How to Configure an Access Control List (ACL)
To configure an ACL: write the permit/deny rules, remember the implicit deny at the end, then apply the ACL to an interface in a direction. Standard ACLs filter by source; extended by source, destination and port.
ACLs filter traffic by rules. See the standard ACL lab and extended ACL lab.
Step 1: Write a standard ACL (filters by source)
access-list 10 deny 192.168.2.0 0.0.0.255
access-list 10 permit any
Purpose: Deny one subnet, permit the rest (beat the implicit deny!)
Step 2: Or write an extended ACL (precise)
ip access-list extended BLOCK-WEB
 deny tcp any host 10.0.0.5 eq 80
 permit ip any any
Purpose: Block HTTP to one server, allow everything else
Step 3: Apply the ACL to an interface
interface gi0/1
 ip access-group 10 out
Purpose: Standard near destination; extended near source (in)
Verification
show access-lists shows each rule with hit counters — generate test traffic and watch the right line increment. show ip interface gi0/1 confirms which ACL is applied and in which direction.
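As an added example (not Cisco IOS code and not from this page), the Python model below evaluates packets against the two ACLs from Steps 1 and 2 with first-match semantics and the implicit deny, and keeps per-line hit counters like the ones show access-lists displays; the Acl class, wildcard_match and the 10/20 line numbering are this example's own assumptions.

```python
import ipaddress
from collections import Counter

# Added example, not Cisco IOS code: a first-match model of the two ACLs on this
# page. A wildcard mask is the inverse of a subnet mask: 0 bits must match,
# 1 bits are ignored ("any" is 0.0.0.0 255.255.255.255, "host X" is X 0.0.0.0).

def wildcard_match(addr, base, wildcard):
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF                 # bits the rule cares about
    return (a & care) == (b & care)

ANY = ("0.0.0.0", "255.255.255.255")
# access-list 10: deny 192.168.2.0 0.0.0.255 / permit any  (source only)
STANDARD_10 = [
    ("deny", ("192.168.2.0", "0.0.0.255")),
    ("permit", ANY),
]

# ip access-list extended BLOCK-WEB: (action, protocol, src, dst, dst_port)
BLOCK_WEB = [
    ("deny", "tcp", ANY, ("10.0.0.5", "0.0.0.0"), 80),
    ("permit", "ip", ANY, ANY, None),
]

class Acl:
    """Hypothetical helper: evaluate top-down, count hits per line."""
    def __init__(self, rules):
        self.rules, self.hits = rules, Counter()

    def check(self, src, dst="0.0.0.0", proto="ip", dport=None):
        for idx, rule in enumerate(self.rules):
            line, action, match = (idx + 1) * 10, rule[0], rule[1:]
            if len(match) == 1:                          # standard: source only
                ok = wildcard_match(src, *match[0])
            else:                                        # extended: proto/src/dst/port
                rproto, rsrc, rdst, rport = match
                ok = (rproto in ("ip", proto) and wildcard_match(src, *rsrc)
                      and wildcard_match(dst, *rdst)
                      and (rport is None or rport == dport))
            if ok:
                self.hits[line] += 1
                return action, line                      # first match wins
        return "deny", "implicit"                        # invisible deny any at the end

if __name__ == "__main__":
    web = Acl(BLOCK_WEB)
    web.check("10.1.1.1", "10.0.0.5", "tcp", 80)        # matches line 10
    print(Acl(STANDARD_10[:1]).check("10.9.9.9"), dict(web.hits))
```

Dropping the permit line from access-list 10 (STANDARD_10[:1]) shows why the implicit deny bites: every source falls through to it.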
Frequently asked questions
How do I configure an ACL on a Cisco router?
Write permit/deny statements (numbered or named), include a final permit for the traffic you want to allow, then apply the list with ip access-group [acl] [in|out] on an interface.
What is the implicit deny in an ACL?
An invisible deny any at the end of every ACL — any traffic not explicitly permitted is dropped, so always include the permits you need.
Where should I apply standard vs extended ACLs?
Standard ACLs near the destination (they match source only); extended ACLs near the source (they match precisely, saving bandwidth).
How do I verify an ACL is working?
show access-lists shows per-line hit counters; show ip interface confirms the ACL is applied to the right interface and direction.
Want hands-on training?
Learn this on real Cisco lab devices with placement support at Attila Technologies, Ahmedabad.