Extended Access-List example on Cisco Router

Hi Rene,
I have a question regarding ACLs. I have VLAN 2 on an L3 core switch. I would like to use an ACL to block only a single IP in the range from accessing the Internet. But I want this IP to be able to access all other VLANs we have on our core (we have more than 10 VLANs). The core switch has a default route pointing to the firewall via VLAN 3.

L3 core switch —using VLAN 3-----Firewall----Internet

ip access-list block-internet
10 deny ip host host (Firewall Interface)
20 permit ip any any
interface vlan 10
ip access-group block-internet in

It did not work. What is the proper way to do it? Any ideas? Thanks in advance.

Hello Bruce,

Think of the destination IP address when that host sends traffic to something on the Internet. It’s not the IP address of the default gateway, but the IP address of whatever device on the Internet tries to reach.

If you want to make sure that can only reach destinations in your VLANs but not go out to the Internet, you first need to permit traffic to those VLANs. For example:

permit ip host
permit ip host
permit ip host

Then deny all other traffic:

deny ip host any

Then permit everything else if this doesn’t apply to other devices in the subnet:

permit ip any any

If you can’t summarize the subnet addresses of your VLANs, and the number of VLANs might change sometimes, then it’s not a bad idea to use an object-group in your ACL:

This example is for the ASA but it’s pretty much the same for Cisco IOS.

Hope this helps!


Hi Rene,

Thank you so much for your reply. That is exactly what I need. But I am just curious: if I only block the traffic on TCP ports 80 and 443, is it gonna work? Thank you.

deny tcp host any eq www
deny tcp host any eq 443
permit ip any any

Hello Bruce

The access list entries that you have provided will block traffic with the following characteristics:

  1. A source IP address of
  2. Any source port
  3. Any destination IP address
  4. Specific destination ports 80 and 443.

So the access list will block any attempts of the host to access an HTTP or HTTPS server.

I hope this has been helpful!
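The ordering Rene and Laz describe, as an added Python example that is not part of this thread: a small evaluator for Cisco-style extended ACL entries (first match wins, implicit deny at the end), run over the three ACL variants discussed above. All addresses are constructed stand-ins for the ones the posts refer to.

```python
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional


class Packet(NamedTuple):
    proto: str                 # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


class Entry(NamedTuple):
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol, as in IOS
    src: str                   # "any", "host A.B.C.D" or a CIDR prefix
    dst: str
    eq: Optional[int] = None   # destination port, i.e. "eq 80"


def addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(addr) == ip_address(spec.split()[1])
    return ip_address(addr) in ip_network(spec, strict=False)


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Action of the first matching entry; implicit deny if nothing matches."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (addr_match(e.src, pkt.src) and addr_match(e.dst, pkt.dst)):
            continue
        if e.eq is not None and e.eq != pkt.dport:
            continue
        return e.action
    return "deny"


# Constructed addresses: the host to restrict, the firewall's VLAN 3 interface,
# a host on the Internet, and three of the internal VLANs.
HOST, FW_IF, INTERNET = "10.2.0.50", "10.3.0.1", "203.0.113.10"
VLANS = ["10.2.0.0/24", "10.3.0.0/24", "10.4.0.0/24"]

# First attempt: only packets *addressed to* the firewall interface are denied,
# but an Internet-bound packet carries the remote host as its destination.
ORIGINAL = [Entry("deny", "ip", f"host {HOST}", f"host {FW_IF}"),
            Entry("permit", "ip", "any", "any")]
# Permit the internal VLANs first, then deny the host everything else, then
# permit the remaining hosts of the subnet.
FIXED = [Entry("permit", "ip", f"host {HOST}", v) for v in VLANS] + [
    Entry("deny", "ip", f"host {HOST}", "any"), Entry("permit", "ip", "any", "any")]
# Denying only TCP 80/443 leaves every other destination port open.
WEB_ONLY = [Entry("deny", "tcp", f"host {HOST}", "any", 80),
            Entry("deny", "tcp", f"host {HOST}", "any", 443),
            Entry("permit", "ip", "any", "any")]
```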


Hello Rene/Laz,
I apologize because my question may not be completely relevant to the topic. However, I would really like to get some help if possible.

Would you please provide me a template for a border inbound ACL at the Internet WAN router on the WAN interface? So far this is what I have found. Please let me know if I am missing anything.

ip access-list extended INBOUND
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
deny icmp any any
deny ip any
deny ip 172.16..0.0 any
deny ip any
deny ip any
deny ip host any
permit ip any any

Thank you in advance.

Hello AZM

It’s a good start and you cover most of the issues that can affect the edge. You will also need to examine your network and see what additional traffic you can deny, that is, traffic that you know is invalid for your network. For example, if you will never have an FTP session initiated from the Internet to an internal host, you can block that particular port as well.

Take a look at this Cisco documentation that describes best practices for ACLs at the edge, as they are the first line of defense of your network:

I hope this has been helpful!


How would the ACL configuration be if I had three hosts (, .2, .3) on VLAN 10, which currently resides on Fa0/1, that need HTTP access to a host ( on VLAN 30 on Fa2/1?

Hello Liam

First you would create the ACL that matches the traffic that you need. I’m making the following assumptions:

  • you want the three hosts on VLAN 10 to have web access to the host on VLAN 30
  • you want to deny access from the three hosts on VLAN 10 to any other service on the host on VLAN 30
  • you want to deny access from the three hosts on VLAN 10 to any other host on VLAN 30
  • you want to deny access from any other host on VLAN 10 to any other host on VLAN 30

I’m making these assumptions because, if you don’t have any access lists at all, the default behaviour of the network is to allow these hosts to have access to the web host. So essentially, you want to allow the connectivity you describe, but deny everything else.

Having said that, the ACL will look something like this:

ip access-list extended my_list
 10 permit tcp host host eq 80
 20 permit tcp host host eq 80
 30 permit tcp host host eq 80

You would need to specify each individual host in order to achieve what you want. You don’t require any additional configurations since any packets that don’t match the access list will be denied.

Next, you must apply this to an interface. When applying extended access lists, it is best practice to place them as close as possible to the source. So the best place to employ this access list is at the Fa0/1 interface.

I hope this has been helpful!


Hello Laz,

I executed the following commands on a Cisco router.

debug ip packet 101 detail
access-list 101 permit tcp any any

I was expecting all the TCP packets to be logged.
But I did not see any logs.
Are these the right commands to log messages?


Hi Sachin,
If you are connected to this Cisco router using telnet/ssh, do not forget to enable:
Device# terminal monitor

Also check whether you are really logging the required severity level. By default “debug” is logged, but you can check it by executing the show command:
Device# show logging

The next thing is that logging works only on packets that are generated by the router itself and on packets that are destined to the router itself; other packets are CEF switched.
Logging itself works only on process-switched packets. To make all packets process switched on a transit router, just disable CEF on it:
Device(config)# no ip cef

So if you have for example this topology:

  (R1) ––––––––– (R2) ––––––––– (R3)
Loopback0                     Loopback0

Imagine that R1 and R3 have loopbacks configured. If you want to ping from the R1 loopback to the R3 loopback, then the transit router is R2. Thus on R2 you should do this configuration:

R2(config)# no ip cef
R2(config)# logging monitor debugging
R2(config)# access-list 100 permit icmp host host
R2(config)# end
R2# terminal monitor
R2# debug ip packet 100 detail
IP packet debugging is on (detailed) for access list 100

Now when you are connected over telnet/ssh to R2 and R1 sends a ping to the R3 loopback sourced from R1’s own loopback, you should see it in the debug on R2.

There is a lesson for it that you definitely want to check out:

Hello Sachin

You can enable logging on packets that are examined by an access list by adding the “log” keyword at the end of the access list statement. Any packet that matches the access list causes an informational log message to be sent to the logging destination (buffer or console, depending on how you have it set up). In your example, you could do the following:

access-list 101 permit tcp any any log

Once that’s done, any new packets coming in that match will be logged.

I hope this has been helpful!


Please, I have a concern…

We noticed our switch randomly blocks phones on VLAN 34, which is odd. Some of this communication is within the same subnet and should not be hitting the access list at all.

Here is my log

.29.132(48378) (Vlan34 004e.006e.0000) ->, 1 packet
*Apr 15 22:03:04.421: %SEC-6-IPACCESSLOGP: list 134 denied tcp (Vlan34 004e.006e.0000) ->, 1 packet
*Apr 15 22:03:14.427: %SEC-6-IPACCESSLOGP: list 134 denied tcp (Vlan34 004e.006e.0000) ->, 1 packet
*Apr 15 22:03:15.439: %SEC-6-IPACCESSLOGP: list 134 denied tcp (Vlan34 004e.006e.0000) ->, 1 packet
*Apr 15 22:03:16.451: %SEC-6-IPACCESSLOGP: list 134 denied tcp (Vlan34 004e.006e.0000) ->, 1 packet
*Apr 15 22:03:24.412: %BUFCAP-6-DISABLE: Capture Point cap disabled.
*Apr 15 22:03:24.726: %SEC-6-IPACCESSLOGP: list 134 denied udp (Vlan34 01dc.0200.0400) ->, 1 packet

The access-list 134 is below:

cisco-stack1#show ip access-list 134
Extended IP access list 134
9 permit ip any host
10 permit ip any host (124 matches)
20 permit ip any host
29 permit ip host
30 permit ip host
31 permit ip host
32 permit ip host
40 permit udp host eq domain
50 permit udp host eq domain
60 permit ip host host
61 permit ip host host
62 permit ip host any
70 permit ip host host
71 permit ip host any
80 permit ip host host
81 permit ip host host
82 permit ip host any
90 permit ip host host
91 permit ip host any
92 permit ip host any
100 deny ip any log-input (3067200 matches)
110 deny ip any
120 deny ip any (54250 matches

Any ideas to fix this, please?

A local SPAN capture on Po1 (which goes to IP phone 10.20.29.X) displays traffic from the IP phone to with a destination MAC of 22:Ac:1a:0c:ab:c1, which is the MAC address of SVI Vlan34 on the C9200L. This explains why this traffic is being processed on SVI Vlan34 and consequently being processed by ACL 134, even though both devices are on the same subnet.
Traffic destined for should have the MAC address of

Kindly advise how to fix this…

Hello Temitope

So here’s what I see. You have an IP phone A with an IP address of and it is sending traffic to device B, but both of these devices are on the same subnet, since you are using a subnet mask of But you are seeing traffic from A going to the SVI (the default gateway?) rather than to the correct phone.

The only reason I can see this happening is that IP phone A thinks that the destination address of is not in its own subnet so it is sending such traffic to the default gateway, and it is hitting the access list as a result. The only way this can happen is if the subnet mask of IP Phone A is incorrect. I suspect that the subnet mask is rather than

I hope this has been helpful!
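An added helper for this kind of investigation (not from the thread): it parses %SEC-6-IPACCESSLOGP messages in the format shown above and reports denied flows whose source and destination both sit in the SVI’s connected subnet, traffic that, as Laz notes, should never be reaching the SVI. The log lines and the 10.20.29.1/24 SVI prefix are constructed examples.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# IOS "log-input" format: list <acl> <action> <proto> src(port) (intf mac) -> dst(port), N packets
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r"(?: \((?P<intf>\S+) (?P<mac>[0-9a-f.]+)\))?"      # only present with log-input
    r" -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of an IPACCESSLOGP line, or None for other messages."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def intra_subnet_denies(lines: List[str], svi_prefix: str) -> List[Dict[str, str]]:
    """Denied entries whose src and dst are both inside the SVI's subnet."""
    net = ip_network(svi_prefix, strict=False)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "denied":
            continue
        if ip_address(rec["src"]) in net and ip_address(rec["dst"]) in net:
            hits.append(rec)
    return hits


# Constructed sample lines in the same shape as the thread's log (addresses invented).
SAMPLE = [
    "*Apr 15 22:03:04.421: %SEC-6-IPACCESSLOGP: list 134 denied tcp "
    "10.20.29.132(48378) (Vlan34 004e.006e.0000) -> 10.20.29.200(5060), 1 packet",
    "*Apr 15 22:03:14.427: %SEC-6-IPACCESSLOGP: list 134 denied tcp "
    "10.20.29.132(48379) (Vlan34 004e.006e.0000) -> 10.20.29.200(5060), 1 packet",
    "*Apr 15 22:03:15.439: %SEC-6-IPACCESSLOGP: list 134 denied udp "
    "10.20.29.140(5060) (Vlan34 01dc.0200.0400) -> 192.0.2.9(5060), 1 packet",
    "*Apr 15 22:03:24.412: %BUFCAP-6-DISABLE: Capture Point cap disabled.",
    "*Apr 15 22:03:30.100: %SEC-6-IPACCESSLOGP: list 134 permitted tcp "
    "10.20.29.132(48380) (Vlan34 004e.006e.0000) -> 10.20.29.10(53), 3 packets",
]

if __name__ == "__main__":
    for rec in intra_subnet_denies(SAMPLE, "10.20.29.1/24"):
        print(f"{rec['src']} -> {rec['dst']} via {rec['intf']} "
              f"({rec['mac']}) denied by list {rec['acl']}")
```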


Thank you so much!
This has already been checked, but it is not the case now.
Traffic destined to should have the MAC address of; this issue could be caused by a possible corruption of the ARP packets being distributed along the network.

Please, what could possibly be the reason the IP phone is mapping to its VLAN gateway and not to the destination server? Hence traffic within the same subnet is blocked by the ACL.

Please be aware that we have a GPON platform at the GPON core, and the device that the phone connects to is a Zhone 2804GPON ONT. Our phone is on VLAN 24. The ACL is blocking traffic within the same subnet.

When this issue happens, those phones are sending traffic to the destination MAC of their gateway regardless of the destination IP. We took several captures and confirmed this. We also took more captures and confirmed that the gateway is not sending ARP replies with incorrect data to the phone.
We disabled proxy ARP on the switch, which would cause this behavior, and the issue persisted.

Hello Temitope

This is indeed an interesting situation. Can you give us some more information about your topology including information about the GPON topology? Is the phone on the customer premises? Where are the active components of the GPON network, and how do they interconnect with the 9200 device? A small diagram of your topology would help in resolving this issue.

Let us know so we can continue to help you …



Hey all. Quick question I’m hoping someone can shed some light on.
I’m having a look through some ACLs that are on an L3 switch, applied to an SVI inbound. I’m documenting them before migrating over to a firewall in the near future.

What reason would there be for a rule that is permitting traffic from the subnet to its own subnet? It is the first entry and has a heap of hits too.

I would have thought that traffic from within the same broadcast domain wouldn’t need to be processed by the ACL applied inbound on the SVI?

If I recall correctly, sometimes an ACL will stop traffic generated from the router\SVI itself (could use some clarification here), but I’m not sure why that would apply in this case.

With the high hits, I’m assuming it’s because packets that are hitting the SVI IP\gateway are matching and the hit count is incrementing.

Extended IP access list VLAN68_INBOUND
Pretty standard ACL permitting traffic to other networks.
Nothing unusual.

Extended IP access list VLAN68_INBOUND
    10 permit ip (189436587 matches)
    11 permit ip any (6110620 matches)
    12 permit ip any (2428203 matches)
    13 permit ip any (559334 matches)

 + more lines

Implicit deny at the end

Vlan68 is up, line protocol is up
Inbound  access list is VLAN68_INBOUND

Hello Josh

Statement 10 in the access list states that any packet with source and destination IP addresses within this range of addresses would be matched. The range is In other words: to

Now, if the VLAN68 SVI serves as the gateway for this whole range of addresses, then yes, the fact that you see matches is strange. However, it is likely that VLAN68 only serves a subset of this range. What is the IP address and subnet mask of the VLAN 68 SVI?

Here’s an example. Let’s say the SVI has an IP address of and you have a host on this subnet with an IP address of This host sends a packet to This packet will be sent to the default gateway (SVI VLAN68) to be routed, and a match will be made on the access list because both source and destination addresses fall within the permitted range.

I hope this has been helpful!
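Laz’s range reasoning and the “both addresses fall within the permitted range” condition, as an added Python example that is not from the thread. The 10.68.0.0 0.0.255.255 statement and the SVI prefixes are constructed stand-ins for the values in Josh’s post; the functions also generalise to any IOS wildcard mask.

```python
from ipaddress import ip_address, ip_network


def to_int(addr: str) -> int:
    return int(ip_address(addr))


def wildcard_range(addr: str, wildcard: str):
    """Lowest and highest address matched by 'addr wildcard'. Bits set in the
    wildcard are don't-care bits (the inverse of a subnet mask)."""
    a, w = to_int(addr), to_int(wildcard)
    return str(ip_address(a & ~w & 0xFFFFFFFF)), str(ip_address(a | w))


def wildcard_is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is a run of trailing ones, i.e. a plain prefix."""
    w = to_int(wildcard)
    return (w + 1) & w == 0


def wildcard_match(addr: str, wildcard: str, ip: str) -> bool:
    w = to_int(wildcard)
    return (to_int(addr) & ~w) == (to_int(ip) & ~w)


def hits_svi_acl(src: str, dst: str, svi_prefix: str) -> bool:
    """A host only forwards to its gateway when the destination lies outside
    its own connected subnet; same-subnet traffic is switched at layer 2 and
    never reaches the SVI's inbound ACL."""
    net = ip_network(svi_prefix, strict=False)
    return ip_address(src) in net and ip_address(dst) not in net


# Constructed stand-in for statement 10: permit ip <net> <wc> <net> <wc>
STMT10_NET, STMT10_WC = "10.68.0.0", "0.0.255.255"


def statement10_matches(src: str, dst: str, svi_prefix: str) -> bool:
    """Would statement 10 count a hit for this flow on the given SVI?"""
    in_range = (wildcard_match(STMT10_NET, STMT10_WC, src) and
                wildcard_match(STMT10_NET, STMT10_WC, dst))
    return in_range and hits_svi_acl(src, dst, svi_prefix)


if __name__ == "__main__":
    print("statement 10 covers", wildcard_range(STMT10_NET, STMT10_WC))
    # SVI serving only a /24 of the range: inter-VLAN traffic inside the /16 hits it
    print(statement10_matches("10.68.4.20", "10.68.9.30", "10.68.4.1/24"))
    # SVI serving the whole /16: nothing inside the range ever reaches the ACL
    print(statement10_matches("10.68.4.20", "10.68.9.30", "10.68.0.1/16"))
```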



Hi Laz ,


In the above figure, we have created an inbound ACL on Router 2 to permit ICMP traffic; here is the syntax:

R2 (config)#access-list 100 permit icmp host echo
R2 (config)#access-list 100 deny ip any any

Please confirm the reachability if we try to ping as below.

R1# ping (the source IP address is 192.168.12.1): the device is unreachable because in the ACL we put the network in the deny condition.
Please correct me if I am wrong.

R1# ping source loopback 0: the device is reachable because we put the permit statement.
Please correct me if I am wrong.

Now the issue comes; please take note.

I am unable to find the permit or deny statement in show access-list if we ping like this:

Case 1: R1#ping

Do we get reachability if we ping like this?
If not, then how can we achieve it?

Case 2:

R1#ping source loopback 0

Do we get reachability if we ping like this?
If not, then how can we achieve it?


Laz sir, I request you to please illustrate the question below in a simple and descriptive way.


What I’m trying to do is to deny ping access from the network to reach the network, but not deny ping access from the network to reach the network. So basically PC2 and PC3 can’t ping PC0 and PC1, but PC0 and PC1 can, or the other way around. This is what I tried to do so far, with no success.

How can we achieve it (with configuration details), and please explain what is meant by the statement that a standard ACL is implemented closer to the destination and an extended ACL closer to the source? I am unable to understand it; please explain with a topology.

Question 3

Please explain this post, as I am unable to understand on which router the second permit statement allowed the echo reply; confirm whether it is on the outbound or inbound interface and how you decided it. Kindly explain with all the syntax in a lucid manner.

Post as below

Robocop(config)#access-list 100 permit icmp host echo
Robocop(config)#access-list 100 deny ip any any

For this case, Robocop cannot ping the ED209 IP.

How can I allow Robocop to ping ED209?

Shivam Chaudhary

Hi Rene / Team ,

I have shared a reference topology with a statement. From what I learned in this I got some confusion, and I want to know whether an ACL will be possible for the task below if we apply it.

Question 1


Can we apply deny and permit statements at the same time? If so, then what would be the last statement in the ACL? Kindly share the syntax.

A) Deny the host communicating with (host to network): deny
B) Permit the host communicating with (host to network): permit
C) Deny the network communicating with (network to network): deny
D) What is the last statement?

Is that an ACL we can apply in a real network? From what I learned in this lesson, you mentioned only a deny or permit statement at a single time. Is it possible to apply both permit and deny statements in an ACL? Just let me know.

Question 2

Why do we create the same ACL on multiple interfaces? And even if we have 3 or more deny or permit statements regarding the flow of traffic, you said to consider and count them as one ACL. What was the reason behind this, and why did you call it that in your lesson?

Question 3

I request you to please share the syntax of an ACL that permits or denies ICMP traffic in a network; it is very tough to understand how to block or permit ICMP in a network.

How can we apply an ACL for the tasks given below?

Permit ICMP traffic from one network to a single host.
Deny ICMP traffic from one network to another network.
Deny ICMP traffic from one host to another host.
Permit ICMP traffic from one network to another network.

Shivam Chaudhary

Hello Shivam

In such situations, the best thing to do is lab it up and experiment for yourself so that you can experience the results of such tests. This would be the most efficient way to see what happens in each case.

For case 1, if you were to ping from R1 using the command ping then the ping will fail. This is because, by default, R1 will use the source address of the closest interface to the destination, based on the routing table. In this case, the source interface will be Fa0/0 with an IP address of This means that this source address will be blocked by the access list.

For case 2, you are specifying the source interface as loopback 0, so the source IP address will be which matches the permit statement in the ACL, and is thus allowed.

In order to achieve this, you should apply an incoming extended access list on the interface of Router1 that connects to the network as shown by the arrow in the diagram.

The access list should be something like this:

access-list 100 deny icmp echo
access-list 100 permit ip any any

This will cause all ping requests from to be blocked. Make sure you use the echo keyword so only ping requests are blocked. Otherwise, ping replies will also be blocked, meaning that the response to pings from to will be blocked.

In this case, we are using extended access lists. For blocking pings from, we are placing the access list as close as possible to the source, which is the interface on the router closest to this network. We could place it on Router 0 as well, but that would cause any attempted pings to traverse the yellow network as well before being blocked, and this is inefficient.

I’m not sure I understand the question. Can you please clarify what your specific question is? Thanks!

I hope this has been helpful!

