How to Configure a Named ACL on Cisco (and Edit It by Sequence Number)
A named ACL does everything a numbered ACL does — top-down matching, first match wins, an implicit deny at the bottom — but it adds two things numbers can't give you: a descriptive name and true line-item editing. Because every entry carries a sequence number, you can slip a new rule in at exactly the right spot, pull a single line out, or renumber the whole list without deleting and retyping it. That editability is the reason most engineers reach for named ACLs by default. This guide builds a named standard ACL and a named extended ACL, applies each to an interface with a direction, verifies it, and then edits it live by sequence number. Every command is real Cisco IOS you can run on a physical router or in a Cisco Modeling Labs (CML) topology.
Part of the Access Control Lists (ACLs) learning hub
Step 1 — Choose standard vs extended, and where to apply it
Before you type anything, decide what you're matching on. A STANDARD ACL matches on the SOURCE IP address only. An EXTENDED ACL matches on protocol, source, destination, and (for TCP/UDP) port — far more precise. If you only need to say "who," use standard; if you need "who, to where, and what service," use extended.
Placement follows from that. Because a standard ACL can only see the source, dropping traffic too early can block more than you intend — the classic rule is to place a standard ACL close to the DESTINATION. An extended ACL is specific enough to drop unwanted traffic near the SOURCE, saving the network from carrying packets that will be discarded anyway. Also know the hard limit: one ACL per interface, per direction, per protocol.
Entering named-ACL configuration mode changes the prompt so you can see which type you're in: `config-std-nacl` for standard, `config-ext-nacl` for extended. The name is case-sensitive and must be unique.
! Standard = filter by SOURCE IP only
R1(config)# ip access-list standard MANAGEMENT
R1(config-std-nacl)#
! Extended = filter by protocol, source, destination, and port
R1(config)# ip access-list extended WEB-FILTER
R1(config-ext-nacl)#Step 2 — Add permit/deny entries (IOS auto-numbers them)
Inside the named ACL, add your permit and deny statements one per line. You do NOT type a sequence number the first time through — IOS assigns them automatically as 10, 20, 30, and so on. That gap of 10 is deliberate: it leaves room to insert new lines later (see Step 5).
Order is policy. The router reads top-down and stops at the FIRST match, so a broad `permit` placed above a specific `deny` will win and the deny below it never runs. Put your most specific rules first. For the standard list below, `permit host 192.168.10.5` matches one host; `permit 192.168.20.0 0.0.0.255` uses a WILDCARD mask (0 = must match, 255 = don't care) to permit the whole /24.
For the extended list, be explicit about the tail. The two `permit tcp ... eq 80/443` lines allow web traffic from 10.1.1.0/24; the trailing `deny ip any any` is optional here because there's already an implicit deny — but writing it makes your intent obvious and, as you'll see in verification, gives you a hit counter for what's being dropped.
R1(config)# ip access-list standard MANAGEMENT
R1(config-std-nacl)# permit host 192.168.10.5
R1(config-std-nacl)# permit 192.168.20.0 0.0.0.255
R1(config-std-nacl)# exit
! IOS auto-numbers the entries 10, 20, 30...
R1# show access-lists MANAGEMENT
Standard IP access list MANAGEMENT
10 permit 192.168.10.5
20 permit 192.168.20.0, wildcard bits 0.0.0.255
! Extended example
R1(config)# ip access-list extended WEB-FILTER
R1(config-ext-nacl)# permit tcp 10.1.1.0 0.0.0.255 any eq 80
R1(config-ext-nacl)# permit tcp 10.1.1.0 0.0.0.255 any eq 443
R1(config-ext-nacl)# deny ip any any
R1(config-ext-nacl)# exitStep 3 — Apply the ACL to an interface with a direction
An ACL does nothing until it's referenced. Bind it to an interface with `ip access-group NAME {in | out}`. Direction is from the ROUTER'S perspective, not the host's: `in` filters packets as they ENTER the interface into the router; `out` filters packets as they LEAVE the interface toward the wire. Filtering inbound is often preferable because the router drops unwanted traffic before spending effort routing it.
Pick the direction that actually sees the traffic you care about. A common mistake is applying `in` on an interface where the traffic you meant to filter is leaving — the ACL is valid but never matches. Apply exactly one ACL per direction; a second `ip access-group ... in` on the same interface replaces the first.
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip access-group MANAGEMENT in
R1(config-if)# exitStep 4 — Verify with show access-lists and show ip interface
`show access-lists` (or `show ip access-lists NAME` for just one) prints each entry WITH its sequence number and a running match counter. Those hit counts are your best troubleshooting tool: if a line you expect to match shows 0 matches while traffic is flowing, either your criteria are wrong or an earlier line is matching first. Use `clear ip access-list counters NAME` to zero them before a test.
`show ip interface` confirms the ACL is actually bound and in which direction — look for the `Inbound access list is ...` and `Outgoing access list is ...` lines. If the interface says the list is "not set," your `ip access-group` never took (wrong interface, or you forgot it).
R1# show access-lists MANAGEMENT
Standard IP access list MANAGEMENT
10 permit 192.168.10.5 (24 matches)
20 permit 192.168.20.0, wildcard bits 0.0.0.255 (5 matches)
R1# show ip interface GigabitEthernet0/1 | include access list
Outgoing access list is not set
Inbound access list is MANAGEMENTStep 5 — Edit live: insert a line by sequence number, delete a line by number
This is the payoff of named ACLs. Re-enter the list's configuration mode and, this time, TYPE the sequence number in front of the entry to control exactly where it lands. Because the auto-numbers left gaps of 10, you can drop a new rule between 10 and 20 by giving it sequence 15. IOS reinserts it in numeric order — you don't retype the rest of the list.
