Managing Traffic with Access Control Lists

ACL’s can filter inbound and outbound router traffic

The 2 Functions ACL’s are used for:

  • Classification: After the router identifies and classifies traffic the router can decide how to handle that traffic.
  • Filtering: Permitting or denying specific traffic

Packet filtering helps control packet movement through the network.

ACL’s permit or deny the following:

  • Packets to or from specific interfaces and packets traversing the router
  • Inbound or outbound remote administration traffic


In IP ALL discard returns “Destination Unreachable”

ACL’s can classify traffic, for example:

Identify traffic to be encrypted across VPN

  • Identify routes to be redistributed
  • Use with route filtering to identify which routes to send in an update
  • Used with policy based routing to identify routes
  • Identify traffic to be natted
  • Used with QoS

ACL’s specify how a router handles traffic

ACL’s do NOT apply to traffic originating from the router.

ACL statements operate in a sequential, logical order.

Evaluation is top down one statement at a time, once a match is found the rest of the statement are skipped.

Implicit deny any statement is last, dropping all packets that do not meet the criteria of an ACL.


Standard ACL’s – Check only the source address (1-99 or 1300-1999)

Extended ACL’s – Are 100-199 or 2000-2699 and check:

  • Source address
  • Destination Address
  • Protocols
  • Port Numbers

Named or numbered ACL’s (to identify them)

Specific references to a subnet should appear before more general ones.

Create the ACL before applying it to an interface

Place ACL’s as close as possible to the source of the traffic being filtered.

Dynamic ACL’s – Require authentication before passing traffic

Reflexive ACL’s – Denys inbound connections unless the request comes from an address inside the network.  Entries are temporary.  Can only be defined with extended Named ACL’s, they cannot be used with standard or numbered ACL’s.

Time based ACL’s – Access control based on time

Summary of ACL Operations

  • Used for IP packet filtering and identification
  • Top down processing for inbound and outbound
  • Named or Numbered, Standard or extended these determine what can be filtered.

Standard ACL’s – Deploy as close to the destination as possible.

Configuring ACL’s

access-list – Creates a Standard ACL

ip access-group – assigns an ACL to and interface

Remove an ACL from an interface before deleting it

access-class – assigns an ACL to a vty line

remark – Allows the use of comments in the config

Troubleshooting ACL’s

show access-list – displays the contents of all ACL’s

show ip access-list – shows the contents of IP access lists

show ip interface – shows the ACL (if any) applied to an interface

Leave a Reply