4 Cisco access control list examples

In four examples, we will configure four access control lists, covering both standard and extended access lists, that block different types of traffic.

Example 1

Standard access list example

Blocking PC2 from accessing the network

Only PC2 must be blocked; PC0 should still be able to access the network.

To configure the access list, we will use the following commands:

Router(config)#access-list 1 deny

Router(config)#access-list 1 permit any

Next, the access list is assigned to interface FA 1/0 in the inbound direction.

After the configuration, PC2 should be blocked from the network; however, this PC must still be able to ping PC0.

Download this lab to test the configuration.

Example 2

Standard access list for blocking PC2 from establishing a telnet connection with the router

VTY lines are configured on the router and the password is Cisco.

The other two PCs should be able to connect to the router using the telnet protocol.

We can use the previously used commands to achieve the expected results. To block telnet access, we have to create a named standard access list and assign it to the VTY lines using the following command.

Router(config-line)#access-class ping in

We cannot assign a numbered access list on the Telnet line as it only allows a named access list.

Download this lab to test the configuration; PC2 cannot use telnet while the other computers can telnet successfully.

Example 3

Extended access list to block internet access


The extended access list has the capability to allow or deny traffic based on the port number, so we will create an access list to block internet traffic.

Whenever we use the internet, the request is sent to the HTTP server on port 80, so to block internet access we have to block traffic destined for port 80 using the access list.

PC3 should be blocked from accessing the internet or any other web server on the internal network.

Commands to configure the extended access list:

Router(config)#ip access-list extended 100

Router(config-ext-nacl)#deny tcp host any eq www

Router(config-ext-nacl)#permit ip any any

After creating the access list and assigning it to the router's interface, we can test it by generating HTTP traffic.

We can use the traffic generation tool available on the PC to generate traffic.

After generating the traffic, we verify that the access list is working as required and blocking the web traffic.

As seen in the output below, the access list has blocked the HTTP traffic from PC3:

Extended IP access list 100

10 deny tcp host any eq www (20 match(es))

20 permit ip any any (19 match(es))

Example 4

Named extended access list to block only ICMP traffic


In a standard access list, if we want to block traffic, then all traffic from one host to another is blocked; however, an extended access list allows us to choose the traffic that we would like to block. For example, in this lab PC3 will not be able to ping the server, but it will still be able to access the web service.

Commands to use:

Router(config)#ip access-list extended Block-ICMP

Router(config-ext-nacl)#deny icmp host host

Router(config-ext-nacl)#permit ip any any

Once the access list is applied to the interface, it will block the ICMP packets sent from PC3 while all other traffic is allowed.

Extended IP access list Block-ICMP

10 deny icmp host host (8 match(es))

20 permit ip any any (2 match(es))

Download this lab and try pinging the server: you will see a destination host unreachable error; however, you can still use the other services provided by the server.

Try using the web service, it will work fine.
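As an added example (not part of the original lab and not Cisco IOS code), the following Python evaluator models how the standard and extended entries in the four examples above are processed: top-down first match, a per-entry match counter like the one shown by show access-lists, and the implicit deny at the end of every list. The PC and server addresses used in the test entries are constructed placeholders, since the lab's addresses are not shown here.

```python
# Added example: a small evaluator for Cisco-style ACL entries (not IOS code).
import ipaddress

PORT_NAMES = {"www": 80, "telnet": 23}   # port keywords used on this page

def parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' at tokens[i].
    Returns ((network, mask), next_index) with both as 32-bit integers."""
    t = tokens[i]
    if t == "any":
        return (0, 0), i + 1
    if t == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    net = int(ipaddress.IPv4Address(t))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net & ~wildcard & 0xFFFFFFFF, ~wildcard & 0xFFFFFFFF), i + 2

def parse_entry(line):
    """Parse one ACE, standard ('deny host X') or extended ('deny tcp host X any eq www')."""
    tok = line.split()
    action, port = tok[0], None
    if tok[1] in ("ip", "tcp", "udp", "icmp"):      # extended: protocol, src, dst, [eq port]
        proto = tok[1]
        src, i = parse_addr(tok, 2)
        dst, i = parse_addr(tok, i)
        if i < len(tok) and tok[i] == "eq":
            port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    else:                                             # standard: source address only
        proto = "ip"
        src, _ = parse_addr(tok, 1)
        dst = (0, 0)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port, "matches": 0}

def in_range(addr, ip):
    net, mask = addr
    return (int(ipaddress.IPv4Address(ip)) & mask) == net

def evaluate(acl, src, dst, proto, dport=None):
    """Top-down first match, as IOS does; no match means the implicit deny at the end."""
    for e in acl:
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not in_range(e["src"], src) or not in_range(e["dst"], dst):
            continue
        if e["port"] is not None and e["port"] != dport:
            continue
        e["matches"] += 1                          # the counter seen in 'show access-lists'
        return e["action"]
    return "deny"
```

Feeding the same HTTP, HTTPS and ICMP packets through the list for example 3 shows why only the web traffic from the blocked PC hits entry 10 while everything else falls through to entry 20.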
