What is an Access Control List?

An Access Control List (ACL) is a set of rules that a router uses to filter network traffic. Think of it as a security guard standing at the door, checking each packet against a list of approved or denied criteria.

Think of ACLs like a nightclub bouncer with a guest list. Each person (packet) trying to enter is checked against the list. If they match an entry, the bouncer either lets them in (PERMIT) or turns them away (DENY). If they're not on the list at all? Denied by default!

The Problem: Open Networks

Without ACLs, all traffic flows freely through your network. Any device can talk to any other device. This creates serious security risks:

  • Hackers can access internal servers
  • Malware can spread across the network
  • Sensitive data can be exfiltrated
  • No segmentation between departments

The Solution: ACLs as Traffic Filters

ACLs let you control WHO can talk to WHOM, using WHAT protocols, on WHICH ports.

[Diagram: traffic from source network 192.168.1.0/24 passes through a router with ACL 100 applied inbound on Gi0/0 toward server 10.0.0.100; HTTP (port 80) is permitted, Telnet (port 23) is denied.]

How ACLs Process Traffic

ACLs evaluate packets top-to-bottom, rule by rule. The FIRST match wins!

1. Packet arrives at the router interface
2. Router checks the packet against the first ACL rule
3. If it matches: the PERMIT or DENY action is taken and processing stops
4. If it does not match: move to the next rule and repeat

Implicit Deny: if NO rules match, the packet is DENIED by default.

Key ACL Concepts

  • Inbound vs Outbound: ACLs can filter traffic entering (in) or leaving (out) an interface
  • One ACL Per Direction: each interface can have ONE inbound and ONE outbound ACL
  • Order Matters: most specific rules first, general rules last
  • Implicit Deny All: every ACL ends with an invisible "deny any" rule

Where to Apply ACLs

Standard ACLs: Apply close to the destination (they only check source IP, so you want to block as late as possible to avoid accidentally blocking legitimate traffic)

Extended ACLs: Apply close to the source (they check source, destination, protocol, and ports - block unwanted traffic as early as possible)

Standard vs Extended ACLs

Standard ACLs

Numbered: 1-99, 1300-1999

Filters traffic based on source IP address only. Simple but limited.

Syntax:

access-list 10 permit 192.168.1.0 0.0.0.255
  • Checks source IP only
  • Less router CPU usage
  • Apply close to destination
  • Cannot filter by protocol
  • Cannot filter by port
  • Cannot filter by destination

Example Use Case:

Block all traffic from a specific subnet (e.g., guest network can't reach server VLAN)

Extended ACLs

Numbered: 100-199, 2000-2699

Filters traffic based on source, destination, protocol, and ports. Precise and flexible.

Syntax:

access-list 100 permit tcp 192.168.1.0 0.0.0.255 10.0.0.100 0.0.0.0 eq 80
  • Checks source AND destination
  • Filters by protocol (TCP, UDP, ICMP)
  • Filters by port number
  • Apply close to source
  • Supports operators (eq, gt, lt, range)
  • More CPU intensive

Example Use Case:

Allow HTTP/HTTPS to web server, deny Telnet, permit SSH from admin subnet only

Named ACLs (Modern Best Practice)

Instead of numbers, use descriptive names. Named ACLs are easier to manage and edit.

ip access-list extended BLOCK-TELNET
  deny tcp any any eq 23
  permit ip any any

  • Editable: insert or delete rules by sequence number
  • Self-Documenting: the name describes the ACL's purpose
  • No Number Limits: not restricted to the numbered ranges

Quick Comparison

Feature                  Standard            Extended
Number Range             1-99, 1300-1999     100-199, 2000-2699
Source IP                Yes                 Yes
Destination IP           No                  Yes
Protocol (TCP/UDP/ICMP)  No                  Yes
Port Numbers             No                  Yes
CPU Usage                Low                 Higher
Placement                Near Destination    Near Source

Understanding Wildcard Masks

A wildcard mask tells the router which bits of an IP address must match (0) and which bits can be ignored (1). It's the inverse of a subnet mask!

Think of a wildcard mask like a template: 0 = "must match exactly", 1 = "don't care, any value OK"

Subnet to Wildcard Converter

Example: subnet mask 255.255.255.0 becomes wildcard mask 0.0.0.255

Common Wildcard Masks (Quick Reference)

  • 0.0.0.0 = /32 (single host)
  • 0.0.0.255 = /24 (256 addresses)
  • 0.0.0.127 = /25 (128 addresses)
  • 0.0.0.63 = /26 (64 addresses)
  • 0.0.0.31 = /27 (32 addresses)
  • 0.0.0.15 = /28 (16 addresses)
  • 0.0.255.255 = /16 (65,536 addresses)
  • 0.255.255.255 = /8 (16M+ addresses)

Special Wildcards

host 192.168.1.1

Shortcut for 192.168.1.1 0.0.0.0
Matches exactly ONE host

any

Shortcut for 0.0.0.0 255.255.255.255
Matches ALL addresses
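The wildcard arithmetic above (inverting a subnet mask, expanding a wildcard to the address range it matches, showing its binary form) is easy to check by hand for the common masks, but a small tool avoids mistakes with unusual ones. The following Python is an added example, not code from this page; the function names are my own, and it also handles the discontiguous wildcard case (for instance 0.0.0.254, which matches only even host addresses), which the page does not cover and which no single first/last range can describe.

```python
# Added example (not from the page): helpers for Cisco-style wildcard masks.
# Function names are my own; IPv4 only.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def subnet_to_wildcard(subnet_mask: str) -> str:
    """Wildcard mask is the bitwise inverse of the subnet mask."""
    return _to_dotted(_to_int(subnet_mask) ^ ALL_ONES)


def prefix_to_wildcard(prefix_len: int) -> str:
    """/24 -> 0.0.0.255, /32 -> 0.0.0.0, and so on."""
    net = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}")
    return subnet_to_wildcard(str(net.netmask))


def wildcard_binary(mask: str) -> str:
    """Dotted-binary view: 0 bits must match, 1 bits are ignored."""
    return ".".join(f"{int(octet):08b}" for octet in mask.split("."))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Router semantics: compare only the bits where the wildcard is 0."""
    care = ~_to_int(wildcard) & ALL_ONES
    return (_to_int(addr) & care) == (_to_int(base) & care)


def matched_range(base: str, wildcard: str):
    """(first, last, count) for a contiguous wildcard such as 0.0.0.255.

    A discontiguous wildcard (e.g. 0.0.0.254) matches a scattered set of
    addresses, not a range, so it is rejected here; use wildcard_match for it.
    """
    w = _to_int(wildcard)
    if (w + 1) & w:  # contiguous low-order ones <=> w+1 is a power of two
        raise ValueError(f"discontiguous wildcard mask: {wildcard}")
    first = _to_int(base) & ~w & ALL_ONES
    return _to_dotted(first), _to_dotted(first | w), w + 1


if __name__ == "__main__":
    print(subnet_to_wildcard("255.255.255.0"), wildcard_binary("0.0.0.255"))
    print(matched_range("192.168.1.0", "0.0.0.255"))
    # Constructed check: wildcard 0.0.0.254 matches even hosts only
    print(wildcard_match("10.0.0.4", "10.0.0.0", "0.0.0.254"),
          wildcard_match("10.0.0.5", "10.0.0.0", "0.0.0.254"))
```

Note that `matched_range` deliberately refuses a discontiguous wildcard rather than silently reporting a first/last pair that would include addresses the mask does not actually match.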

ACL Packet Simulator

[Interactive simulator: configure a packet from source 192.168.1.x to destination 10.0.0.x and run it against the ACL 100 rules; the packet is evaluated against each rule in order and the result (permit, deny, or implicit deny) is shown.]
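As an added example that is not part of this page (and not the interactive simulator's code), the Python below parses the standard, extended and named ACL syntax shown above and evaluates packets the way "How ACLs Process Traffic" describes: top to bottom, first match wins, implicit deny when nothing matches. The rule and packet classes, the sample ACL 100 and the sample packets are my own constructions; the parser covers only the syntax on this page (any/host/wildcard addresses, tcp/udp/icmp/ip, and the eq/gt/lt/range port operators).

```python
# Added example (not from the page): Cisco-style ACL parser and first-match evaluator.
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Addr = Tuple[int, int]                # (base address, wildcard) as 32-bit ints
ANY: Addr = (0, 0xFFFFFFFF)           # "any" == 0.0.0.0 255.255.255.255
PortTest = Callable[[int], bool]


def ip_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches everything; else tcp/udp/icmp
    src: Addr
    dst: Addr
    sport: Optional[PortTest]         # None means any port
    dport: Optional[PortTest]
    text: str                         # original line, reported on match


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int = 0
    sport: int = 0


def _parse_addr(tok: List[str], i: int) -> Tuple[Addr, int]:
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":              # host X is shorthand for X 0.0.0.0
        return (ip_int(tok[i + 1]), 0), i + 2
    return (ip_int(tok[i]), ip_int(tok[i + 1])), i + 2


def _parse_port(tok: List[str], i: int) -> Tuple[Optional[PortTest], int]:
    """Optional eq/gt/lt/range operator after an address."""
    if i >= len(tok) or tok[i] not in ("eq", "gt", "lt", "range"):
        return None, i
    op = tok[i]
    if op == "range":
        lo, hi = int(tok[i + 1]), int(tok[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    n = int(tok[i + 1])
    tests = {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}
    return tests[op], i + 2


def parse_rule(line: str) -> Rule:
    tok = line.split()
    if tok[0] == "access-list":       # numbered form: drop "access-list <N>"
        tok = tok[2:]
    action, i = tok[0], 1
    if tok[i] in ("ip", "tcp", "udp", "icmp"):      # extended: proto src dst ports
        proto, i = tok[i], i + 1
        src, i = _parse_addr(tok, i)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
    else:                                           # standard: source only
        proto, dst, sport, dport = "ip", ANY, None, None
        src, i = _parse_addr(tok, i)
    return Rule(action, proto, src, dst, sport, dport, line.strip())


def _addr_match(addr: int, rule_addr: Addr) -> bool:
    base, wild = rule_addr
    care = ~wild & 0xFFFFFFFF         # wildcard 0 bits must match
    return (addr & care) == (base & care)


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_match(ip_int(pkt.src), rule.src) and _addr_match(ip_int(pkt.dst), rule.dst)):
        return False
    if rule.sport is not None and not rule.sport(pkt.sport):
        return False
    return rule.dport is None or rule.dport(pkt.dport)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Top to bottom, first match wins; no match hits the implicit deny."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action, rule.text
    return "deny", "implicit deny any"


# Constructed ACL 100 mirroring the page's diagram: HTTP to the web server permitted,
# Telnet denied, everything else falls through to the implicit deny.
ACL_100 = [parse_rule(l) for l in (
    "access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.100 eq 80",
    "access-list 100 deny tcp any any eq 23",
)]

if __name__ == "__main__":
    for pkt in (Packet("192.168.1.10", "10.0.0.100", "tcp", 80),
                Packet("192.168.1.10", "10.0.0.100", "tcp", 23),
                Packet("192.168.1.10", "10.0.0.100", "tcp", 443)):
        print(pkt, "->", evaluate(ACL_100, pkt))
```

Running the three sample packets shows the three outcomes the simulator illustrates: the HTTP packet is permitted by the first line, the Telnet packet is denied by the second, and the HTTPS packet matches nothing and is dropped by the implicit deny even though no rule mentions it.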