All topic guides
SecurityAmalgamated guide

Access Control Lists

Standard vs extended ACLs, wildcard masks, placement, and named ACLs.

How the sources were combined

Both sources emphasize ACL placement (standard near destination, extended near source). Panagiss has path diagrams; jdepew88 has application examples (NAT, redistribution, VPN interesting traffic) — merged with placement rules upfront.

Overview

ACLs filter or classify traffic by IP, protocol, and port. CCNA emphasizes standard vs extended ACLs, wildcard masks, placement rules, and implicit deny — plus ACL use in NAT, VPN, and QoS.

What ACLs do

Access Control Lists (ACLs) identify traffic by packet characteristics — source/destination IP, protocol, port — and permit or deny it. Routers and some switches apply ACLs at interfaces to enforce security and to classify traffic for other policies (NAT, VPN interesting traffic, QoS, redistribution).

Every ACL is a sequence of Access Control Entries (ACEs) — individual permit or deny lines evaluated top to bottom. The first match wins; processing stops immediately.

Info

ACLs are not only for security. Extended ACLs commonly define interesting traffic for IPsec VPNs, inside hosts for NAT, and traffic classes for QoS marking.

ACL overview — filtering traffic based on packet characteristics before forwarding or policy actions.

ACL overview — filtering traffic based on packet characteristics before forwarding or policy actions.

Supplementary figure from Panagiss CCNAmd

Standard vs extended ACLs

TypeNumber rangeMatchesTypical use
Standard1–99, 1300–1999Source IP onlySimple permit/deny by host or subnet
Extended100–199, 2000–2699Source/dest IP, protocol, portGranular filtering (block Telnet, allow HTTP)

Standard ACLs cannot filter by TCP/UDP port or application — they permit or deny the entire protocol suite for a source address.

Extended ACLs add Layer 4 detail: deny tcp any any eq 23, permit udp any host 10.1.1.1 eq 53, etc.

Trap

Standard ACL default wildcard is 0.0.0.0 (host). Writing access-list 1 deny 10.10.10.0 without a wildcard is interpreted as denying host 10.10.10.0, not the /24 subnet. Always specify the wildcard for subnets: 10.10.10.0 0.0.0.255.

Placement rules — the #1 exam topic

Where you apply an ACL determines what traffic it sees and whether you accidentally block legitimate flows.

Standard ACL — place close to the destination so you do not block unintended sources early.

Standard ACL — place close to the destination so you do not block unintended sources early.

Supplementary figure from Panagiss CCNAmd

Extended ACL — place close to the source so unwanted traffic is dropped before crossing the network.

Extended ACL — place close to the source so unwanted traffic is dropped before crossing the network.

Supplementary figure from Panagiss CCNAmd

ACL typePlacement ruleWhy
StandardNear destinationMatches source only — placing near source blocks that source from everything, not just the target
ExtendedNear sourceMatches specific flows — filter early before traffic consumes WAN bandwidth

Inbound vs outbound

DirectionWhen processedEfficiency note
InboundBefore routing decisionMore efficient — denied packets are not routed
OutboundAfter routing, at exit interfacePacket is already routed; deny wastes processing
Tip

Exam default: apply ACLs inbound when possible. On a perimeter router, an inbound ACL on the outside interface blocks bad traffic before the routing table processes it.

Wildcard masks

ACLs use wildcard masks (inverse of subnet masks). A 0 bit = must match; a 1 bit = don't care.

GoalAddressWildcard
Single host10.1.1.100.0.0.0 or keyword host 10.1.1.10
Entire subnet 10.1.1.0/2410.1.1.00.0.0.255
Any addressany(implicit 255.255.255.255)
Match 10.1.0.0–10.1.3.25510.1.0.00.0.3.255

OSPF area matching uses the same wildcard logic — if you understand ACL wildcards, OSPF network statements click.

Named ACLs

Modern best practice uses named ACLs for readability and the ability to insert ACEs at specific sequence numbers.

