ACL Rule Builder

Build access control list rules interactively. Configure action, protocol, source, destination, and ports — then generate syntax for Cisco IOS extended ACLs and Linux iptables. Copy the output directly into your device configuration.

Figure 1 — ACL Rule Builder (interactive tool)

What Are Access Control Lists?

Access Control Lists (ACLs) are ordered sets of rules that filter network traffic based on source, destination, protocol, and port. They're the primary mechanism for enforcing security policies on routers, switches, and firewalls — controlling what traffic is allowed or blocked at each network boundary.

ACLs work with other network security features like NAT, port forwarding, and VLAN segmentation to create layered network security. Understanding ACLs is essential for anyone managing a network beyond the basics.

Types of ACLs

Type            Cisco IOS             Linux Equivalent     Filtering Criteria
Standard ACL    1-99, 1300-1999       iptables -s          Source IP only
Extended ACL    100-199, 2000-2699    iptables (full)      Source, dest, protocol, port
Named ACL       ip access-list        iptables chain       Human-readable names
Reflexive ACL   evaluate / reflect    iptables -m state    Stateful session tracking
Time-based ACL  time-range            iptables -m time     Active during specific times

ACL Rule Order Matters

ACLs are processed top-down — the first matching rule wins. This ordering is critical for both performance and correctness:

! WRONG order — specific rule never matches
ip access-list extended BAD-EXAMPLE
 deny   ip any any               ! Blocks everything first!
 permit tcp any any eq 80        ! Never reached

! CORRECT order — specific rules first
ip access-list extended GOOD-EXAMPLE
 permit tcp any any eq 80        ! Allow HTTP first
 permit tcp any any eq 443       ! Allow HTTPS
 deny   ip any any               ! Block everything else

Pro Tip: Always place more specific rules before general ones. If you need to allow web traffic from one subnet but block all other traffic, put the permit rule first and the deny rule last. Also remember that Cisco IOS has an implicit deny ip any any at the end of every ACL — if traffic doesn't match any rule, it's blocked. Use our Subnet Calculator to compute the correct wildcard masks for your rules.
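To make the "first match wins" behaviour concrete, here is an added example (not code from the RouterHax builder) that parses the two ACLs above in their simplified syntax and evaluates a constructed packet against each. It also models the implicit deny at the end of every Cisco ACL and a wildcard-mask match; the ADMIN-SSH list and all addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not the RouterHax builder's code): a first-match evaluator for the
# simplified Cisco extended-ACL syntax used on this page, including the implicit deny.


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    protocol: str          # "ip" (any protocol), "tcp", "udp" or "icmp"
    src: str               # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    dst: str
    port: Optional[int]    # destination port from "eq N", else None


def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one address spec: 'any' is one token, 'host X' or 'net wildcard' are two."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    return " ".join(tokens[:2]), tokens[2:]


def parse_acl(text: str) -> List[Rule]:
    """Parse the body of an 'ip access-list extended' block; '!' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()
        if not line or line.startswith("ip access-list"):
            continue
        tokens = line.split()
        action, protocol, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        port = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        rules.append(Rule(action, protocol, src, dst, port))
    return rules


def _addr_matches(spec: str, ip: str) -> bool:
    """Wildcard-mask match: bits set to 1 in the wildcard are 'don't care' bits."""
    if spec == "any":
        return True
    first, second = spec.split()
    addr = int(ipaddress.IPv4Address(ip))
    if first == "host":
        return addr == int(ipaddress.IPv4Address(second))
    network = int(ipaddress.IPv4Address(first))
    wildcard = int(ipaddress.IPv4Address(second))
    care = ~wildcard & 0xFFFFFFFF          # bits that must match exactly
    return (addr & care) == (network & care)


def evaluate(rules: List[Rule], protocol: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[Rule]]:
    """Walk the ACL top-down and return (action, matching rule); first match wins.
    Falling off the end returns ('deny', None): Cisco's implicit 'deny ip any any'."""
    for rule in rules:
        if rule.protocol != "ip" and rule.protocol != protocol:
            continue
        if not (_addr_matches(rule.src, src_ip) and _addr_matches(rule.dst, dst_ip)):
            continue
        if rule.port is not None and rule.port != dport:
            continue
        return rule.action, rule
    return "deny", None


# The two ACLs from the section above, plus a constructed one using a wildcard mask.
BAD_ACL = """ip access-list extended BAD-EXAMPLE
 deny   ip any any
 permit tcp any any eq 80
"""
GOOD_ACL = """ip access-list extended GOOD-EXAMPLE
 permit tcp any any eq 80
 permit tcp any any eq 443
 deny   ip any any
"""
ADMIN_ACL = """ip access-list extended ADMIN-SSH   ! constructed example
 permit tcp 192.168.10.0 0.0.0.255 host 192.168.1.1 eq 22
"""

if __name__ == "__main__":
    web = ("tcp", "192.168.10.25", "203.0.113.10", 80)      # constructed HTTP flow
    print("BAD :", evaluate(parse_acl(BAD_ACL), *web)[0])    # deny: first rule wins
    print("GOOD:", evaluate(parse_acl(GOOD_ACL), *web)[0])   # permit
    admin = parse_acl(ADMIN_ACL)
    print("SSH from LAN:", evaluate(admin, "tcp", "192.168.10.7", "192.168.1.1", 22)[0])
    print("SSH from IoT:", evaluate(admin, "tcp", "192.168.20.7", "192.168.1.1", 22))
```

The ADMIN-SSH run shows the other half of the ordering lesson: a packet that matches no explicit entry comes back as ("deny", None), which is exactly the implicit deny the Pro Tip warns about, so a list made only of permits still blocks everything it does not name.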

Common ACL Patterns

Use Case              Rule Pattern                            Example
Allow web traffic     permit tcp src any dst any 80,443       Internet access for users
Block IoT to LAN      deny ip IoT-subnet LAN-subnet           IoT isolation
Allow DNS only        permit udp src any dst DNS-server 53    Restricted DNS resolution
Allow SSH from admin  permit tcp admin-IP any dst device 22   Remote management
Allow ICMP (ping)     permit icmp src any dst any             Network diagnostics
Block P2P             deny tcp/udp any any 6881-6889          BitTorrent blocking

Note: When building ACLs for VLAN segmentation, the most common pattern is: allow IoT devices to reach the internet but block them from accessing your main LAN. This prevents a compromised IoT device from attacking your PCs and servers. See our smart home security guide and subnet planner for complete segmentation strategies.

Cisco Wildcard Masks

Cisco ACLs use wildcard masks (the inverse of subnet masks). Here's a quick reference — use our Subnet Calculator for custom calculations:

CIDR   Subnet Mask        Wildcard Mask     Hosts
/32    255.255.255.255    0.0.0.0           Single host
/24    255.255.255.0      0.0.0.255         254
/16    255.255.0.0        0.0.255.255       65,534
/8     255.0.0.0          0.255.255.255     16,777,214

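The wildcard conversion above and the "block IoT to LAN, permit internet" pattern from the Common ACL Patterns section can be mechanised. The following is an added example, not the RouterHax builder's own code: it derives the wildcard mask from a prefix length, renders a rule spec as a Cisco IOS extended ACL entry and as the equivalent iptables command, and optionally emits the Cisco log keyword or an iptables -j LOG rule ahead of the real one for testing. The subnets, the ACL name, the FORWARD chain and the log-prefix text are constructed for illustration.

```python
import ipaddress
from typing import List, Optional

# Added example (not the RouterHax builder's code): render one rule spec as a Cisco IOS
# extended ACL entry and as the equivalent iptables command. Subnets, names and the
# chain are constructed for illustration.


def wildcard_mask(prefix_len: int) -> str:
    """Cisco wildcard mask for a prefix length: the bitwise inverse of the subnet mask."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def cisco_addr(cidr: str) -> str:
    """CIDR -> Cisco address token: 'any', 'host A.B.C.D', or 'network wildcard'."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def cisco_rule(action: str, protocol: str, src: str, dst: str,
               dport: Optional[int] = None, log: bool = False) -> str:
    """One extended-ACL entry; log=True appends the keyword that logs matching traffic."""
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    if dport is not None and protocol not in ("tcp", "udp"):
        raise ValueError("destination ports only apply to tcp or udp")
    parts = [action, protocol, cisco_addr(src), cisco_addr(dst)]
    if dport is not None:
        parts.append(f"eq {dport}")
    if log:
        parts.append("log")
    return " ".join(parts)


def iptables_rule(action: str, protocol: str, src: str, dst: str,
                  dport: Optional[int] = None, chain: str = "FORWARD",
                  log: bool = False) -> List[str]:
    """Equivalent iptables command(s); with log=True a -j LOG rule precedes the real one."""
    target = {"permit": "ACCEPT", "deny": "DROP"}[action]
    if dport is not None and protocol not in ("tcp", "udp"):
        raise ValueError("--dport requires -p tcp or -p udp")
    match = [f"-A {chain}"]
    if protocol != "ip":                      # 'ip' means every protocol: no -p option
        match.append(f"-p {protocol}")
    for flag, cidr in (("-s", src), ("-d", dst)):
        if ipaddress.IPv4Network(cidr, strict=False).prefixlen:   # skip 0.0.0.0/0 (any)
            match.append(f"{flag} {cidr}")
    if dport is not None:
        match.append(f"--dport {dport}")
    base = "iptables " + " ".join(match)
    lines = []
    if log:
        lines.append(f'{base} -j LOG --log-prefix "{chain}-{action}: "')
    lines.append(f"{base} -j {target}")
    return lines


def iot_isolation_acl(name: str, iot: str, lan: str) -> List[str]:
    """The page's IoT pattern: the specific deny (IoT -> LAN) before the general permit."""
    return [
        f"ip access-list extended {name}",
        f" remark Block {iot} from reaching {lan}, allow everything else",
        " " + cisco_rule("deny", "ip", iot, lan, log=True),
        " " + cisco_rule("permit", "ip", iot, "0.0.0.0/0"),
    ]


if __name__ == "__main__":
    print("\n".join(iot_isolation_acl("IOT-IN", "192.168.20.0/24", "192.168.10.0/24")))
    print(cisco_rule("permit", "tcp", "192.168.10.5/32", "192.168.1.1/32", 22))
    print("\n".join(iptables_rule("deny", "ip", "192.168.20.0/24", "192.168.10.0/24", log=True)))
```

Two design points worth noting: the port argument is refused for protocols other than tcp and udp, because both Cisco eq and iptables --dport are only valid there, and the 0.0.0.0/0 source or destination is rendered as any on Cisco and simply omitted on iptables, which matches everything by default.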
Key Takeaways
  • ACLs filter traffic based on source, destination, protocol, and port — order matters (first match wins).
  • Place specific rules before general ones — the implicit deny at the end blocks unmatched traffic.
  • Use extended ACLs for granular control (protocol + port) and standard ACLs for simple source filtering.
  • Cisco uses wildcard masks (inverse of subnet masks) — use our Subnet Calculator for conversion.
  • Test ACL rules in a lab or with logging enabled before deploying to production.
  • Combine with VLAN segmentation for comprehensive network security.

Frequently Asked Questions

What is the difference between standard and extended ACLs?

Standard ACLs filter traffic based on source IP address only. Extended ACLs filter on source IP, destination IP, protocol, and port numbers. Extended ACLs provide much more granular control and are used for most real-world filtering scenarios.

Where should I apply ACLs on a router?

Apply ACLs as close to the traffic source as possible for extended ACLs (to avoid unnecessary routing), and close to the destination for standard ACLs (since they only filter by source). On Cisco routers, you apply ACLs inbound or outbound on specific interfaces.

What happens to traffic that doesn't match any ACL rule?

In Cisco IOS, there's an implicit deny ip any any at the end of every ACL — unmatched traffic is dropped. In Linux iptables, the default policy (usually ACCEPT or DROP) determines what happens. Always configure your default policy explicitly.

Can ACLs slow down my network?

On modern hardware (ASIC-based routers and switches), ACLs are processed in hardware at line rate with negligible impact. On software-based routing (like a Linux server or Raspberry Pi), very long ACLs with complex matching can add latency.

How do I test ACL rules before deploying?

Add log to the end of Cisco ACL rules to see what traffic matches. In iptables, use -j LOG before the actual rule. Test in a lab environment first, and always have console access to the device in case you lock yourself out.

Can I use ACLs for IoT device isolation?

Yes, ACLs combined with VLAN segmentation are the standard approach for IoT isolation. Create a deny rule blocking the IoT subnet from accessing your main LAN, while permitting internet access. See our IoT network isolation guide.

About Tommy N.

Tommy is the founder of RouterHax and a network engineer with 10+ years of experience in home and enterprise networking. He specializes in router configuration, WiFi optimization, and network security. When not writing guides, he's testing the latest mesh WiFi systems and helping readers troubleshoot their home networks.