Week 7Security Fundamentals40 min

Standard and Extended ACLs

Learning objectives

  • Compare standard vs extended ACL capabilities and placement
  • Write ACL entries with correct wildcard masks and protocol matching
  • Apply implicit deny and rule order best practices
  • Choose inbound vs outbound ACL placement for scenario questions

Watch first

Recommended video

Standard ACLs (Day 34)

Video credit: Jeremy's IT Lab

Watch on YouTube
Recommended video

Extended ACLs (Day 35)

Video credit: Jeremy's IT Lab

Watch on YouTube

Plain-English explanation

Access Control Lists (ACLs) filter traffic on Cisco routers (and some switches). Standard ACLs (1–99, 1300–1999) match source IP only — place them close to destination to avoid blocking unintended traffic early.

Extended ACLs (100–199, 2000–2699) match source/destination IP, protocol, and port — place close to source to filter before traffic crosses the network.

Every ACL has an implicit deny all at the end — if you forget a permit, everything drops.

Deep dive

Standard ACL — place close to the destination.

Standard ACL — place close to the destination.

Supplementary figure from Panagiss CCNAmd

Extended ACL — place close to the source.

Extended ACL — place close to the source.

Supplementary figure from Panagiss CCNAmd

Standard example:

access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 deny any

Extended example:

access-list 100 deny tcp any any eq 23
access-list 100 permit ip any any

Placement logic:

| Type | Match | Best placement | |------|-------|----------------| | Standard | Source only | Near destination | | Extended | L3/L4 detail | Near source |

Named ACLs (modern):

ip access-list extended BLOCK-TELNET
 deny tcp any any eq 23
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group BLOCK-TELNET in

Step-by-step — block Telnet, allow other IP

Requirement: Prevent subnet 10.1.1.0/24 from Telnet to server 10.2.2.50, allow other traffic.

On router near source 10.1.1.0:

ip access-list extended NO-TELNET-FROM-SALES
 deny tcp 10.1.1.0 0.0.0.255 host 10.2.2.50 eq 23
 permit ip any any
!
interface GigabitEthernet0/1
 ip access-group NO-TELNET-FROM-SALES out

Verify with telnet test and show access-lists.

Commands to know

ACL application

interface GigabitEthernet0/0 ip access-group 100 in ! show access-lists show ip interface GigabitEthernet0/0

Troubleshooting

| Symptom | Check | |---------|-------| | Everything blocked | Implicit deny — missing permit | | ACL seems ignored | Wrong interface or direction | | Works one way only | Return traffic filtered — stateful firewalls beyond CCNA | | Hit counts zero | Traffic not matching interface direction |

Insert explicit permit for required management before deny rules.

Exam relevance

Exam trap

Standard ACL cannot filter by destination port — only extended ACLs match TCP/UDP port numbers.

Order matters

First match wins. Put specific denies before broad permits.

Practice checklist

  • Write standard ACL permitting two subnets only
  • Write extended ACL blocking HTTP to one server
  • Explain placement choice for a given scenario
  • Read ACL output with hit counters
  • Convert three requirements into ordered ACL lines

Which ACL type can filter by destination TCP port?

Where should extended ACLs typically be placed?

Video credits

These are free, open educational videos from independent creators. We link and embed them with attribution; all rights belong to the respective channels.