Back to Command Reference
Global ConfigDomain 7.0

access-list

Declares a sequential rule within a numbered Access Control List (ACL). ACLs match traffic patterns by examining layer 3 packet headers, enabling administrators to either block threats at the border or permit specific blocks for operations like Network Address Translation (NAT).

Quick Reference

Execution ModeRouter(config)#
Standard ACL Range1–99 and 1300–1999
Extended ACL Range100–199 and 2000–2699
Processing LogicTop-Down matching with Implicit Deny

Standard Syntax Breakdown

access-list [1-99] [permit | deny] [source-ip] [wildcard-mask]

A Standard ACL is limited to looking only at the source IPv4 address of an incoming packet. It cannot inspect ports, protocols, or destination boundaries.

Like OSPF network statements, ACL statements rely entirely on wildcard masks (inverse masks) to define address block boundaries. The keywords host (wildcard 0.0.0.0) and any (wildcard 255.255.255.255) are available as shorthand options to clean up code strings.

CLI Deployment Scenarios

Scenario 1: Standard Host Filtering

You need to create a list that permits a single administrative workstation to pass while dropping everyone else from a management network segment.

Router(config)# access-list 1 permit host 10.20.30.50
! Note: An implicit deny matches everything else automatically.
Router(config)# interface g0/0
Router(config-if)# ip access-group 1 in

CCNA Exam Gotchas

[!]

The Invisible "Implicit Deny" Trap

Every access list built inside Cisco IOS terminates with an invisible, permanent rule: deny any. If you write a list containing only a single entry like access-list 10 deny host 192.168.1.5, applying this list to an interface will **instantly drop 100% of all traffic** trying to traverse that port. You must have at least one permit statement.

[!]

Standard vs. Extended Placement Rules

Memorize this placement rule for the design portion of the exam:
• **Standard ACLs:** Place as **close to the destination** as possible. Because they lack destination parsing, putting them too early will break access to valid downstream routes.
• **Extended ACLs:** Place as **close to the source** as possible to drop blocked packets immediately and preserve network core bandwidth.