On your Introduction to Access-Lists on Cisco IOS Router lesson, you have, in the picture for where to place the ACL, the word inbound twice. I believe that the top router should be “inbound” and the bottom router should be the “outbound.”
Thanks for pointing that out, I just fixed it.
Everything is very clear, but the number range is a little confusing.
The standard access-list number range (1300-199) is confusing, and 199 overlaps with the extended ACL range.
You caught a typo. It has to be 1300 - 1999, just fixed it.
You explain complex things in English. Thanks Rene Molenaar. I am going to advertise you to college students here in Uganda. You make it all simple.
God bless you!!
I did not understand what you mean by this statement: “You can only have a single ACL per direction, so it’s impossible to have 2 inbound access-lists”
Could you please explain the meaning in other words?
Here’s what I mean:
access-list 1 permit 220.127.116.11 0.0.0.255
access-list 2 permit 18.104.22.168 0.0.0.255
!
interface <interface>
 ip access-group 1 in
 ip access-group 2 in
Once you apply access-list 2 on the interface, 1 will be removed. You can’t have two inbound or two outbound access-lists.
Is there any example of how to configure classification on a router?
Take a look here:
If I do an access list like:
access-list out_acz_in permit any 10.0.32.10
access list out_acsz_in udp permit any 10.0.32.10 eq h323
What is the difference between the two? What will be the default if I don't mention tcp/udp and the destination port in the first case; what is the default type?
The first thing you have to decide is whether you are creating a standard or an extended access-list. The next decision to make is whether you want to use an access-list number or an access-list name. In the examples you gave, you chose to use named access-lists for both (out_acsz_in). Also, in your example, we must be using extended access-lists (because you specified the destination of the traffic you are permitting).
Let’s look at your two examples, and reconfigure them so they are using the proper syntax.
Your first example is this:
(config)#access-list out_acz_in permit any 10.0.32.10
The correct syntax for this would be:
(config)#ip access-list extended out_acz_in
(config-nacl)#permit ip any host 10.0.32.10
Here’s the difference between what you wrote, and what I wrote:
- The keyword “ip” must be used before “access-list” if you are using a named access-list. If you plan to use access-list numbers instead, this is not needed
- Named access-lists have to be told whether they are standard or extended, hence the keyword “extended”
- Named access-lists require you to press ENTER after you give the name. The IOS then takes you to a new submenu, (config-nacl)#, where you can type all of your permit or deny lines one by one
- After the word “permit” or “deny” a protocol has to be specified for an extended access-list. In this case, I chose “ip” which means any type of traffic, since you didn’t specify a port at the end
- The keyword “host” tells the access list that the next address you type in is supposed to be that specific ip. Think of “host” as a shortcut. Instead of typing 10.0.32.10 0.0.0.0, you can just type host 10.0.32.10. Both lines are acceptable and both do the same thing.
Now, let’s compare the correct syntax for both of your examples and go over the difference:
ip access-list extended out_acz_in
 permit ip any host 10.0.32.10
ip access-list extended out_acsz_in
 permit udp any host 10.0.32.10 eq h323
Example 2 allows only the UDP ports associated with the H.323 protocol from anywhere to reach 10.0.32.10.
Example 1 allows ALL traffic from anywhere to 10.0.32.10.
As you can see, Example 2 is much more restrictive than Example 1. As to what is the default type, there really isn’t a “default.” How you write the access-list determines its behavior.
Thanks a million, that was a very excellent explanation, really appreciate it. I did not know this inside edge with IOS ACLs.
However, it's my mistake, posted at the wrong place. My question was with reference to ASA. Found this on the below link and was keen to get information about the question I asked previously.
check this bit starting at
Can you explain why standard ACLs need to be placed near the destination and extended ACLs need to be placed near the source?
The standard access-list only allows you to filter source addresses. If you place it close to the source, it’s possible that you filter too much (unwanted) traffic.
The extended access-list is very specific…you can filter source + destination address and source + destination ports. Since it’s so specific, it’s best to place it as close to the source as possible so you can drop unwanted traffic right away.
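The two named access-lists discussed earlier in this thread (permit ip any host 10.0.32.10 versus permit udp any host 10.0.32.10 eq h323) and the placement question above both come down to what an entry is allowed to match. As an added example that is not part of the original thread or of Cisco IOS, the Python model below implements IOS wildcard-mask matching (the “host” shortcut is wildcard 0.0.0.0, “any” is 0.0.0.0 255.255.255.255), first-match evaluation with the implicit deny at the end, and the standard/extended distinction (a standard entry can only name a source). It then runs the thread's out_acz_in and out_acsz_in entries against constructed traffic, and shows why a source-only standard ACL placed near the source over-filters while an extended ACL drops just the unwanted flow. The 10.0.32.x hosts, the 192.0.2.x/198.51.100.x addresses and the use of port 1720 (the registered H.323 call-signalling port) as the stand-in for the h323 keyword are assumptions made for this example.

```python
"""
Added example (not from the original thread): a small model of how IOS evaluates
standard and extended access-list entries, used to show
(1) why "permit ip any host X" admits every flow to X while
    "permit udp any host X eq <port>" admits only one UDP port, and
(2) why a standard ACL placed near the source filters more than intended while an
    extended ACL at the same spot can drop just the targeted flow.
All addresses, ports and ACL contents below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Assumption: the thread's "eq h323" keyword is modelled as port 1720,
# the port registered for H.323 call signalling.
H323_PORT = 1720

ANY = ("0.0.0.0", "255.255.255.255")          # the "any" keyword


def HOST(ip: str) -> Tuple[str, str]:
    """The "host" shortcut: an exact address, i.e. wildcard 0.0.0.0."""
    return (ip, "0.0.0.0")


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w       # bits we actually compare
    return (a & care) == (b & care)


@dataclass(frozen=True)
class ACE:
    """One access-list entry. A standard ACL entry only ever sets action and src;
    proto "ip" matches every protocol, dport None matches every port."""
    action: str                                  # "permit" or "deny"
    proto: str = "ip"
    src: Tuple[str, str] = ANY                   # (address, wildcard)
    dst: Tuple[str, str] = ANY
    dport: Optional[int] = None                  # "eq <port>" for tcp/udp

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wildcard_match(p.src, *self.src) or not wildcard_match(p.dst, *self.dst):
            return False
        return self.dport is None or self.dport == p.dport


def evaluate(acl: List[ACE], p: Packet) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


# The thread's two named extended ACLs:
#   ip access-list extended out_acz_in  -> permit ip any host 10.0.32.10
#   ip access-list extended out_acsz_in -> permit udp any host 10.0.32.10 eq h323
OUT_ACZ_IN = [ACE("permit", "ip", ANY, HOST("10.0.32.10"))]
OUT_ACSZ_IN = [ACE("permit", "udp", ANY, HOST("10.0.32.10"), H323_PORT)]

SAMPLES = [                                                  # constructed traffic
    Packet("udp", "192.0.2.7", "10.0.32.10", H323_PORT),     # H.323 signalling
    Packet("tcp", "192.0.2.7", "10.0.32.10", 22),            # SSH to the same host
    Packet("udp", "192.0.2.7", "10.0.32.10", 53),            # DNS to the same host
    Packet("tcp", "192.0.2.7", "10.0.32.11", 22),            # a different host
]


def compare_examples() -> dict:
    """Verdict per sample packet under each ACL: "permit ip" is far broader than "permit udp ... eq"."""
    return {
        "out_acz_in": [evaluate(OUT_ACZ_IN, p) for p in SAMPLES],
        "out_acsz_in": [evaluate(OUT_ACSZ_IN, p) for p in SAMPLES],
    }


# Placement: the goal is to stop 10.0.32.5 reaching the H.323 port on 10.0.32.10 and nothing else.
STANDARD_NEAR_SOURCE = [ACE("deny", src=HOST("10.0.32.5")), ACE("permit")]   # source only
EXTENDED_NEAR_SOURCE = [
    ACE("deny", "udp", HOST("10.0.32.5"), HOST("10.0.32.10"), H323_PORT),
    ACE("permit"),                                                          # permit ip any any
]

PLACEMENT_SAMPLES = [
    Packet("udp", "10.0.32.5", "10.0.32.10", H323_PORT),  # the flow we want to drop
    Packet("tcp", "10.0.32.5", "198.51.100.9", 443),      # unrelated traffic, should pass
    Packet("udp", "10.0.32.6", "10.0.32.10", H323_PORT),  # a different source, should pass
]


def compare_placement() -> dict:
    """Applied near the source, the standard ACL drops ALL of 10.0.32.5's traffic; the extended ACL drops only the targeted flow."""
    return {
        "standard": [evaluate(STANDARD_NEAR_SOURCE, p) for p in PLACEMENT_SAMPLES],
        "extended": [evaluate(EXTENDED_NEAR_SOURCE, p) for p in PLACEMENT_SAMPLES],
    }


if __name__ == "__main__":
    print(compare_examples())
    print(compare_placement())
```

Running it shows out_acz_in permitting the first three packets (every protocol and port towards 10.0.32.10) while out_acsz_in permits only the UDP/1720 packet, and in the placement scenario the standard ACL also drops 10.0.32.5's unrelated HTTPS flow, which is exactly the “filter too much” problem of putting a source-only list near the source.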
Thanks Rene…I understood it now.
Need your assistance to clear up the questions …
What are the high level difference between Named and Numbered access list?
Functionally there is no difference between the named and the numbered ACL, so both function the same way as what you have learned in our lessons.
The only difference is that on named ACLs you can give a better description rather than using numbers. For example, if you want to deny http traffic then you can name the named ACL something like:
ip access-list extended Deny_HTTP
This can give you, as an administrator, a better idea of what this ACL is doing.
Another point is that in the old IOS it wasn’t possible to edit numbered ACLs, so if you wanted to change an entry then you had to remove the whole ACL and make it again, while on named ACLs editing was and still is possible. Nowadays both numbered and named ACLs can be edited without the need to change the whole configuration of the router.
The last point is that numbered ACLs are limited to a range of numbers for both standard & extended, while named ACLs are not.
Hope I could answer your question.
I have a question. What is the difference between inbound ACL and outbound ACL? When will we use inbound ACL and when we need to use outbound ACL? Thank you very much.
Hello Siu Kai L,
Both inbound and outbound get the job done: they filter packets. It depends on the scenario which one you might want to use. For example, let’s say you have a router with 4 interfaces:
* 1x WAN interface that connects to the Internet
* 3x LAN interfaces
Let’s say you want to restrict internet traffic from your LAN to the Internet. You could attach the same access-list INBOUND on all three LAN interfaces, or you can attach the access-list OUTBOUND on your WAN interface. Both get the job done, the only difference is you have to apply it once instead of on three interfaces.
You can also look at this from the other way around. Let’s say you want to restrict traffic from the Internet to your LAN. You could create an access-list and attach it INBOUND on your WAN interface, or you can attach it OUTBOUND on all three LAN interfaces.
Both will get the job done, but adding it to the WAN interface INBOUND is probably easier since you only have to attach it once. Also, it prevents the traffic from going anywhere else since you filter it right away on where it enters the router.
Hope this helps!