Cisco ACL Generator

ACL name:

Use a short deployment-safe name such as EDGE-IN, DMZ-WEB-IN, or PARTNER-API.

Flow rows:

Use one flow per row. IPv4 CIDR, host IP, host x.x.x.x, any, and address wildcard forms are supported.

{{ params.source.length.toLocaleString() }} chars

Start sequence:

Leave room above existing entries when inserting into a live named ACL.

seq

Sequence step:

A step of 10 is common for ordered change windows and later resequencing.

step

Fix before pasting

{{ error }}

Default logging:

Keep None for unchanged syntax, or set Log when generated denies should be visible in ACL hit logging.

Include sequence numbers:

Turn off only when pasting into a platform or template that does not accept sequence prefixes.

Emit remark lines:

Disable only when the receiving template manages ACL comments elsewhere.

Add explicit terminal deny:

Cisco ACLs already have an implicit deny; enable this only when your review standard wants an explicit logged ending.

{{ result.configText }}

{{ header }}	Copy
{{ cell }}
No rows for the current input.

Export to PDF Fullscreen

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

Cisco extended access control lists are ordered rule sets for IPv4 traffic. Each access control entry says whether to permit or deny a packet after comparing the protocol, source address, destination address, and, for TCP, UDP, or ICMP, the relevant service or message type.

Order matters as much as the match fields. IOS evaluates ACL entries from top to bottom, and the first matching entry decides what happens to the packet. A broad permit ip any any above a narrow deny can make the deny meaningless; a broad deny above a required service can break an application before a later permit is ever reached.

A packet is checked against ordered access control entries. The first matching entry decides the result; unmatched traffic reaches the implicit deny.

Wildcard masks are another common source of mistakes. In ACL syntax, a zero bit must match and a one bit can vary, so 203.0.113.0 0.0.0.255 represents the 203.0.113.0/24 range. The host keyword is a shorthand for a zero wildcard mask, and any is a shorthand for the all-address wildcard form.

A generated ACL is still a deployment draft. It does not prove that the interface direction is right, that object groups and time ranges already exist on the device, or that logging volume is acceptable. The final review should compare the generated entries with the change request, the platform syntax, and live device policy before paste-in.

Technical Details:

Named extended IPv4 ACLs use ip access-list extended NAME, followed by ordered permit, deny, and remark entries. Extended entries can match protocol, source address, destination address, source port for TCP or UDP, destination port or ICMP type, and options such as established, fragments, or time-range NAME.

The ordered evaluation rule is the main safety constraint. A packet that matches an entry is not tested against later entries. Unmatched packets fall through to the platform's implicit deny, so a list with only deny entries usually blocks everything unless a permit appears before the end.

Rule Core

ACL rows become Cisco entries by normalizing the decision, protocol, address form, service form, and optional logging token. CIDR notation is converted into IOS address plus wildcard notation, while host and any shorthands remain compact in the final configuration.

Cisco ACL row shapes and generated IOS syntax
Input shape	Generated syntax	Review point
`any` or `0.0.0.0/0`	`any`	Matches every IPv4 address in that field.
`host 10.20.10.10` or `10.20.10.10/32`	`host 10.20.10.10`	Matches one IPv4 address.
`203.0.113.0/24`	`203.0.113.0 0.0.0.255`	Network base is normalized before the wildcard is emitted.
`10.20.0.0 0.0.255.255`	Address and wildcard are preserved after IPv4 validation.	Noncontiguous wildcard masks can be valid but deserve careful review.
`object-group WEB-SOURCES`	`object-group WEB-SOURCES`	The named object group must already exist on the target platform.
TCP or UDP service such as `443`, `eq 443`, or `1024-65535`	`eq 443` or `range 1024 65535`	Service names and ranges are accepted only for TCP and UDP rows.
ICMP type such as `echo` or `3 1`	ICMP message name or numeric type/code	Only one ICMP type or type/code pair is accepted per row.

For a normal CIDR block, the wildcard is the inverse of the subnet mask. A /24 leaves eight host bits, so the wildcard is 0.0.0.255. A /32 leaves no host bits, so the generated form can use host.

wildcard = ~ subnet mask

Port expansion is deliberate. A row with two source port variants and three destination port variants produces six access control entries, because IOS ACE syntax keeps one operator set per emitted entry. The generator blocks a single row when that expansion would exceed 40 ACEs and blocks the whole generated ACL when the expanded output exceeds 300 ACEs.

