Tutorial: Standard ACL (Access Control List) Basics

Posted June 18, 2007 by aaronm in Cisco router

This is a BASIC explanation of Standard ACL’s that SHOULD be fairly easy to understand and span the spectrum of most Cisco routers.

The first thing to remember about ACL’s is they read from top to bottom. When a packet comes to a router interface, it is matched against the first line in the ACL, if it doesn’t meet the criteria, then it drops to the next line and so on until it reaches a permit or deny that fits it. The second thing to remember is THERE IS A IMPLICIT DENY underneath the last (bottom) line! Don’t apply an access-list to an interface without at least one permit statement. (Especially an inside interface!) Standard access lists can be numbered 1 – 99 or 1300 – 1999

The basic makeup of a line (statement) is:

permit / deny source_ip

access-list 1 permit

Depending on the interface and direction the list is applied, will determine its relevance. For example, if this access-list is placed on the inside interface with an “ip access-group 1 in” then the only traffic permitted into that interface will come from

Whew! If I haven’t completely confused you yet, then get ready.

Wildcard masks are an inverse of normal subnet masks, so is equivalent to the of route advertisement, for example.

So if I want to deny the network then I would type

access-list 1 deny

if I want to permit a single host, I type

access-list 1 permit

Ridiculous, I know. I’m not going to get into the functionality behind this, we would be reading for an hour.

Finally, when you apply the access-list to an interface, don’t call it a “list” call it a “group”.

router(config)# interface fastethernet 0/0
router(config-int)# ip access-group 1 in

P.S. Oh, yeah, and only one ACL per interface, per direction, per protocol.

This is the complete tip-top of the iceberg of ACL’s, several chapters in several large books cover this topic. I keep shaking my head as I write this because I’m leaving out sooooooo much stuff, but hopefully it gives you a base for researching / understanding this topic. Good luck!

The Conversation

Follow the reactions below and share your own thoughts.

  • Atanu Ray



    a litle bit funny but i understood!!

    thank you!!

  • Erika

    that was awsome

  • Anonymous

    nice job buddy

  • Anonymous


  • Anirban

    awsome….i really like ur article

    • Angela

      No because the Linksys has 2 IP adeessdrs. A WAN IP which is given to it by the CMTS using DHCP and the LAN IP which by default is The LAN and WAN are two completely different network segments so there is no conflict.

  • mahavir

    Really funny! Off-course a useful one.

  • Baishakhi307

    thnx for it..it really funny and great!!

  • Gitesh

    Very helpful in understanding the ACL… Good one

  • varshini

    Covers the basic idea of ACL.Pls suggest me some links where i can read in detail

  • Vishal P. Bulbule

    Really helpful.

  • Eshetu

    I can not access internet though 1921 ROUTER please can you help me as soon as possible

  • shaz

    Well done