Standard and Extended ACLs – Detailed Explanation
1. What is an Access Control List (ACL)?
ACLs are sets of rules applied to router or switch interfaces, controlling whether packets are permitted or denied as they pass through the device.
- Purpose: Enhance security by filtering packets based on administrator-defined rules.
- Usage: Restrict access to sensitive resources, limit traffic, and enforce network policies.
2. How ACLs Filter Traffic
- Packets are checked sequentially against each rule.
- The first matching rule is applied; no further rules are checked for that packet.
- If no match is found, an implicit deny all is applied at the end.
3. Standard ACLs
- Definition: Filter only on source IP address (simple, broad filtering).
- Cannot filter by destination, protocol, or port.
- Typical use: Block or allow entire subnets or host addresses.
Number Range: 1–99 and 1300–1999
Named format: ip access-list standard <name>
4. Extended ACLs
- Definition: Filter by source and destination IP, protocol (IP, TCP, UDP, ICMP), and ports.
- Much more granular than standard ACLs—can allow or block specific types of traffic.
- Use when: You need to allow/block specific traffic types or between specific hosts.
Number Range: 100–199 and 2000–2699
Named format: ip access-list extended <name>
5. ACL Numbering and Naming
Type | Number Range | Example |
---|---|---|
Standard | 1–99, 1300–1999 | access-list 10 permit ... |
Extended | 100–199, 2000–2699 | access-list 110 deny ... |
Named | N/A | ip access-list standard <name> or ip access-list extended <name> |
6. Wildcard Masks in ACLs
Wildcard masks specify address ranges. A 0 bit = exact match; a 1 bit = "don't care" (ignore).
Example: to match 192.168.1.0/24 (subnet mask 255.255.255.0, so the inverted wildcard mask is 0.0.0.255):
access-list 10 permit 192.168.1.0 0.0.0.255
7. ACL Placement and Order of Evaluation
- Inbound: Filters before entering an interface.
- Outbound: Filters before leaving an interface.
- Best Practices:
  - Standard ACL: Place close to the destination (it matches on source only, so placing it near the source would block that source's traffic to every destination).
  - Extended ACL: Place close to the source (minimizes unwanted traffic crossing the network).
- Implicit Deny: Unmatched packets are blocked by default.
8. ACL Configuration Basics
Standard ACL (Numbered)
access-list 10 deny 192.168.1.100 0.0.0.0
access-list 10 permit any
interface GigabitEthernet0/0
 ip access-group 10 in
Blocks all traffic from 192.168.1.100; permits all others.
Extended ACL (Numbered)
access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 110 deny ip any any
interface GigabitEthernet0/1
 ip access-group 110 in
Permits only HTTP from 192.168.1.0/24 to anywhere; denies everything else.
Named ACL
ip access-list extended BLOCK_TELNET
 deny tcp any any eq 23
 permit ip any any
interface GigabitEthernet0/1
 ip access-group BLOCK_TELNET in
Denies all Telnet traffic, permits all other IP traffic. Note that an interface accepts only one IP ACL per direction, so applying BLOCK_TELNET inbound on GigabitEthernet0/1 replaces ACL 110 from the previous example.
9. Using Protocols and Ports in Extended ACLs
Protocol | Common Use/Example |
---|---|
tcp | Web (eq 80/443), SSH (eq 22), Telnet (eq 23) |
udp | DNS (eq 53), DHCP (eq 67/68) |
icmp | Ping, traceroute |
ip | All IP traffic |
Allow SSH (22) from the admin subnet 10.0.0.0/24 to the server 192.168.2.100:
access-list 120 permit tcp 10.0.0.0 0.0.0.255 host 192.168.2.100 eq 22
access-list 120 deny ip any any
10. Checking and Verifying ACLs
- show access-lists – List all ACLs with counters
- show running-config – View ACLs in device config
- show ip interface – See which ACLs are applied
- Test with ping, telnet, or traceroute
11. ACL Best Practices
- Remove unused/redundant entries to keep ACLs efficient.
- Order statements logically: more specific rules before general ones.
- Document each entry’s purpose.
- Test changes in a lab before production deployment.
- Review ACLs regularly as the network changes.
12. Common Use Cases
- Restricting access for specific users/devices
- Controlling access to servers/services (e.g., only allow web traffic)
- Implementing security zones between DMZ, internal, and external networks
13. Troubleshooting ACLs
- Check for order and mask errors; ensure correct interface direction.
- Use the log keyword on ACL entries to monitor denied packets (ACL logging is CPU-intensive, so apply it selectively rather than to every entry).
- Use show access-lists to see hit counts and rule activity.
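Added example, not from the original page: a small Python parser for show access-lists output that reports deny entries with hits and entries that never match, which ties the hit-count check above to the cleanup best practice. The sample output is constructed in IOS style from this page's ACLs, and the function names are the example's own.

```python
# Added example, not from the page: parse "show access-lists" output to spot deny entries
# that are hitting and entries that never match. The sample output below is constructed
# in IOS style from this page's ACLs; it is not captured from a real device.
import re

SHOW_ACCESS_LISTS = """\
Standard IP access list 10
    10 deny   192.168.1.100 (12 matches)
    20 permit any (8841 matches)
Extended IP access list 110
    10 permit tcp 192.168.1.0 0.0.0.255 any eq www (1532 matches)
    20 deny ip any any log (47 matches)
Extended IP access list BLOCK_TELNET
    10 deny tcp any any eq telnet
    20 permit ip any any (305 matches)
"""

HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)$")
ENTRY = re.compile(r"^\s+(\d+) (permit|deny)\s+(.*?)(?: \((\d+) match(?:es)?\))?$")

def parse_show_access_lists(text):
    """Return {acl_name: [(seq, action, criteria, matches)]}; entries with no counter get 0."""
    acls, current = {}, None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            current = acls.setdefault(h.group(2), [])
            continue
        e = ENTRY.match(line)
        if e and current is not None:
            seq, action, criteria, matches = e.groups()
            current.append((int(seq), action, criteria.strip(), int(matches or 0)))
    return acls

def hitting_denies(acls):
    """Deny entries with a non-zero counter: traffic is being dropped and is worth a look."""
    return [(name, seq, crit, n) for name, entries in acls.items()
            for seq, action, crit, n in entries if action == "deny" and n > 0]

def unused_entries(acls):
    """Entries that have never matched: review candidates under the cleanup best practice."""
    return [(name, seq, crit) for name, entries in acls.items()
            for seq, _, crit, n in entries if n == 0]
```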
14. Advanced ACL Concepts (Optional)
- Reflexive ACLs: Allow dynamic temporary entries for sessions initiated from inside.
- Time-based ACLs: Enforce rules only at certain times.
- Dynamic ACLs (Lock and Key): Permit traffic after authentication.
15. ACL Interaction with Other Security Features
- NAT: ACLs define which traffic is translated.
- VPNs: ACLs define which traffic is encrypted/tunneled.
- Firewalls: Advanced ACL logic underpins firewall policies.
Example Scenario:
Allow only HTTP/HTTPS from 10.10.10.0/24 to server 192.168.20.100; block everything else:
access-list 150 permit tcp 10.10.10.0 0.0.0.255 host 192.168.20.100 eq 80
access-list 150 permit tcp 10.10.10.0 0.0.0.255 host 192.168.20.100 eq 443
access-list 150 deny ip any any
interface GigabitEthernet0/2
 ip access-group 150 in
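Added example, not from the original page: a Python first-match simulator for the numbered ACL syntax used in the wildcard-mask section and the configuration examples. It applies wildcard masks bitwise (0 = must match, 1 = don't care), walks rules top-down, and falls back to the implicit deny; ACL 150 above is loaded as the sample, and the parse_rule and evaluate names are the example's own.

```python
# Added example, not from the page: a first-match simulator for Cisco-style numbered ACLs.
# Handles the forms this page uses: standard (source only) and extended with an optional
# destination port ("eq N"); source ports and named ports are not parsed.
import ipaddress

def _parse_addr(tokens):
    """Consume one address spec; return (address_int, wildcard_int)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF                       # every wildcard bit set: any address matches
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    addr, wildcard = int(ipaddress.IPv4Address(tok)), 0   # bare address = exact host
    if tokens and tokens[0][0].isdigit():          # an explicit wildcard mask follows
        wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    return addr, wildcard

def parse_rule(line):
    """Parse one 'access-list N permit|deny ...' line into a rule dict."""
    tokens = line.split()
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if number <= 99 or 1300 <= number <= 1999:     # standard range: source address only
        return {"action": action, "proto": "ip", "src": _parse_addr(rest),
                "dst": (0, 0xFFFFFFFF), "dport": None}
    proto = rest.pop(0)                            # extended: proto src dst [eq port]
    src, dst = _parse_addr(rest), _parse_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def _matches(addr, spec):
    """True when addr agrees with spec on every bit whose wildcard bit is 0 (1 = don't care)."""
    net, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)

def evaluate(rules, src, dst, proto, dport=None):
    """Walk rules top-down; first match wins. Returns (action, index), or ('deny', None)."""
    for i, r in enumerate(rules):
        proto_ok = r["proto"] in ("ip", proto)
        port_ok = r["dport"] is None or r["dport"] == dport
        if proto_ok and port_ok and _matches(src, r["src"]) and _matches(dst, r["dst"]):
            return r["action"], i
    return "deny", None                            # no rule matched: implicit deny all

# The page's example scenario, ACL 150: only HTTP/HTTPS from 10.10.10.0/24 to 192.168.20.100.
ACL_150 = [parse_rule(line) for line in (
    "access-list 150 permit tcp 10.10.10.0 0.0.0.255 host 192.168.20.100 eq 80",
    "access-list 150 permit tcp 10.10.10.0 0.0.0.255 host 192.168.20.100 eq 443",
    "access-list 150 deny ip any any")]
```

Calling evaluate(ACL_150, "10.10.10.7", "192.168.20.100", "tcp", 22) returns the explicit deny at index 2, while a standard ACL with no "permit any" returns ("deny", None) for the implicit deny.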
Summary Table: Key Points and Exam Tips
Aspect | Standard ACL | Extended ACL | Named ACL |
---|---|---|---|
Filter Criteria | Source IP only | Source/destination IP, protocol, port | Either type, easier management |
Number Range | 1–99, 1300–1999 | 100–199, 2000–2699 | N/A |
Placement | Close to destination | Close to source | Depends on logic |
Common Use | Block subnet/device | Precise control | Large/frequently edited lists |
Wildcard Mask | Inverted subnet mask | Inverted subnet mask | Inverted subnet mask |
Implicit Deny | All unmatched traffic is blocked | All unmatched traffic is blocked | All unmatched traffic is blocked |
Verification | show access-lists, show running-config | show access-lists, show running-config | show access-lists, show running-config |
When and Where to Use Each ACL Type:
- Standard ACL: For basic restrictions, placed near destination.
- Extended ACL: For detailed filtering, placed near source.
- Named ACL: For easier management of complex or large access lists.