ACLs can consist of multiple access list statements. Packets are compared to each statement in sequence until a match is found. The permit and deny keywords are used to indicate whether matching packets should be forwarded or dropped, respectively. If the packet does not match any of the access list statements, the packet is dropped. This is called the implicit deny rule; all traffic is dropped unless it matches one of the access list statements that is configured with the permit keyword.

It is a best practice to configure standard ACLs as close as possible to the destination that you want to prevent traffic from reaching, and extended ACLs as close as possible to the source of the traffic you wish to restrict.

The process of configuring ACLs consists of two steps:

  1. Configuring the ACL statements in the global configuration mode.
  2. Applying the ACLs on the interfaces to inbound or outbound traffic.

Standard access-lists are numbered from 0 to 99. Standard IP ACLs check the source IP address only.

The configuration is done in global configuration mode:
(config)#access-list (# 0-99) (permit or deny) (host, network address or any)
Don't forget the implicit deny rule in any access-list configuration: if you don't specify anything, the last line is a deny-all by default. If the remaining traffic should be allowed, end the list with an explicit permit-any statement:
(config)#access-list (# 0-99) permit any

Then you need to apply it to an interface, in either the inbound or the outbound direction:
(config-if)#ip access-group (access-list #) (in or out)

Extended access-lists are numbered from 100 to 199. Extended ACLs can identify traffic based on source and destination IP addresses as well as traffic type (protocol).

The syntax ip access-list {standard | extended} access-list-name is used to create a named access list. This command is followed by statements that use the syntax {permit | deny} protocol {any | host source | source source-wildcard} {any | host destination | destination destination-wildcard} [log] to define the interesting traffic. The optional log keyword makes the router log each packet that matches that statement, which is useful for verifying that a deny entry is actually being hit.
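The matching rules described above (statements checked in order, first match wins, implicit deny when nothing matches, standard lists checking only the source, extended lists checking protocol, source and destination, wildcard masks) as an added Python simulation. This is example code written for this page, not code from the original post or from Cisco IOS; the ACL entries, packets and the STANDARD_ACL_10 / EXTENDED_ACL_100 names are constructed for illustration.

```python
import ipaddress

# Constructed ACL entries in the page's statement shape:
#   (action, protocol, source-spec, destination-spec)
# A spec is "any", "host A.B.C.D", or "A.B.C.D W.W.W.W" (address + wildcard mask).
STANDARD_ACL_10 = [            # standard ACL: only the source address is checked
    ("deny",   "ip", "host 192.168.1.5", "any"),
    ("permit", "ip", "192.168.1.0 0.0.0.255", "any"),
]
EXTENDED_ACL_100 = [           # extended ACL: protocol, source and destination
    ("permit", "tcp",  "192.168.1.0 0.0.0.255", "host 10.0.0.10"),
    ("permit", "icmp", "any", "any"),
]


def address_matches(spec, address):
    """Cisco wildcard-mask match: a 1 bit in the mask means 'don't care'."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":              # host X  ==  X 0.0.0.0
        net, wild = parts[1], "0.0.0.0"
    else:
        net, wild = parts
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))   # bits that must be equal
    addr_bits = int(ipaddress.IPv4Address(address))
    net_bits = int(ipaddress.IPv4Address(net))
    return (addr_bits & care) == (net_bits & care)


def evaluate(acl, packet):
    """Walk the statements in order; the first match decides.

    Returns (action, statement_number). If no statement matches, the
    implicit deny applies and the statement number is None.
    """
    for number, (action, proto, src, dst) in enumerate(acl, start=1):
        if proto != "ip" and proto != packet["protocol"]:
            continue                    # "ip" matches every protocol
        if address_matches(src, packet["src"]) and address_matches(dst, packet["dst"]):
            return action, number
    return "deny", None                 # implicit deny: nothing matched


if __name__ == "__main__":
    pkt = {"protocol": "tcp", "src": "172.16.0.9", "dst": "10.0.0.10"}
    print(evaluate(EXTENDED_ACL_100, pkt))   # ('deny', None) -> implicit deny
```

Reversing the order of STANDARD_ACL_10 lets the permit statement catch 192.168.1.5 first, so the deny entry is never reached; statement order is part of the policy.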
