Cisco ACL Configuration Examples



Show ACL

Operation                              Command
Check access lists                     Router#show ip access-lists
                                       Router#show ip access-lists xxxxxx          (one list, by name or number)
                                       Router#show access-lists
Check whether an interface has an ACL  Router#show ip interface
                                       Router#show ip interface GigabitEthernet0/0
                                       (look for the "Inbound access list is ..." / "Outgoing access list is ..." lines)


Cisco ACL to Physical Interface

access-list 10 permit 10.10.10.2  0.0.0.0   ! source ip is 10.10.10.2 (wildcard 0.0.0.0 = exactly this one host)

int fa0/0
  ip access-group 10 in



Cisco ACL to VLAN

The in/out direction is relative to the router's own forwarding, not to the VLAN as seen from its hosts: an ACL applied "out" on interface Vlan20 filters packets the router sends into VLAN 20, and "in" filters packets it receives from VLAN 20. The list below therefore stops hosts in VLAN 10 (10.10.10.0/24) from reaching VLAN 20.

ip access-list standard vlan20-list
 deny 10.10.10.0 0.0.0.255                 ! source ip is  10.10.10.0/24
 permit any

Interface Vlan10
 ip address 10.10.10.1 255.255.255.0

Interface Vlan20
 ip address 10.20.20.1 255.255.255.0
 ip access-group vlan20-list out


How to configure ACL the new way: named ACLs with sequence numbering

A standard ACL matches on the source IP address only.

Standard ACL (Name,1-99)

Create Standard ACL (Name,1-99)

1.Create Standard ACL (Name,1-99)
Router# conf t
Router(config)# ip access-list standard acl-test
Router(config-std-nacl)# permit 172.16.1.2          <- entries get sequence numbers 10, 20, ... automatically
Router(config-std-nacl)# permit 172.16.1.3
Router(config-std-nacl)# exit
2.Apply to Interface
Router(config)# int Gi0/1
Router(config-if)# ip access-group acl-test in
Create the list before applying it: on IOS an access-group that references a list which does not exist yet permits all traffic.


Add Standard ACL (Name,1-99)

Router(config)#do show ip access-list        <- check the existing sequence numbers first (show needs "do" in config mode)

Router(config)#ip access-list standard acl-test
Router(config-std-nacl)#31 permit 192.168.20.0 0.0.0.255    <- the leading number places the entry between 30 and 40


Delete Standard ACL (Name,1-99)

Router(config)#do show ip access-list        <- find the sequence number of the entry to remove

Router(config)#ip access-list standard acl-test
Router(config-std-nacl)#no 30                <- removes only entry 30; the rest of the list stays


Examples of Standard ACL (Name,1-99)

deny 192.168.1.0 0.0.0.255     <- deny from 192.168.1.0/24
deny 192.168.1.0 0.0.255.255   <- deny from 192.168.0.0/16
permit any                     <- permit from any

The wildcard 0.0.255.255 ignores the last two octets, so IOS stores the second line as 192.168.0.0 0.0.255.255; it covers the whole 192.168.0.0/16 and makes the first line redundant. Entries are checked top down, the first match decides, and a list with no "permit any" ends in an implicit deny of everything else.
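The following Python model is added here and is not part of the page; it shows how IOS evaluates the three example lines above: wildcard-mask matching, top-down first match, and the implicit deny at the end. Function names and the test addresses are my own.

```python
import ipaddress

# Constructed model of IOS standard-ACL evaluation (added example, not the page's own commands).


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care', a 0 bit must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & (0xFFFFFFFF ^ w)) == 0


def normalize(base: str, wildcard: str) -> str:
    """The address IOS actually stores for an entry: the 'don't care' bits are cleared."""
    b, w = (int(ipaddress.IPv4Address(x)) for x in (base, wildcard))
    return str(ipaddress.IPv4Address(b & (0xFFFFFFFF ^ w)))


def parse_standard(lines):
    """Parse the page's standard-ACL line syntax into (action, base, wildcard) tuples.

    Accepted forms: 'permit|deny any', 'permit|deny host A',
    'permit|deny A' (a bare address is a single host) and 'permit|deny A WILDCARD'.
    """
    entries = []
    for line in lines:
        tokens = line.split()
        action = tokens[0]
        if tokens[1] == "any":
            entries.append((action, "0.0.0.0", "255.255.255.255"))
        elif tokens[1] == "host":
            entries.append((action, tokens[2], "0.0.0.0"))
        elif len(tokens) == 2:
            entries.append((action, tokens[1], "0.0.0.0"))
        else:
            entries.append((action, normalize(tokens[1], tokens[2]), tokens[2]))
    return entries


def evaluate_standard(entries, src: str) -> str:
    """Top down, first matching entry wins; nothing matched means the implicit deny."""
    for action, base, wildcard in entries:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"


# The three example lines from the page.
EXAMPLE_ACL = parse_standard([
    "deny 192.168.1.0 0.0.0.255",
    "deny 192.168.1.0 0.0.255.255",
    "permit any",
])

if __name__ == "__main__":
    for src in ("192.168.1.9", "192.168.77.1", "10.1.1.1"):   # constructed test sources
        print(src, "->", evaluate_standard(EXAMPLE_ACL, src))
```

Running it prints deny for both 192.168.x.x sources (the second from the /16 line) and permit for 10.1.1.1; a list made only of the two "permit 172.16.1.x" host entries from the create step denies every other source.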




Extended ACL (Name,100-199)

An extended ACL matches on source and destination IP address, and can also match the protocol and port (the examples below use tcp with eq 23 / eq www).

Create Extended ACL(Name,100-199)

1.Create Extended ACL (Name,100-199)
Router# conf t
Router(config)# ip access-list extended acl-test
Router(config-ext-nacl)# deny tcp host 172.16.1.2  172.16.2.0 0.0.0.255 eq telnet
                                               <- Deny telnet from host 172.16.1.2 to 172.16.2.0/24
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
2.Apply ACL to Interface
Router(config)#int Gi0/1
Router(config-if)#ip access-group acl-test in


Add Extended ACL (Name,100-199)

Router(config)#do show ip access-list        <- check the existing sequence numbers first (show needs "do" in config mode)

Router(config)#ip access-list extended acl-test
Router(config-ext-nacl)#101 permit ip 192.168.20.0 0.0.0.255 any    <- the leading number places the entry right after 100


Delete Extended ACL (Name,100-199)

Router(config)#do show ip access-list        <- find the sequence number of the entry to remove

Router(config)#ip access-list extended acl-test
Router(config-ext-nacl)#no 101               <- removes only entry 101; the rest of the list stays


Examples of Extended ACL (Name,100-199)

Each group below is one complete list. IOS checks it top down and stops at the first match, and every list ends with an implicit "deny ip any any".

Deny telnet to two hosts, allow everything else:
deny tcp any host 192.168.2.2 eq 23   <- Deny telnet to F0/0
deny tcp any host 192.168.3.2 eq 23   <- Deny telnet to F0/1
permit ip any any                     <- Permit from any to any

Deny telnet to the whole 192.168.0.0/16, allow everything else:
deny tcp any 192.168.0.0 0.0.255.255 eq 23   <- Deny telnet from any to 192.168.0.0/16
permit ip any any                            <- Permit from any to any

Allow telnet from one host, deny it from every other source, allow everything else (the permits must come before the deny):
permit tcp host 192.168.1.1 host 192.168.2.2 eq 23   <- Permit telnet to F0/0
permit tcp host 192.168.1.1 host 192.168.3.2 eq 23   <- Permit telnet to F0/1
deny tcp any 192.168.0.0 0.0.255.255 eq 23           <- Deny telnet from any other source to 192.168.0.0/16
permit ip any any                                    <- Permit from any to any

Deny HTTP to one server, allow everything else:
deny tcp any host 172.16.1.1 eq www   <- Deny www from any to 172.16.1.1
permit ip any any                     <- Permit from any to any

Permit only the listed traffic (everything else hits the implicit deny):
permit tcp host 192.168.1.1 host 10.50.1.1 eq www   <- Permit www from 192.168.1.1 to 10.50.1.1
permit ip 192.168.10.0 0.0.0.255 any                <- Permit from 192.168.10.0/24 to any


Resequence

Syntax: ip access-list resequence {NAME | NUMBER} START INCREMENT
Renumbers every entry so that the first one gets START and each following entry is INCREMENT higher, which leaves room for new inserts.

Command                                                           Example
Router(config)# ip access-list resequence NAME START INCREMENT    Router(config)# ip access-list resequence acl-test 10 10
Router(config)# ip access-list resequence NUMBER START INCREMENT  Router(config)# ip access-list resequence 150 1 5
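The Python model below is added here and is not the page's own code. It covers the whole "new way" section: entries auto-number in steps of 10, a leading number inserts an entry at that position (the "101 permit ..." and "31 permit ..." steps), "no SEQ" removes one entry, resequence renumbers the list, and evaluation of an extended entry matches protocol, source, destination and port. The +10 auto-numbering, the class and function names and the test packets are my assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of an IOS named extended ACL with sequence numbers
# (added example, not the page's own commands).

PORT_NAMES = {"telnet": 23, "www": 80}   # the port keywords used on the page


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & (0xFFFFFFFF ^ w)) == 0


def _addr(tokens, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return ((base, wildcard), next index)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def _port(tokens, i):
    """Consume an optional 'eq PORT' at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return PORT_NAMES.get(p, int(p) if p.isdigit() else None), i + 2
    return None, i


@dataclass
class Ace:
    seq: int
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches every protocol
    src: tuple
    dst: tuple
    sport: Optional[int]
    dport: Optional[int]

    def matches(self, proto, src_ip, dst_ip, sport=None, dport=None) -> bool:
        return (self.proto in ("ip", proto)
                and wildcard_match(src_ip, *self.src)
                and wildcard_match(dst_ip, *self.dst)
                and (self.sport is None or self.sport == sport)
                and (self.dport is None or self.dport == dport))


class SequencedAcl:
    def __init__(self):
        self.aces = []

    def add(self, line: str):
        """One line as typed at the (config-ext-nacl)# prompt, e.g. '15 deny tcp any host 172.16.1.1 eq www'."""
        t = line.split()
        # Assumption: without an explicit number IOS appends at highest sequence + 10.
        seq = int(t.pop(0)) if t[0].isdigit() else max((a.seq for a in self.aces), default=0) + 10
        if any(a.seq == seq for a in self.aces):
            raise ValueError(f"sequence {seq} already in use")
        src, i = _addr(t, 2)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, _ = _port(t, i)
        self.aces.append(Ace(seq, t[0], t[1], src, dst, sport, dport))
        self.aces.sort(key=lambda a: a.seq)   # position is decided by the number, not by typing order

    def delete(self, seq: int):               # "no 30"
        self.aces = [a for a in self.aces if a.seq != seq]

    def resequence(self, start: int, increment: int):   # "ip access-list resequence NAME START INCREMENT"
        for n, a in enumerate(self.aces):
            a.seq = start + n * increment

    def sequences(self):
        return [a.seq for a in self.aces]

    def evaluate(self, proto, src_ip, dst_ip, sport=None, dport=None) -> str:
        for a in self.aces:                   # top down, first match wins
            if a.matches(proto, src_ip, dst_ip, sport, dport):
                return a.action
        return "deny"                         # implicit deny ip any any


def build_page_example() -> SequencedAcl:
    """The acl-test list from the page, plus one entry inserted by sequence number."""
    acl = SequencedAcl()
    acl.add("deny tcp host 172.16.1.2 172.16.2.0 0.0.0.255 eq telnet")   # seq 10
    acl.add("permit ip any any")                                          # seq 20
    acl.add("15 deny tcp any host 172.16.1.1 eq www")                     # lands between 10 and 20
    return acl


if __name__ == "__main__":
    acl = build_page_example()
    print(acl.sequences())                                             # [10, 15, 20]
    print(acl.evaluate("tcp", "172.16.1.2", "172.16.2.5", dport=23))   # deny  (seq 10)
    print(acl.evaluate("tcp", "10.0.0.1", "172.16.1.1", dport=80))     # deny  (seq 15)
    print(acl.evaluate("udp", "10.0.0.1", "172.16.1.1", dport=80))     # permit (seq 20)
    acl.delete(15)
    acl.resequence(100, 5)
    print(acl.sequences())                                             # [100, 105]
```

The sort after every add is the point of the model: the number on the line, not the order of typing, decides where the entry sits, which is what lets the "31 permit" and "101 permit" steps land in the middle of a list. Adding a line with a number that is already in use is refused here so the collision is visible; on the router, check with "do show ip access-list" before picking a number.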




How to configure ACL the legacy way: numbered access-list commands

Standard Access List (1-99)

Create Standard ACL

1.Create ACL
Router# conf t
Router(config)# access-list 1 deny 192.168.1.0  0.0.0.255
Router(config)# access-list 1 permit any
2.Apply to Interface
Router(config)# int Gi0/1
Router(config-if)# ip access-group 1 in


Delete ACL

Router(config)#no access-list 10        <- removes the whole list 10, every entry at once

A legacy numbered list has no per-entry delete: "no access-list N" drops the entire list, so to change one line remove the list and re-enter it, or edit it with sequence numbers via "ip access-list standard N" as in the new-way section above.


Examples of Standard ACL (1-99)

access-list 1 deny 192.168.1.0 0.0.0.255     <- deny from 192.168.1.0/24
access-list 1 deny 192.168.1.0 0.0.255.255   <- deny from 192.168.0.0/16
access-list 1 permit any                     <- permit from any

Entries are appended in the order typed. IOS stores the second line as 192.168.0.0 0.0.255.255, since the wildcard clears the last two octets; it covers the whole /16, so the first line is redundant.




Extended Access List (100-199)

Create Extended ACL

1.Create ACL
Router# conf t
Router(config)#access-list 100 deny tcp 192.168.1.0 0.0.0.255 host 192.168.2.2 eq www   <- deny www from 192.168.1.0/24 to host 192.168.2.2
Router(config)#access-list 100 permit ip any any
2.Apply ACL to Interface
Router(config)#int Gi0/1
Router(config-if)#ip access-group 100 in


Examples of Extended ACL (100-199)

Each group below is one complete list 100. Entries are appended in the order typed, IOS checks them top down and stops at the first match, and every list ends with an implicit "deny ip any any".

Deny telnet to two hosts, allow everything else:
access-list 100 deny tcp any host 192.168.2.2 eq 23   <- Deny telnet to F0/0
access-list 100 deny tcp any host 192.168.3.2 eq 23   <- Deny telnet to F0/1
access-list 100 permit ip any any                     <- Permit from any to any

Allow telnet from one host, deny it from every other source, allow everything else (the permits must come before the denies):
access-list 100 permit tcp host 192.168.1.1 host 192.168.2.2 eq 23   <- Permit telnet to F0/0
access-list 100 permit tcp host 192.168.1.1 host 192.168.3.2 eq 23   <- Permit telnet to F0/1
access-list 100 deny tcp any host 192.168.2.2 eq 23                  <- Deny telnet to F0/0
access-list 100 deny tcp any host 192.168.3.2 eq 23                  <- Deny telnet to F0/1
access-list 100 permit ip any any                                    <- Permit from any to any

Permit only the listed traffic (everything else hits the implicit deny):
access-list 100 permit ip 192.168.10.0 0.0.0.255 any                <- Permit from 192.168.10.0/24 to any
access-list 100 permit tcp host 192.168.1.1 host 10.50.1.1 eq www   <- Permit www from 192.168.1.1 to 10.50.1.1

Deny HTTP to one server (on its own this line blocks all traffic because of the implicit deny; add a permit after it for the traffic that should pass):
access-list 100 deny tcp any host 172.16.1.1 eq www   <- Deny www from any to 172.16.1.1