The Lazy Networker

An ACL is an ordered list of rules (statements) that a router checks top to bottom to decide whether to permit or deny traffic.

👉 Implicit deny exists at the end of every ACL (anything not matched is denied).

🧩 Types of Cisco ACLs

1️⃣ Standard ACL

• Filters only by source IP address
• Numbered: 1–99, 1300–1999
• Usually placed near the destination

Example

access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny any

Apply to interface

interface g0/0
 ip access-group 10 in

2️⃣ Extended ACL

• Filters by:
  • Source IP
  • Destination IP
  • Protocol (TCP/UDP/ICMP)
  • Port numbers
• Numbered: 100–199, 2000–2699
• Placed near the source

Example

access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 101 deny ip any any

Apply

interface g0/1
 ip access-group 101 out

3️⃣ Named ACL

• More readable and editable
• Can be standard or extended

Extended Named ACL Example

ip access-list extended WEB-FILTER
 permit tcp 192.168.10.0 0.0.0.255 any eq 443
 deny ip any any

Apply

interface g0/0
 ip access-group WEB-FILTER in

🎯 Wildcard Mask Basics

Wildcard mask is the inverse of subnet mask:

Examples

• host 192.168.1.10 → same as 192.168.1.10 0.0.0.0
• any → same as 0.0.0.0 255.255.255.255

🔁 Inbound vs Outbound

• Inbound (in): Traffic checked before routing
• Outbound (out): Traffic checked after routing

ip access-group 101 in
ip access-group 101 out

⚠️ Important Rules to Remember

✔ ACLs are processed top-down
✔ First match wins
✔ One ACL per interface, per direction, per protocol
✔ Always add explicit permit if needed (else implicit deny blocks traffic)

🛠 Useful Show Commands

show access-lists
show ip access-lists
show run | section access-list
show ip interface g0/0

🔍 Common Use Cases

• Block specific IPs or subnets
• Allow only HTTP/HTTPS traffic
• Restrict management access (SSH/Telnet)
• Basic firewalling on routers