Access Control Lists on Cisco IOS: Standard, Extended, and Named ACLs
Access Control Lists (ACLs) are a fundamental tool for filtering traffic on Cisco routers and switches. For the CCNA 200-301 exam, you must understand how to write, apply, and troubleshoot standard, extended, and named ACLs. This post covers the mechanics, the implicit deny rule, wildcard masks, and common exam traps.
Types of ACLs
Cisco IOS supports three types of ACLs relevant to CCNA:
- Standard ACLs: Filter based on source IP address only. Numbered 1–99 and 1300–1999.
- Extended ACLs: Filter based on source/destination IP, protocol, and port numbers. Numbered 100–199 and 2000–2699.
- Named ACLs: Can be standard or extended, but identified by a name instead of a number. Allow easier editing.
The Implicit Deny Rule
Every ACL ends with an implicit deny any statement. If a packet matches no permit entry, it is dropped. The implicit deny never appears in the configuration, but it is always present. A common mistake is to write only the deny entries you need and forget that everything else is then dropped as well. To allow the remaining traffic, add an explicit permit any (standard ACL) or permit ip any any (extended ACL) as the last entry. One practical caveat: the implicit deny does not increment a counter in show access-lists, so if you want to see what is being dropped, finish the list with an explicit deny ip any any (optionally with the log keyword). It matches exactly the traffic the implicit deny would, but now you can count it.
Wildcard Masks
ACLs use wildcard masks to match IP addresses. A wildcard mask is the inverse of a subnet mask: 0 means match exactly, 1 means ignore.
- 0.0.0.0 matches all bits exactly (equivalent to the host keyword).
- 255.255.255.255 matches any address (equivalent to any).
- Example: to match the subnet 192.168.1.0/24, use 192.168.1.0 0.0.0.255.
Common shortcuts:
- host 10.0.0.1 = 10.0.0.1 0.0.0.0
- any = 0.0.0.0 255.255.255.255
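The arithmetic behind those shortcuts, as an added Python example (it is not part of the original post and is not IOS code): it converts between prefix lengths and wildcard masks, renders an ACL address field with the host/any shortcuts, and checks whether an address matches a base/wildcard pair. It also covers the non-contiguous wildcard the exam likes to ask about (0.0.0.254 to match only odd or only even host addresses), which a subnet mask could never express. The function names and the sample addresses are this example's own choices.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def wildcard_from_prefix(prefixlen):
    """Wildcard mask for an IPv4 /prefixlen: the bitwise inverse of the subnet mask."""
    if not 0 <= prefixlen <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    subnet_mask = (ALL_ONES << (32 - prefixlen)) & ALL_ONES
    return str(ipaddress.IPv4Address(subnet_mask ^ ALL_ONES))


def prefix_from_wildcard(wildcard):
    """Inverse of wildcard_from_prefix. Raises for a non-contiguous wildcard such as
    0.0.0.254, which is legal in an ACL entry but has no CIDR equivalent."""
    w = int(ipaddress.IPv4Address(wildcard))
    ones = w.bit_length()
    if w != (1 << ones) - 1:
        raise ValueError(f"{wildcard} is not a contiguous wildcard mask")
    return 32 - ones


def wildcard_match(addr, base, wildcard):
    """True if addr matches base under wildcard: every bit that is 0 in the wildcard
    must be identical in addr and base; bits that are 1 are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & ALL_ONES   # 1 = this bit must match
    return (a & care) == (b & care)


def acl_address(cidr):
    """Render the address field of an ACL entry for a CIDR block, using the
    host/any shortcuts where IOS would."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    if net.prefixlen == 0:
        return "any"
    return f"{net.network_address} {wildcard_from_prefix(net.prefixlen)}"


def matching_hosts(base, wildcard, candidates):
    """Filter a list of addresses down to those a base/wildcard pair matches."""
    return [c for c in candidates if wildcard_match(c, base, wildcard)]


if __name__ == "__main__":
    # Constructed sample: the exam-style "odd hosts only" trick on 192.168.1.0/24.
    hosts = ["192.168.1.1", "192.168.1.2", "192.168.1.7", "192.168.1.8", "192.168.2.3"]
    print(acl_address("192.168.1.0/24"))                       # 192.168.1.0 0.0.0.255
    print(matching_hosts("192.168.1.1", "0.0.0.254", hosts))   # odd last octets only
```

Two things worth noticing when you run it: the bits of the base address that fall under the wildcard are irrelevant (192.168.1.5 0.0.0.255 matches exactly what 192.168.1.0 0.0.0.255 matches, and IOS stores the zeroed form), and prefix_from_wildcard refuses 0.0.0.254 because a wildcard with a hole in it is not a subnet, even though IOS accepts it happily.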
Standard ACLs
Standard ACLs check only the source address, so they cannot tell one destination from another. Place them as close to the destination as possible: applied near the source, they would cut that source off from every destination, not just the one you want to protect. They are numbered 1–99 or 1300–1999.
Example: Permit traffic from network 192.168.1.0/24, deny all others.
access-list 10 permit 192.168.1.0 0.0.0.255
Apply inbound on an interface:
interface GigabitEthernet0/0
ip access-group 10 in
Extended ACLs
Extended ACLs provide granular control. They are numbered 100–199 or 2000–2699. Syntax:
access-list [number] [permit|deny] [protocol] [source] [source-wildcard] [destination] [destination-wildcard] [eq port]
Example: Permit HTTP traffic (TCP port 80) from host 10.0.0.1 to server 192.168.1.100, deny all other traffic.
access-list 100 permit tcp host 10.0.0.1 host 192.168.1.100 eq 80
Apply outbound on the server-facing interface:
interface GigabitEthernet0/1
ip access-group 100 out
Extended ACLs should be placed as close to the source as possible, so that unwanted traffic is dropped before it crosses the network and consumes bandwidth. Keep the implicit deny in mind with an entry this specific: applied outbound on GigabitEthernet0/1, the ACL above drops everything else leaving that interface, including ICMP, DNS and any other traffic toward the server, so permit whatever else is needed explicitly.
Named ACLs
Named ACLs allow easier management. Use ip access-list standard NAME or ip access-list extended NAME.
Example: Create a named extended ACL to block Telnet (TCP port 23) from subnet 10.0.0.0/24 to subnet 192.168.1.0/24.
ip access-list extended BLOCK_TELNET
deny tcp 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 23
permit ip any any
Apply inbound on interface facing 10.0.0.0/24:
interface GigabitEthernet0/0
ip access-group BLOCK_TELNET in
Named ACLs give every entry a sequence number, so you can delete one entry with no <sequence-number> and insert one at a chosen position by typing the sequence number before permit or deny, without removing the list. Classic numbered ACLs have no such editing: no access-list <number> removes the entire list, so they have to be re-entered in full. Recent IOS versions also let you edit a numbered ACL in named mode, for example with ip access-list extended 100.
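To see the top-down, first-match-wins logic behind the extended and named ACL examples above, here is an added Python example (not the post's own material, and not IOS code): a small parser for the IOS access-list syntax used on this page plus an evaluator that applies the implicit deny and keeps per-entry hit counts, the way show access-lists reports them. The packet dictionaries are constructed for the example, and the parser deliberately supports only what this page shows (standard and extended entries, host/any, the eq/gt/lt/neq/range port operators, and a handful of port names).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}        # "ip" matches every IP protocol
PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22, "domain": 53}   # names IOS accepts for ports
PORT_OPS = {"eq": lambda p, a: p == a, "neq": lambda p, a: p != a,
            "gt": lambda p, a: p > a, "lt": lambda p, a: p < a}
ANY = (0, 0xFFFFFFFF)                             # any == 0.0.0.0 255.255.255.255


@dataclass
class Entry:
    action: str             # "permit" or "deny"
    proto: str              # ip / tcp / udp / icmp
    src: tuple              # (base, wildcard) as 32-bit ints
    sport: Optional[tuple]  # ("eq", 23), ("range", 1024, 65535) or None
    dst: tuple
    dport: Optional[tuple]
    text: str               # the original line, for show-style output
    hits: int = 0

def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D', 'A.B.C.D W.X.Y.Z' or a bare 'A.B.C.D' (standard-ACL host)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():   # a wildcard follows (operators are words)
        wild = int(ipaddress.IPv4Address(tokens[i + 1]))
        # Wildcard-covered bits never take part in matching; IOS zeros them when it stores
        # the entry, so 192.168.1.5 0.0.0.255 is kept as 192.168.1.0 0.0.0.255.
        return (base & ~wild & 0xFFFFFFFF, wild), i + 2
    return (base, 0), i + 1

def _parse_port(tokens, i):
    """Consume an optional port operator: eq/gt/lt/neq N, or range N M."""
    if i < len(tokens) and (tokens[i] in PORT_OPS or tokens[i] == "range"):
        n = 3 if tokens[i] == "range" else 2
        return (tokens[i], *(int(PORT_NAMES.get(t, t)) for t in tokens[i + 1:i + n])), i + n
    return None, i

def parse_entry(line):
    """Parse one numbered ('access-list N ...') or named-mode ('permit ...') ACL line."""
    tokens = line.split()
    if tokens[0] == "access-list":                  # numbered form: drop keyword and list number
        tokens = tokens[2:]
    if len(tokens) > 1 and tokens[1] in PROTOCOLS:  # extended entry
        src, i = _parse_addr(tokens, 2)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        return Entry(tokens[0], tokens[1], src, sport, dst, dport, line.strip())
    src, _ = _parse_addr(tokens, 1)                 # standard entry: source address only
    return Entry(tokens[0], "ip", src, None, ANY, None, line.strip())

def parse_acl(config):
    return [parse_entry(line) for line in config.splitlines() if line.strip()]

def _addr_match(spec, addr):
    base, wild = spec
    return (addr & ~wild & 0xFFFFFFFF) == base

def _port_match(spec, port):
    if spec is None:                 # entry does not name a port
        return True
    if port is None:                 # entry names a port but the packet has none (e.g. ICMP)
        return False
    op, *args = spec
    return args[0] <= port <= args[1] if op == "range" else PORT_OPS[op](port, args[0])

def evaluate(acl, pkt):
    """Top-down, first match wins; a packet matching no entry hits the implicit deny."""
    s = int(ipaddress.IPv4Address(pkt["src"]))
    d = int(ipaddress.IPv4Address(pkt["dst"]))
    for e in acl:
        if e.proto != "ip" and e.proto != pkt["proto"]:
            continue
        if (_addr_match(e.src, s) and _addr_match(e.dst, d)
                and _port_match(e.sport, pkt.get("sport"))
                and _port_match(e.dport, pkt.get("dport"))):
            e.hits += 1
            return e.action, e.text
    return "deny", "(implicit deny any)"

def show_access_list(acl):
    """Entries with hit counts, the way 'show access-lists' reports them."""
    return [f"{e.text} ({e.hits} matches)" for e in acl]


# Constructed sample: the BLOCK_TELNET entries from the named-ACL example above, and one packet.
BLOCK_TELNET = """
deny tcp 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 23
permit ip any any
"""
TELNET_PKT = {"src": "10.0.0.5", "dst": "192.168.1.20", "proto": "tcp", "dport": 23}
```

Feeding the same two BLOCK_TELNET lines in reverse order to parse_acl is the quickest demonstration of the "wrong order" trap: permit ip any any matches the Telnet packet first and the deny below it never gets a hit, which is exactly what show access-lists on the real box would show you (a deny entry whose counter stays at zero).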
Applying ACLs
ACLs are applied to interfaces with ip access-group in a specific direction:
- Inbound: packets arriving on the interface are checked before the routing decision, so a denied packet is dropped without being routed at all.
- Outbound: packets leaving the interface are checked after routing. An outbound ACL does not filter traffic the router itself generates (its own pings, routing updates, and so on).
One ACL per interface, per direction, per protocol is allowed (one IPv4 ACL in and one out). ACLs are also stateless: an entry permits packets in one direction only, so reply traffic has to be permitted separately. For TCP, the established keyword (which matches segments with the ACK or RST flag set) is the classic way to allow returning traffic without opening new inbound connections.
Troubleshooting ACLs
Common issues:
- Forgetting the implicit deny: traffic not explicitly permitted is dropped, including traffic you never thought about (DNS, ICMP, routing protocol hellos).
- Wrong order: ACLs are processed top-down. Place more specific entries first.
- Wrong direction: Ensure ACL is applied on the correct interface and direction.
- Typos in wildcard masks: verify what the router actually stored with show access-lists, which displays the wildcard for each entry.
Commands:
- show access-lists – displays all ACLs with per-entry hit counts.
- show ip interface [interface] – shows which ACLs are applied to the interface, and in which direction.
- debug ip packet [access-list-number] – shows packets as they are processed; use with caution in production, because it is CPU-intensive. The optional ACL number limits the output to matching packets.
Exam Tips: What to Watch For
- Implicit deny: Always remember it exists. If an ACL only has permit statements, all other traffic is denied.
- Standard ACL placement: Place standard ACLs near the destination; extended near the source.
- Wildcard mask tricks: The exam may ask for a wildcard that matches an odd/even subnet or specific hosts.
- Protocol keywords: tcp, udp, icmp, ip. The ip keyword matches all IP protocols, so permit ip any any also covers TCP, UDP and ICMP.
- Port operators: eq, gt, lt, neq, range (range takes two port numbers).
- Named ACL editing: in named ACL configuration mode, no <sequence-number> deletes a single entry, and <sequence-number> permit|deny ... inserts one at that position.
- VTY access: to restrict who may open Telnet/SSH sessions to the device, write a standard ACL listing the permitted management sources and apply it under line vty 0 4 with access-class <acl> in. Unlike ip access-group, which filters one interface, access-class protects the VTY lines no matter which interface the connection arrives on.
Conclusion
Mastering ACLs is essential for CCNA. Practice writing standard, extended, and named ACLs, and always verify with show access-lists. Remember the implicit deny and place ACLs correctly.
Test your knowledge with practice questions on platforms like Boson ExSim or Cisco's official study materials. Focus on scenarios involving wildcard masks, port numbers, and ACL placement to solidify your understanding.