Most people set up a network, get it talking, and call it a day. Plus, then something weird starts happening — a printer in HR can suddenly reach the finance server, or a contractor's laptop is poking around places it shouldn't. That's usually the moment someone remembers they were supposed to configure and verify extended ipv4 acls and just… didn't No workaround needed..
Look, access lists aren't glamorous. They don't show up in the pretty dashboard with the spinning graphs. But they're the difference between a network that trusts everything and one that actually has boundaries. And extended IPv4 ACLs? Those are where you stop playing with toy rules and start filtering on real detail And that's really what it comes down to..
The official docs gloss over this. That's a mistake.
Here's the thing — most guides treat this like a checklist. They're logic, written line by line, evaluated top to bottom, with a silent "deny everything" waiting at the end. They're not. Miss that part and you'll be confused for an hour Small thing, real impact..
What Is an Extended IPv4 ACL
An extended IPv4 ACL is a numbered or named list of rules on a router or Layer 3 switch that filters IPv4 traffic based on more than just source IP. Unlike a standard ACL — which can only look at where a packet came from — an extended one can inspect source, destination, protocol, and even port numbers Surprisingly effective..
So you're not just saying "block 10.0.0.5." You're saying "block 10.On top of that, 0. 0.5 from reaching 192.That said, 168. 5.10 on TCP port 22." That's a very different conversation But it adds up..
Numbered vs Named
The old-school way is numbered: 100–199 and 2000–2699 are the extended ranges. But named extended ACLs are cleaner. But you'll still see them in legacy configs and exam labs. You give it a name like BLOCK_GUEST_TO_VOICE and you can actually read your config later without counting lines Small thing, real impact..
Either type lives in the running config. Neither is "better" technically — named just saves your sanity.
The Implicit Deny
Every extended IPv4 ACL ends with a rule you didn't write: deny ip any any. Because of that, it's invisible. It's always there. If a packet doesn't match a permit line above it, it gets dropped. People forget this and then swear their "permit" isn't working when really their logic just never caught the packet in the first place.
Quick note before moving on Easy to understand, harder to ignore..
Why It Matters
Why does this matter? Because flat networks are how breaches spread. One laptop with a bad attachment shouldn't be able to touch your domain controller because nothing said it couldn't.
In practice, extended IPv4 ACLs are how you enforce segmentation without buying a firewall for every closet. A branch router with a well-written ACL can keep the guest VLAN off the POS system. Also, a core switch can stop engineering from casually scanning payroll. You don't need a security appliance to do basic boundary control — you need a list and the discipline to verify it.
And here's what most people miss: an ACL that isn't verified is a guess. You can write a beautiful rule set, apply it to the wrong interface, in the wrong direction, and accomplish nothing. Or worse — you block the thing you meant to allow and nobody tells you until the help desk lights up.
How It Works
The short version is: you write the rules, you apply them to an interface, and you pick a direction. But the details are where the real control lives.
Step 1 — Plan What You're Filtering
Before touching the CLI, know three things:
- What source should be affected
- What destination matters
- What protocol/port is in play
Turns out, half of ACL mistakes come from not answering those on paper first. Even so, 0. 20.0/24 to 10.0."Deny TCP 10.Which means 30. "I want to stop marketing from using RDP to servers" is a sentence. 0/24 eq 3389" is a rule No workaround needed..
Step 2 — Enter ACL Configuration
For a named extended ACL:
ip access-list extended GUEST_BLOCK
deny ip 10.99.0.0 0.0.255.255 10.10.0.0 0.0.255.255
permit ip any any
That wildcard mask (0.On the flip side, a /16 subnet mask is 255. Think about it: people mix those up constantly. 255.255. Consider this: 255. 0.0; the wildcard is 0.0.That said, it's the inverse. Now, 255. Plus, 255) is not a subnet mask. 0.Get that backwards and your match is garbage Less friction, more output..
For numbered, you'd start with access-list 110 extended style syntax depending on platform, but the logic is identical.
Step 3 — Apply to Interface and Direction
An ACL does nothing until it's on an interface. And direction matters more than people expect.
interface GigabitEthernet0/1
ip access-group GUEST_BLOCK in
in means packets entering that interface. out means leaving. A common real-talk mistake: applying in on the inside interface when you meant to filter traffic going toward the WAN on the outside. The router doesn't care what you meant. It filters what hits the interface in the direction you said The details matter here..
