Access Control List (ACL) Cheat Sheet
Quick reference for building, applying, and verifying IPv4 access control lists on Cisco IOS/IOS-XE. Covers standard, extended, and named ACLs with placement rules for CCNA/CCNP practice. Every ACL ends with an implicit deny — add an explicit permit if you filter by deny.
Part of the Access Control Lists (ACLs) learning hub
Standard Numbered ACL (1-99, 1300-1999)
Matches SOURCE address only, so place it near the DESTINATION. Wildcard is an inverse mask (0=match, 1=ignore): /24=0.0.0.255, /26=0.0.0.63, /30=0.0.0.3. 'host <ip>'=0.0.0.0; 'any'=0.0.0.0 255.255.255.255.
| Command | What it does |
|---|---|
access-list <1-99> permit <source> <wildcard> | Permit a source network/host range. |
access-list <1-99> deny <source> <wildcard> | Deny a matching source. |
access-list <1-99> permit host <source-ip> | Match one host ('host' = wildcard 0.0.0.0). |
access-list <1-99> permit any | Match every source address. |
access-list <1-99> deny <source> <wildcard> log | Deny and log matches to console/syslog. |
access-list <1-99> remark <text> | Add a descriptive comment line. |
no access-list <1-99> | Delete the entire numbered ACL. |
Extended Numbered ACL (100-199, 2000-2699)
Matches source, destination, protocol, and port — filter granularly and place it near the SOURCE to drop unwanted traffic early. Port keywords: eq 22 (SSH), eq 23 (telnet), eq 80 (HTTP), eq 443 (HTTPS), eq 53 (DNS).
| Command | What it does |
|---|---|
access-list <100-199> permit <protocol> <source> <src-wc> <dest> <dst-wc> | Match a protocol (ip/tcp/udp/icmp) from source to destination. |
access-list <100-199> permit tcp <source> <src-wc> <dest> <dst-wc> eq <port> | Permit TCP to a specific destination port. |
access-list <100-199> permit tcp any host <server-ip> eq 22 | Allow SSH to a server from anywhere. |
access-list <100-199> permit tcp any host <server-ip> eq 443 | Allow HTTPS to a server. |
access-list <100-199> permit udp <source> <src-wc> <dest> <dst-wc> eq 53 | Allow DNS queries to a resolver. |
access-list <100-199> permit tcp <source> <src-wc> <dest> <dst-wc> established | Permit return traffic of existing TCP sessions (ACK/RST set). |
access-list <100-199> deny ip <source> <src-wc> <dest> <dst-wc> | Deny all IP between two ranges. |
Named ACL (standard / extended)
Enter sub-config mode, then add entries (auto-numbered) or edit by sequence number without rebuilding the list. Named ACLs are the preferred modern method.
| Command | What it does |
|---|---|
ip access-list standard <name> | Enter standard named-ACL config mode. |
ip access-list extended <name> | Enter extended named-ACL config mode. |
<sequence> permit <source> <wildcard> | Insert an entry at a specific sequence number (standard). |
permit tcp any host <server-ip> eq 443 | Append an entry (auto-assigned next sequence). |
no <sequence> | Remove a single entry by its sequence number. |
ip access-list resequence <name> <start> <increment> | Renumber all entries (e.g. start 10, step 10) to reopen gaps. |
Apply to Interface or VTY Line
Only ONE ACL per interface, per direction, per protocol. Use 'in' to filter traffic entering the router on that interface, 'out' to filter traffic leaving it.
| Command | What it does |
|---|---|
interface <type/number> | Enter interface config (e.g. GigabitEthernet0/1). |
ip access-group <number|name> in | Apply ACL to inbound traffic on the interface. |
ip access-group <number|name> out | Apply ACL to outbound traffic on the interface. |
line vty 0 4 | Enter VTY line config to restrict remote management. |
access-class <number|name> in | Filter inbound SSH/Telnet sessions to the device (management ACL). |
access-class <number|name> out | Filter outbound sessions originated from the device's VTYs. |
Verification & Counters
Hit counts confirm which lines are matching; check 'show ip interface' to see where an ACL is bound.
| Command | What it does |
|---|---|
show access-lists [<number|name>] | Show all (or one) ACL with per-line match counts. |
show ip access-lists [<number|name>] | Show IPv4 ACLs only. |
show ip interface <type/number> | Show which ACL is applied inbound/outbound on an interface. |
show running-config | include access | Filter the config for ACL definition/apply lines. |
show running-config | section access-list | Print full ACL definition blocks. |
clear access-list counters [<number|name>] | Reset ACL hit counters to zero. |
Frequently asked questions
What's the difference between a standard and an extended ACL, and where do I place each?
A standard ACL (1-99 or 1300-1999) matches the SOURCE address only, so place it as close to the DESTINATION as possible to avoid blocking traffic too broadly. An extended ACL (100-199 or 2000-2699) matches source, destination, protocol, and port, so place it close to the SOURCE to drop unwanted traffic before it crosses the network.
How do I insert or delete one line without rebuilding the whole ACL?
Use a named ACL. Enter 'ip access-list standard|extended <name>', then type a line with an explicit sequence number (e.g. '15 permit host 10.1.1.5') to insert it in order, or 'no <sequence>' to remove just that line. If sequence gaps run out, run 'ip access-list resequence <name> <start> <increment>' to renumber.
Do I need a 'permit any' at the end of my ACL?
Every ACL has an invisible implicit 'deny any' (deny ip any any for extended) as its last line. If your list only contains deny statements, all other traffic is silently dropped — add an explicit 'permit any' (standard) or 'permit ip any any' (extended) at the end to allow the rest.
Stop memorizing — practice on real Cisco IOS
A cheat sheet gets you unstuck; a graded lab makes it stick. Start with the free sample.