How to Configure ACLs on Cisco IOS (Standard and Extended)
Master ACLs on Cisco IOS with real CLI commands for CCNA success.
Access Control Lists (ACLs) are a fundamental security and traffic filtering mechanism on Cisco IOS devices. Standard ACLs filter based on source IP only, while extended ACLs allow filtering by source/destination IP, protocol, and port. This guide walks through configuring both types on a Cisco router, applying them to interfaces, and verifying operation. These skills are essential for the CCNA exam and real-world network administration. All commands are tested on Cisco IOS 15.x.
Enter Global Configuration Mode and Create a Standard ACL
Begin by accessing the router via console or SSH and entering privileged EXEC mode, then global configuration mode. A standard ACL uses numbers 1-99 or 1300-1999 and matches on the source IP address only. This ACL permits traffic from 192.168.1.0/24 and denies all other traffic. The explicit deny is redundant with the implicit deny that ends every ACL, but it gives you a match counter in 'show access-lists', which the implicit deny does not. Because standard ACLs check only the source, place them as close to the destination as possible; placed near the source, they would cut that source off from every destination behind the router, not just the one you meant to protect.
Router> enable
Router# configure terminal
Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 10 deny any
Use the wildcard mask 0.0.0.255 to match the entire /24 subnet. The wildcard works bit by bit: a 0 bit means 'this bit must match exactly', a 1 bit means 'ignore this bit', so an octet of 255 ignores that whole octet and a wildcard of 0.0.0.0 matches a single host.
Standard ACLs cannot filter by destination or port. For granular control, use extended ACLs.
Apply the Standard ACL to an Interface
After creating the ACL, apply it to an interface in the inbound or outbound direction. For standard ACLs, apply them close to the destination to avoid unintended blocking. Use the 'ip access-group' command under interface configuration mode. Verify the direction carefully — inbound filters traffic entering the interface, outbound filters traffic leaving.
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip access-group 10 out
Router(config-if)# end
Router# show running-config | section interface GigabitEthernet0/1
Confirm the applied list with 'show ip interface GigabitEthernet0/1', which reports the inbound and outgoing access list by name. Prefer inbound ACLs where the design allows: an inbound ACL drops a denied packet before the routing lookup, while an outbound ACL is evaluated only after the packet has already been routed, so outbound filtering costs the router more work, not less. Outbound ACLs also do not apply to traffic the router itself originates.
Create an Extended ACL to Filter by Protocol and Port
Extended ACLs (numbers 100-199 or 2000-2699) allow filtering based on source/destination IP, protocol (TCP/UDP/ICMP), and port numbers. This example permits HTTP (TCP port 80) traffic from the internal network to a web server, while denying all other traffic. Extended ACLs should be placed as close to the source as possible to save bandwidth.
Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.10 eq 80
Router(config)# access-list 100 deny ip any any
Use the 'host' keyword instead of a wildcard mask for a single IP (e.g., 'host 10.0.0.10' equals '10.0.0.10 0.0.0.0').
Order matters! The router processes ACLs top-down. Place more specific entries before general ones.
Apply the Extended ACL to an Interface and Verify
Apply the extended ACL to the interface closest to the source traffic. For internal users accessing an external web server, apply it inbound on the internal interface. After application, use 'show access-lists' to see match counts and verify traffic is being filtered correctly. This is critical for troubleshooting.
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip access-group 100 in
Router(config-if)# end
Router# show access-lists 100
Extended IP access list 100
10 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.10 eq www (12 matches)
20 deny ip any any (5 matches)
Note that IOS displays well-known ports by name, so the entry configured with 'eq 80' is shown as 'eq www'. Use 'clear access-list counters' to reset match counts before testing. This helps isolate new traffic patterns.
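To make the matching rules concrete (the bit-by-bit wildcard test from the standard ACL step, top-down first-match processing, the implicit deny at the end, and the per-entry hit counters that 'show access-lists' reports), here is an added Python simulator. It is not part of the original page and not Cisco software; it parses only the subset of IOS ACL syntax used in this guide (standard and extended entries with 'host', 'any', wildcard masks, an optional 'eq <port>' on the destination and an optional 'log' keyword) and evaluates constructed packets against the lists above. The class and function names, the packet tuple layout and the 10, 20, 30 sequence numbering are assumptions made for the demo.

```python
"""Simulate Cisco IOS ACL matching: wildcard masks, top-down first match,
implicit deny, and per-entry hit counters like 'show access-lists'.
Added example, not from the page or Cisco; it handles only the subset of
ACL syntax used in this guide and numbers entries 10, 20, ... as IOS does."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# IOS accepts and prints names for some well-known ports (eq www == eq 80).
PORT_NAMES = {"www": 80, "ssh": 22, "telnet": 23, "ftp": 21, "smtp": 25, "domain": 53}
PROTOCOLS = ("ip", "tcp", "udp", "icmp")
ANY = ("0.0.0.0", "255.255.255.255")   # 'any' is shorthand for this pair


def wildcard_from_prefix(prefix_len: int) -> str:
    """Inverse mask for a prefix length: /24 -> 0.0.0.255, /32 -> 0.0.0.0."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    netmask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(netmask ^ 0xFFFFFFFF))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Address bits under a 0 wildcard bit must equal the network bits;
    bits under a 1 wildcard bit are ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a ^ n) & care == 0


def _parse_addr(tokens, i) -> Tuple[Tuple[str, str], int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tokens) and tokens[i + 1].count(".") == 3:
        return (tokens[i], tokens[i + 1]), i + 2
    return (tokens[i], "0.0.0.0"), i + 1   # bare address in a standard ACL = one host


@dataclass
class Entry:
    seq: int
    action: str                 # 'permit' or 'deny'
    proto: str                  # 'ip' matches every protocol
    src: Tuple[str, str]        # (network, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int]        # destination port from 'eq', if any
    log: bool
    matches: int = 0


def parse_entry(line: str, seq: int) -> Entry:
    """Parse one entry in numbered ('access-list 100 permit ...') or named form."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]                       # drop 'access-list <number>'
    action, rest = tokens[0], tokens[1:]
    log = rest[-1] == "log"
    if log:
        rest = rest[:-1]
    dport = None
    if rest[0] in PROTOCOLS:                      # extended entry
        proto = rest[0]
        src, i = _parse_addr(rest, 1)
        dst, i = _parse_addr(rest, i)
        if i < len(rest) and rest[i] == "eq":
            p = rest[i + 1]
            dport = int(p) if p.isdigit() else PORT_NAMES[p]
    else:                                         # standard entry: source only
        proto, dst = "ip", ANY
        src, _ = _parse_addr(rest, 0)
    return Entry(seq, action, proto, src, dst, dport, log)


class ACL:
    def __init__(self, name: str, lines):
        self.name = name
        self.entries = [parse_entry(l, 10 * (i + 1)) for i, l in enumerate(lines)]

    def evaluate(self, src: str, dst: str, proto: str = "ip", dport: Optional[int] = None):
        """Return (action, seq) of the first matching entry. A packet that matches
        nothing hits the implicit deny, reported as seq None; IOS keeps no counter
        for it, which is why an explicit 'deny ip any any' is useful."""
        for e in self.entries:
            if e.proto != "ip" and e.proto != proto:
                continue
            if not (wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst)):
                continue
            if e.dport is not None and e.dport != dport:
                continue
            e.matches += 1
            return e.action, e.seq
        return "deny", None

    def hit_counts(self) -> dict:
        """Per-entry match counters, as printed by 'show access-lists'."""
        return {e.seq: e.matches for e in self.entries}


if __name__ == "__main__":
    # The extended list from this guide, probed with constructed packets.
    acl100 = ACL("100", ["access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.10 eq 80",
                         "access-list 100 deny ip any any"])
    for pkt in [("192.168.1.5", "10.0.0.10", "tcp", 80),    # permitted HTTP
                ("192.168.1.5", "10.0.0.10", "tcp", 443),   # wrong port
                ("192.168.1.5", "10.0.0.10", "udp", 80),    # wrong protocol
                ("192.168.2.5", "10.0.0.10", "tcp", 80)]:   # wrong source subnet
        print(pkt, "->", acl100.evaluate(*pkt))
    print(acl100.hit_counts())   # {10: 1, 20: 3}
    # Order matters: the same two entries in the other order never block SSH.
    blocked = ACL("BLOCK_SSH", ["deny tcp any any eq 22", "permit ip any any"])
    leaky = ACL("LEAKY", ["permit ip any any", "deny tcp any any eq 22"])
    print(blocked.evaluate("10.1.1.1", "10.0.0.10", "tcp", 22),
          leaky.evaluate("10.1.1.1", "10.0.0.10", "tcp", 22))
```

The LEAKY list in the demo is the classic ordering mistake: 'permit ip any any' as the first line matches every packet, so the SSH deny beneath it is dead code, which is exactly what a zero match counter on that entry in 'show access-lists' tells you.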
Configure a Named ACL for Better Readability
Named ACLs allow descriptive names instead of numbers, making configuration easier to manage. Use 'ip access-list standard' or 'extended' followed by a name. Named ACLs support editing individual entries with sequence numbers. This is the preferred method for complex environments.
Router(config)# ip access-list extended BLOCK_SSH
Router(config-ext-nacl)# deny tcp any any eq 22
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
Router(config)# interface GigabitEthernet0/2
Router(config-if)# ip access-group BLOCK_SSH in
Use sequence numbers (e.g., '10 permit ...') to insert or delete specific lines without rewriting the entire ACL. Default sequence numbers increment by 10.
Verify ACL Operation with Show Commands and Logging
Enable logging on ACL entries to capture denied traffic for security monitoring. Add the 'log' keyword at the end of an entry; the router then generates a %SEC-6-IPACCESSLOG syslog message for the first matching packet and, by default, a summary every five minutes carrying the packet count since the previous message, so a line that says '1 packet' is not necessarily the whole story. Read the messages with 'show logging' or, better, send them to a syslog server. 'debug ip packet' is not a substitute for ACL logging: it shows only process-switched packets (CEF-switched traffic does not appear), and on a busy router it can starve the CPU. If you use it at all, restrict it with an access-list argument and turn it off immediately afterwards with 'undebug all'.
Router(config)# ip access-list extended LOG_DENIES
Router(config-ext-nacl)# deny ip any any log
Router(config-ext-nacl)# exit
Router# show logging | include ACL
%SEC-6-IPACCESSLOGP: list LOG_DENIES denied tcp 192.168.2.100(54321) -> 10.0.0.10(22), 1 packet
As written, LOG_DENIES contains only a deny and would block everything if applied to an interface. In a real list, the logged 'deny ip any any' goes last, after the permit entries, where it replaces the silent implicit deny with one that is both counted and logged. Put 'log' on specific entries ('access-list <number> permit/deny <protocol> <source> <destination> log') to log only the traffic you care about, and avoid logging all traffic in production.
Excessive logging can overwhelm the router CPU. Use sparingly and only during troubleshooting.
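Once the log entries are in place, the denied-traffic messages are the raw material for monitoring. The following added Python script is not part of the original page and not a Cisco tool: it parses %SEC-6-IPACCESSLOGP lines of the shape shown above (and the ICMP variant, %SEC-6-IPACCESSLOGDP, where IOS prints the ICMP type/code in parentheses instead of ports), totals denied packets per source using the trailing packet count, and flags sources that hit many distinct destination ports, which is what a port scan against the web server looks like in these logs. The syslog lines in SAMPLE_LOG are constructed for the demo, and the five-port scan threshold is an arbitrary assumption.

```python
"""Triage Cisco ACL syslog messages for denied traffic.
Added example, not from the page or Cisco. The regex follows the
%SEC-6-IPACCESSLOGP line shown in the tutorial (TCP/UDP with ports) and the
ICMP variant %SEC-6-IPACCESSLOGDP. Because IOS rate-limits ACL logging, the
trailing packet count can be a summary for the logging interval rather than a
single packet, so the totals below add those counts, not the number of lines."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG[A-Z]*: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?(?: \([^)]*\))?, "
    r"(?P<count>\d+) packets?"
)

# Constructed sample (not real router output): one host probing several ports
# on the web server, a stray SSH attempt from another host, a 5-minute summary
# line with a packet count of 37, an ICMP line, and an unrelated message.
SAMPLE_LOG = """\
*Mar  1 00:12:34.567: %SEC-6-IPACCESSLOGP: list LOG_DENIES denied tcp 192.168.2.100(54321) -> 10.0.0.10(22), 1 packet
*Mar  1 00:12:35.101: %SEC-6-IPACCESSLOGP: list LOG_DENIES denied tcp 192.168.2.100(54322) -> 10.0.0.10(23), 1 packet
*Mar  1 00:12:35.402: %SEC-6-IPACCESSLOGP: list LOG_DENIES denied tcp 192.168.2.100(54323) -> 10.0.0.10(445), 1 packet
*Mar  1 00:12:35.780: %SEC-6-IPACCESSLOGP: list LOG_DENIES denied tcp 192.168.2.100(54324) -> 10.0.0.10(3389), 1 packet
*Mar  1 00:12:36.015: %SEC-6-IPACCESSLOGP: list LOG_DENIES denied tcp 192.168.2.100(54325) -> 10.0.0.10(8080), 1 packet
*Mar  1 00:13:01.220: %SEC-6-IPACCESSLOGP: list BLOCK_SSH denied tcp 192.168.3.7(41000) -> 10.0.0.10(22), 1 packet
*Mar  1 00:17:34.567: %SEC-6-IPACCESSLOGP: list LOG_DENIES denied tcp 192.168.2.100(54326) -> 10.0.0.10(22), 37 packets
*Mar  1 00:18:02.003: %SEC-6-IPACCESSLOGDP: list LOG_DENIES denied icmp 192.168.3.7 -> 10.0.0.10 (8/0), 3 packets
*Mar  1 00:18:10.500: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""


def parse_acl_log(line: str) -> Optional[dict]:
    """Return the fields of one ACL log message, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    for k in ("sport", "dport"):            # absent for ICMP and other non-port protocols
        rec[k] = int(rec[k]) if rec[k] else None
    return rec


def parse_all(text: str) -> List[dict]:
    return [r for r in map(parse_acl_log, text.splitlines()) if r]


def denied_packets_by_source(records) -> Dict[str, int]:
    """Sum the per-message packet counts, so summary lines are weighted correctly."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == "denied":
            totals[r["src"]] += r["count"]
    return dict(totals)


def denied_ports_by_source(records) -> Dict[str, Set[int]]:
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "denied" and r["dport"] is not None:
            ports[r["src"]].add(r["dport"])
    return dict(ports)


def suspected_scanners(records, port_threshold: int = 5) -> List[str]:
    """Sources denied on at least port_threshold distinct destination ports."""
    return sorted(s for s, p in denied_ports_by_source(records).items()
                  if len(p) >= port_threshold)


if __name__ == "__main__":
    recs = parse_all(SAMPLE_LOG)
    print(f"{len(recs)} ACL log records parsed")
    ports = denied_ports_by_source(recs)
    for src, n in sorted(denied_packets_by_source(recs).items()):
        print(f"{src:16} {n:5d} denied packets, ports {sorted(ports.get(src, []))}")
    print("suspected scanners:", suspected_scanners(recs))
```

The script keys on the packet count rather than the line count on purpose: after the first hit, the router emits one summary per logging interval, so a single line with '37 packets' represents more hostile traffic than five lines with '1 packet' each.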
Save Configuration and Test End-to-End Connectivity
Always save the running configuration to the startup configuration so the ACLs survive a reboot. Then test from hosts, not from the router: packets the router itself originates are not subject to an outbound ACL, so a ping from the router's own CLI proves nothing about the outbound filter. From a host in the permitted network, confirm that the allowed traffic works; from a host in a denied network, confirm that it is blocked. Use ping for ICMP, and 'telnet <server> <port>' or curl to exercise the specific TCP port the ACL permits, then compare the match counters with what you sent.
Router# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Router# show access-lists
Standard IP access list 10
10 permit 192.168.1.0 0.0.0.255 (8 matches)
20 deny any (3 matches)
Extended IP access list 100
10 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.10 eq www (15 matches)
20 deny ip any any (2 matches)
Use 'write memory' as a shortcut for 'copy running-config startup-config'. Both commands do the same thing.
Key tips
Always place extended ACLs as close to the source as possible to filter traffic early and conserve bandwidth.
Use named ACLs with sequence numbers for easier editing — you can insert or delete individual lines without rewriting the entire list.
Remember the implicit 'deny any' at the end of every ACL. If a list contains no permit statement, all traffic it is applied to will be blocked. The opposite trap also exists: if 'ip access-group' references an ACL that does not exist or has no entries, the interface permits everything, so a typo in the ACL name silently disables the filter.
Test ACLs in a lab environment first using GNS3 or Packet Tracer before deploying to production networks.
Use the 'log' keyword on deny entries to capture intrusion attempts, but avoid logging on permit entries to reduce log noise.
For CCNA exam, remember that standard ACLs (1-99) filter only source IP and should be placed near the destination; extended ACLs (100-199) filter source/destination/port and go near the source.
Frequently asked questions
What is the difference between standard and extended ACLs on Cisco IOS?
Standard ACLs (numbers 1-99, 1300-1999) filter traffic based only on the source IP address. Extended ACLs (100-199, 2000-2699) can filter based on source/destination IP, protocol (TCP/UDP/ICMP), and port numbers. Extended ACLs provide granular control and are placed closer to the source, while standard ACLs are placed near the destination.
How do I edit an existing ACL without deleting it?
Named ACLs support sequence numbers: enter 'ip access-list extended MY_ACL', then 'no 10' removes entry 10 and '15 permit tcp any any eq 443' inserts a line between entries 10 and 20. Numbered ACLs can be edited the same way on IOS 12.3 and later by opening them in named-ACL mode ('ip access-list extended 100'); only on older releases must you remove and recreate the whole list. If there is no free sequence number between two entries, 'ip access-list resequence MY_ACL 10 10' renumbers the entries in steps of 10.
Why is my ACL not blocking traffic as expected?
Common issues include: applying the ACL to the wrong interface or direction, forgetting the implicit 'deny any' at the end, incorrect wildcard mask, or ACL order (more specific entries must come before general ones). Use 'show access-lists' to check match counts and 'show ip interface' to verify ACL application.
Can I apply multiple ACLs to the same interface?
No, you can only apply one ACL per direction (inbound and outbound) per interface. However, you can use one ACL with multiple entries to achieve the same effect. If you need more complex filtering, consider using zone-based firewalls or advanced features like object-group ACLs.
What is the purpose of the wildcard mask in ACLs?
The wildcard mask (inverse mask) specifies which bits of the IP address to match. A '0' means the corresponding bit must match exactly, while '1' means ignore that bit. For example, 0.0.0.255 matches all hosts in a /24 subnet, and 0.0.0.0 matches a single host (use 'host' keyword instead).