Step 4 — Verify What's Actually Happening
This is the part most guides skim. Don't It's one of those things that adds up..
show ip access-lists
That command shows you the rules AND the match counters. If your deny line says "0 matches" and you're sure traffic should hit it, your ACL isn't seeing that traffic — wrong interface, wrong direction, or wrong address range.
Also use:
show running-config interface g0/1
to confirm the group is attached. And show ip interface g0/1 will tell you which ACL is applied in which direction, even if you forgot That's the part that actually makes a difference..
Step 5 — Test With Real Traffic
Ping isn't enough if you're filtering TCP ports. If you blocked SSH, try to SSH. In real terms, if counters move on the deny line, you configured and verified extended ipv4 acls correctly. Use an actual connection attempt. If they don't, back to the plan Worth keeping that in mind..
Common Mistakes
Honestly, this is the part most guides get wrong — they list syntax but not the facepalms.
Wrong order. ACLs are processed top-down. Put a permit ip any any first and your specific denies below it will never be reached. The router stops at the first match. Always put specific rules above broad ones.
Wildcard confusion. Already mentioned, but worth repeating: wildcard is inverse of subnet mask. A /24 network 192.168.1.0 has wildcard 0.0.0.255. Write 0.0.255.0 and you matched something you didn't intend The details matter here..
Applying to the wrong direction. "I applied it but nothing changed!" — yeah, because you put out on an interface that never sends that flow. Draw the packet path. Then apply Not complicated — just consistent..
Forgetting the implicit deny when you actually want mostly open. If you write only deny lines and no permit, the invisible deny any any kills everything else. Sometimes that's what you want. Often it isn't.
Editing numbered ACLs blindly. On old IOS, you couldn't insert a line in the middle of a numbered list without recreating it. Named ACLs let you sequence. Use named. Save the pain.
Verifying only with show run. The config existing doesn't mean it's applied or matching. Counters are your truth Not complicated — just consistent..
Practical Tips
Here's what actually works when you do this for real, not just in a lab:
Use names that say what the ACL does, not its number. ACL_101 tells you nothing in six months. DENY_IOT_TO_CORP does The details matter here. Took long enough..
Put your most specific denies at the top. On the flip side, then narrower permits. Then a deliberate final permit or deny — never leave it to the implicit one by accident if you care about logging Most people skip this — try not to. But it adds up..
Speaking of logging: add log to critical deny lines during troubleshooting. You'll see matches in the console or buffer. Just don't leave it on forever; it eats CPU And that's really what it comes down to..
Document the intent above the ACL if your platform allows remarks:
ip access-list extended BLOCK_GUEST
remark Stop guest VLAN reaching internal servers
deny ip 10.99.0.0 0.0.255.255 10.10.0.0
0.0.255.255
permit ip any any
Remarks like this save the next person (or you, three months later) from guessing why a rule exists.
If you're dealing with IPv6, don't assume the same mindset carries over. IPv6 uses ipv6 access-list and the implicit deny still applies, but there's also the link-local and ICMPv6 neighbor discovery traffic you must permit or you'll break basic connectivity. A common safe pattern is to explicitly allow ICMPv6 and established sessions before your denies Simple, but easy to overlook..
For larger environments, consider object groups if your platform supports them. Instead of repeating the same subnet in ten lines, define it once:
object-group network CORP_SERVERS
10.10.0.0 255.255.0.0
!
ip access-list extended LIMIT_GUEST
deny ip object-group CORP_SERVERS any
permit ip any any
This keeps the ACL readable and reduces typo-driven outages And it works..
Finally, back up the running config before and after changes. A quick copy running-config startup-config plus an off-box backup means a mistaken ACL that locks you out isn't a career-limiting event — you can revert from console or management plane.
In short, configuring and verifying extended IPv4 ACLs is less about memorizing syntax and more about disciplined planning: know the traffic, respect the top-down match order, apply in the correct direction, and prove it with counters rather than assumptions. In real terms, do that, and access control becomes a tool you trust instead of a mystery that breaks the network at 2 a. m.