Tutorial: Standard ACL (Access Control List) Basics

This is a BASIC explanation of standard ACLs that SHOULD be fairly easy to understand and applies to most Cisco routers running IOS.


The first thing to remember about ACLs is that they are read from top to bottom. When a packet reaches an interface that has an ACL applied (inbound or outbound), the router compares it against the first statement in the list; if that statement does not match, it drops down to the next line, and so on, until it reaches a permit or deny that fits the packet. The first match wins and no later statement is consulted, so the order of the lines matters.

The second thing to remember is THERE IS AN IMPLICIT DENY underneath the last (bottom) line! A packet that matches none of your statements is dropped. Don't apply an access-list to an interface without at least one permit statement (especially an inside interface!), or you will cut off all traffic through it.

Standard access lists match on the source IP address only, and can be numbered 1 – 99 or 1300 – 1999.

The basic makeup of a line (statement) is:

access-list number permit|deny source_ip wildcard_mask

For example:

access-list 1 permit 192.168.1.3 0.0.0.0

Which interface the list is applied to, and in which direction, determines what it actually affects. For example, if this access-list is applied inbound on the inside interface with “ip access-group 1 in”, then the only traffic permitted into that interface will be packets sourced from 192.168.1.3; everything else hits the implicit deny.

Whew! If I haven’t completely confused you yet, then get ready.

Wildcard masks are the bitwise inverse of normal subnet masks: a 0 bit in the wildcard means “this bit of the address must match”, a 1 bit means “don’t care”. So a wildcard of 0.0.0.0 is the equivalent of the 255.255.255.255 host mask you see in a route advertisement: every bit must match, which means exactly one host.

So if I want to deny the network 10.0.1.0 255.255.255.248 (a /29), I invert the mask and type

access-list 1 deny 10.0.1.0 0.0.0.7

If I want to permit a single host, I type

access-list 1 permit 192.168.1.1 0.0.0.0

(IOS also accepts the shorthand “host 192.168.1.1” for a 0.0.0.0 wildcard, and “any” for 0.0.0.0 255.255.255.255.)

Ridiculous, I know. I’m not going to get into the bit-level mechanics behind this; we would be reading for an hour.

Finally, when you apply the access-list to an interface, the command doesn’t call it a “list”, it calls it a “group”.

e.g.
router(config)# interface fastethernet 0/0
router(config-if)# ip access-group 1 in

You can confirm what is applied where with “show ip interface”, and “show access-lists” shows a match counter per line, which is the quickest way to see whether a statement is ever being hit.

P.S. Oh, yeah, and only one ACL per interface, per direction, per protocol. Applying a second one in the same direction replaces the first rather than adding to it.
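The evaluation rules from the top of this tutorial (top to bottom, first match wins, implicit deny after the last line) and the wildcard-mask arithmetic, as an added example that is not part of the original tutorial: a small Python simulator that parses access-list statements written in IOS syntax and decides what the router would do with a given source address. The sample configuration, ACL numbers and addresses in it are constructed for illustration; the code does not talk to a router and only models the standard (source-only) ACL type discussed here.

```python
# Added example (not code from the original tutorial): a simulator for Cisco IOS
# *standard* ACL semantics. It parses constructed "access-list N permit|deny SRC
# [WILDCARD]" lines and evaluates a packet's source address the way the router
# does: top to bottom, first match wins, implicit deny at the bottom.
import ipaddress
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF

# One parsed statement: (action, network as int, wildcard mask as int)
Entry = Tuple[str, int, int]


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_from_mask(mask: str) -> str:
    """Wildcard = bitwise inverse of the subnet mask: 255.255.255.248 -> 0.0.0.7."""
    return str(ipaddress.IPv4Address(_to_int(mask) ^ ALL_ONES))


def wildcard_matches(addr: str, network: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match the network; a 1 bit is 'don't care'."""
    care = _to_int(wildcard) ^ ALL_ONES
    return (_to_int(addr) & care) == (_to_int(network) & care)


def parse_standard_acl(config: str, number: int) -> List[Entry]:
    """Collect the statements of one numbered standard ACL in the order typed."""
    entries: List[Entry] = []
    for raw in config.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[1] != str(number):
            continue
        action = tokens[2]
        if action == "remark":                 # remarks carry no match logic
            continue
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in line: {raw!r}")
        if tokens[3] == "any":                 # any == 0.0.0.0 255.255.255.255
            net, wc = "0.0.0.0", "255.255.255.255"
        elif tokens[3] == "host":              # host X == X 0.0.0.0
            net, wc = tokens[4], "0.0.0.0"
        else:
            net = tokens[3]
            wc = tokens[4] if len(tokens) > 4 else "0.0.0.0"   # IOS default wildcard
        entries.append((action, _to_int(net), _to_int(wc)))
    return entries


def evaluate(entries: List[Entry], src_ip: str) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the matching line); index None = implicit deny."""
    src = _to_int(src_ip)
    for i, (action, net, wc) in enumerate(entries):
        care = wc ^ ALL_ONES
        if (src & care) == (net & care):
            return action, i                   # first match wins; stop here
    return "deny", None                        # nothing matched: implicit deny


def shadowed_lines(entries: List[Entry]) -> List[int]:
    """Indexes of statements that can never match because an earlier one
    already matches every address they cover (the classic ordering mistake)."""
    shadowed = []
    for i, (_, net, wc) in enumerate(entries):
        for _, enet, ewc in entries[:i]:
            ecare = ewc ^ ALL_ONES
            # the earlier line covers ours if it only cares about bits we also
            # fix, and agrees with us on every one of those bits
            if (ecare & wc) == 0 and (enet & ecare) == (net & ecare):
                shadowed.append(i)
                break
    return shadowed


# Constructed sample configuration mirroring the tutorial's statements.
SAMPLE_CONFIG = """
access-list 1 remark constructed example, not a real network
access-list 1 deny 10.0.1.0 0.0.0.7
access-list 1 permit 192.168.1.1 0.0.0.0
access-list 1 permit host 172.16.5.9
access-list 2 permit any
access-list 2 deny 10.0.1.0 0.0.0.7
"""

if __name__ == "__main__":
    acl1 = parse_standard_acl(SAMPLE_CONFIG, 1)
    for src in ("10.0.1.5", "10.0.1.8", "192.168.1.1", "192.168.1.3", "172.16.5.9"):
        decision, line = evaluate(acl1, src)
        where = f"line {line + 1}" if line is not None else "implicit deny"
        print(f"{src:>12} -> {decision} ({where})")
    print("255.255.255.248 ->", wildcard_from_mask("255.255.255.248"))
    print("ACL 2 shadowed lines:", shadowed_lines(parse_standard_acl(SAMPLE_CONFIG, 2)))
```

Run as a script it prints the decision and the matching line for each sample source: 10.0.1.5 is denied by line 1, 10.0.1.8 lies outside the /29 and falls through to the implicit deny, and 192.168.1.3 is denied for the same reason even though nothing in ACL 1 mentions it. The shadowed-line check is worth running before you reorder statements: in ACL 2 the “permit any” placed first means the deny beneath it can never match, which is exactly what a zero match counter in “show access-lists” would tell you on the router.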

This is the complete tip-top of the iceberg of ACLs; several chapters in several large books cover this topic. I keep shaking my head as I write this because I’m leaving out so much, but hopefully it gives you a base for researching and understanding this topic. Good luck!


14 Responses to “Tutorial: Standard ACL (Access Control List) Basics”

  1. January 11, 2009 at 2:45 pm, Atanu Ray said:

    Good.

  2. February 16, 2009 at 8:27 pm, VENCIO said:

    A little bit funny, but I understood!!

    thank you!!

  3. May 20, 2009 at 3:10 am, Erika said:

    That was awesome.

  4. August 10, 2009 at 3:45 am, Anonymous said:

    nice job buddy

  5. January 02, 2010 at 6:51 pm, Anonymous said:

    Yea, a good job done here. I think I’m really certified with everything because it’s simple and easy to understand.
    Thanks.

  6. November 13, 2010 at 8:32 am, Anirban said:

    Awesome… I really like your article.

    • June 09, 2012 at 4:06 pm, Angela said:

      No, because the Linksys has 2 IP addresses: a WAN IP which is given to it by the CMTS using DHCP, and the LAN IP which by default is 192.168.1.1. The LAN and WAN are two completely different network segments, so there is no conflict.

  7. February 02, 2011 at 10:14 am, mahavir said:

    Really funny! Of course a useful one.

  8. April 06, 2011 at 6:23 pm, Baishakhi307 said:

    Thanks for it.. it’s really funny and great!!

  9. July 12, 2011 at 4:46 am, Gitesh said:

    Very helpful in understanding the ACL… Good one

  10. August 22, 2011 at 6:09 am, varshini said:

    Covers the basic idea of ACLs. Please suggest some links where I can read in detail.

  11. June 15, 2012 at 10:48 am, Vishal P. Bulbule said:

    Really helpful.

  12. May 11, 2013 at 3:52 am, Eshetu said:

    I cannot access the internet through a 1921 router. Please can you help me as soon as possible?

  13. December 18, 2013 at 6:11 am, shaz said:

    Well done