Access List Basics

Access lists are a stack of one-line filters that are processed sequentially, top to bottom, to determine whether data packets are allowed to continue on through the router or to be handed to a router process. Each statement in the stack tests for one set of criteria. The first statement whose criteria match decides the outcome: the packet is either permitted or denied, as defined in that same statement, and no later statements are consulted.

A simple analogy would be this: while grocery shopping, if the grapes are ripe, I will add them to my basket. The single criterion is whether the grapes are ripe and, based on that, they are either permitted in my basket or denied. A more complex set of criteria would require the grapes to be both ripe and from a domestic vineyard.

Two-Step Process

With all access lists, you have two separate and distinct steps in using them: the creation and the implementation. First, the ACL is always created using access-list statements in Global Configuration mode. Second, the ACL is referenced by a process command or applied to an interface with commands specific to that application (for IP traffic filtering, ip access-group). If either step is skipped, the ACL typically has no effect, as if it didn't exist at all. The following output is an example of a simple standard access list and of applying it to a Fast Ethernet interface.

interface Fastethernet 0/0
 ip address
 ip access-group 50 out
access-list 50 deny
access-list 50 deny
access-list 50 permit any

Access lists applied to an interface (called traffic filtering) filter only the traffic traveling in the direction specified in the access-group statement. In the previous output, only outbound IP traffic is being filtered. You cannot apply two ACLs to the same interface for the same protocol in the same direction, but you can apply one per direction for each protocol configured on the interface. The following code shows an example of an interface with multiple ACLs applied:

interface Fastethernet 0/0
 ip address
 ip access-group 171 in
 ip access-group 15 out
 appletalk cable-range 10-19 15.11
 appletalk access-group 615 out
 appletalk access-group 601 in
 ipx access-group 805 in
 ipx access-group 809 out
 ipx network 127

In determining whether to apply the ACL inbound or outbound, visualize yourself at the center of the router. Is the data coming at you in through the interface, or is it traveling out through the interface? The perspective for determining in or out is always the center of the router, never the center of the network segment. A common mistake is to use an inbound filter on the LAN interface to block traffic from entering that LAN. While the bad traffic is coming into the LAN, from the router's perspective it is passing out through the interface, so only an outbound filter on that interface (or an inbound filter on the interface the traffic arrives on) will catch it. Figure A-1 shows inbound and outbound traffic flows on a basic router.

Figure A-1: Inbound and outbound traffic flows on router interfaces

Numbered ACL Common Characteristics

Before looking at the details of standard and extended ACLs, consider the following characteristics of all numbered access lists:

  • An ACL is made up of one or more permit or deny statements

  • Every ACL ends with an implicit deny of anything not explicitly matched, so an ACL without at least one permit statement denies everything

  • All ACL statements with the same number are part of the same ACL

  • ACL statements are processed in the order in which they were entered; the first match decides the result and later statements are not evaluated

  • A numbered ACL can be added to (appended), but not edited in place. Removing any single statement with the no form of the command deletes the entire ACL


    By default, router interfaces configured for a protocol “allow” all traffic in both directions without restriction. Once an ACL is applied to an interface, the default flips to “blocking” all traffic for that protocol in the specified direction, except what is explicitly allowed by the ACL, because of the implicit deny at the end of every list.
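The behaviour described above (top-down first-match evaluation, the implicit deny at the end of a list, the one-ACL-per-protocol-per-direction rule, and the inbound/outbound mistake from the previous section) modelled in Python. This is an added example, not code from the original text or from Cisco IOS. The interface names Serial0/0 and FastEthernet0/0, the addresses, and ACL numbers 50 and 51 are constructed sample data, and the router model is simplified to one inbound check on the arrival interface and one outbound check on the exit interface per forwarded packet.

```python
"""Minimal model of Cisco IOS standard numbered ACLs (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Entry:
    action: str    # "permit" or "deny"
    address: int   # 32-bit source address as an integer
    wildcard: int  # IOS wildcard mask: 0 bit = must match, 1 bit = don't care

    def matches(self, src: str) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(src)) & care) == (self.address & care)


def parse_standard_acl(config: str) -> dict[int, list[Entry]]:
    """Parse 'access-list N permit|deny <src> [wildcard]' lines (standard IP ACLs only).
    Statements with the same number join the same list, in the order entered."""
    acls: dict[int, list[Entry]] = {}
    for raw in config.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        number = int(tokens[1])
        if not (1 <= number <= 99 or 1300 <= number <= 1999):
            raise ValueError(f"{number} is not a standard IP access list number")
        action = tokens[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {raw!r}")
        if tokens[3] == "any":
            addr, wc = 0, 0xFFFFFFFF
        elif tokens[3] == "host":
            addr, wc = int(ipaddress.IPv4Address(tokens[4])), 0
        else:
            addr = int(ipaddress.IPv4Address(tokens[3]))
            # An omitted wildcard means an exact host match (wildcard 0.0.0.0).
            wc = int(ipaddress.IPv4Address(tokens[4])) if len(tokens) > 4 else 0
        acls.setdefault(number, []).append(Entry(action, addr, wc))
    return acls


def evaluate(acl: list[Entry], src: str) -> str:
    """First matching statement wins; falling off the end is the implicit deny."""
    for entry in acl:
        if entry.matches(src):
            return entry.action
    return "deny"


@dataclass
class Router:
    acls: dict[int, list[Entry]]
    # (interface, direction) -> ACL number, mirroring "ip access-group N in|out"
    bindings: dict[tuple[str, str], int] = field(default_factory=dict)

    def access_group(self, interface: str, number: int, direction: str) -> None:
        if direction not in ("in", "out"):
            raise ValueError("direction must be 'in' or 'out'")
        # One IP ACL per interface per direction: a new binding replaces the old one.
        self.bindings[(interface, direction)] = number

    def forwards(self, src: str, ingress: str, egress: str) -> bool:
        """Check the inbound list on the arrival interface, then the outbound list on
        the exit interface. An interface/direction with no ACL bound permits everything."""
        for interface, direction in ((ingress, "in"), (egress, "out")):
            number = self.bindings.get((interface, direction))
            if number is not None and evaluate(self.acls[number], src) == "deny":
                return False
        return True


# Constructed sample configuration. ACL 51 has no permit statement at all.
SAMPLE_CONFIG = """
access-list 50 deny 192.168.10.7
access-list 50 deny 172.16.0.0 0.0.255.255
access-list 50 permit any
access-list 51 deny 10.0.0.0 0.255.255.255
"""


def demo() -> dict[str, bool]:
    """Goal: keep 172.16.0.0/16 sources out of the LAN behind FastEthernet0/0.
    Traffic entering that LAN leaves the router through FastEthernet0/0, so an
    inbound list on that interface never sees it; the outbound list does."""
    router = Router(parse_standard_acl(SAMPLE_CONFIG))
    router.access_group("FastEthernet0/0", 50, "in")
    mistaken = router.forwards("172.16.5.9", ingress="Serial0/0", egress="FastEthernet0/0")
    router.access_group("FastEthernet0/0", 50, "out")
    corrected = router.forwards("172.16.5.9", ingress="Serial0/0", egress="FastEthernet0/0")
    return {"inbound_filter_forwards": mistaken, "outbound_filter_forwards": corrected}


if __name__ == "__main__":
    print(demo())
```

The wildcard handling is the part worth studying: bits set to 1 in the wildcard are ignored when comparing, so 172.16.0.0 0.0.255.255 covers every 172.16.x.x source, while a statement with no wildcard matches exactly one host. ACL 51 shows the implicit deny in practice: with only deny statements it denies every source, including ones it never names.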

The Numbers Matter

With numbered ACLs, the number is a list identifier that indicates the protocol being filtered and whether the list is a standard or an extended ACL. Each statement in the ACL carries the same number. The following table lists the ACL number ranges, including the expanded IP ranges added in IOS 12.1.

  Range        Access list type
  1-99         IP standard access list
  1300-1999    IP standard access list (expanded range, IOS 12.1 and later)
  100-199      IP extended access list
  2000-2699    IP extended access list (expanded range, IOS 12.1 and later)
  200-299      Protocol type-code access list
  300-399      DECnet access list
  400-499      XNS standard access list
  500-599      XNS extended access list
  600-699      AppleTalk access list
  700-799      48-bit MAC address access list
  800-899      IPX standard access list
  900-999      IPX extended access list
  1000-1099    IPX SAP access list
  1200-1299    IPX summary address access list
  1100-1199    Extended 48-bit MAC address access list

While this text and the exam focus only on IP ACLs, it's important to remember that similar features exist for IPX, AppleTalk, and other, even older, protocols.
