Cisco IOS cheat sheet for ACL (Access Control Lists) — standard, extended, named, VACL, and Port ACL. Used for traffic filtering, route filtering, NAT pool selection, and more.
Key Placement Rules
- IN direction: the ACL is checked as the packet arrives on the interface from the directly connected device, before any routing decision is made.
- OUT direction: the ACL is checked after the packet has been routed from another interface to this one, just before it is forwarded out.
- Standard ACL: filters on source IP only, so place it as close to the destination as possible (placed near the source, it would cut that source off from every destination, not just the intended one).
- Extended ACL: filters on source, destination, protocol and port, so place it as close to the source as possible and drop unwanted traffic before it crosses the network.
Standard ACL
Standard Numbered ACL
| Command | Description |
|---|---|
| access-list 1 deny 192.168.10.5 | Deny host 192.168.10.5 |
| access-list 1 permit 192.168.10.0 0.0.0.255 | Permit the rest of the subnet |
| interface fa0/1 | Enter interface |
| ip access-group 1 out | Apply ACL 1 in outbound direction |
Extended ACL
Extended Numbered ACL
| Command | Description |
|---|---|
| access-list 110 deny tcp host 192.168.10.1 any eq 80 | Deny TCP from host 192.168.10.1 to any destination on port 80 |
| access-list 110 permit ip 192.168.10.0 0.0.0.255 any | Permit all other traffic from the subnet |
| interface fa0/1 | Enter interface |
| ip access-group 110 out | Apply ACL 110 outbound |
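Added example (not part of the cheat sheet and not Cisco code): a small Python model of how IOS evaluates ACL 1 and ACL 110 above, showing wildcard-mask matching, top-down first-match processing and the implicit deny at the end of every ACL. It assumes only the `host`/`any`/wildcard address forms and the `eq <port>` destination qualifier; other operators (`gt`, `range`, `established`) are not modelled.

```python
import ipaddress

# Constructed samples: the cheat sheet's own ACL 1 (standard) and ACL 110 (extended).
ACL_1 = ["access-list 1 deny 192.168.10.5",
         "access-list 1 permit 192.168.10.0 0.0.0.255"]
ACL_110 = ["access-list 110 deny tcp host 192.168.10.1 any eq 80",
           "access-list 110 permit ip 192.168.10.0 0.0.0.255 any"]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask semantics: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def _addr(tokens):
    """Consume one address spec: any | host A | A WILDCARD | bare A (a single host)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if len(tokens) > 1 and tokens[1][0].isdigit():  # explicit wildcard mask follows
        return tokens[0], tokens[1], tokens[2:]
    return tokens[0], "0.0.0.0", tokens[1:]

def parse_ace(line):
    """Parse one numbered ACE. Only the 'eq <port>' destination qualifier is modelled."""
    t = line.split()
    number, action = int(t[1]), t[2]
    if number < 100 or 1300 <= number <= 1999:       # standard ACL: source address only
        src, sw, _ = _addr(t[3:])
        return dict(action=action, proto="ip", src=src, sw=sw,
                    dst="0.0.0.0", dw="255.255.255.255", dport=None)
    src, sw, rest = _addr(t[4:])                      # extended ACL: proto src dst [eq port]
    dst, dw, rest = _addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return dict(action=action, proto=t[3], src=src, sw=sw, dst=dst, dw=dw, dport=dport)

def evaluate(acl, proto, src, dst, dport=None):
    """Walk the ACL top-down: first match wins; unmatched traffic hits the implicit deny."""
    for line in acl:
        a = parse_ace(line)
        if (a["proto"] in ("ip", proto)
                and wildcard_match(src, a["src"], a["sw"])
                and wildcard_match(dst, a["dst"], a["dw"])
                and (a["dport"] is None or a["dport"] == dport)):
            return a["action"], line
    return "deny", "implicit deny"

if __name__ == "__main__":
    print(evaluate(ACL_110, "tcp", "192.168.10.1", "10.0.0.5", dport=80))  # -> ('deny', ACL_110[0])
```

Feed it the addresses and ports you expect to see on the interface to confirm the entry order produces the intended permit/deny before applying the list with `ip access-group`.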
Inter-VLAN Filtering
Block VLAN 2 → VLAN 3 traffic (on the router that performs the inter-VLAN routing):
| Command | Description |
|---|---|
| access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 | Block traffic from VLAN 2 (192.168.10.0/24) to VLAN 3 (192.168.20.0/24) |
| access-list 101 permit ip any any | Permit everything else |
| ip access-group 101 out | Apply outbound on the VLAN 3 interface |
| ip access-group 101 in | Or apply inbound on the VLAN 2 interface |
On an L3 switch with SVIs, apply it to the VLAN 2 SVI instead:
| Command | Description |
|---|---|
| int vlan 2 | Enter the SVI for VLAN 2 |
| ip access-group 101 in | Apply ACL 101 inbound on the SVI |
Named ACL
Named ACL (Standard or Extended)
| Command | Description |
|---|---|
| ip access-list extended MY_LIST | Create named extended ACL and enter edit mode |
| permit ip host 192.168.0.2 host 172.20.20.2 | Permit specific host-to-host traffic |
| ip access-list resequence MY_LIST 10 20 | Renumber ACL entries: start at 10, step 20 |
VACL — VLAN Access Maps
Applied directly to a VLAN — inspects traffic within the VLAN (no routing required).
VACL Configuration
| Command | Description |
|---|---|
| mac access-list extended MY_MAC_LIST | Create MAC ACL (optional) |
| permit host 0000.3131.0110 any | Allow specific MAC address |
| ip access-list extended MY_IP_LIST | Create IP ACL |
| permit ip host 192.168.0.1 any | Allow specific IP |
| vlan access-map MY_VLAN_MAP | Create VLAN access-map |
| match mac address MY_MAC_LIST | Match MAC ACL |
| match ip address MY_IP_LIST | Match IP ACL |
| action forward | Forward matching traffic |
| vlan filter MY_VLAN_MAP vlan-list 150-170 | Apply VLAN access-map to VLANs 150–170 |
PACL — Port ACL
Applied inbound on a Layer 2 switch port; a typical use is locking a port down to the static IP of the attached server (DHCP servers, default gateways).
Port ACL on Access Port
| Command | Description |
|---|---|
| ip access-list standard SERVER1 | Create named standard ACL |
| permit 192.168.1.1 | Allow specific IP |
| deny any log | Deny all others, log violations |
| int fa0/3 | Enter the port facing the server |
| ip access-group SERVER1 in | Apply ACL inbound |
Diagnostics
show / verify
| Command | Description |
|---|---|
| show access-lists | All ACLs and their hit counters |
| show ip interface fa0/1 \| include access | Check whether an ACL is applied to an interface, and in which direction |
| show run \| include access-list | Show the access-list lines from the running config |
Cisco IOS Command Reference | ACL