To remove a single entry, use `no` plus its sequence number — `no 20` deletes only line 20 and leaves everything else intact. (This is exactly what a legacy numbered ACL edited with the old `access-list` global command can't do cleanly; more on that in Common problems.) Always re-run `show access-lists` afterward to confirm the entry landed above the deny you care about, not below it.
R1(config)# ip access-list standard MANAGEMENT
! Insert a permit between 10 and 20
R1(config-std-nacl)# 15 permit host 192.168.10.9
! Remove only the entry at sequence 20
R1(config-std-nacl)# no 20
R1(config-std-nacl)# end
R1# show access-lists MANAGEMENT
Standard IP access list MANAGEMENT
10 permit 192.168.10.5
15 permit 192.168.10.9Step 6 — Resequence to open up room again
After a few inserts you can run out of gaps — say your list is now 10, 11, 12, 13 with no space to slot a rule between 11 and 12. `ip access-list resequence` renumbers the whole list in place. The syntax is `ip access-list resequence {name | number} starting-sequence-number increment`, so `... MANAGEMENT 10 10` renumbers the first entry to 10 and steps by 10 (10, 20, 30, ...), restoring clean gaps without changing rule order or behavior.
This is a global-configuration command (not entered from inside the named-ACL mode), and it works for both named and numbered ACLs. It only reassigns numbers — it never reorders your permits and denies — so it's safe to run anytime the numbering gets crowded.
R1(config)# ip access-list resequence MANAGEMENT 10 10
R1(config)# do show access-lists MANAGEMENT
Standard IP access list MANAGEMENT
10 permit 192.168.10.5
20 permit 192.168.10.9Common problems (and the fix)
1) The implicit deny catches everything you didn't permit. Every ACL ends with an invisible `deny any` (standard) / `deny ip any any` (extended). If your list is all permits, everything not listed is silently dropped — including things like DNS or your own management session. Fix: if you intend to allow the remainder, add an explicit `permit any` (standard) or `permit ip any any` (extended) as the LAST line, on purpose. Related surprise: if you apply `ip access-group NAME in` for an ACL that doesn't exist yet, IOS permits ALL traffic (a nonexistent ACL matches nothing, so nothing is denied) — build the ACL before you reference it.
2) Your new line landed at the bottom. If you add a permit/deny inside the named ACL WITHOUT a sequence number, IOS appends it at the next multiple of 10 — the end of the list. If there's a `deny` above it, first-match-wins means your new permit never runs. Fix: give the entry an explicit sequence number (Step 5) so it sits ABOVE the deny, then confirm with `show access-lists`.
3) You tried to edit a numbered ACL the old way and couldn't insert (or wiped the list). The legacy global command `access-list 10 permit ...` only APPENDS, and `no access-list 10` deletes the ENTIRE list, not one line. Fix: prefer named ACLs — or edit the numbered ACL from within its config mode (`ip access-list standard 10`), where modern IOS lets you use the same sequence-number insert/delete you just learned.
4) Right ACL, wrong direction or wrong interface. `ip access-group ... in` where the traffic actually leaves the router (or on a neighboring interface) is a valid config that never matches — the hit counters stay at 0. Fix: reason from the router's point of view, then confirm the binding and direction with `show ip interface` and watch the match counts in `show access-lists`.
5) You used a standard ACL where you needed extended. A standard ACL matches source only, so "block host X from reaching the server but let it reach everything else" is impossible with it — it would block X entirely. Fix: use an extended ACL so you can match source AND destination AND port, and place it near the source per Step 1.
Frequently asked questions
Where do I place a named standard ACL vs a named extended ACL?
A standard ACL matches on source address only, so place it as close to the destination as possible to avoid unintentionally dropping traffic bound elsewhere. An extended ACL matches source, destination, protocol, and ports, so place it close to the source to discard unwanted traffic before it crosses the network. Placement is about the ACL type, not whether it is named or numbered.
Can I edit a numbered ACL by sequence number too, or is that only for named ACLs?
Modern IOS lets you edit numbered ACLs by sequence number as well: enter 'ip access-list standard 10' (or extended) and you drop into the same named-style sub-mode where you can insert or delete individual lines. Sequence-number editing is a feature of the ACL configuration mode, not exclusive to named lists. Naming still helps because a descriptive name is easier to reference than a bare number.
Why is all my traffic blocked right after I applied the ACL?
Every ACL ends with an implicit 'deny any' that is not shown, so if none of your explicit entries match a packet, it is dropped. Confirm you have an explicit permit for the traffic you want, and check the direction because 'in' filters packets entering the interface while 'out' filters packets leaving it. Running 'show access-lists' shows per-line match counts so you can see which entry is actually catching the traffic.
What happens if I apply an ACL name to an interface before I create the ACL?
On Cisco IOS, referencing an ACL with 'ip access-group NAME in/out' when that ACL does not yet exist causes the router to permit all traffic, because an undefined ACL is treated as permit any. This is why applying the ACL before you finish writing its entries can be safe on IOS but is still risky, and once the first entry exists the implicit deny takes effect. Build and verify the entries with 'show access-lists' before you rely on it for security.
Can I apply more than one ACL to the same interface and direction?
No. The rule is one ACL per interface, per direction, per protocol, so you get at most one inbound and one outbound IPv4 ACL on a given interface. If you apply a second ACL in the same direction it simply replaces the first rather than stacking, so combine all your rules into a single named list.
Practice this on graded Cisco labs
Reading is step one — build Access Control Lists (ACLs) on real Cisco IOS and grade your own config, or try a free sample lab first.