ACL (Global Config)

access-list [100-199] permit|deny [proto] [src] [dst]

Adds an entry to an extended access list (numbered 100-199) that permits or denies traffic by protocol, source, and destination, giving granular traffic filtering on Cisco routers.

Syntax (Global Config)
access-list [100-199] permit|deny [proto] [src] [dst]

When to Use This Command

  • Block all HTTP traffic from a specific subnet to a web server while allowing other services.
  • Permit only ICMP echo requests from a management station to core routers for monitoring.
  • Deny Telnet traffic from external networks to internal servers to enforce secure management.
  • Allow specific application traffic (e.g., HTTPS) between two VLANs while blocking others.

Command Examples

Block HTTP from 192.168.1.0/24 to 10.0.0.1

access-list 101 deny tcp 192.168.1.0 0.0.0.255 host 10.0.0.1 eq 80

No output is generated by this command; it is verified with 'show access-lists'.

Permit ICMP from management station to any

access-list 110 permit icmp host 10.1.1.100 any echo

No output; use 'show access-lists' to confirm the entry.

Understanding the Output

The 'show access-lists' command displays the configured extended ACL entries. Each line shows the sequence number, the permit/deny action, the protocol, the source (with wildcard mask), the destination (with wildcard mask), and an optional operator/port. For example, '10 deny tcp 192.168.1.0 0.0.0.255 host 10.0.0.1 eq 80' means that sequence 10 denies TCP traffic from subnet 192.168.1.0/24 to host 10.0.0.1 on port 80. The 'matches' counter increments each time a packet matches the entry, which shows which rules are actually being hit; a high match count on a deny rule may indicate blocked traffic that should be permitted. Remember the implicit deny at the end of every ACL: a packet that matches no entry is denied.

CCNA Exam Tips

1. Extended ACLs should be applied as close to the source as possible, so unwanted traffic is dropped before it crosses the network (CCNA best practice).

2. Remember the order: protocol, source, destination, then operator/port (if TCP/UDP).

3. Wildcard masks are the inverse of subnet masks; e.g., 0.0.0.255 matches a /24 subnet.

4. The 'established' keyword can be used to permit the return traffic of TCP sessions.

Common Mistakes

Forgetting to apply the ACL to an interface with 'ip access-group' — the ACL has no effect until applied.

Misordering entries: Cisco processes ACLs top-down; a broad permit before a specific deny may bypass intended blocks.

Using the wrong wildcard mask (e.g., 255.255.255.0 instead of 0.0.0.255) — this matches a single host instead of a subnet.
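The top-down evaluation, implicit deny, wildcard matching and match counters described under Understanding the Output, the exam tips, and the ordering and wildcard mistakes above can all be checked against a small evaluator. The Python below is an added example, not IOS code and not from this page: it parses the page's own access-list syntax, applies wildcard masks bit-for-bit, evaluates constructed packets in order, and renders a 'show access-lists'-style listing. The `Entry`, `Packet`, `parse_acl`, `evaluate` and `show_access_list` names are the example's own; the `echo` and `established` keywords are modelled only as ICMP type 8 and a set TCP ACK/RST flag.

```python
"""Added example, not IOS code: a toy evaluator for the extended-ACL syntax on this page.
Parses 'access-list <100-199> permit|deny <proto> <src> <dst> [eq <port>] [established] [echo]',
applies wildcard masks bit-for-bit (0 = must match, 1 = ignored), processes entries top-down
with the implicit deny, and keeps the per-entry match counters that 'show access-lists' reports."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


@dataclass
class Entry:
    seq: int
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: int
    src_wc: int                      # source wildcard mask
    dst: int
    dst_wc: int                      # destination wildcard mask
    text: str                        # the entry as typed, for the 'show' rendering
    port: Optional[int] = None       # destination port from 'eq'
    established: bool = False        # match only TCP segments with ACK/RST set (return traffic)
    icmp_type: Optional[int] = None  # 'echo' keyword -> ICMP type 8 (modelled loosely here)
    matches: int = 0                 # the counter shown by 'show access-lists'


@dataclass
class Packet:                        # constructed packet summary, not a real capture
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    ack: bool = False                # True for segments belonging to an existing TCP session
    icmp_type: Optional[int] = None


def _parse_addr(t: List[str], i: int) -> Tuple[int, int, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (address, wildcard, next index)."""
    if t[i] == "any":
        return 0, ALL_ONES, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    return _ip(t[i]), _ip(t[i + 1]), i + 2


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse access-list lines in the order entered; IOS numbers them 10, 20, 30, ..."""
    entries: List[Entry] = []
    for raw in lines:
        t = raw.split()
        if not t or t[0] != "access-list":
            continue
        if not 100 <= int(t[1]) <= 199:
            raise ValueError(f"{t[1]}: not an extended ACL number")
        src, src_wc, i = _parse_addr(t, 4)
        dst, dst_wc, i = _parse_addr(t, i)
        e = Entry(10 * (len(entries) + 1), t[2], t[3], src, src_wc, dst, dst_wc, " ".join(t[2:]))
        while i < len(t):                            # optional trailing keywords
            if t[i] == "eq":
                e.port, i = int(t[i + 1]), i + 2
            elif t[i] == "established":
                e.established, i = True, i + 1
            elif t[i] == "echo":
                e.icmp_type, i = 8, i + 1
            else:
                raise ValueError(f"unsupported keyword {t[i]!r}")
        entries.append(e)
    return entries


def _wc_match(addr: int, base: int, wildcard: int) -> bool:
    keep = ~wildcard & ALL_ONES                      # 0 bits in the wildcard must match exactly
    return addr & keep == base & keep


def entry_matches(e: Entry, p: Packet) -> bool:
    return ((e.proto == "ip" or e.proto == p.proto)
            and _wc_match(_ip(p.src), e.src, e.src_wc)
            and _wc_match(_ip(p.dst), e.dst, e.dst_wc)
            and (e.port is None or p.dport == e.port)
            and (not e.established or p.ack)
            and (e.icmp_type is None or p.icmp_type == e.icmp_type))


def evaluate(entries: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """First match top-down wins; no match returns ('deny', None), the implicit deny."""
    for e in entries:
        if entry_matches(e, p):
            e.matches += 1
            return e.action, e.seq
    return "deny", None


def show_access_list(number: int, entries: List[Entry]) -> str:
    """Render roughly as 'show access-lists' does: sequence number, entry, match counter."""
    out = [f"Extended IP access list {number}"]
    for e in entries:
        out.append(f"    {e.seq} {e.text}" + (f" ({e.matches} matches)" if e.matches else ""))
    return "\n".join(out)
```

Running the page's own 'deny tcp 192.168.1.0 0.0.0.255 host 10.0.0.1 eq 80' followed by 'permit ip any any' through `evaluate` returns ('deny', 10) for an HTTP packet from 192.168.1.25 and ('permit', 20) for the same host on port 443; with the two lines swapped the HTTP packet is permitted at sequence 10 and the deny entry's counter never moves. An ACL holding only the ICMP 'echo' entry returns ('deny', None) for any other ICMP type, which is the implicit deny. With 255.255.255.0 as the wildcard, the entry ignores the first three octets and compares only the last one, so 192.168.1.25 passes the entry untouched while 172.16.5.0 is caught.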
