
Access List Tutorial

February 13th, 2011

In this tutorial we will learn about access lists.

Access control lists (ACLs) provide a means to filter packets by allowing a user to permit or deny IP packets from crossing specified interfaces. Imagine you come to a fair and see a guard checking tickets. He only lets in people who hold a valid ticket. An access list does the same job as that guard.

Access lists filter network traffic by controlling whether packets are forwarded or blocked at the router’s interfaces based on the criteria you specified within the access list.

To use ACLs, the system administrator must first configure ACLs and then apply them to specific interfaces. There are 3 popular types of ACL: Standard, Extended and Named ACLs.

Standard IP Access List

Standard IP lists (1-99) only check source addresses of all IP packets.

Configuration Syntax

access-list access-list-number {permit | deny} source {source-mask}

Apply ACL to an interface

ip access-group access-list-number {in | out}

Example of Standard IP Access List



In this example we will define a standard access list that will only allow network to access the server (located on the Fa0/1 interface)

Define which source is allowed to pass:

Router(config)#access-list 1 permit

(There is always an implicit “deny all other traffic” at the end of each ACL, so we don’t need to define the forbidden traffic.)

Apply this ACL to an interface:

Router(config)#interface Fa0/1
Router(config-if)#ip access-group 1 out

ACL 1 is applied to permit only packets from to go out of the Fa0/1 interface while denying all other traffic. So can we apply this ACL to another interface, Fa0/2 for example? We can, but we shouldn’t, because users can still reach the server from another interface (the s0 interface, for example). This is why a standard access list should be applied close to the destination.

Note: The “” is the wildcard mask part of network “”. We will learn how to use wildcard mask later.

Extended IP Access List

Extended IP lists (100-199) check both source and destination addresses, specific UDP/TCP/IP protocols, and destination ports.

Configuration Syntax

access-list access-list-number {permit | deny} protocol source {source-mask} destination {destination-mask} [eq destination-port]

Example of Extended IP Access List


In this example we will create an extended ACL that will deny FTP traffic from network but allow other traffic to go through.

Note: FTP uses TCP ports 20 and 21.

Define which protocol, source, destination and port are denied:

Router(config)#access-list 101 deny tcp eq 21

Router(config)#access-list 101 deny tcp eq 20

Router(config)#access-list 101 permit ip any any

Apply this ACL to an interface:

Router(config)#interface Fa0/1
Router(config-if)#ip access-group 101 out

Notice that we have to explicitly allow other traffic (access-list 101 permit ip any any) because there is an implicit “deny all” at the end of each ACL.

As we can see, the destination of the above access list is “” which specifies a host. We can use “host” instead. We will discuss wildcard masks later.
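The first-match and implicit-deny behaviour described above can be checked with a small evaluator. This is an added example, not part of the original tutorial: the addresses are constructed from documentation ranges (they are not the tutorial's own values), the function names are hypothetical, and it handles only the extended syntax shown above with an optional "eq" destination port.

```python
import ipaddress

# Constructed ACL (documentation-range addresses, not the tutorial's own values).
ACL_101 = [
    "access-list 101 deny tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 21",
    "access-list 101 deny tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 20",
    "access-list 101 permit ip any any",
]

def ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (address, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return ip(tok.pop(0)), 0
    return ip(first), ip(tok.pop(0))

def parse_ace(line):
    tok = line.split()[2:]  # drop 'access-list <number>'
    ace = {"action": tok.pop(0), "proto": tok.pop(0)}
    ace["src"] = parse_addr(tok)
    ace["dst"] = parse_addr(tok)
    ace["port"] = int(tok[1]) if tok[:1] == ["eq"] else None
    return ace

def addr_match(packet_ip, rule):
    addr, wildcard = rule
    # A wildcard bit of 1 means "ignore this bit"; compare only the 0 bits.
    return ((ip(packet_ip) ^ addr) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(lines, proto, src, dst, dport=None):
    """Return the action of the first matching entry, else the implicit deny."""
    for ace in map(parse_ace, lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        if addr_match(src, ace["src"]) and addr_match(dst, ace["dst"]):
            return ace["action"]
    return "deny"  # nothing matched: implicit deny at the end of every ACL

if __name__ == "__main__":
    print(evaluate(ACL_101, "tcp", "192.0.2.55", "198.51.100.10", 21))
    print(evaluate(ACL_101, "tcp", "192.0.2.55", "198.51.100.10", 80))
    print(evaluate(ACL_101[:2], "tcp", "192.0.2.55", "198.51.100.10", 80))
```

Dropping the final "permit ip any any" line (the third call) shows why it is needed: web traffic that matches neither deny entry falls through to the implicit deny.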

In summary, below are the ranges of standard and extended access lists:

Access list type    Range
Standard            1-99, 1300-1999
Extended            100-199, 2000-2699

Comments (29)
  1. cisco
    August 4th, 2016

    Can you please explain wild card mask in detail?

  2. rick
    August 12th, 2016

    Wild card masks are basically the inverse regular mask. so becomes becomes but if you need other values, the inverse mask (wild card mask) becomes the block size MINUS 1 so (block size 16) becomes wild card mask …224 (block size 32) becomes …31 etc etc.

    Hope that helps.

  3. cherry
    August 13th, 2016

    Why don't we see questions in lab sim?
    We see only answers. Please, how to see relevant questions.

  4. Anonymous
    October 1st, 2016


  5. Anonymous
    December 7th, 2016

    cherry, same here too, I can't see the question and I only see the answer. It's awkward :(

  6. Anonymous
    December 28th, 2016

    i have one question ,that the system ping at one said but ping the other said
    example: ping but can not ping

  7. Anonymous
    December 30th, 2016

    Very well router security ACL….but this security only use to router and acl good manage to traffic signal and this security bast security in router

  8. Titus
    February 7th, 2017

    awesome information you guys have here what everybody’s first impressions on our site concerning real driving 3d online hack

  9. titties
    March 17th, 2017

    subtract 255 from each octet to find the wildcard mask

  10. $$$$$forquestion!
    April 2nd, 2017

    You wana see question! you pay!!!!!!!!!!!!! lol

  11. vietnamking
    April 4th, 2017

    Thank you 9tut!
    I will have CCNA Exam this late April , If anyone have the latest dumps , please send me to email zungvy @ Gmail.com
    Thanks @ Regards!!!

  12. Just Me
    April 4th, 2017

    Wouldn’t it be better to apply the Extended ACL (deny FTP-traffic) to Fa0/0?

    April 4th, 2017

    Thank you 9tut everything is crystal clear.
    My question is how can I get previous LAB questions? anyone knows please?
    Thank kindly.

  14. Anonymous
    April 6th, 2017

    i hope this is another way how the question could be set, because in all the dumps , the question about the same issue are all different from this illustrated in the tutorial
    thanks and regards.

  15. iruhigwajr
    April 6th, 2017

    kind request on the detailed info on ACLs
    thanks n regards

  16. kuma
    April 11th, 2017

    hai everybody
    whoever want to see the question , please download it from 9tut feb pdf.

  17. Morex
    June 14th, 2017

    If you want to see the Qs you have to go to the FAQ section on the right and then look for the link to download, which is in one of the answers for the questions.

  18. Fox1
    August 1st, 2017

    Does anyone have the latest dumps? carsz1976 at Yahoo please mail me

  19. Md Al-Momin
    August 14th, 2017

    Thanks a lot

  20. stwam
    September 30th, 2017

    wildcard – your mask.
    example 1
    so wildmask: –
    wildcard mask:

    example 2
    so wildcard: –
    wildcard mask:

  21. N Khan
    February 18th, 2018

    Its ok, but please give another example with multiple router and their command.

  22. tester
    February 27th, 2018

    what happened to premium?

  23. test
    March 30th, 2018

    Thank you, This tutorial is fantastic. Keep doing the good work!!!

  24. testing
    June 6th, 2019

    Apply the access control list to an interface:

    Router(config)#interface fastEthernet0/0

    Router(config-if)#ip access-group 101 in

    ————–should the access-group be out since this is a standard ACL?

  25. ivan
    November 11th, 2019

    Apply extended this ACL to an interface:

    Router(config)#interface Fa0/0
    Router(config-if)#ip access-group 101 in

  26. Lonny Wormald
    January 21st, 2020

    Marvelous, what a weblog it is! This website provides helpful information to
    us, keep it up.

  27. Shad Pinkham
    January 21st, 2020

    Thanks for sharing your thoughts. I really appreciate your efforts and I am waiting
    for your next write ups thanks once again.

  28. Leilani Creamer
    January 22nd, 2020

    Hi, after reading this amazing paragraph i am as well glad to share my familiarity here
    with friends.

  29. Hipiri
    January 23rd, 2020

    Hello, the rule of thumb is.

    first deny then anything else is permitted right?
