Home | Access Control Lists Overview | 10 Things to know about ACLs | Adding Remarks
ACL Tutorial with Q&A | Demystifying ACLs | ACL Wildcards
ACL PowerPoint 1 | ACL PowerPoint 2 | Cisco ACL paper

The Anatomy of Access Lists

The Standard IP Access List

List # Rule Pattern Definition
Source Address Wild Card Mask
access-list nn permit or deny ccc.ccc.ccc.ccc
Allowed Range for Standard List is 1-99 Specify the nature of this line:
permit or deny
The IP address of the source of the packet This mask must be applied to the source to determine which bits are significant. 
0 in the mask is apply
1 in the mask is ignore (AKA inverse mask)

The Extended IP Access List

Note: Shaded sections below are optional. They are used only when the protocol specified is TCP or UDP.
List # Rule Pattern Definition
Protocol Source Address Source Mask Destination Address Destination Mask Operator Port#
access-list nnn permit or deny see below sss.sss.sss.sss ccc.ccc.ccc.ccc ttt.ttt.ttt.ttt rrr.rrr.rrr.rrr see below (TCP or UDP) ppp (TCP or UDP)
Allowed Range is 100-199 Choose one only ICP, ICMP, TCP, UDP, etc. IP address of packet’s source 0 = apply
1 = ignore
IP address of packet’s destination 0 = apply
1 = ignore
eq for =
gt for >
lt for <
neq for 1
see port table below

Common Port Numbers Filtered Using IP Extended Access Lists

Protocol Port Number Protocol Name
TCP 20 File Transfer Protocol (FTP) data
TCP 21 File Transfer Protocol (FTP) program
TCP 23 Telnet
TCP 25 Simple Mail Transfer Protocol (SMTP)
UDP 53 Domain Name Service (DNS)
UDP 69 Trivial File Transfer Protocol (TFTP)
TCP 80 Hypertext Transfer Protocol (HTTP)
UDP 161, 162 Simple Network Management Protocol (SNMP)

Protocols With Access Lists

Specified By Numbers
Protocol Range
IP Standard 1 to 99
XNS 400 to 499
Extended XNS 500 to 599
AppleTalk 600 to 699
IPX Standard 800 to 899
IPX Extended 900 to 999
IPX SAP 1000 to 1099
Standard VINES 1 to 100
Extended VINES 101 to 200
Simple VINES 201 to 300