Validation and safety review boundaries for generated Cisco ACLs
Boundary	Limit or behavior	Why it matters
ACL name	Letters, numbers, underscore, period, colon, and hyphen, up to 64 characters.	Keeps the named ACL practical for IOS-style configuration mode.
Sequence numbers	Start value from `1` to `2147483647`; step from `1` to `1000000`.	Gaps leave room for later insertions and resequencing.
Remarks	Whitespace is normalized and long remarks are shortened to 100 characters.	Short remarks are easier to review and paste across IOS-family targets.
Logging	Blank, `none`, `log`, and `log-input` are recognized.	Logging improves evidence, but high-volume matches can affect device and syslog load.
Options	Simple IOS tokens such as `established`, `fragments`, and `time-range NAME` are accepted.	Unsupported characters are blocked before output is copied.
Broad matches	Any-any and wide source/destination combinations are flagged in review rows.	Broad entries can shadow later rules or expose more traffic than intended.

Remarks and sequence numbers are configuration aids, not packet match fields. A remark line helps a reviewer understand why the next entry exists, while sequence numbers make insertions and ordered review easier. Turning either off changes paste syntax, not the packet matching performed by permit and deny entries.

Logging choices deserve platform-specific judgment. log and log-input can make deny verification easier, and log-input may include ingress-interface evidence on supported platforms. Logging every high-volume deny or catch-all entry can produce noise and CPU impact, so review logging against the exact IOS or IOS XE train and the organization's syslog policy.

Everyday Use & Decision Guide:

Start with the ACL name and one row per intended traffic flow. The accepted columns are action, protocol, source, destination, destination_port, remark, log, source_port, and option. Headers are optional, and older six-column rows still work for simple action, protocol, source, destination, service, and remark inputs.

The first useful pass is usually narrow and numbered. Keep sequence numbers on, leave a step of 10, add short remarks, and put narrow host or subnet permits above broad denies. Set default logging only when blank row values should inherit log or log-input; row values still override that default.

Use Browse when the source rows already live in a CSV, TXT, ACL, or config file under 256 KiB.
Use Normalize after a valid parse to rewrite the rows into the canonical column order.
Keep Emit remark lines on when comments belong in the device configuration.
Turn off Include sequence numbers only when the receiving template rejects sequence prefixes.
Enable Add explicit terminal deny only when the review standard wants a visible final deny ip any any log.

The result tabs serve different review jobs. Cisco ACL Config is the paste-ready named ACL. ACE Ledger shows each generated ACE after row and port expansion. Safety Review calls out first-match risks, any-any scope, unlogged denies, missing remarks, expansion, and sequence planning. ACL Match Mix summarizes permit and deny counts by protocol so a reviewer can spot a surprising match profile.

A common mistake is treating a valid generated config as a complete change. Object groups, time ranges, interface direction, hardware limits, and existing ACL entries are outside the generated rows. Use the safety review as a checklist, then compare the final config against the target device before deployment.

When the summary says Blocked, fix the named field or row before copying config. When it says Cisco ACL ready, read the review table anyway, especially if the badges show broad matches or many logged entries.

Step-by-Step Guide:

Use this flow to turn a traffic-flow spreadsheet into a named IPv4 extended ACL draft.

Enter ACL name. If the summary reports a name issue, keep only letters, numbers, underscore, period, colon, and hyphen, with no more than 64 characters.
Paste or load Flow rows. Include a header when possible, or use the default order of action, protocol, source, destination, destination port, remark, log, source port, and option.
Review the row status below the textarea. A valid parse shows source-row and generated-ACE counts; a failed parse shows the first problem, such as an invalid IPv4 address, unsupported protocol token, bad port range, or source port on an ICMP row.
Set Start sequence and Sequence step. Leave gaps when the ACL may need inserted entries during the same change window.
Open Advanced only when the defaults need to change. Check Default logging, Include sequence numbers, Emit remark lines, and Add explicit terminal deny against the target platform and review standard.
Open Safety Review. Clear Risk rows such as a terminal broad match before later rows, and make a deliberate decision on Review rows such as unlogged denies or missing remarks.
Open ACE Ledger when rows contain multiple services. Confirm that expansion created the intended separate entries and that the source and destination forms match the change request.
Copy Cisco ACL Config only after the summary remains ready and the generated ACL lines match the intended device syntax.

Interpreting Results:

Cisco ACL ready means the entered rows can produce IOS-style named extended ACL syntax under the selected options. It does not mean the policy is least privilege, that the target platform supports every option token, or that the ACL has been applied in the correct direction.

