Watch first
Standard ACLs (Day 34)
Video credit: Jeremy's IT Lab
Watch on YouTubeExtended ACLs (Day 35)
Video credit: Jeremy's IT Lab
Watch on YouTubePlain-English explanation
Access Control Lists (ACLs) filter traffic on Cisco routers (and some switches). Standard ACLs (1–99, 1300–1999) match source IP only — place them close to destination to avoid blocking unintended traffic early.
Extended ACLs (100–199, 2000–2699) match source/destination IP, protocol, and port — place close to source to filter before traffic crosses the network.
Every ACL has an implicit deny all at the end — if you forget a permit, everything drops.
Deep dive

Standard ACL — place close to the destination.
Supplementary figure from Panagiss CCNAmd

Extended ACL — place close to the source.
Supplementary figure from Panagiss CCNAmd
Additional topic reference
Standard example:
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 deny any
Extended example:
access-list 100 deny tcp any any eq 23
access-list 100 permit ip any any
Placement logic:
| Type | Match | Best placement | |------|-------|----------------| | Standard | Source only | Near destination | | Extended | L3/L4 detail | Near source |
Named ACLs (modern):
ip access-list extended BLOCK-TELNET
deny tcp any any eq 23
permit ip any any
!
interface GigabitEthernet0/0
ip access-group BLOCK-TELNET in
Step-by-step — block Telnet, allow other IP
Requirement: Prevent subnet 10.1.1.0/24 from Telnet to server 10.2.2.50, allow other traffic.
On router near source 10.1.1.0:
ip access-list extended NO-TELNET-FROM-SALES
deny tcp 10.1.1.0 0.0.0.255 host 10.2.2.50 eq 23
permit ip any any
!
interface GigabitEthernet0/1
ip access-group NO-TELNET-FROM-SALES out
Verify with telnet test and show access-lists.
Commands to know
interface GigabitEthernet0/0 ip access-group 100 in ! show access-lists show ip interface GigabitEthernet0/0
Troubleshooting
| Symptom | Check | |---------|-------| | Everything blocked | Implicit deny — missing permit | | ACL seems ignored | Wrong interface or direction | | Works one way only | Return traffic filtered — stateful firewalls beyond CCNA | | Hit counts zero | Traffic not matching interface direction |
Insert explicit permit for required management before deny rules.
Exam relevance
Standard ACL cannot filter by destination port — only extended ACLs match TCP/UDP port numbers.
First match wins. Put specific denies before broad permits.
Practice checklist
- Write standard ACL permitting two subnets only
- Write extended ACL blocking HTTP to one server
- Explain placement choice for a given scenario
- Read ACL output with hit counters
- Convert three requirements into ordered ACL lines
Which ACL type can filter by destination TCP port?
Where should extended ACLs typically be placed?