InfraRunBook

    Cisco ACL Configuration: Standard, Extended, Named, and Time-Based Access Lists on IOS/IOS-XE

    Cisco
    Published: Mar 9, 2026
    Updated: Mar 9, 2026

    Complete run book for configuring Cisco IOS/IOS-XE Access Control Lists — standard, extended, named, and time-based ACLs with production CLI examples, interface application, verification commands, and iACL hardening.


    Introduction

    Access Control Lists (ACLs) are one of the most fundamental security and traffic-control tools on Cisco IOS/IOS-XE devices. They filter packets based on IP address, protocol, port, or time of day — applied to interfaces, VTY lines, route-maps, and QoS policies. This run book covers Standard, Extended, Named, and Time-Based ACLs with production-ready examples.

    ACL Types Overview

    • Standard ACL (1–99, 1300–1999) — matches source IP only
    • Extended ACL (100–199, 2000–2699) — matches source/destination IP, protocol, port
    • Named ACL — standard or extended, referenced by name; supports editing individual entries by sequence number
    • Time-Based ACL — extended ACL entries active only during a defined time-range

    Standard ACL — Configuration

    Standard ACLs filter on source IP only. Place them as close to the destination as possible.

    ! Permit only the infrarunbook management subnet
    access-list 10 permit 10.10.10.0 0.0.0.255
    access-list 10 deny   any log
    
    ! Apply inbound on VTY lines (restrict SSH access)
    line vty 0 15
     access-class 10 in
     transport input ssh

    Extended ACL — Configuration

    Extended ACLs match source IP, destination IP, protocol, and port. Place them as close to the source as possible.

    ! Block Telnet, permit HTTPS to infrarunbook web servers
    access-list 110 deny   tcp any any eq 23 log
    access-list 110 permit tcp any host 10.10.20.10 eq 443
    access-list 110 permit tcp any host 10.10.20.11 eq 443
    access-list 110 permit tcp any any established
    access-list 110 permit icmp any any
    access-list 110 deny   ip any any log
    
    ! Apply to WAN-facing interface
    interface GigabitEthernet0/0/0
     description WAN
     ip access-group 110 in

    Named ACL — Standard

    Named ACLs allow descriptive names and support per-entry deletion using sequence numbers.

    ip access-list standard MGMT-ACCESS
     10 permit 10.10.10.0 0.0.0.255
     20 permit 172.16.0.0 0.0.255.255
     30 deny   any log
    
    line vty 0 15
     access-class MGMT-ACCESS in

    Named ACL — Extended

    ip access-list extended INFRA-FILTER
     10 remark Deny Telnet
     20 deny   tcp any any eq 23 log
     30 remark Deny SNMP from untrusted hosts
     40 deny   udp any any eq 161 log
     50 remark Permit DNS to solvethenetwork resolvers
     60 permit udp any host 10.10.1.53 eq 53
     70 permit udp any host 10.10.1.54 eq 53
     80 permit tcp any any eq 80
     90 permit tcp any any eq 443
     100 permit ip any any
    
    interface GigabitEthernet0/0/1
     description LAN
     ip access-group INFRA-FILTER in

    Editing Named ACL Entries

    Unlike numbered ACLs, named ACL entries can be deleted individually by sequence number.

    ! Delete a specific entry
    ip access-list extended INFRA-FILTER
     no 40
    
    ! Insert a new entry between existing entries
    ip access-list extended INFRA-FILTER
     65 permit udp any host 10.10.1.55 eq 53
    
    ! Resequence if entries are crowded
    ip access-list resequence INFRA-FILTER 10 10

    Time-Based ACL

    Time-based ACLs restrict access to certain hours. They rely on the router clock, so NTP is required for accurate time.

    ! Define time range (business hours Mon-Fri)
    time-range BUSINESS-HOURS
     periodic weekdays 08:00 to 18:00
    
    ! Reference in extended ACL
    ip access-list extended TIME-RESTRICTED
     10 permit tcp 10.10.10.0 0.0.0.255 any eq 443 time-range BUSINESS-HOURS
     20 deny   tcp 10.10.10.0 0.0.0.255 any eq 443 log
     30 permit ip any any
    
    interface GigabitEthernet0/0/1
     ip access-group TIME-RESTRICTED in

    Infrastructure ACL (iACL) — Protect the Router

    Apply an ACL to protect the router control plane — permit only required protocols and management access, deny everything else destined for the router itself.

    ! Repeat the deny for every router-owned address; the final permit lets transit traffic through
    ip access-list extended iACL-PROTECT-RP
     10 remark Permit iBGP from known peers
     20 permit tcp host 10.0.0.1 host 10.0.0.2 eq 179
     30 permit tcp host 10.0.0.1 eq 179 host 10.0.0.2
     40 remark Permit OSPF
     50 permit ospf 10.10.0.0 0.0.255.255 any
     60 remark Permit SSH from mgmt subnet only
     70 permit tcp 10.10.10.0 0.0.0.255 any eq 22
     80 remark Permit NTP
     90 permit udp host 10.10.1.10 any eq 123
     100 deny ip any host 10.0.0.2 log
     110 remark Transit traffic is not destined to the router - without this permit the implicit deny drops it
     120 permit ip any any
    
    interface GigabitEthernet0/0/0
     ip access-group iACL-PROTECT-RP in

    ACL on VTY Lines

    ip access-list standard VTY-ALLOW
     10 permit 10.10.10.0 0.0.0.255
     20 deny any log
    
    line vty 0 15
     access-class VTY-ALLOW in
     transport input ssh
     exec-timeout 10 0

    Verification Commands

    ! Show all ACLs with hit counters
    show ip access-lists
    
    ! Show a specific ACL
    show ip access-lists INFRA-FILTER
    
    ! Show ACLs applied to an interface
    show ip interface GigabitEthernet0/0/1 | include access list
    
    ! Show time-range status
    show time-range
    
    ! Clear hit counters
    clear ip access-list counters INFRA-FILTER

    Wildcard Mask Reference

    • 0.0.0.0 — exact host (same as the host keyword)
    • 0.0.0.255 — any host in a /24
    • 0.0.255.255 — any host in a /16
    • 255.255.255.255 — any host (same as the any keyword)

    Common Mistakes

    • Applying a Standard ACL near the source — blocks too much traffic unintentionally
    • Forgetting the implicit deny any — add an explicit deny any log to see drops
    • Not using established for return TCP traffic in inbound extended ACLs
    • Using numbered ACLs in production — named ACLs are easier to manage and edit
    • Removing an ACL from config while it is still applied to an interface — on IOS an interface that references an undefined ACL passes all traffic, so the filter silently fails open
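    As an added example (not part of this run book or of Cisco IOS), the following Python models the matching rules the wildcard reference and the mistakes list above describe: wildcard-mask matching with a contiguity check, first-match evaluation, the established keyword, and the implicit deny. It parses only the subset of named-ACL syntax used on this page (eq is the only port operator, and a time-range keyword is ignored, i.e. treated as always active); the WAN_IN sample is this page's ACL 110 rewritten in named form.

```python
import ipaddress

def wildcard_to_prefixlen(wildcard):
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # 0.0.255.0 and the like are not contiguous: reject them
        raise ValueError("non-contiguous wildcard mask: " + wildcard)
    return 32 - w.bit_length()  # 0.0.0.255 -> 24, 0.0.0.0 -> 32, 255.255.255.255 -> 0

def wildcard_match(addr, base, wildcard):
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)  # a 1 bit in the wildcard means "don't care"

def _addr(tokens):  # 'any', 'host X' or 'X WILDCARD' -> (base, wildcard), remaining tokens
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    base, wild = (tokens[1], "0.0.0.0") if tokens[0] == "host" else (tokens[0], tokens[1])
    return (base, wild), tokens[2:]

def _port(tokens):  # optional 'eq PORT'; other operators (gt, range, ...) are not handled
    return (int(tokens[1]), tokens[2:]) if tokens[:1] == ["eq"] else (None, tokens)

def parse_acl(text):
    """Parse '<seq> permit|deny <proto> <src> [eq P] <dst> [eq P] [established] [log]' lines."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[1] == "remark":  # remarks carry no match logic
            continue
        src, rest = _addr(t[3:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        aces.append({"seq": int(t[0]), "action": t[1], "proto": t[2], "src": src, "sport": sport,
                     "dst": dst, "dport": dport, "established": "established" in rest})
    return sorted(aces, key=lambda a: a["seq"])

def evaluate(aces, proto, src, dst, sport=None, dport=None, ack=False):
    for a in aces:  # first match wins, exactly as IOS walks the ACL
        if (a["proto"] in ("ip", proto)
                and wildcard_match(src, *a["src"]) and wildcard_match(dst, *a["dst"])
                and a["sport"] in (None, sport) and a["dport"] in (None, dport)
                and (ack or not a["established"])):  # established = ACK or RST bit set
            return a["action"], a["seq"]
    return "deny", None  # the implicit deny ip any any: nothing matched, packet dropped

WAN_IN = parse_acl(  # constructed sample: this run book's ACL 110 in named-ACL form
    """10 deny tcp any any eq 23 log
20 permit tcp any host 10.10.20.10 eq 443
30 permit tcp any any established
40 permit icmp any any""")
```

    A result of ("deny", None) is the case the mistakes list warns about: the packet was dropped by the implicit deny and, on a real router, nothing would have been logged.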

    Frequently Asked Questions

    What is the difference between a standard and extended ACL?

    Standard ACLs (1–99) match only on source IP. Extended ACLs (100–199) match on source IP, destination IP, protocol, and port numbers — providing far more granular filtering.

    Where should I apply a standard ACL?

    As close to the destination as possible. Since standard ACLs only match source IP, applying them near the source would block that source from reaching all destinations, not just the intended one.

    Where should I apply an extended ACL?

    As close to the source as possible. Extended ACLs can match destination and port specifically, so you can block only the unwanted traffic early without affecting other flows.

    Can I edit individual entries in a numbered ACL?

    No. Numbered ACLs require you to delete and recreate the entire list. Use named ACLs in all production environments — they support per-entry deletion by sequence number.

    What does the wildcard mask 0.0.0.255 mean?

    A wildcard mask is the inverse of a subnet mask. 0.0.0.255 means the first three octets must match exactly and the last octet can be anything — equivalent to matching a /24 subnet.

    Why is there an implicit deny at the end of every ACL?

    Cisco IOS appends an invisible deny ip any any. If no ACE matches a packet it is dropped silently. Always add an explicit deny any log as the last entry so drops appear in syslog.

    What does the established keyword do?

    It matches TCP packets that have the ACK or RST bit set — meaning they belong to an already-established TCP session. Use it in inbound ACLs on external interfaces to permit return traffic for sessions initiated from inside.

    How do time-based ACLs work without NTP?

    They use the router's local clock, which can drift over time. Without NTP synchronisation the ACL may activate or deactivate at incorrect times. Always configure NTP before deploying time-based ACLs.

    Can ACLs be applied in both inbound and outbound directions?

    Yes. Use ip access-group NAME in for inbound and ip access-group NAME out for outbound. Only one ACL per direction per interface is permitted.

    What is an infrastructure ACL (iACL)?

    An iACL filters traffic destined to the router's own IP addresses to protect the control plane. It permits required routing protocols, SSH from management subnets, and NTP, then denies all other traffic destined for the router itself — a critical hardening step for edge and core routers.

    How do I remove an ACL from an interface without deleting it?

    Use the no form: no ip access-group INFRA-FILTER in. The ACL definition remains in the configuration and can be re-applied later.

    Can I use ACLs to restrict SNMP access?

    Yes. Define a standard ACL permitting only your NMS server IPs, then reference it: snmp-server community infrarunbook-ro RO SNMP-ALLOW, where SNMP-ALLOW is the ACL name.

