Securing Networks: Access List Implementation on Cisco Routers

This article is the second part in a series centered on IT security and focused on access control lists, or ACLs. In my previous article on ACL Concepts, we looked at the definition of an ACL, why we use them, when to use them, general types and structure, and general router interface placement. In this article, we will investigate the actual configuration of standard and extended IP ACLs and their placement on Cisco router interfaces. ACL configuration and deployment are an important part of Cisco and other router certifications.

ACLs and Protocols

Internet Protocol version 4 (IPv4) ACLs are the most common type of ACL in use in the networking world today, but Cisco routers support ACLs for several other protocols as well. Each numbered ACL is identified by a number drawn from the range assigned to its protocol, as shown in Table 1.

Table 1. Protocols with Access Lists Specified by Numbers

Protocol                                   Range
IP                                         1 to 99
Extended IP                                100 to 199
Ethernet type code                         200 to 299
Ethernet address                           700 to 799
Transparent bridging (protocol type)       200 to 299
Transparent bridging (vendor code)         700 to 799
Extended transparent bridging              1100 to 1199
DECnet and extended DECnet                 300 to 399
XNS                                        400 to 499
Extended XNS                               500 to 599
AppleTalk                                  600 to 699
Source-route bridging (protocol type)      200 to 299
Source-route bridging (vendor code)        700 to 799
IPX                                        800 to 899
Extended IPX                               900 to 999
IPX SAP                                    1000 to 1099
Standard VINES                             1 to 100
Extended VINES                             101 to 200
Simple VINES                               201 to 300

In addition, IPv6 ACLs are not restricted to numeric ranges; the name of the list can contain alphanumeric characters as well. It is worth noting that other routers, such as Juniper and Force10, allow alphanumeric names for most if not all ACLs, so the numeric naming convention is Cisco-specific rather than a standard applied to all network routers.

Configuration Commands for Creating ACLs

Identifying ACLs by number ranges may seem confusing, so it helps to look at how the ACLs are actually created at the router configuration prompt. ACLs are configured by protocol first. Some, but not all, protocols require a standard or extended qualifier in the statement, and then the number is assigned. Here are some examples:

IP access-lists

  • Router(config)# ip access-list standard 6
  • Router(config)# ip access-list extended 185

IPX access-lists

  • Router(config)# ipx access-list standard 810
  • Router(config)# ipx access-list extended 915

VINES access-lists

  • Router(config)# vines access-list 65   (a standard VINES list)
  • Router(config)# vines access-list 140  (an extended VINES list)

Configuring IP Standard ACLs on Cisco routers

Cisco IP Standard ACLs filter traffic based on a single source IP address or a range of source IP addresses taken from the IP packet header. Destination addresses are not considered in a standard ACL.

Let's look at the format of an IP Standard ACL:

access-list [access-list-number] [deny/permit] [source ip address] [wildcard mask]

Looking at the format, you can see that the configuration statement begins with the access-list command and the ACL number. In this case, the range for IP Standard ACLs is 1 to 99. You must then declare whether this ACL statement will deny or permit the IP addresses that follow. The final two parts of the statement are the source IP address and a wildcard mask, which together determine whether the address is a single host or a range of IP addresses. The following is an example of a valid IP Standard ACL:

access-list 6 deny 172.16.0.2 0.0.0.0
access-list 6 deny 172.16.1.0 0.0.0.255
access-list 6 permit 172.16.2.0 0.0.0.127
access-list 6 deny any

In the first statement of this ACL, IP traffic from the single host 172.16.0.2 is denied. The second statement denies a range of IP addresses in the 172.16.1.0 network; the wildcard mask 0.0.0.255 covers 256 IP addresses, 0 to 255, for that subnet. A shorter range is shown in the third statement, which permits 128 IP addresses from the 172.16.2.0 subnet (0 to 127). The final statement writes out explicitly the implicit deny of all remaining IP addresses that every ACL ends with.

NOTE: ACL Statement flow

It is crucial that you understand how ACLs are parsed for matches when compared with an IP packet. All comparisons start at the top of the list and work down. Once a match is made, the traffic is either permitted or denied and the comparison stops; later statements are never consulted for that packet. You must therefore be careful about the order of the statements in your ACLs.

Configuring IP Extended ACLs on Cisco Routers

Cisco IP Extended ACLs are more complex than the Standard versions. The IP Extended ACL adds the ability to filter on destination IP address and includes additional layer 3 and layer 4 protocol support, in particular TCP, UDP, and ICMP. This additional functionality makes IP Extended ACLs very powerful tools for IT security and network professionals. Let's take a look at the format of the IP Extended ACL:

access-list [access-list-number] [deny/permit] [protocol] [source ip address] [wildcard mask] [source port] [destination ip address] [wildcard mask] [destination port] [statement flag]

As you can see from this format, IP Extended ACL statements can become rather long, but are very effective in filtering specific types of traffic based on address and ports. Below are a few examples of IP Extended ACL statements:

access-list 165 deny ip 172.16.1.0 0.0.0.255 172.16.5.0 0.0.0.255 log
access-list 165 deny ip 172.16.1.0 0.0.0.255 host 172.16.4.1 log
access-list 165 permit tcp 172.16.3.0 0.0.0.255 eq 80 any log
access-list 165 deny udp 172.16.6.0 0.0.0.127 172.16.5.0 0.0.0.31 eq 53 log
access-list 165 permit icmp any any host-unreachable
access-list 165 deny ip any any

What do we see happening in this IP Extended ACL? The first statement denies IP traffic from the 172.16.1.0 subnet to the entire 172.16.5.0 destination subnet and logs any matches in the router log. The second statement is similar, but denies traffic from the 172.16.1.0 subnet to the single host 172.16.4.1. Note the different way an IP Extended ACL identifies a single host compared with the IP Standard ACL above: in the Extended version the host keyword precedes the IP address and no wildcard mask is required.

The next statements in the ACL show how TCP, UDP, and ICMP can be used in these ACLs. The third statement permits TCP traffic from the 172.16.3.0 subnet with a source port of 80 to any destination IP address, and logs the matches. Continuing down the list, the fourth statement denies UDP traffic from the first 128 IP addresses in the 172.16.6.0 subnet to the 32 IP addresses in the 172.16.5.0 subnet with a destination port of 53, and logs any matches.

These two statements use ports for both TCP and UDP as part of their match criteria. Cisco and other routers can associate well-known ports for these protocols with mnemonic names for familiarity. In the TCP statement, port 80 is associated with HTTP traffic; a Cisco ACL accepts either 80 or http as a valid port. The UDP statement uses port 53, which is DNS. Most routers automatically translate the port number to these names for you, and you will see them in the ACL when you run the show ip access-lists or show running-config command.

The fifth statement is slightly different. It permits ICMP traffic, the protocol used by network ping. The statement allows ICMP traffic from any source to any destination, but uses the flag host-unreachable. This flag matches only the ICMP message sent back in response to a ping request when the target host cannot be contacted. The final statement in the list writes out explicitly the implicit deny of all traffic that was not matched by a previous ACL statement.
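To make the matching rules above concrete (wildcard masks, top-down first-match evaluation, and the implicit deny at the end of both the standard ACL 6 and the extended ACL 165), here is a small evaluator written as an added example for this article; it is not code from the article or from Cisco IOS. It parses the article's own statements and applies them to constructed packets. The Packet and Rule classes, the wildcard_size helper, and the small PORT_NAMES and ICMP_NAMES lookup tables are assumptions made for the example; only the eq port operator and the keywords the article uses (any, host, log, host-unreachable) are handled.

```python
# Added example, not from the original article: a small evaluator that applies
# Cisco-style standard and extended IP ACL statements the way the article
# describes them (top-down, first match wins, implicit deny at the end).
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port and ICMP keywords IOS accepts in place of numbers (illustrative subset).
PORT_NAMES = {"http": 80, "www": 80, "domain": 53, "telnet": 23}
ICMP_NAMES = {"echo": (8, 0), "echo-reply": (0, 0), "host-unreachable": (3, 1)}
ANY = ("0.0.0.0", "255.255.255.255")   # 'any' = address 0.0.0.0, all-ones wildcard

# The article's own ACL 6 and ACL 165, copied verbatim.
STANDARD_ACL_6 = """access-list 6 deny 172.16.0.2 0.0.0.0
access-list 6 deny 172.16.1.0 0.0.0.255
access-list 6 permit 172.16.2.0 0.0.0.127
access-list 6 deny any"""
EXTENDED_ACL_165 = """access-list 165 deny ip 172.16.1.0 0.0.0.255 172.16.5.0 0.0.0.255 log
access-list 165 deny ip 172.16.1.0 0.0.0.255 host 172.16.4.1 log
access-list 165 permit tcp 172.16.3.0 0.0.0.255 eq 80 any log
access-list 165 deny udp 172.16.6.0 0.0.0.127 172.16.5.0 0.0.0.31 eq 53 log
access-list 165 permit icmp any any host-unreachable
access-list 165 deny ip any any"""

@dataclass
class Packet:                      # constructed test packet (assumed shape)
    proto: str                     # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp: Optional[tuple] = None   # (type, code) for ICMP

@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every IP protocol
    src: tuple                     # (address, wildcard)
    dst: tuple
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp: Optional[tuple] = None
    log: bool = False

def to_int(ip):
    return int(ipaddress.IPv4Address(ip))

def wildcard_match(addr, spec):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    base, wildcard = spec
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def wildcard_size(wildcard):
    """Addresses covered by a wildcard mask: 0.0.0.127 -> 128, 0.0.0.255 -> 256."""
    return 2 ** bin(to_int(wildcard)).count("1")

def _addr(tokens):
    """Consume 'any', 'host A', or 'A [WILDCARD]' (an omitted wildcard means one host)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    wildcard = tokens.pop(0) if tokens and tokens[0][0].isdigit() else "0.0.0.0"
    return (tok, wildcard)

def _port(tokens):
    """Consume an optional 'eq PORT' (the only port operator the article uses)."""
    if tokens and tokens[0] == "eq":
        _, name = tokens.pop(0), tokens.pop(0)
        return PORT_NAMES.get(name) or int(name)
    return None

def parse(line):
    """Parse one 'access-list N ...' statement: 1-99 is standard, 100-199 extended."""
    tokens = line.split()
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if 1 <= number <= 99:              # standard ACL: source address only
        return Rule(action, "ip", _addr(rest), ANY)
    proto = rest.pop(0)
    src, sport = _addr(rest), _port(rest)
    dst, dport = _addr(rest), _port(rest)
    icmp = next((ICMP_NAMES[f] for f in rest if f in ICMP_NAMES), None)
    return Rule(action, proto, src, dst, sport, dport, icmp, "log" in rest)

def parse_acl(text):
    return [parse(line) for line in text.splitlines() if line.strip()]

def matches(rule, pkt):
    return (rule.proto in ("ip", pkt.proto)
            and wildcard_match(pkt.src, rule.src) and wildcard_match(pkt.dst, rule.dst)
            and rule.sport in (None, pkt.sport) and rule.dport in (None, pkt.dport)
            and rule.icmp in (None, pkt.icmp))

def evaluate(acl, pkt):
    """Walk the list top-down; the first matching statement decides. Returns
    (action, 1-based statement number, logged). A packet that matches nothing
    falls through to the implicit deny, reported as statement None."""
    for number, rule in enumerate(acl, 1):
        if matches(rule, pkt):
            return (rule.action, number, rule.log)
    return ("deny", None, False)
```

Calling evaluate(parse_acl(EXTENDED_ACL_165), Packet("udp", "172.16.6.200", "172.16.5.10", 53000, 53)) returns ("deny", 6, False): the source is outside the first 128 addresses of 172.16.6.0, so the fourth statement does not match and the packet falls to the final deny. Drop the last statement from the list and the same packet is still denied, but by the implicit deny (statement None), which is why the explicit deny is useful when you want a log entry or a hit counter for what fell through.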

Implementation of ACLs on a router interface

Now that we have seen the structure of these ACLs, we need to be able to apply them to a router interface. To apply an ACL to an interface, you must enter that interface's configuration mode on the router. The command that associates an IP ACL with an interface has the following format:

ip access-group [access-list-number] [in/out]

Note the difference in the command: the interface statement uses ip access-group, not access-list as in the ACL configuration. Let's look at a quick example of assigning an ACL to interface FastEthernet0/0 on a Cisco router.

Router#config t
Router(config)#interface FastEthernet0/0
Router(config-if)#ip access-group 165 in

This example applies the IP Extended ACL 165 to the interface on the ingress side, so it is evaluated against traffic entering the router through FastEthernet0/0. To place the ACL on the egress side, change the final keyword to out.

What Have We Learned?

In this article, we covered the configuration of both IP Standard and Extended ACLs and how to assign them to a Cisco router interface. These topics are extremely important to understand for network security and for the Cisco network certification exams. This brief introduction to IP ACLs can start you on the journey to a better understanding of the topic, but in-depth Cisco networking training can provide you with the tools you need to grasp these concepts and master them.

In future articles, we will look at ACL tips and best practices that will provide real world examples and valuable information for achieving your certification.


Contributor

Tracey Wilson

Tracey Wilson has a B.S. in Electrical Engineering and experience in network administration, network architecture and disaster recovery solutions. He's also an active participant in SCinet, the organization responsible for planning and implementing the "World's Fastest Network", as well as the IEEE Computer Society and the Association for Computing Machinery (ACM). Tracey currently serves as the technical lead and program manager for DICE (Data Intensive Computing Environment), evaluating new and emerging technologies to solve HPC and data management issues. (CCNA, JNCIS, SNIA, MCSE)