Named extended ACL

ip access-list extended BLOCK-TELNET deny tcp any any eq 23 permit ip any any ! interface GigabitEthernet0/0 ip access-group BLOCK-TELNET in

Named standard ACL

ip access-list standard MGMT-ONLY deny host 10.10.10.10 permit 10.10.10.0 0.0.0.255

Enter numbered ACL config mode to inject lines: ip access-list extended 110 then 15 deny tcp host 10.10.10.11 ... inserts between lines 10 and 20.

Applying ACLs to interfaces

Access-group on interface

interface GigabitEthernet0/1 ip access-group 100 in ip access-group 101 out

Rules:

  • Maximum one ACL per interface per direction (one inbound + one outbound allowed)
  • show ip interface GigabitEthernet0/1 | include access list — shows applied ACLs ("not set" if none)
  • VTY lines use access-class instead of ip access-group to restrict Telnet/SSH sources

Implicit deny and rule order

Every ACL ends with an implicit deny any any (or deny any for standard). Unmatched traffic is dropped.

ScenarioResult
No ACL on interfaceAll traffic permitted (default router behavior)
ACL applied with only permitsEverything not explicitly permitted is denied
ACL with explicit deny any logSame deny, but generates syslog for auditing

Order matters:

Correct order — deny host, then permit subnet

access-list 1 deny host 10.10.10.10 access-list 1 permit 10.10.10.0 0.0.0.255

Reversing these lines permits 10.10.10.10 because the subnet permit matches first.

ACEs auto-number in increments of 10 (10, 20, 30…). Use show access-lists to verify sequence and hit counts.

Warning

Traffic sourced from the router itself is not filtered by interface ACLs. An outbound ACL on F0/0 does not block Telnet initiated from the router's CLI — only transit traffic.

ACL applications beyond filtering

ApplicationHow ACL is used
NATaccess-list 1 permit 10.0.2.0 0.0.0.255 identifies inside hosts to translate
VPN (IPsec)Extended ACL defines interesting traffic for encryption
RedistributionRoute maps reference ACLs to permit/deny routes between protocols
QoSClass maps match ACL traffic for marking and queuing
VTY securityaccess-class 1 in on VTY lines limits management sources

Configuration examples

Block Telnet, permit all other IP (extended)

access-list 100 deny tcp any any eq 23 access-list 100 permit ip any any ! interface GigabitEthernet0/0 ip access-group 100 in

Permit management subnet only (standard, near destination)

access-list 10 permit 192.168.100.0 0.0.0.255 ! interface GigabitEthernet0/1 ip access-group 10 in

Restrict SSH to admin workstation (VTY)

access-list 1 permit host 10.0.0.10 ! line vty 0 15 access-class 1 in transport input ssh login local

Verification and troubleshooting

ACL verification

show access-lists show access-lists 100 show ip interface GigabitEthernet0/0 | include access list show running-config | section access-list

SymptomLikely cause
All traffic blockedOnly deny lines, or no permit before implicit deny
Specific host still allowedPermit line above deny; wrong wildcard
ACL seems ignoredApplied outbound when you meant inbound; wrong interface
Can't Telnet to routerVTY access-class or extended ACL blocking port 23

Exam checklist

TrapRemember
Standard ACL near sourceBlocks source from all destinations
Extended ACL near destinationToo late — traffic already crossed the network
Forgetting implicit denyMust have at least one permit or all traffic drops
Wrong wildcard0.0.0.255 for /24, not 255.255.255.0
Router-originated trafficInterface ACLs don't filter locally generated packets
Two inbound ACLsNot allowed — one per direction only

Related lessons on this site

Continue in this domain

Security · guide 1 of 3

Sources & further reading

Panagiss CCNAmd

jdepew88 CCNA Notes (markdown)

psaumur CCNA Course Notes

This page is an amalgamated study guide synthesized from the markdown sources above, cross-checked against Cisco's official CCNA exam topics. Verify scope before your exam date.