
The Anatomy of Access Lists

The Standard IP Access List

  List #           Rule             Pattern Definition
                                    Source Address     Wild Card Mask
  access-list nn   permit or deny   xxx.xxx.xxx.xxx    ccc.ccc.ccc.ccc

List #: The allowed range for a standard list is 1-99.

Rule: Specifies the nature of this line: permit or deny.

Source Address: The IP address of the source of the packet.

Wild Card Mask: This mask is applied to the source address to determine which bits are significant:
  0 in the mask means apply (that bit of the address must match)
  1 in the mask means ignore (which is why it is also called an inverse mask)

The Extended IP Access List

Note: The Operator and Port # fields are optional. They are used only when the protocol specified is TCP or UDP.

  List #            Rule             Pattern Definition
                                     Protocol    Source Address    Source Mask       Destination Address   Destination Mask   Operator              Port #
  access-list nnn   permit or deny   see below   sss.sss.sss.sss   ccc.ccc.ccc.ccc   ttt.ttt.ttt.ttt       rrr.rrr.rrr.rrr    see below (TCP/UDP)   ppp (TCP/UDP)

List #: The allowed range for an extended list is 100-199.

Rule: Choose one only: permit or deny.

Protocol: IP, ICMP, TCP, UDP, etc.

Source Address: The IP address of the packet's source.

Source Mask: Wildcard mask applied to the source address; 0 = apply, 1 = ignore.

Destination Address: The IP address of the packet's destination.

Destination Mask: Wildcard mask applied to the destination address; 0 = apply, 1 = ignore.

Operator (TCP or UDP only):
  eq for =
  gt for >
  lt for <
  neq for not equal

Port # (TCP or UDP only): see the port table below.
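To make the two IP tables above concrete, here is an added example (not code from the original page) of a small evaluator that applies standard and extended access-list lines to constructed packets. It implements the wildcard-mask rule as described (a 0 bit in the mask means the address bit must match, a 1 bit means it is ignored), top-down first-match processing, the eq/gt/lt/neq port operators, and the implicit "deny any" that ends every Cisco access list. The list lines and packets are constructed sample data; the Packet and Entry types and the parse_* helpers are assumptions of this example, not Cisco commands.

```python
# Added example: evaluate Cisco-style standard and extended IP access lists.
# Sample lists and packets are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 address -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(address: str, rule_addr: str, wildcard: str) -> bool:
    """True if `address` matches `rule_addr` under the wildcard (inverse) mask.

    A 0 bit in the mask means that bit is significant (must match);
    a 1 bit means the bit is ignored.
    """
    care_bits = ~to_int(wildcard) & 0xFFFFFFFF      # 0 in mask -> significant
    return (to_int(address) & care_bits) == (to_int(rule_addr) & care_bits)


# Port operators from the extended-list table (TCP or UDP only).
OPERATORS = {
    "eq": lambda port, value: port == value,
    "gt": lambda port, value: port > value,
    "lt": lambda port, value: port < value,
    "neq": lambda port, value: port != value,
}


@dataclass
class Packet:                       # hypothetical packet summary
    protocol: str                   # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dst_port: Optional[int] = None  # only meaningful for TCP/UDP


@dataclass
class Entry:                        # one access-list line
    action: str                     # "permit" or "deny"
    src: str
    src_wild: str
    protocol: str = "ip"            # "ip" matches every protocol (standard lists)
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"   # standard lists never test the destination
    operator: Optional[str] = None  # eq/gt/lt/neq, TCP or UDP only
    port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "ip" and self.protocol != pkt.protocol:
            return False
        if not wildcard_match(pkt.src, self.src, self.src_wild):
            return False
        if not wildcard_match(pkt.dst, self.dst, self.dst_wild):
            return False
        if self.operator is not None:
            # A line with a port operator cannot match a packet without a port.
            if pkt.dst_port is None:
                return False
            return OPERATORS[self.operator](pkt.dst_port, self.port)
        return True


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Walk the list top-down; the first matching line decides.
    No match -> the implicit deny at the end of every access list."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


def parse_standard(line: str) -> Entry:
    """'access-list nn permit|deny source wildcard'  (numbers 1-99)."""
    _, number, action, src, wild = line.split()
    assert 1 <= int(number) <= 99, "standard IP lists are numbered 1-99"
    return Entry(action, src, wild)


def parse_extended(line: str) -> Entry:
    """'access-list nnn permit|deny proto src wild dst wild [op port]'  (100-199)."""
    parts = line.split()
    number, action, proto, src, swild, dst, dwild = parts[1:8]
    assert 100 <= int(number) <= 199, "extended IP lists are numbered 100-199"
    op = port = None
    if len(parts) > 8:                      # optional operator and port
        op, port = parts[8], int(parts[9])
    return Entry(action, src, swild, proto, dst, dwild, op, port)


# Constructed sample lists: list 10 permits one /24 by source only;
# list 101 admits only HTTP and DNS to a single host and denies everything else.
STANDARD_ACL = [parse_standard("access-list 10 permit 192.168.1.0 0.0.0.255")]
EXTENDED_ACL = [
    parse_extended("access-list 101 permit tcp 0.0.0.0 255.255.255.255 10.0.0.5 0.0.0.0 eq 80"),
    parse_extended("access-list 101 permit udp 0.0.0.0 255.255.255.255 10.0.0.5 0.0.0.0 eq 53"),
    parse_extended("access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255"),
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "192.168.1.77", "10.0.0.5", 80),
                Packet("tcp", "192.168.2.1", "10.0.0.5", 23)):
        print(pkt, "standard:", evaluate(STANDARD_ACL, pkt),
              "extended:", evaluate(EXTENDED_ACL, pkt))
```

Two points the tables alone do not show: a standard list tests only the source address, so a line with mask 0.0.0.255 admits every host in the /24 regardless of destination or port, and a packet that matches no line at all (an empty list included) is dropped by the implicit deny, which is why every list needs at least one permit to be useful.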

The Standard IPX Access List

  List #            Rule             Pattern Definition
                                     Source Address   Destination Address
  access-list nnn   permit or deny   xxx              ccc

List #: The range for a standard IPX list is 800-899.

Rule: Choose one only: permit or deny.

Source Address: The IPX address of the source of the packet.

Destination Address: The IPX address of the destination of the packet.

Common Port Numbers Filtered Using IP Extended Access Lists

  Protocol   Port Number   Protocol Name
  TCP        20            File Transfer Protocol (FTP) data
  TCP        21            File Transfer Protocol (FTP) program
  TCP        23            Telnet
  TCP        25            Simple Mail Transfer Protocol (SMTP)
  UDP        53            Domain Name Service (DNS)
  UDP        69            Trivial File Transfer Protocol (TFTP)
  TCP        80            Hypertext Transfer Protocol (HTTP)
  UDP        161, 162      Simple Network Management Protocol (SNMP)

Protocols With Access Lists Specified By Numbers

  Protocol          Range
  IP Standard       1 to 99
  IP Extended       100 to 199
  XNS               400 to 499
  Extended XNS      500 to 599
  AppleTalk         600 to 699
  IPX Standard      800 to 899
  IPX Extended      900 to 999
  IPX SAP           1000 to 1099
  Standard VINES    1 to 100
  Extended VINES    101 to 200
  Simple VINES      201 to 300
