Cheat sheet

Access Control List (ACL) Cheat Sheet

Quick reference for building, applying, and verifying IPv4 access control lists on Cisco IOS/IOS-XE. Covers standard, extended, and named ACLs with placement rules for CCNA/CCNP practice. Every ACL ends with an implicit deny — add an explicit permit if you filter by deny.

Standard Numbered ACL (1-99, 1300-1999)

Matches SOURCE address only, so place it near the DESTINATION. Wildcard is an inverse mask (0=match, 1=ignore): /24=0.0.0.255, /26=0.0.0.63, /30=0.0.0.3. 'host <ip>'=0.0.0.0; 'any'=0.0.0.0 255.255.255.255.

CommandWhat it does
access-list <1-99> permit <source> <wildcard>Permit a source network/host range.
access-list <1-99> deny <source> <wildcard>Deny a matching source.
access-list <1-99> permit host <source-ip>Match one host ('host' = wildcard 0.0.0.0).
access-list <1-99> permit anyMatch every source address.
access-list <1-99> deny <source> <wildcard> logDeny and log matches to console/syslog.
access-list <1-99> remark <text>Add a descriptive comment line.
no access-list <1-99>Delete the entire numbered ACL.

Extended Numbered ACL (100-199, 2000-2699)

Matches source, destination, protocol, and port — filter granularly and place it near the SOURCE to drop unwanted traffic early. Port keywords: eq 22 (SSH), eq 23 (telnet), eq 80 (HTTP), eq 443 (HTTPS), eq 53 (DNS).

CommandWhat it does
access-list <100-199> permit <protocol> <source> <src-wc> <dest> <dst-wc>Match a protocol (ip/tcp/udp/icmp) from source to destination.
access-list <100-199> permit tcp <source> <src-wc> <dest> <dst-wc> eq <port>Permit TCP to a specific destination port.
access-list <100-199> permit tcp any host <server-ip> eq 22Allow SSH to a server from anywhere.
access-list <100-199> permit tcp any host <server-ip> eq 443Allow HTTPS to a server.
access-list <100-199> permit udp <source> <src-wc> <dest> <dst-wc> eq 53Allow DNS queries to a resolver.
access-list <100-199> permit tcp <source> <src-wc> <dest> <dst-wc> establishedPermit return traffic of existing TCP sessions (ACK/RST set).
access-list <100-199> deny ip <source> <src-wc> <dest> <dst-wc>Deny all IP between two ranges.

Named ACL (standard / extended)

Enter sub-config mode, then add entries (auto-numbered) or edit by sequence number without rebuilding the list. Named ACLs are the preferred modern method.

CommandWhat it does
ip access-list standard <name>Enter standard named-ACL config mode.
ip access-list extended <name>Enter extended named-ACL config mode.
<sequence> permit <source> <wildcard>Insert an entry at a specific sequence number (standard).
permit tcp any host <server-ip> eq 443Append an entry (auto-assigned next sequence).
no <sequence>Remove a single entry by its sequence number.
ip access-list resequence <name> <start> <increment>Renumber all entries (e.g. start 10, step 10) to reopen gaps.

Apply to Interface or VTY Line

Only ONE ACL per interface, per direction, per protocol. Use 'in' to filter traffic entering the router on that interface, 'out' to filter traffic leaving it.

CommandWhat it does
interface <type/number>Enter interface config (e.g. GigabitEthernet0/1).
ip access-group <number|name> inApply ACL to inbound traffic on the interface.
ip access-group <number|name> outApply ACL to outbound traffic on the interface.
line vty 0 4Enter VTY line config to restrict remote management.
access-class <number|name> inFilter inbound SSH/Telnet sessions to the device (management ACL).
access-class <number|name> outFilter outbound sessions originated from the device's VTYs.

Verification & Counters

Hit counts confirm which lines are matching; check 'show ip interface' to see where an ACL is bound.

CommandWhat it does
show access-lists [<number|name>]Show all (or one) ACL with per-line match counts.
show ip access-lists [<number|name>]Show IPv4 ACLs only.
show ip interface <type/number>Show which ACL is applied inbound/outbound on an interface.
show running-config | include accessFilter the config for ACL definition/apply lines.
show running-config | section access-listPrint full ACL definition blocks.
clear access-list counters [<number|name>]Reset ACL hit counters to zero.

Frequently asked questions

What's the difference between a standard and an extended ACL, and where do I place each?

A standard ACL (1-99 or 1300-1999) matches the SOURCE address only, so place it as close to the DESTINATION as possible to avoid blocking traffic too broadly. An extended ACL (100-199 or 2000-2699) matches source, destination, protocol, and port, so place it close to the SOURCE to drop unwanted traffic before it crosses the network.

How do I insert or delete one line without rebuilding the whole ACL?

Use a named ACL. Enter 'ip access-list standard|extended <name>', then type a line with an explicit sequence number (e.g. '15 permit host 10.1.1.5') to insert it in order, or 'no <sequence>' to remove just that line. If sequence gaps run out, run 'ip access-list resequence <name> <start> <increment>' to renumber.

Do I need a 'permit any' at the end of my ACL?

Every ACL has an invisible implicit 'deny any' (deny ip any any for extended) as its last line. If your list only contains deny statements, all other traffic is silently dropped — add an explicit 'permit any' (standard) or 'permit ip any any' (extended) at the end to allow the rest.

Stop memorizing — practice on real Cisco IOS

A cheat sheet gets you unstuck; a graded lab makes it stick. Start with the free sample.