An ACL (access control list) is an ordered list of rules that can be applied to an interface to enforce a policy on the traffic passing through it.

There are two main types of ACL:

Standard: usually applied to the outbound interface because it only looks at the source address of the packet. It is usually identified by a number between 1 and 99. It is also possible to give it a name, but the syntax is different.

Extended: usually applied on the inbound interface because it looks at both the source and destination IPs and can stop unnecessary traffic before it crosses the network. It also looks at the protocol and port, so traffic can be restricted or allowed by type of service. It can be identified by a number (between 100 and 199) or by a name, which makes it much easier to manage.

Standard ACL syntax:

access-list 10 permit 192.168.1.9
access-list 10 deny 10.0.0.0 0.0.0.255

Note: 10 is the identifier of the ACL and 0.0.0.255 is the wildcard mask of the network 10.0.0.0 (a 0 bit must match, a 1 bit is ignored); for a single host the wildcard is not necessary.

And apply it to an interface:

interface g0/0
ip access-group 10 out

Extended ACL syntax:

access-list 100 remark Allow HTTP+SSH
access-list 100 permit tcp host 192.168.10.3 host 10.2.2.1 eq 22
access-list 100 permit tcp any any eq 80

ip access-list extended WEB-POLICY
permit tcp 192.168.30.0 0.0.0.255 host 10.1.1.1 eq 80
permit tcp 192.168.30.0 0.0.0.255 209.165.200.224 0.0.0.31 eq 80

Note: 100 and WEB-POLICY are the identifiers of the ACLs. When you specify host you don't have to give the wildcard because it is implied (0.0.0.0), and eq stands for equal and is followed by the port the rule applies to.

Applying to an interface:

interface g0/0
ip access-group 100 out

interface g0/1
ip access-group WEB-POLICY in

Inserting a rule at a specific sequence number (30) in the extended ACL:

ip access-list extended 100
30 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255

Remember! Every ACL ends with a hidden last rule that means DENY EVERYTHING FROM ANY TO ANY (the implicit deny). So, if you want to permit everything else, you have to add this command at the end:

access-list 100 deny icmp any any echo
access-list 100 deny icmp any any echo-reply
access-list 100 permit ip any any

If you want to allow traffic of connections that were already established, meaning the responses to a request, add "established" at the end of the rule:

access-list 100 permit tcp any any established

Note: established can only be used on tcp rules, not on udp or ip, because it matches the ACK or RST flag in the TCP header.

Useful commands (show all ACLs or show only ACL 100):

show access-lists
show access-list 100

Removing a rule or modifying it:

ip access-list extended 100
do show access-list 100
no 30
20 xxxxx

Note: 100 is the identifier of the ACL; 30 and 20 are the sequence numbers of the rule lines listed by the second command. The line no 30 removes only that rule, and 20 followed by a rule adds a rule at position 20.
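As an added example (not part of the original page), here is a small Python model of the sequence-numbered editing shown above and of the "30 permit ..." insertion earlier: entries are keyed by sequence number, unnumbered entries are appended at the last number plus 10 as IOS does, "no 30" removes exactly one entry, an explicit number inserts at that position, and resequencing renumbers the list when there is no room left (IOS has the "ip access-list resequence" command for this). The AclEditor class name and the rule strings are this example's own.

```python
class AclEditor:
    """Model of an ACL's entries keyed by sequence number (evaluation order = ascending seq).
    Hypothetical helper written for this example, not an IOS API."""

    def __init__(self, rules, step=10):
        self.step = step
        self.entries = {}
        for rule in rules:               # initial entries get 10, 20, 30 ... as IOS does
            self.add(rule)

    def add(self, rule, seq=None):
        """'20 permit ...' inserts at 20; a rule without a number is appended at last + step."""
        if seq is None:
            seq = max(self.entries, default=0) + self.step
        if seq in self.entries:          # IOS also rejects a duplicate sequence number
            raise ValueError(f"sequence {seq} already in use: remove it first or resequence")
        self.entries[seq] = rule
        return seq

    def remove(self, seq):
        """'no 30' removes exactly the entry with sequence 30 and nothing else."""
        return self.entries.pop(seq)

    def resequence(self, start=10, step=10):
        """Renumber in order to make room for inserts ('ip access-list resequence NAME start step')."""
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {start + i * step: r for i, r in enumerate(ordered)}
        self.step = step

    def show(self):
        """Listing in evaluation order, like 'do show access-list 100'."""
        return [f"{s} {self.entries[s]}" for s in sorted(self.entries)]


if __name__ == "__main__":
    # Constructed rules: the three entries get 10, 20 and 30.
    acl = AclEditor(["permit tcp any any eq 22", "permit tcp any any eq 80",
                     "permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255"])
    acl.remove(30)                                   # "no 30"
    acl.add("deny tcp any any eq telnet", seq=15)    # "15 deny tcp any any eq telnet"
    print("\n".join(acl.show()))
```

Because evaluation stops at the first match, where a rule lands in this order is what decides the policy; the sequence number is the only handle you have for putting a new rule before an existing one.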

A common error when creating ACL rules is blocking returning traffic. Double-check the return path of every permitted connection to avoid issues.

The following shows how to allow the traffic of already established TCP connections while still blocking new telnet sessions.

access-list 100 permit tcp any any established
access-list 100 deny tcp any any eq telnet

In the example above, ACL 100 is applied inbound on a WAN interface, for example. It blocks new telnet connections coming in, but still allows incoming traffic that belongs to TCP connections already established (which may itself be a telnet session opened from the inside), because the established rule is evaluated first.
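As an added example (not code from the original page), here is a small Python evaluator for the ACL syntax used throughout this page: it parses both the numbered "access-list N ..." form and the named "ip access-list extended NAME" form, applies wildcard masks, host, any, eq and established, evaluates the entries in sequence order with the first match deciding, and falls back to the implicit deny when nothing matches. The configuration it parses is constructed only from rules shown on this page; the Packet fields, the port-name table and the established flag (standing in for a TCP segment with ACK or RST set) are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53}  # assumed subset of IOS names
ANY = ("0.0.0.0", "255.255.255.255")  # "any": address 0.0.0.0 with an all-ones wildcard

@dataclass
class Entry:
    seq: int
    action: str                # "permit" or "deny"
    proto: str                 # "ip" also stands for a standard entry (any protocol)
    src: tuple                 # (address, wildcard mask)
    dst: tuple
    port: int = 0              # destination port from "eq <port>"; 0 = any port
    established: bool = False  # match only TCP segments with ACK or RST set
    icmp_type: str = ""        # e.g. "echo", "echo-reply"; "" = any type

@dataclass
class Packet:                  # packet summary; the fields are this example's assumption
    proto: str
    src: str
    dst: str
    dport: int = 0
    established: bool = False  # True for TCP reply traffic (ACK or RST set)
    icmp_type: str = ""

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard: a 0 bit must match, a 1 bit is ignored (0.0.0.255 = /24)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def _parse_addr(tokens, i):
    """Read the address spec at tokens[i]; return (address, wildcard) and the next index."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":                       # "host" implies wildcard 0.0.0.0
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tokens) and tokens[i + 1].count(".") == 3:
        return (tokens[i], tokens[i + 1]), i + 2  # address followed by its wildcard
    return (tokens[i], "0.0.0.0"), i + 1          # bare address = single host

def parse_acls(config):
    """Parse "access-list N ..." lines and "ip access-list extended NAME" blocks."""
    acls, current = {}, None                      # current = ACL the next rule belongs to
    for tokens in map(str.split, config.splitlines()):
        if not tokens:
            continue
        if tokens[:2] == ["ip", "access-list"]:
            current = tokens[3]
            continue
        if tokens[0] == "access-list":
            current, tokens = tokens[1], tokens[2:]
        entries = acls.setdefault(current, [])
        seq = int(tokens.pop(0)) if tokens[0].isdigit() else 0
        if tokens[0] == "remark":                 # remarks are not rules
            continue
        seq = seq or (entries[-1].seq + 10 if entries else 10)   # IOS appends at last + 10
        if tokens[1] in ("ip", "tcp", "udp", "icmp"):   # extended: proto src dst [options]
            src, i = _parse_addr(tokens, 2)
            dst, i = _parse_addr(tokens, i)
            entry = Entry(seq, tokens[0], tokens[1], src, dst)
            while i < len(tokens):
                if tokens[i] == "eq":
                    entry.port = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
                    i += 1
                elif tokens[i] == "established":
                    entry.established = True
                else:                             # any other keyword: ICMP type
                    entry.icmp_type = tokens[i]
                i += 1
        else:                                     # standard: source address only
            entry = Entry(seq, tokens[0], "ip", _parse_addr(tokens, 1)[0], ANY)
        entries.append(entry)
        entries.sort(key=lambda e: e.seq)         # evaluation order = sequence order
    return acls

def evaluate(entries, p):
    """First matching entry decides; no match hits the implicit deny (seq None)."""
    for e in entries:
        if (e.proto in ("ip", p.proto)
                and wildcard_match(p.src, *e.src) and wildcard_match(p.dst, *e.dst)
                and e.port in (0, p.dport)
                and (p.established or not e.established)
                and e.icmp_type in ("", p.icmp_type)):
            return e.action, e.seq
    return "deny", None

CONFIG = """
access-list 10 permit 192.168.1.9
access-list 10 deny 10.0.0.0 0.0.0.255
access-list 100 remark Allow HTTP+SSH
access-list 100 permit tcp any any established
access-list 100 deny tcp any any eq telnet
access-list 100 deny icmp any any echo
access-list 100 permit ip any any
ip access-list extended WEB-POLICY
 permit tcp 192.168.30.0 0.0.0.255 host 10.1.1.1 eq 80
"""
ACLS = parse_acls(CONFIG)  # constructed config made only of rules shown on this page
```

Running evaluate(ACLS["100"], Packet("tcp", "203.0.113.5", "192.168.10.3", dport=23)) returns ("deny", 20), while the same packet with established=True returns ("permit", 10): the reply half of a connection opened from the inside passes, a new telnet session does not. A packet that matches nothing in WEB-POLICY, such as HTTPS to 10.1.1.1, returns ("deny", None), which is the implicit deny the page warns about.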