Cisco IOS ACL types

Question

The built in command help list displays access list types based on which range.

router1(config)#access-list ?   
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <700-799>         48-bit MAC address access list
  dynamic-extended  Extend the dynamic ACL absolute timer
  rate-limit        Simple rate-limit specific access list

router1(config)#

What are each of the types? Can multiple types of ACLs be applied to a given interface?

Answer 1

The main ones you will use in every day router work are:

Standard Access Lists:
Only allow the source IP addresses.

Extended Access Lists:
Allow you to specify source and destination IPs addresses was well as ports for protcols like TCP and UDP.

The MAC address lists are to create ACLs based on Layer 2 addressing (The hardware addresses) instead of Layer 3.

You should also be aware of named access lists which you can use instead of using the numbers and just declare the type of ACL.

Answer 2

The types are only there to group together the same ACLs. However there are some things to know about the numbering:

• Standard (1-99, 1300-1999) Can only define the SOURCE IP of the traffic.
• Extended (100-199, 2000-2699) Can define SOURCE and DESTINATION IP as well as SOURCE and DESTINATION PORTS.
• Standard type only defines IP traffic.
• Extended type defines TCP, UDP, ICMP, IP, AHP, EIGRP, IGRP, ESP, IGMP, OSPF, and PIM traffic.

The ACLs are NOT processed by order of group number, but they ARE processed in the order that they're entered.

Remember the three "per's": You can have one access-list per PROTOCOL, per DIRECTION, and per INTERFACE.

From these excellent articles on ACLs:

• Part 1
• Part 2