access-list access-list-number {permit|deny}
{host|source source-wildcard|any}

Standard ACL example:

access-list 10 permit

This list allows traffic from all addresses in the range to

Note that when configuring access lists on a router, you must identify each access list uniquely by assigning either a name or a number to the protocol's access list.

There is an implicit deny added to every access list. If you entered the command:

show access-list 10

The output looks like:

access-list 10 permit
access-list 10 deny any

Extended Access Control Lists: Extended IP ACLs allow you to permit or deny traffic from specific IP addresses to a specific destination IP address and port. It also allows you to have granular control by specifying controls for different types of protocols such as ICMP, TCP, UDP, etc within the ACL statements. Extended IP ACLs range from 100 to 199. In Cisco IOS Software Release 12.0.1, extended ACLs began to use additional numbers (2000 to 2699).

The syntax for IP Extended ACL is given below:

access-list access-list-number {deny | permit} protocol source source-wildcard
destination destination-wildcard [precedence precedence]

Note that the above syntax is simplified, and given for general understanding only.

Extended ACL example:

access-list 110 - Applied to traffic leaving the office (outgoing)

access-list 110 permit tcp any eq 80

ACL 110 permits traffic originating from any address on the network. The 'any' statement means that the traffic is allowed to have any destination address with the limitation of going to port 80. The value of can be specified as 'any'.

Applying an ACL to a router interface:

After the ACL is defined, it must be applied to the interface (inbound or outbound). The syntax for applying an ACL to a router interface is given below:

interface <interface>
ip access-group {number|name} {in|out}

An Access List may be specified by a name or a number. "in" applies the ACL to the inbound traffic, and "out" applies the ACL on the outbound traffic.

Example: To apply the standard ACL created in the previous example, use the following commands:

Rouer(config)#interface serial 0
Rouer(config-if)#ip access-group 10 out

Example Question:

Which command sequence will allow only traffic from network to enter interface s0?

A. access-list 25 permit
int s0 ; ip access-list 25 out

B. access-list 25 permit
int s0 ; ip access-group 25 out

C. access-list 25 permit
int s0 ; ip access-list 25 in

D. access-list 25 permit
int s0 ; ip access-group 25 in

Correct answer: D


The correct sequence of commands are:
1. access-list 25 permit
2. int s0
3. ip access-group 25 in

CONTENTS     Next    

Disclaimer: is not affiliated with any certification vendor, and Sim-Ex™ Practice Exams are written independently by and not affiliated or authorized by respective certification providers. Sim-Ex™ is a trade mark of or entity representing™ is a trademark of Cisco® systems