CCNP Enterprise Core (350-401) Cisco Security

Access Control Lists (ACL)

An access control list is an sequential list of access control entries that can perform or deny packets based on inputted matching statements.

The classification begins at the lowest sequence number, and works its way down through the larger sequence numbers until a matching pattern has been found for the packet being analysed.

When a match has been found, the appropriate action defined in the access control entry is carried out, permit or deny the packet.

If none of the manually inputted sequence entries are matched, there is an implicit deny at the end of the access control list when denies all packets that did not find a match.

Access control lists can provide packet classification in a variety of features on Cisco devices. It can be used to for quality of service, network address translation, or for identifying networks to be used for a feature in a routing protocol.

Access control lists use wildcard masks instead of subnet masks to match and classify packets being evaluated. To match all traffic in the subnet it would use a wildcard mask of

An access control list has no effect on a router until it is applied to an interface or function.

Once an access control list has been created the next step is usually to apply it to an interface to activate it.

An interface can only have one outbound and one inbound access list applied to it.

Access control lists are can be used for other features such as route maps, class maps, network address translation, simple network management protocol, virtual terminal lines, or even traffic classification.

There are many different types of access control list:

Numbered Standard ACL

The numbered standard ACL classifies packets purely on the source network. It uses the numbered entries 1 to 99 and 1300 to 1399

Numbered Extended ACL

The numbered extended ACL classifies packets based on source, destination, protocol, port and other attributes. It uses the numbered entries 100 to 199 and 2000 to 2699

Named ACL

The named ACL allows standard and extended ACLs to be given names instead of numbers. They are generally preferred as the name can give an indicator to their function.

Port ACL

Port ACLs can use standard, extended, named and named extended MAC access control lists to filter traffic on Layer 2 switch ports.


The VLAN ACL can use standard, extended, named and named extended MAC ACLs to filter traffic on VLANs

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.