ACL Config

Configures an access control list (ACL) entry to permit or deny traffic based on protocol, source, destination, and optional port number.

Syntax
permit|deny [proto] [src] [dest] [eq port]

When to Use This Command

  • Restrict inbound HTTP traffic to a web server from a specific subnet.
  • Block all Telnet access from external networks to internal devices.
  • Allow only ICMP echo requests from a monitoring server to network devices.
  • Deny FTP traffic from a specific host to a file server.

Command Examples

Permit HTTP traffic from a specific subnet to a web server

permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.1 eq 80

This command permits TCP traffic from any host in the 192.168.1.0/24 network to the destination host 10.0.0.1 on port 80 (HTTP). The wildcard mask 0.0.0.255 requires the first three octets to match 192.168.1 and ignores the last octet, which is exactly the /24 subnet.

Deny Telnet traffic from any source to a specific server

deny tcp any host 10.0.0.2 eq 23

This command denies TCP traffic from any source to the destination host 10.0.0.2 on port 23 (Telnet). The keyword 'any' matches all source IP addresses.

Understanding the Output

This command does not produce output when entered; it simply adds an entry to the ACL. To view the ACL, use 'show access-lists'. Its output lists each entry with its sequence number, permit/deny action, protocol, source, destination, and port (if one was specified). Entries are evaluated in order, and the first matching entry decides the packet's fate. An implicit 'deny any' exists at the end of every ACL, so traffic not explicitly permitted is denied.
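To make those evaluation rules concrete, the following is an added Python simulator (not part of the original page and not a vendor tool) that parses the two entries shown above, applies wildcard-mask matching, walks the list top-down with first-match-wins, and falls through to the implicit deny. The sequence numbers, the test addresses and the deliberately wrong 255.255.255.0 mask (the wildcard/subnet-mask mix-up listed under Common Mistakes) are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# One access-control entry; src/dst are "any", "host A.B.C.D" or "A.B.C.D W.X.Y.Z" (address + wildcard).
Ace = namedtuple("Ace", "action proto src dst port")

def parse_ace(line):
    """Parse 'permit|deny proto src dst [eq port]' into an Ace (port is None without 'eq')."""
    tok = line.split()
    fields, i = [tok[0], tok[1]], 2
    for _ in range(2):                       # source, then destination
        if tok[i] == "any":
            fields.append("any"); i += 1
        else:                                # "host A.B.C.D" or "A.B.C.D W.X.Y.Z": two tokens either way
            fields.append(tok[i] + " " + tok[i + 1]); i += 2
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Ace(*fields, port)

def wildcard_match(spec, addr):
    """Cisco wildcard: a 0 bit must match, a 1 bit is 'don't care' (the inverse of a subnet mask)."""
    if spec == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    if spec.startswith("host "):
        return a == int(ipaddress.IPv4Address(spec[5:]))
    base, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (int(ipaddress.IPv4Address(base)) & care)

def evaluate(acl, proto, src, dst, port=None):
    """Top-down, first match wins: returns (action, sequence number), or ('deny', None) for the implicit deny any."""
    for idx, ace in enumerate(acl):
        if ace.proto not in ("ip", proto):
            continue
        if not (wildcard_match(ace.src, src) and wildcard_match(ace.dst, dst)):
            continue
        if ace.port is not None and ace.port != port:
            continue
        return ace.action, 10 * (idx + 1)    # constructed sequence numbers 10, 20, ...
    return "deny", None
# The two entries from this page, in the order they would be entered.
ACL = [parse_ace("permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.1 eq 80"),
       parse_ace("deny tcp any host 10.0.0.2 eq 23")]
# Same first entry with the subnet mask typed instead of the wildcard (constructed mistake).
ACL_BAD_MASK = [parse_ace("permit tcp 192.168.1.0 255.255.255.0 host 10.0.0.1 eq 80")]
if __name__ == "__main__":
    print(evaluate(ACL, "tcp", "192.168.1.77", "10.0.0.1", 80))          # ('permit', 10)
    print(evaluate(ACL, "tcp", "192.168.1.77", "10.0.0.1", 443))         # ('deny', None): implicit deny
    print(evaluate(ACL_BAD_MASK, "tcp", "192.168.1.77", "10.0.0.1", 80)) # ('deny', None): mask inverted
```

With 255.255.255.0 the "care" bits cover only the last octet, so the entry matches any address ending in .0 and misses every real host in 192.168.1.0/24.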

CCNA Exam Tips

1. Remember the implicit deny any at the end of every ACL; you must explicitly permit desired traffic.

2. ACL entries are processed top-down; order matters. Place more specific entries before general ones.

3. For extended ACLs, the protocol (e.g., tcp, udp, icmp) must be specified before source and destination.

4. The 'eq' operator matches only the exact port number; use 'gt', 'lt', 'range' for other comparisons.

Common Mistakes

  • Forgetting to apply the ACL to an interface with the 'ip access-group' command, so the entries have no effect.
  • Using a subnet mask instead of a wildcard mask (e.g., 255.255.255.0 instead of 0.0.0.255), which inverts the matching logic.
  • Placing a deny entry before a permit entry for the same traffic, causing unintended blocking.