How to Implement a Basic Access Control List

- select the contributor at the end of the page -
One of the first things that many network engineers learn about is the access control list (ACL). The ACL started as a very basic traffic control mechanism that provided engineers with the ability to control which traffic was allowed to enter or exit their devices; another way to think of it was as a basic firewall mechanism.

Since its original implementation, the use of the ACL has extended considerably, this article will take a look at the basic functionality of the ACL and how it can be used to perform basic access control. We'll cover advanced access control lists later, including the more advanced ways that the ACL can be configured and how it can be used outside of traffic filtering.

The Basics of the ACL

As stated above, the original intention of the access control lists was to provide a mechanism to enable the filtering of specific traffic into and out of a device. This section will take a look at how an ACL can be configured on a Cisco device to offer basic filtering services.

The most basic form of an ACL that is typically taught is the standard IP ACL, with this type of ACL only the source IP address is matched; the syntax of this form of ACL is shown below:

router(config)#access-list access-list-number {permit | deny} {any |
host host-ip-address | ip-address wildcard-mask}

For a standard ACL, the access-list-number is set from 1-99 or 1300-1999. The part of this type of ACL (and most other ACL's types) that throws people off is the wildcard-mask. The wildcard-mask is used to determine which specific addresses are being matched with the ACL statement. Why it is so confusing for new network engineers is because it is formatted in a way that is not “normally” seen. The wildcard-mask is the inverse of the common subnet mask; for example, if the network matched addresses from through then the wildcard mask that would match these same hosts would be

The easiest way to look at this is in binary form (

11111111   11111111   11111111   00000000

Now the wildcard mask (

00000000   00000000   00000000   11111111

While the example shown here may not be that hard to follow, it can get a little interesting when matching different subnets. For example, let's take a look at matching the network


11111111   11111111   11111111   11000000


00000000   00000000   00000000   00111111

Hopefully these examples can help a little in understanding how to determine the correct wildcard mask to use when implementing an access control list.

Configuring for complete coverage

To provide complete coverage it is necessary to point out that on modern equipment, the implementation of the standard ACL can be configured in a different way that does not use access list numbers, and replaces them with access list names. To be comprehensive let's take a look at how these can be used to configured a named standard ACL.

router(config)#ip access-list standard access-list-name

router(config-std-nacl)#{permit | deny} {any | host host-ip-address | ip-address wildcard-mask}

Now once the ACL has been created it must be applied to a specific interface and in a specific direction. Generally speaking, it is recommended to place standard ACL's as close to the traffic destination as possible and extended ACL's (next article) as close to the source as possible. To apply an ACL use the syntax shown here:

router(config-if)#ip access-group {access-list-number | access-list-name} {in | out}

Implementation on modern networks

While the standard ACL is a very simple tool and may not be implemented widely (for traffic filtering) in modern networks, it does provide a starting point in learning about ACL's. Hopefully this article gives you a base understanding of how an ACL can be used.

The next article will take a look at the extended IP access list and how both the standard and extended ACL's can be used for both traffic filtering and for other Cisco IOS features. Until then, any questions?

Refine your network security knowledge by watching CCNA Security Training made by a bonafide CCIE.

Get our content first. In your inbox.

Loading form...

If this message remains, it may be due to cookies being disabled or to an ad blocker.


Sean Wilkins

Sean Wilkins is an accomplished networking consultant who has been in the IT field for more than 20 years, working with several large enterprises. He is a writer for infoDispersion and his educational accomplishments include: a Master’s of Science in Information Technology with a focus in Network Architecture and Design, and a Master’s of Science in Organizational Management. Sean holds certifications with Cisco (CCNP/CCDP), Microsoft (MCSE) and CompTIA (A+ and Network+).