ip access-list extended [name]
Creates or enters an extended named access list to filter traffic based on source/destination IP, protocol, and port numbers, used for granular traffic control.
When to Use This Command
- Restricting inbound traffic to a web server to only allow HTTP and HTTPS from specific subnets.
- Blocking all traffic from a known malicious IP range while allowing legitimate traffic.
- Permitting only specific protocols (e.g., OSPF, EIGRP) between routers for routing updates.
- Controlling outbound traffic from a guest VLAN to the internet, allowing only DNS and web traffic.
Command Examples
Permit HTTP and HTTPS from specific subnet to a web server
ip access-list extended WEB-ACCESS
Router(config-ext-nacl)#
Enters extended ACL configuration mode for the named ACL 'WEB-ACCESS'; the prompt changes to config-ext-nacl. The rules for this scenario are the permit statements entered in this submode: TCP from the allowed subnet to the server's address with destination port 80, and the same with destination port 443. Creating the list filters nothing by itself; it takes effect only once applied to an interface with 'ip access-group WEB-ACCESS in' (or out).
Block traffic from a specific host and permit all other traffic
ip access-list extended BLOCK-HOST
Router(config-ext-nacl)#
Creates a new extended ACL named 'BLOCK-HOST' and enters its submode. Because the first matching entry wins, the deny for the specific host must be entered before the broad permit that allows everything else; in the reverse order the permit matches first and the deny is never evaluated.
Understanding the Output
The command itself produces no output; it only moves you into the config-ext-nacl submode. The configured rules and their counters are seen with 'show access-lists' or 'show ip access-lists'. Each line of that output shows the sequence number, the permit or deny action, the protocol, the source address and wildcard, the destination address and wildcard, any port qualifier, and, for lines that have matched traffic, a match counter such as '(25 matches)'. The counter is the number of packets that matched that line since the counters were last cleared with 'clear ip access-list counters'. Two caveats: the implicit deny at the end of the list is not displayed and has no counter, so if you need to see or count what is being dropped, add an explicit 'deny ip any any' as the last line (with the 'log' keyword if you also want syslog messages for the matches); and on many hardware-switching platforms the counters are not updated for traffic forwarded in hardware. Expected results are rising counters on the permit entries that carry the intended traffic and zero or low counts on the denies. A rising deny counter on traffic that should be allowed, or a permit entry matching traffic it was not meant for, points to a misordered entry or a wrong wildcard mask and should be investigated.
CCNA Exam Tips
Remember that extended ACLs are processed top-down; the first match is applied, so order matters.
CCNA 200-301 often tests the implicit deny all at the end of every ACL; you must include a permit statement if you want any traffic to pass.
Know that extended ACLs should be applied as close to the source as possible, so unwanted traffic is dropped before it crosses the network; standard ACLs, which match only on source address, go as close to the destination as possible.
Be able to identify correct wildcard mask usage (e.g., 0.0.0.255 for a /24 subnet). The wildcard is the bitwise inverse of the subnet mask: a 0 bit means the address bit must match, a 1 bit means it is ignored. 'host 10.1.1.10' is shorthand for '10.1.1.10 0.0.0.0' and 'any' for '0.0.0.0 255.255.255.255'.
Common Mistakes
Forgetting the implicit deny all at the end, causing all traffic to be blocked unintentionally.
Misordering ACL entries: placing a broad permit before a specific deny, causing the deny to never be evaluated.
Using incorrect wildcard masks (e.g., writing the subnet mask 255.255.255.0 instead of the wildcard 0.0.0.255 for a /24), which makes the entry match a completely different set of addresses than intended.
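The following Python model is an added example and is not IOS code or anything from the original page: it reproduces the behaviour the Command Examples, Understanding the Output and Common Mistakes sections describe (top-down first match, the invisible implicit deny, wildcard-mask matching, and per-entry match counters as shown by 'show ip access-lists') so you can test ACE ordering before typing it into a router. The ACE syntax it accepts is a subset of the IOS extended ACL syntax, and all addresses (192.168.10.0/24, 10.1.1.10, 192.168.10.50, 203.0.113.7) are constructed sample data.

```python
"""Toy model of IOS extended named-ACL semantics: top-down first match, implicit
deny, wildcard masks and per-entry match counters. Added example, not IOS code.
ACE subset: permit|deny ip|tcp|udp, addresses as 'any', 'host A.B.C.D' or
'A.B.C.D WILDCARD', optional 'eq PORT'; trailing keywords such as 'log' are ignored."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard = bitwise inverse of the subnet mask, e.g. /24 -> 0.0.0.255."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))

def _matches(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0: address bit must match; bit 1: don't care."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return _ip(addr) & care == _ip(base) & care

@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int]
    text: str           # original line, used when rendering the list
    matches: int = 0    # the '(N matches)' counter

def _parse_addr(tok: List[str]) -> Tuple[str, str, List[str]]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'; return (base, wildcard, rest)."""
    if tok[0] == "any":
        return "0.0.0.0", "255.255.255.255", tok[1:]
    if tok[0] == "host":
        return tok[1], "0.0.0.0", tok[2:]
    return tok[0], tok[1], tok[2:]

def parse_acl(text: str) -> List[Ace]:
    """Parse ACE lines in the form 'show ip access-lists' prints them (sequence number first)."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        seq, action, proto = int(tok[0]), tok[1], tok[2]
        src, src_wc, rest = _parse_addr(tok[3:])
        dst, dst_wc, rest = _parse_addr(rest)
        dport = int(rest[rest.index("eq") + 1]) if "eq" in rest else None
        aces.append(Ace(seq, action, proto, src, src_wc, dst, dst_wc, dport, line.strip()))
    return sorted(aces, key=lambda a: a.seq)  # IOS evaluates in sequence-number order

def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, seq of the matching entry). The first match wins and bumps its
    counter; falling off the end is the implicit deny: no sequence number, no counter."""
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if not (_matches(src, ace.src, ace.src_wc) and _matches(dst, ace.dst, ace.dst_wc)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        ace.matches += 1
        return ace.action, ace.seq
    return "deny", None

def show_access_list(name: str, aces: List[Ace]) -> str:
    """Render roughly as 'show ip access-lists' does: each configured line with its counter."""
    hits = lambda n: f" ({n} match{'es' if n != 1 else ''})" if n else ""
    return "\n".join([f"Extended IP access list {name}"] + [f"    {a.text}{hits(a.matches)}" for a in aces])

# Constructed lists. WEB-ACCESS is the page's first scenario plus an explicit final deny
# so dropped traffic is counted. BLOCK-HOST-WRONG puts the broad permit before the
# specific deny (the ordering mistake); BLOCK-HOST-RIGHT is the corrected order.
WEB_ACCESS = """10 permit tcp 192.168.10.0 0.0.0.255 host 10.1.1.10 eq 80
20 permit tcp 192.168.10.0 0.0.0.255 host 10.1.1.10 eq 443
30 deny ip any any log"""
BLOCK_HOST_WRONG = """10 permit ip 192.168.10.0 0.0.0.255 any
20 deny ip host 192.168.10.50 any"""
BLOCK_HOST_RIGHT = """10 deny ip host 192.168.10.50 any
20 permit ip 192.168.10.0 0.0.0.255 any"""

if __name__ == "__main__":
    acl = parse_acl(WEB_ACCESS)
    for pkt in [("tcp", "192.168.10.25", "10.1.1.10", 443),   # permitted by seq 20
                ("tcp", "192.168.10.25", "10.1.1.10", 22),    # SSH: denied by seq 30
                ("tcp", "10.9.9.9", "10.1.1.10", 80)]:        # wrong subnet: seq 30
        print(pkt, "->", evaluate(acl, *pkt))
    print(show_access_list("WEB-ACCESS", acl))
    pkt = ("tcp", "192.168.10.50", "203.0.113.7", 80)
    print("misordered:", evaluate(parse_acl(BLOCK_HOST_WRONG), *pkt))
    print("corrected: ", evaluate(parse_acl(BLOCK_HOST_RIGHT), *pkt))
```

Running it shows the blocked host being permitted by the misordered list and denied by the corrected one, and the rendered WEB-ACCESS list with '(1 match)' on the port 443 entry and '(2 matches)' on the explicit deny; remove that deny and the same two packets are still dropped, but by the implicit deny, which leaves no trace in the output.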
Related Commands
ip access-list standard [name]
Creates or enters a standard named IP access list to filter traffic based on source IP address, used to permit or deny packets in a Cisco IOS network.
show access-lists
Displays all configured access control lists (ACLs) on the device, including their entries and match counters, used to verify ACL configuration and traffic filtering.