Methods for Creating ACLs

When creating ACLs, either standard or extended, two options can be used to identify them: numbers or names. For numbered ACLs, there is a predefined range of numbers for each type, and they are:

  • Standard ACL: 1-99 and 1300-1999
  • Extended ACL: 100-199 and 2000-2699

Based on the number used, the Cisco IOS allows only the corresponding conditions to be configured for that specific type of ACL.

By contrast, when a name is used to identify an ACL, the type of the ACL must also be included in the configuration, because the name alone gives no information about the type. Note that using named ACLs instead of numbered ACLs is recommended, as it allows for easier management.

Commands for Configuring the Standard ACL

The configuration of ACLs on Cisco devices is performed in the global configuration mode. The format of a standard numbered ACL on Cisco devices is as follows:

access-list ACL-number permit|deny source [wildcard-mask]

The ACL number is a number in the range 1-99 or 1300-1999 that identifies the ACL. The permit or deny keyword specifies the action: whether to permit or deny traffic that matches the condition (the source) in the entry. The source identifies the source IP address, which can represent a network or a single host. The last parameter is the wildcard mask, which defines the range of source IP addresses to which the entry applies.

The wildcard mask is an optional parameter, needed only when a network is identified as the source (it is not needed for a single host). When configuring ACLs on a Cisco router or switch, you define a wildcard mask rather than a subnet mask.

The wildcard mask is the inverse of the subnet mask, specifying which bits of the IP address should be matched and which should be ignored. While a subnet mask uses 1s to indicate the network portion and 0s to indicate the host portion, a wildcard mask uses 0s to indicate the network portion and 1s to indicate the host portion.

For example, if you want to allow access only to the first 16 IP addresses in the range 192.168.1.0 to 192.168.1.255, you would use a wildcard mask of 0.0.0.15 (the inverse of the subnet mask 255.255.255.240). This allows access to the IP addresses 192.168.1.0 through 192.168.1.15.
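The wildcard-mask arithmetic described above, as an added example in Python (not code from the original article or from Cisco): it inverts a subnet mask into a wildcard mask, tests an address against a "source wildcard" condition with the same bitwise rule IOS applies, and enumerates the addresses a condition covers. It goes slightly beyond the text in that it also handles non-contiguous wildcards such as 0.0.255.0, which IOS accepts but which no subnet mask can express; all addresses in it are constructed sample values.

```python
# Added example (not from the original article): wildcard-mask arithmetic as a
# Cisco IOS standard ACL applies it when comparing a packet's source address.
import ipaddress

MAX_ADDRESSES = 1 << 16   # refuse to enumerate wildcards with more than 16 free bits


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def invert_mask(mask: str) -> str:
    """Subnet mask -> wildcard mask, and back again (the operation is its own inverse)."""
    return _to_dotted(_to_int(mask) ^ 0xFFFFFFFF)


def matches(address: str, source: str, wildcard: str) -> bool:
    """True when `address` matches the ACL condition `source wildcard`:
    where a wildcard bit is 0 the address bits must be equal, where it is 1 the bit is ignored."""
    keep = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(address) & keep) == (_to_int(source) & keep)


def is_contiguous(wildcard: str) -> bool:
    """A wildcard whose 1-bits are all at the low end corresponds to a subnet mask.
    IOS also accepts non-contiguous wildcards (e.g. 0.0.255.0) that no subnet mask can express."""
    w = _to_int(wildcard)
    return (w & (w + 1)) == 0


def matched_addresses(source: str, wildcard: str) -> list:
    """Enumerate every address the condition `source wildcard` matches, in ascending order.
    The source bits under wildcard 1s are irrelevant, so 192.168.1.7 0.0.0.15 covers the
    same sixteen addresses as 192.168.1.0 0.0.0.15."""
    w = _to_int(wildcard)
    free_bits = [i for i in range(32) if (w >> i) & 1]   # bit positions that are ignored
    if (1 << len(free_bits)) > MAX_ADDRESSES:
        raise ValueError("wildcard covers too many addresses to enumerate")
    base = _to_int(source) & ~w & 0xFFFFFFFF             # source with ignored bits cleared
    out = []
    for combo in range(1 << len(free_bits)):             # every assignment of the free bits
        value = base
        for k, bit in enumerate(free_bits):
            if (combo >> k) & 1:
                value |= 1 << bit
        out.append(_to_dotted(value))
    return out


if __name__ == "__main__":
    print(invert_mask("255.255.255.240"))                 # 0.0.0.15
    print(matched_addresses("192.168.1.0", "0.0.0.15"))  # 192.168.1.0 ... 192.168.1.15
    print(is_contiguous("0.0.255.0"))                     # False: matches 10.1.x.5 style ranges
```

The `is_contiguous` check is worth running on any wildcard you did not derive from a subnet mask yourself: a non-contiguous wildcard is legal, but the set of addresses it matches is not a subnet, and `matched_addresses` makes that set explicit before the entry goes into a production ACL.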

To configure a standard named ACL, you need to enter the mode of the ACL first, which can be done using the ip access-list standard acl-name command. Once inside the ACL mode, you can create the ACL entries using the [sequence-number] permit|deny source [wildcard-mask] command.

The meaning of the parameters is the same as for the numbered ACL. In addition, you can specify a sequence number, which determines where the new entry is placed in the ACL. By default, each new entry is appended at the end of the ACL, and sequence numbers increment by 10, starting at 10 for the first entry.

Commands for Configuring the Extended ACL

The format of an extended numbered ACL on a Cisco router is as follows:

access-list access-list-number permit|deny protocol source [source-wildcard-mask] [source port] destination [destination-wildcard-mask] [destination port]

The differences from the standard ACL are that you also need to specify the protocol being matched, as well as the destination matching criteria. Additionally, you can define source and destination port numbers.

To configure an extended named ACL, you need to enter the mode of the ACL first, which can be done using the ip access-list extended acl-name command. Once inside the ACL mode, you can create the ACL entries using the [sequence-number] permit|deny protocol source [source-wildcard-mask] [source port] destination [destination-wildcard-mask] [destination port] command.
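The named standard and extended ACL commands above, together with the sequence-number behaviour described in the standard ACL section, as an added Python model (not code from the original article or from Cisco). It keeps entries ordered by sequence number, numbers new entries 10 past the highest existing one when no sequence is given, evaluates a packet top-down with first match winning, and renders the resulting entries as the configuration lines you would type. The `Entry` and `NamedACL` names and the packet dictionary are assumptions of this example; the `host`, `any` and `eq` keywords in the rendered lines, and the implicit deny that ends every ACL, are standard IOS behaviour not spelled out in the article.

```python
# Added example (not from the original article): a model of IOS sequence-number
# ordering and top-down, first-match evaluation for standard and extended named ACLs.
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "255.255.255.255"   # wildcard that ignores every bit ("any")
HOST = "0.0.0.0"          # wildcard that compares every bit ("host")


def _wc_match(address: str, source: str, wildcard: str) -> bool:
    """Wildcard comparison: 1-bits in the wildcard are ignored, 0-bits must be equal."""
    a, s, w = (int(ipaddress.IPv4Address(x)) for x in (address, source, wildcard))
    return (a & ~w) == (s & ~w)


def _fmt(addr: str, wc: str) -> str:
    """Render an address/wildcard pair the way IOS prints it (any / host addr / addr wc)."""
    if wc == ANY:
        return "any"
    if wc == HOST:
        return f"host {addr}"
    return f"{addr} {wc}"


@dataclass
class Entry:
    seq: int
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" for standard ACLs; e.g. "tcp"/"udp"/"icmp"/"ip" for extended
    src: str
    src_wc: str
    dst: str = "0.0.0.0"             # standard ACLs never look at the destination,
    dst_wc: str = ANY                # so the default destination is "any"
    dst_port: Optional[int] = None   # None means any destination port

    def matches(self, pkt: dict) -> bool:
        """pkt is a constructed dict with keys protocol, src, dst and optionally dst_port."""
        if self.protocol != "ip" and self.protocol != pkt["protocol"]:
            return False
        if not _wc_match(pkt["src"], self.src, self.src_wc):
            return False
        if not _wc_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        return True


class NamedACL:
    def __init__(self, name: str, kind: str = "standard"):
        if kind not in ("standard", "extended"):
            raise ValueError("kind must be 'standard' or 'extended'")
        self.name, self.kind, self.entries = name, kind, []

    def add(self, action: str, src: str, src_wc: str = HOST, *, seq: Optional[int] = None,
            protocol: str = "ip", dst: str = "0.0.0.0", dst_wc: str = ANY,
            dst_port: Optional[int] = None) -> int:
        """Add an entry. Without seq, IOS numbers it 10 past the highest existing entry
        (10, 20, 30, ...); with seq, the entry is slotted into that position."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be 'permit' or 'deny'")
        if self.kind == "standard" and (protocol != "ip" or dst_wc != ANY or dst_port is not None):
            raise ValueError("a standard ACL matches on the source address only")
        if seq is None:
            seq = self.entries[-1].seq + 10 if self.entries else 10
        if any(e.seq == seq for e in self.entries):
            raise ValueError(f"sequence number {seq} is already in use")
        self.entries.append(Entry(seq, action, protocol, src, src_wc, dst, dst_wc, dst_port))
        self.entries.sort(key=lambda e: e.seq)   # evaluation order is sequence order
        return seq

    def evaluate(self, pkt: dict) -> str:
        """Top-down, first match wins; every IOS ACL ends with an implicit deny."""
        for e in self.entries:
            if e.matches(pkt):
                return e.action
        return "deny"

    def render(self) -> list:
        """Produce the configuration lines as they would be entered on the device."""
        lines = [f"ip access-list {self.kind} {self.name}"]
        for e in self.entries:
            if self.kind == "standard":
                lines.append(f" {e.seq} {e.action} {_fmt(e.src, e.src_wc)}")
            else:
                line = f" {e.seq} {e.action} {e.protocol} {_fmt(e.src, e.src_wc)} {_fmt(e.dst, e.dst_wc)}"
                if e.dst_port is not None:
                    line += f" eq {e.dst_port}"
                lines.append(line)
        return lines


if __name__ == "__main__":
    acl = NamedACL("BLOCK_GUEST")                  # constructed sample ACL
    acl.add("deny", "192.168.1.0", "0.0.0.15")     # seq 10
    acl.add("permit", "192.168.1.0", "0.0.0.255")  # seq 20
    acl.add("deny", "192.168.1.77", seq=15)        # lands between 10 and 20
    print("\n".join(acl.render()))
```

Running the block prints the three entries in sequence order, with the explicitly numbered entry 15 sitting between 10 and 20 even though it was added last; that ordering, not the order of typing, is what `evaluate` walks, which is why a host-specific deny placed after a broader permit would never take effect.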