Secure Router with IP access control lists (ACLs)

In this article we will look at very basic security feature of routers and L3 switches – Access Lists
At the most basic level, an access list is a list of conditions that categorize packets and because of this, they can be really helpful when you need to exercise control over network traffic. One of the most common and easiest-to-understand uses of access lists is filtering unwanted packets when implementing security policies. There are a few important rules that a packet follows when it’s being compared with an access list:

  • It’s always compared with each line of the ACL in sequential order and progress in that way, beginning with the first line of the ACL, moving to line 2, then line 3, and so on.
  • Packets are compared with lines of the ACL only until a match is made. Once the packet matches the specified condition delimited on a line of the ACL, the packet is acted upon and no further comparisons take place.
  • There is an implicit “deny” at the end of each ACL, which means that if a packet doesn’t match the condition on any of the lines in it, the packet will be discarded.


Access Lists


Standard Access List

These use only the source IP address in an IP packet as the condition test. All decisions are made based on the source IP address. This means that standard access lists basically permit or deny an entire suite of protocols. They don’t distinguish between any

of the many types of IP traffic such as Web, Telnet, UDP, and so on. Standard ACLs are old and not used any longer in production networks.

Extended Access List

Extended access lists can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet. They can evaluate source and destination IP addresses, the Protocol field in the Network layer header, and the port number at the Transport layer header. This gives extended access lists the ability to make much more granular decisions when con- trolling traffic.


Example Named Access List

nexus7k(config)# ip access-list Deny_FTP

nexus7k(config-acl)# deny tcp any host eq ftp

nexus7k(config-acl)# permit ip any any

nexus7k(config-acl)# int e3/2

nexus7k(config-if)# ip access-group Deny_FTP out

To use an access list as a packet filter, you must apply it to an interface on the router where you want the traffic filtered. And you’ve got to specify which direction of traffic you want the access list applied to.

Inbound access lists

When an ACL is applied to inbound packets on an interface, those pack-ets are processed through it before being routed to the outbound interface. Any packets that are denied won’t be routed because they’re discarded before the routing process is invoked.



Outbound access lists

When an ACL is applied to outbound packets on an interface, packets are routed to the outbound interface and then processed through the access list before being queued.


When configuring ACLs from the Internet


  • Deny any source addresses from your internal networks.
  • Deny any local host addresses (
  • Deny any reserved private addresses (RFC 1918).
  • Deny any addresses in the IP multicast address range (


Wildcard Masking

Wildcards are used with access lists to specify an individual host, a network, or a certain range of a network or networks. to specify a host, the address would look like this:

to specify a subnet



Standard Accecss List 1-99

Corp(config)#access-list 10 deny

Example Extended Access-list 100-199

Corp(config)#access-list 110 deny tcp any host eq 23 log

Example of how to deny access to Telnet and FTP from host

Lab_A#config t

Lab_A(config)#access-list 110 deny tcp any host eq 21

Lab_A(config)#access-list 110 deny tcp any host eq 23

Lab_A(config)#access-list 110 permit ip any any

Lab_A(config)#int e3/1

Lab_A(config-if)#ip access-group 110 out