Access Control Lists (ACLs) – Complete Guide with Packet Tracer Lab
This detailed guide covers all aspects of Access Control Lists (ACLs) on Cisco devices. It
explains the different types of ACLs, syntax, configuration steps, and provides a complete
hands-on lab using Cisco Packet Tracer. This material is designed for networking students,
CCNA candidates, and anyone who wants to master ACLs.
Table of Contents
1. Introduction to ACLs
2. Why Use ACLs?
3. Types of ACLs
• Standard ACL
• Extended ACL
• Named ACL
4. Wildcard Masks
5. ACL Syntax and Commands
• Standard Numbered ACL
• Extended Numbered ACL
• Named ACL
• Applying ACLs to Interfaces
6. When to Use ACLs
7. Configuration Steps
• Creating a Standard ACL
• Creating an Extended ACL
• Creating a Named ACL
8. Complete Packet Tracer Lab
• Lab Topology
• IP Addressing Plan
• Lab Objectives
• Step-by-Step Configuration
• Verification and Testing
9. Best Practices
10. ACL Commands Cheat Sheet
Introduction to ACLs
An Access Control List (ACL) is a sequential set of rules (Access Control Entries – ACEs)
that determine whether network traffic is permitted or denied. ACLs are applied to router
interfaces and are processed in order; the first matching rule is executed, and the rest are
ignored. If no rule matches, the packet is implicitly denied.
Key Concepts:
• Implicit Deny – At the end of every ACL there is an invisible deny ip any any (for
extended) or deny any (for standard). It is never displayed by show access-lists and keeps
no match counter, so an ACL made only of permit statements silently drops every packet
that none of them matches.
• First Match Wins – The router stops processing once a match is found.
• Direction – ACLs can be applied inbound (on traffic entering the interface)
or outbound (on traffic leaving the interface).
• Placement – Standard ACLs should be placed close to the destination; extended
ACLs should be placed close to the source.
Why Use ACLs?
ACLs are used for:
• Network Security – Filter unwanted traffic (e.g., block specific hosts or protocols).
• Traffic Control – Allow only certain services (e.g., permit HTTP but block Telnet).
• QoS – Classify traffic for bandwidth management.
• NAT – Define which internal addresses are translated.
• VPN – Control which traffic is encrypted.
Types of ACLs
Standard ACL
Filters traffic only by source IP address.
Number ranges: 1–99, 1300–1999.
| Advantages | Limitations |
|---|---|
| Simple to configure | Cannot filter by destination, protocol, or port |
| Low processing overhead | Must be placed near the destination to avoid over-filtering |
Use case: Block all traffic from a specific subnet.
Extended ACL
Filters traffic by source IP, destination IP, protocol, and port numbers.
Number ranges: 100–199, 2000–2699.
| Advantages | Limitations |
|---|---|
| Granular control | More complex syntax |
| Can filter specific services | Higher processing overhead |
Use case: Allow HTTP from one host to a web server while blocking other traffic.
Named ACL
Uses a descriptive name instead of a number. Can be standard or extended.
Advantages:
• Easier to read and manage.
• Allows adding/removing individual entries without deleting the whole ACL.
• Supports sequence numbers for reordering.
Use case: Large configurations where readability and maintainability are important.
Wildcard Masks
Wildcard masks tell the router which bits of an IP address must match: a 0 bit must match
exactly, a 1 bit is ignored. For a contiguous block the wildcard is the bitwise inverse of the
subnet mask, but a wildcard does not have to be contiguous, so a single entry can also match
a pattern such as every odd-numbered host in a subnet.
Common Wildcard Masks
| Network/Host | Subnet Mask | Wildcard Mask | ACL Expression |
|---|---|---|---|
| Single host | [Link] | [Link] | host [Link] |
| [Link]/24 | [Link] | [Link] | [Link] [Link] |
| [Link]/16 | [Link] | [Link] | [Link] [Link] |
| Any address | [Link] | [Link] | any |
Example:
```text
access-list 1 permit [Link] [Link]   ! permit whole subnet
access-list 1 permit host [Link]       ! permit single host
```
ACL Syntax and Commands
Standard Numbered ACL
Global configuration:
```text
Router(config)# access-list {1-99 | 1300-1999} {permit | deny} source [source-wildcard] [log]
```
• source – source IP address.
• source-wildcard – wildcard mask (defaults to [Link] if omitted).
• log – generates a log message when the ACE matches. Logging is CPU-intensive, so enable it on the few entries you need to watch rather than on the whole list.
Example:
```text
Router(config)# access-list 1 deny [Link] [Link]
Router(config)# access-list 1 permit any
```
Extended Numbered ACL
Global configuration:
```text
Router(config)# access-list {100-199 | 2000-2699} {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
```
• protocol – ip, tcp, udp, icmp, etc.
• operator – eq (equal), gt (greater than), lt (less than), neq (not equal), range.
• established – matches TCP segments that have the ACK or RST flag set, which is what the return traffic of a connection opened from the inside looks like. It checks flags only and keeps no connection state, so a crafted packet with ACK set passes it too.
• log – logs matches (CPU-intensive; apply it to selected entries only).
Example:
```text
Router(config)# access-list 110 permit tcp host [Link] host [Link] eq 80
Router(config)# access-list 110 deny ip any host [Link]
Router(config)# access-list 110 permit ip any any
```
Named ACL
Standard named:
```text
Router(config)# ip access-list standard NAME
Router(config-std-nacl)# {permit | deny} source [source-wildcard] [log]
Router(config-std-nacl)# exit
```
Extended named:
```text
Router(config)# ip access-list extended NAME
Router(config-ext-nacl)# {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
Router(config-ext-nacl)# exit
```
Example:
```text
Router(config)# ip access-list extended WEB_FILTER
Router(config-ext-nacl)# permit tcp host [Link] host [Link] eq 80
Router(config-ext-nacl)# deny ip any any
Router(config-ext-nacl)# exit
```
Applying ACLs to Interfaces
```text
Router(config-if)# ip access-group {access-list-number | name} {in | out}
```
• in – filters packets arriving on the interface.
• out – filters packets leaving the interface.
Example:
```text
Router(config)# interface g0/0
Router(config-if)# ip access-group 110 in
```
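The evaluator below is an added Python example, not code from the guide or from Cisco. It models the rules stated in the Introduction (top-down, first match wins, invisible deny at the end), the numbered and named ACE syntax above (`host`, `any`, address/wildcard pairs, the port operators, `established`) and the `ip access-group` binding of an ACL to an interface and direction, so that a policy can be checked against sample packets before it is typed into a router. The ACL contents and addresses are constructed assumptions chosen to resemble the ACL 110 example; ICMP type keywords and `log` are accepted but ignored.

```python
"""IOS-style ACL evaluator: first match wins, implicit deny, 'established' and
in/out interface binding. Added example; not the guide's or Cisco's code."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21, "ssh": 22, "domain": 53}  # IOS port keywords
ALL = 0xFFFFFFFF  # wildcard meaning 'any'

# ack = TCP ACK or RST flag set, which is all that 'established' inspects
Packet = namedtuple("Packet", "proto src dst sport dport ack", defaults=(0, 0, False))
# A standard ACE is stored with proto 'ip' and destination 'any'; sport/dport are
# (operator, value) such as ('eq', 80) or ('range', (20, 21)), or None
ACE = namedtuple("ACE", "action proto src src_wild dst dst_wild sport dport established text")

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

def _addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' | 'A' (standard ACL: wildcard defaults to 0.0.0.0)."""
    t = tokens.pop(0)
    if t == "any":
        return 0, ALL
    if t == "host":
        return ip_int(tokens.pop(0)), 0
    wild = tokens.pop(0) if tokens and tokens[0][0].isdigit() else "0.0.0.0"
    return ip_int(t), ip_int(wild)

def _port(tokens):
    """Consume an optional 'eq|gt|lt|neq PORT' or 'range LOW HIGH'."""
    if tokens and tokens[0] in ("eq", "gt", "lt", "neq"):
        op, value = tokens.pop(0), tokens.pop(0)
        return op, PORT_NAMES.get(value) or int(value)
    if tokens and tokens[0] == "range":
        tokens.pop(0)
        return "range", (int(tokens.pop(0)), int(tokens.pop(0)))
    return None

def parse_ace(line):
    """Parse a numbered or named ACE; 'access-list N', sequence numbers and 'log' are skipped."""
    tokens = [t for t in line.split() if t != "log"]
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    if tokens[0].isdigit():                      # named-ACL sequence number
        tokens = tokens[1:]
    action = tokens.pop(0)
    if tokens[0] not in ("ip", "tcp", "udp", "icmp"):   # standard ACL: source only
        src, src_wild = _addr(tokens)
        return ACE(action, "ip", src, src_wild, 0, ALL, None, None, False, line)
    proto = tokens.pop(0)
    src, src_wild = _addr(tokens)
    sport = _port(tokens) if proto in ("tcp", "udp") else None
    dst, dst_wild = _addr(tokens)
    dport = _port(tokens) if proto in ("tcp", "udp") else None
    return ACE(action, proto, src, src_wild, dst, dst_wild, sport, dport, "established" in tokens, line)

def _port_ok(spec, port):
    if spec is None:
        return True
    op, value = spec
    if op == "range":
        return value[0] <= port <= value[1]
    return {"eq": port == value, "neq": port != value, "gt": port > value, "lt": port < value}[op]

def matches(ace, pkt):
    """Bits that are 0 in the wildcard must be identical in the ACE and packet addresses."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if (ip_int(pkt.src) ^ ace.src) & (~ace.src_wild & ALL) or (ip_int(pkt.dst) ^ ace.dst) & (~ace.dst_wild & ALL):
        return False
    if ace.proto in ("tcp", "udp") and not (_port_ok(ace.sport, pkt.sport) and _port_ok(ace.dport, pkt.dport)):
        return False
    return pkt.ack or not ace.established      # a flag check only; no connection state is kept

def evaluate(acl, pkt):
    """Top-down, first match wins; with no match the invisible 'deny ip any any' applies."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action, ace.text
    return "deny", "implicit deny"

def forward(bindings, pkt, ingress, egress):
    """bindings maps (interface, 'in'|'out') -> ACL, as 'ip access-group' would. A transit packet
    meets the inbound ACL of the arriving interface, then the outbound ACL of the exit interface."""
    for iface, direction in ((ingress, "in"), (egress, "out")):
        acl = bindings.get((iface, direction))
        if acl is not None:
            action, why = evaluate(acl, pkt)
            if action == "deny":
                return "dropped", f"{iface} {direction}: {why}"
    return "forwarded", ""

# Constructed sample ACLs; the addresses are assumptions, not the lab's values.
ACL_110 = [parse_ace(l) for l in (
    "access-list 110 permit tcp host 192.168.1.10 host 192.168.2.20 eq 80",
    "access-list 110 deny ip any host 192.168.2.20",
    "access-list 110 permit ip any any",
)]
RETURN_ONLY = [parse_ace("10 permit tcp any any established"), parse_ace("20 deny ip any any")]
```

With `RETURN_ONLY` bound inbound on an outside interface, a segment arriving from the Internet with ACK set is permitted whether it is a genuine reply or a forged probe, and a segment without ACK is dropped: that is the whole extent of what `established` checks, which is why it is a convenience for return traffic and not a stateful firewall. Binding `ACL_110` with `{("fa0/1", "out"): ACL_110}` and calling `forward` in both directions also shows that an ACL applied in one direction leaves the reverse path untouched.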
When to Use ACLs
| Scenario | Recommended ACL Type | Placement |
|---|---|---|
| Block a specific host from accessing a server | Standard | Outbound on the server's interface, or inbound on the source interface if it is close |
| Allow only web traffic from a department to a web server | Extended | Inbound on the interface facing the department (close to the source) |
| Restrict Telnet access to the router itself | Standard (applied with access-class) | On the VTY lines |
| Filter traffic between two subnets | Standard or Extended, depending on the granularity needed | Outbound on the interface connecting to the destination subnet |
| Permit ICMP for troubleshooting but block other traffic | Extended | Inbound on the interface where the traffic originates |
General rule:
• Standard ACLs – use when you only need to filter by source address. Place them as
close to the destination as possible.
• Extended ACLs – use when you need to filter by protocol, ports, or destination. Place
them as close to the source as possible to save bandwidth.
Configuration Steps
Creating a Standard ACL
1. Define the ACL with access-list statements.
2. Apply it to an interface with ip access-group.
Example:
```text
Router(config)# access-list 1 deny [Link]
Router(config)# access-list 1 permit any
Router(config)# interface g0/0
Router(config-if)# ip access-group 1 out
```
Creating an Extended ACL
1. Define the extended ACL with access-list statements.
2. Apply it to an interface.
Example:
```text
Router(config)# access-list 110 permit tcp any any eq 80
Router(config)# access-list 110 deny ip any any
Router(config)# interface g0/0
Router(config-if)# ip access-group 110 in
```
Creating a Named ACL
1. Enter named ACL configuration with ip access-list.
2. Add ACEs.
3. Apply to interface.
Example:
```text
Router(config)# ip access-list extended BLOCK_TELNET
Router(config-ext-nacl)# deny tcp any any eq 23
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
Router(config)# interface g0/0
Router(config-if)# ip access-group BLOCK_TELNET in
```
LAB: Configuring Access Control Lists (ACL) in Cisco Packet Tracer
Lab Objectives
At the end of this lab, students should be able to:
• Configure Standard ACL
• Configure Extended ACL
• Apply ACLs on router interfaces
• Verify and test ACL functionality
Network Topology
Devices Required:
• 2 Routers (R1, R2)
• 2 Switches (S1, S2)
• 4 PCs (PC1, PC2, PC3, PC4)
IP Addressing Table
| Device | Interface | IP Address | Subnet Mask |
|---|---|---|---|
| R1 | Fa0/0 | [Link] | [Link] |
| R1 | Fa0/1 | [Link] | [Link] |
| R2 | Fa0/0 | [Link] | [Link] |
| R2 | Fa0/1 | [Link] | [Link] |
| PC1 | - | [Link] | [Link] |
| PC2 | - | [Link] | [Link] |
| PC3 | - | [Link] | [Link] |
| PC4 | - | [Link] | [Link] |
Default Gateway:
• PC1/PC2 → [Link]
• PC3/PC4 → [Link]
Step 1: Build the Network
• Connect PCs to switches
• Connect switches to routers
• Connect routers together (Fa0/1 ↔ Fa0/1)
Step 2: Basic Router Configuration
On R1:
```text
enable
configure terminal
interface fa0/0
 ip address [Link] [Link]
 no shutdown
interface fa0/1
 ip address [Link] [Link]
 no shutdown
exit
ip route [Link] [Link] [Link]
```
On R2:
```text
enable
configure terminal
interface fa0/0
 ip address [Link] [Link]
 no shutdown
interface fa0/1
 ip address [Link] [Link]
 no shutdown
exit
ip route [Link] [Link] [Link]
```
Step 3: Test Connectivity
• From PC1 → ping PC3
Should be successful
PART A: STANDARD ACL
Objective:
Block PC1 ([Link]) from accessing Network [Link]
Configuration on R2:
```text
access-list 10 deny [Link] [Link]
access-list 10 permit any
```
Apply ACL:
```text
interface fa0/0
 ip access-group 10 out
```
Test:
• PC1 → ping PC3 (should fail; the PC reports the probe as unreachable rather than timing out, because R2 returns an ICMP unreachable for the administratively denied packet)
• PC2 → ping PC3 (should work)
• PC1 → ping R2's own interface addresses (still works: an outbound ACL filters only transit traffic, not packets addressed to the router itself, so this ACL does not protect R2)
PART B: EXTENDED ACL
Objective:
Allow only HTTP traffic (port 80) from Network [Link] to [Link]
Configuration on R1:
```text
access-list 100 permit tcp [Link] [Link] [Link] [Link] eq 80
access-list 100 deny ip any any
```
Apply ACL:
```text
interface fa0/1
 ip access-group 100 out
```
Test:
• Ping from PC1 or PC2 → blocked (only TCP to port 80 is permitted; everything else leaving R1 toward R2, ICMP included, falls through to deny ip any any)
• Web (HTTP) → allowed, if an HTTP server is configured on the [Link] side
Two things to note. Outbound on fa0/1 filters the traffic after R1 has already routed it; the textbook placement for an extended ACL is inbound on fa0/0, as close to the source as possible, which drops unwanted traffic before it is routed. And if ACL 10 from Part A is still applied on R2, PC1's HTTP requests will pass R1 and then be dropped by R2, so remove ACL 10 from R2's fa0/0 first, or run this test from PC2.
Step 4: Verification Commands
```text
show access-lists
show ip interface
```
show access-lists prints every ACE with its sequence number and, once traffic has matched it, a match counter; rerun the pings and confirm that the counters on the expected entries increase (the implicit deny at the end has no counter). show ip interface lists, per interface, which ACL is applied inbound and which outbound, which is the quickest way to catch an ACL applied in the wrong direction or not applied at all.
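As an added example (Python, not part of the lab and not Cisco code), the script below parses the output of the two verification commands and cross-checks them the way a reviewer would after the lab: ACLs that are defined but bound nowhere, interfaces bound to an ACL that does not exist (on IOS an access-group naming an ACL with no entries filters nothing, so everything passes), entries that have never matched, and lists whose last entry is not a catch-all, so that unmatched traffic lands on the uncounted implicit deny. The sample output is constructed in IOS format with assumed addresses and ACL numbers; it accepts both the IOS `(8 matches)` and the Packet Tracer `(8 match(es))` counter spelling.

```python
"""Audit IOS 'show access-lists' and 'show ip interface' output: which ACLs are bound where,
which entries never matched, and where the uncounted implicit deny does the work.
Added example; not the guide's code. The sample output below is constructed."""
import re

ACL_HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)")
# IOS prints '(8 matches)', Packet Tracer prints '(8 match(es))'; an entry with no counter has 0 hits
ACE_LINE = re.compile(r"^\s+(\d+) (permit|deny)\s+(.*?)(?:\s+\((\d+) match(?:es|\(es\))?\))?\s*$")
IFACE_LINE = re.compile(r"^(\S+) is (\w+), line protocol is (\w+)")
BIND_LINE = re.compile(r"^\s+(Outgoing|Inbound)\s+access list is (.+?)\s*$")

def parse_show_access_lists(text):
    """-> {acl name: {'type': 'Standard'|'Extended', 'aces': [(seq, action, rule, hits), ...]}}"""
    acls, current = {}, None
    for line in text.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            current = acls.setdefault(m.group(2), {"type": m.group(1), "aces": []})
            continue
        m = ACE_LINE.match(line)
        if m and current is not None:
            seq, action, rule, hits = m.groups()
            current["aces"].append((int(seq), action, rule.strip(), int(hits or 0)))
    return acls

def parse_show_ip_interface(text):
    """-> {interface: {'status': 'up'|'down', 'in': acl or None, 'out': acl or None}}"""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = IFACE_LINE.match(line)
        if m:
            current = ifaces.setdefault(m.group(1), {"status": m.group(2), "in": None, "out": None})
            continue
        m = BIND_LINE.match(line)
        if m and current is not None:
            current["in" if m.group(1) == "Inbound" else "out"] = None if m.group(2) == "not set" else m.group(2)
    return ifaces

def audit(acls, ifaces):
    """Cross-check definitions, bindings and counters; returns (finding, acl, detail) tuples."""
    findings, applied = [], set()
    for iface, info in ifaces.items():
        for direction in ("in", "out"):
            name = info[direction]
            if name is None:
                continue
            applied.add(name)
            if name not in acls:
                # On IOS an access-group naming an ACL with no entries filters nothing: all traffic passes
                findings.append(("undefined_acl_permits_all", name, f"{iface} {direction}"))
    for name, acl in acls.items():
        if name not in applied:
            findings.append(("defined_but_not_applied", name, ""))
        for seq, action, rule, hits in acl["aces"]:
            if hits == 0:
                findings.append(("zero_hits", name, f"{seq} {action} {rule}"))
        # Without a catch-all last entry, unmatched traffic hits the implicit deny, which keeps no
        # counter and cannot log; 'ends with any' is a heuristic for 'permit any' / 'deny ip any any'
        if not acl["aces"] or not acl["aces"][-1][2].endswith("any"):
            findings.append(("implicit_deny_uncounted", name, "end with an explicit 'deny ip any any log'"))
    return findings

# Constructed sample output in IOS format; addresses and ACL numbers are assumptions
SHOW_ACCESS_LISTS = """\
Standard IP access list 10
    10 deny   192.168.1.10 (8 matches)
    20 permit any (23 matches)
Extended IP access list 100
    10 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq www (4 match(es))
    20 deny ip any any
Extended IP access list 120
    10 permit tcp any any eq www (12 matches)
Extended IP access list WEB_FILTER
    10 permit tcp host 192.168.1.10 host 192.168.2.20 eq www
    20 deny ip any any
"""
SHOW_IP_INTERFACE = """\
FastEthernet0/0 is up, line protocol is up
  Internet address is 192.168.1.1/24
  Outgoing access list is 150
  Inbound  access list is 100
FastEthernet0/1 is up, line protocol is up
  Internet address is 10.0.0.1/30
  Outgoing access list is 10
  Inbound  access list is 120
"""

if __name__ == "__main__":
    for finding in audit(parse_show_access_lists(SHOW_ACCESS_LISTS), parse_show_ip_interface(SHOW_IP_INTERFACE)):
        print(*finding)
```

On the constructed sample the audit reports ACL 150 bound outbound on FastEthernet0/0 without existing, WEB_FILTER defined but applied nowhere, the zero-hit entries (including `deny ip any any` in ACL 100, which simply means no denied traffic has been seen yet), and ACL 120 ending in a specific permit with no explicit catch-all; ACL 10 produces no findings. Paste real command output into the two strings to run the same checks on a lab router.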
Troubleshooting Tips
• Check interface status → no shutdown
• Verify IP addresses
• Ensure correct ACL direction (in/out)
• Confirm routing is working
Student Tasks
1. Modify the standard ACL to block PC2 instead of PC1
2. Allow ICMP (ping) but block HTTP
3. Create a named ACL
4. Apply an ACL on a different interface, or in the other direction, and observe the behavior
Expected Learning Outcome
Students will:
• Understand ACL logic
• Control traffic in a network
• Apply security policies using routers
BONUS CHALLENGE
Configure ACL to:
• Allow PC1 to access only PC3
• Block all other communications