Cisco ACL generator result statuses and review actions
Result cue	Meaning	Follow-up
`Blocked`	A required field or row failed validation.	Fix the error message before using the generated config.
`Ready` review row	No issue was detected for that check.	Still compare the generated ACEs with the change request.
`Review` review row	The config can be built, but the row deserves attention.	Decide whether the warning is acceptable for the target device.
`Risk` review row	An ACL-order or breadth issue may change traffic handling.	Move or narrow the entry before deployment unless the risk is intentional.
`ACL Match Mix`	Permit and deny ACE counts grouped by protocol.	Investigate unexpected protocols or a deny-heavy profile before paste-in.

Do not overread the chart or summary badges. They count generated entries, not expected packet volume or business approval. A single broad permit may be more important than many narrow denies, and a single logged catch-all can create more operational noise than the rest of the list.

The copied ACL should be tested on a lab or maintenance device path when the change is sensitive. Use device commands such as show ip access-list and platform-specific packet tests to confirm sequence order, hit counts, object references, and logging behavior.

Worked Examples:

Partner HTTPS permit. A row of permit,tcp,203.0.113.0/24,10.20.10.10/32,443,Allow partner HTTPS,log,, produces a named ACL entry like permit tcp 203.0.113.0 0.0.0.255 host 10.20.10.10 eq 443 log. ACE Ledger shows one generated ACE, and Safety Review should keep the address breadth acceptable because neither endpoint is any-any.

Multiple destination services. A deny row with destination ports 22,3389 expands into two ACEs, one for SSH and one for RDP. The summary count increases by two, Expansion in Safety Review asks for review, and ACE Ledger shows each service on its own line so the reviewer can confirm both entries are intended.

Explicit terminal deny. With Add explicit terminal deny enabled, the config appends a generated deny ip any any log entry after the source rows. Terminal behavior changes from informational to ready, but the reviewer still needs to confirm that logging every unmatched packet will not overload syslog or the device CPU.

ICMP source-port mistake. A row such as permit,icmp,198.51.100.0/24,10.20.10.10/32,echo,Allow monitoring ping,log,1234, is blocked because source ports are not valid for ICMP rules. The corrective path is to clear source_port, keep echo in destination_port, and recheck that Cisco ACL Config emits the intended ICMP message type.

Broad match found during review. A row of permit,ip,any,any,,Temporary allow,log,, is syntactically valid but produces an any-any ACE. The summary badge warns about broad scope, and Address breadth in Safety Review should stop the change unless that catch-all is intentional and ordered after narrower entries.

Security and Privacy Notes:

ACL generation happens in the browser after the page loads. The entered rows, generated config, ledger, chart data, and JSON output are handled client-side by this tool, with no server-side ACL generation endpoint in the bundle.

Treat the output as a security-sensitive draft. It may contain internal host addresses, object-group names, and change-request comments. Review it with the same care as a device configuration snippet, and do not paste it into production until platform syntax and policy intent have both been checked.

FAQ:

Does a ready result mean the ACL is safe to deploy?

No. A ready result means the inputs can be converted into named IPv4 extended ACL syntax. You still need to confirm order, platform support, object groups, time ranges, interface direction, and expected traffic behavior.

What row formats are accepted?

Rows may include headers for action, protocol, source, destination, destination port, remark, log, source port, and option. IPv4 CIDR, host syntax, any, object groups, and address-plus-wildcard syntax are accepted for address fields.

Why did one row create several ACEs?

Multiple source or destination port values are expanded into separate entries. IOS ACE syntax stays easier to audit when each emitted line has one specific port operator or range.

Why is my ICMP row blocked?

ICMP rows do not use TCP or UDP source ports. Put the ICMP message name or numeric type/code in destination_port, leave source_port blank, and run the parse again.

Should I use log or log-input on every deny?

Usually no. Logging important denies can help verification, but high-volume matches can create device and syslog load. Use Safety Review to find unlogged denies, then choose logging based on the target platform and traffic volume.

Does the generated ACL include the interface command?

No. The output creates the named ACL content. Applying it with the correct interface, direction, VTY line, route map, or other reference remains a separate device configuration step.

Glossary:

ACL: Access control list, an ordered set of permit and deny rules.
ACE: Access control entry, one permit or deny line inside an ACL.
Wildcard mask: ACL address mask where zero bits must match and one bits can vary.
Named extended ACL: An IPv4 ACL identified by a name and able to match protocol, source, destination, and services.
Implicit deny: The deny result reached when no earlier ACE matches a packet.
Object group: A named address or service collection referenced by an ACL entry on platforms that support it.
Sequence number: The ordered number before an ACL entry, used for insertion and review.
log-input: A logging option that may add ingress-interface evidence on supported platforms.

References:

Configure IP Access Lists, Cisco.
IP Access List Overview, Cisco.
Creating an IP Access List and Applying It to an Interface, Cisco.
Understanding Access Control List Logging, Cisco Security.