IPv4 ACLs Types – Cisco Routers

There are many different ACL types, for example access control lists for IP version 4, IP version 6, IPX, DECnet, AppleTalk, etc. In this lesson we are going to discuss IP version 4 ACLs on Cisco routers. IP version 4 access control lists come in two types: standard access lists and extended access lists.

Standard access-list

Standard access lists permit or deny traffic based only on source addresses. Standard access lists are usually used for server-based filtering. Standard access lists differentiate routes on a network using the IP address; the destination and port of the packet are not evaluated. Standard access lists contain only a list of addresses or address ranges and a statement as to whether access to or from that address is permitted or denied. The command syntax for configuring a standard access list is as follows:

Router1(config)# access-list {1-99} {permit | deny} source-addr [source-wildcard]

  • The range of standard access list numbers is from 1 to 99, so the first value {1-99} specifies the standard ACL number.
  • {permit | deny} specifies whether to permit or deny traffic from the configured source IP address.
  • The third value is the source IP address of the traffic.
  • The last parameter is the wildcard mask applied to the previously configured IP address to indicate the range. We will discuss wildcard masks in detail later.

Extended access lists

Extended access lists permit or deny traffic based on source IPv4 address, destination IPv4 address, protocol type, port number (TCP, UDP, etc.) and other features, and are used for packet-based filtering of packets that traverse the network. The command syntax for configuring an extended numbered IP ACL is:

Router(config)# access-list {100-199 | 2000-2699} {permit | deny} protocol source-addr [source-wildcard] [operator operand] destination-addr [destination-wildcard] [operator operand] [established]

  • Just like standard ACLs, extended ACLs are identified by a number; the range is 100-199 or 2000-2699.
  • {permit | deny} specifies whether to permit or deny traffic matching the criteria that follow.
  • The third value specifies the protocol type (IP, TCP, UDP, and other specific IP sub-protocols).
  • The source IP address and its wildcard mask determine the traffic source.
  • The destination IP address and its wildcard mask indicate the final destination of the network traffic.

When a destination IP address and mask are configured, the port number must be specified; otherwise, all traffic to that destination will be dropped.
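To make the two syntaxes concrete, here is a small Python evaluator, added to this lesson and not taken from Cisco or from the original page, that parses entries written in the numbered form shown above and applies them with the wildcard-mask, first-match and implicit-deny semantics of an IOS ACL. The ACL entries and packets are constructed sample values; the `any` and `host` shorthands and the `eq` port operator are assumed to behave as in IOS.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    return ((_ip(addr) ^ _ip(base)) & ~_ip(wildcard) & 0xFFFFFFFF) == 0

def _parse_addr(tok, i):
    """Parse 'any', 'host A' or 'A [wildcard]' starting at tok[i]; return (base, wc, next_i)."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(tok) and tok[i + 1][0].isdigit():
        return tok[i], tok[i + 1], i + 2
    return tok[i], "0.0.0.0", i + 1      # omitted wildcard means an exact host match

def _parse_port(tok, i):
    """Optional 'eq N' operator (the only operator handled here); return (port or None, next_i)."""
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i

def parse_ace(line):
    """Parse one 'access-list N permit|deny ...' entry into a dict of match fields."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(line)
    number, action = int(tok[1]), tok[2]
    if 1 <= number <= 99:                # standard ACL: source address only
        src, swc, _ = _parse_addr(tok, 3)
        return dict(action=action, proto="ip", src=src, swc=swc, sport=None,
                    dst="0.0.0.0", dwc="255.255.255.255", dport=None)
    proto = tok[3]                       # extended ACL (100-199, 2000-2699)
    src, swc, i = _parse_addr(tok, 4)
    sport, i = _parse_port(tok, i)
    dst, dwc, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i)
    return dict(action=action, proto=proto, src=src, swc=swc, sport=sport,
                dst=dst, dwc=dwc, dport=dport)

def evaluate(acl_lines, proto, src, dst, sport=None, dport=None):
    """First matching entry wins; every ACL ends with an implicit 'deny any'."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        if wildcard_match(src, ace["src"], ace["swc"]) and wildcard_match(dst, ace["dst"], ace["dwc"]):
            return ace["action"]
    return "deny"

# Constructed sample ACLs: a standard list blocking one host but allowing its /24,
# and an extended list allowing only HTTP from 10.0.0.0/24 to a single web server.
STANDARD = ["access-list 10 deny 192.168.1.5",
            "access-list 10 permit 192.168.1.0 0.0.0.255"]
EXTENDED = ["access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 172.16.0.10 eq 80",
            "access-list 101 deny ip any any"]
```

Running `evaluate(STANDARD, "ip", "192.168.2.20", "10.1.1.1")` returns "deny" even though no entry names that source, which is the implicit deny at the end of every ACL.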

Note: Access lists use deny or permit statements to allow or deny packet entry into a server or network.