ACL Implementation Guide: Page 3 of 3

Applying the ACL

Creating an ACL is the first step in a two-step packet filtering configuration process. The second step is to apply the ACL to a specific interface. To do so, you reference the ACL number on the interface and then specify whether the ACL applies to inbound traffic entering the interface or outbound traffic exiting it. Applying an ACL to an interface works the same way whether you are using a standard or an extended ACL. This example shows how to configure extended ACL #101 inbound on interface Gigabit 1/0/5:


Editing an ACL

If you want to edit an ACL without completely deleting it, you can do so with sequence numbers. For example, let's say we want to add a second deny statement to our standard ACL #1. First, we can view the ACL in its current form by issuing the show ip access-list 1 command as follows:


Notice the 10 and 20 numbers at the beginning of each access control entry? These are called sequence numbers. We can use them to add additional entries to the list and have them placed before or in between entries that already exist. In this example, we will add an entry that denies packets coming from the network with a mask of We want to place this entry between entries 10 and 20 so we will use sequence 15 as shown here:


Now if we look at ACL #1 a second time, we see that our new entry with sequence 15 is placed between 10 and 20:
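
The edit-by-sequence-number and apply-to-interface steps described above, written out as an added Cisco IOS example; it is not the article's original listing. The 198.51.100.0 network and its 0.0.0.255 wildcard mask are constructed sample values, and ACL 101 is assumed to exist already with whatever entries were defined for it earlier.

```cisco
! --- Edit standard ACL 1 in place using sequence numbers ---
! View the list first and note the sequence numbers (10, 20) of its entries.
show ip access-list 1
!
configure terminal
 ! Enter named-style configuration mode for the numbered standard ACL.
 ip access-list standard 1
  ! Sequence 15 places the new entry between entries 10 and 20.
  ! Network and wildcard mask below are constructed sample values.
  15 deny 198.51.100.0 0.0.0.255
 end
!
! Verify: the new entry should be listed between 10 and 20.
show ip access-list 1
!
! --- Apply extended ACL 101 inbound on Gigabit 1/0/5 ---
configure terminal
 interface GigabitEthernet1/0/5
  ! "in" filters traffic entering the interface; "out" would filter
  ! traffic exiting it. The command is the same for standard and
  ! extended ACLs.
  ip access-group 101 in
 end
!
! Verify which ACLs are bound to the interface and in which direction.
show ip interface GigabitEthernet1/0/5 | include access list
```

Entries are evaluated in sequence order and the first match decides the packet, so an entry inserted at 15 takes effect ahead of whatever entry 20 would have matched.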


Other uses for ACLs

Access control lists can be used for things other than filtering traffic. The lists are built the same way, but instead of being applied to an interface for filtering, they identify certain traffic so that it can be handled for other purposes. Some real-world examples include identifying network traffic to NAT and encrypting or hiding traffic to prevent redistribution into routing protocols via route maps.