Overview
ACLs filter or classify traffic by IP, protocol, and port. CCNA emphasizes standard vs extended ACLs, wildcard masks, placement rules, and implicit deny — plus ACL use in NAT, VPN, and QoS.
What ACLs do
Access Control Lists (ACLs) identify traffic by packet characteristics — source/destination IP, protocol, port — and permit or deny it. Routers and some switches apply ACLs at interfaces to enforce security and to classify traffic for other policies (NAT, VPN interesting traffic, QoS, redistribution).
Every ACL is a sequence of Access Control Entries (ACEs) — individual permit or deny lines evaluated top to bottom. The first match wins; processing stops immediately.
ACLs are not only for security. Extended ACLs commonly define interesting traffic for IPsec VPNs, inside hosts for NAT, and traffic classes for QoS marking.

ACL overview — filtering traffic based on packet characteristics before forwarding or policy actions.
Supplementary figure from Panagiss CCNAmd
Standard vs extended ACLs
| Type | Number range | Matches | Typical use |
|---|---|---|---|
| Standard | 1–99, 1300–1999 | Source IP only | Simple permit/deny by host or subnet |
| Extended | 100–199, 2000–2699 | Source/dest IP, protocol, port | Granular filtering (block Telnet, allow HTTP) |
Standard ACLs cannot filter by TCP/UDP port or application — they permit or deny the entire protocol suite for a source address.
Extended ACLs add Layer 4 detail: deny tcp any any eq 23, permit udp any host 10.1.1.1 eq 53, etc.
Standard ACL default wildcard is 0.0.0.0 (host). Writing access-list 1 deny 10.10.10.0 without a wildcard is interpreted as denying host 10.10.10.0, not the /24 subnet. Always specify the wildcard for subnets: 10.10.10.0 0.0.0.255.
Placement rules — the #1 exam topic
Where you apply an ACL determines what traffic it sees and whether you accidentally block legitimate flows.

Standard ACL — place close to the destination so you do not block unintended sources early.
Supplementary figure from Panagiss CCNAmd

Extended ACL — place close to the source so unwanted traffic is dropped before crossing the network.
Supplementary figure from Panagiss CCNAmd
| ACL type | Placement rule | Why |
|---|---|---|
| Standard | Near destination | Matches source only — placing near source blocks that source from everything, not just the target |
| Extended | Near source | Matches specific flows — filter early before traffic consumes WAN bandwidth |
Inbound vs outbound
| Direction | When processed | Efficiency note |
|---|---|---|
| Inbound | Before routing decision | More efficient — denied packets are not routed |
| Outbound | After routing, at exit interface | Packet is already routed; deny wastes processing |
Exam default: apply ACLs inbound when possible. On a perimeter router, an inbound ACL on the outside interface blocks bad traffic before the routing table processes it.
Wildcard masks
ACLs use wildcard masks (inverse of subnet masks). A 0 bit = must match; a 1 bit = don't care.
| Goal | Address | Wildcard |
|---|---|---|
| Single host | 10.1.1.10 | 0.0.0.0 or keyword host 10.1.1.10 |
| Entire subnet 10.1.1.0/24 | 10.1.1.0 | 0.0.0.255 |
| Any address | any | (implicit 255.255.255.255) |
| Match 10.1.0.0–10.1.3.255 | 10.1.0.0 | 0.0.3.255 |
OSPF area matching uses the same wildcard logic — if you understand ACL wildcards, OSPF network statements click.
Named ACLs
Modern best practice uses named ACLs for readability and the ability to insert ACEs at specific sequence numbers.
ip access-list extended BLOCK-TELNET deny tcp any any eq 23 permit ip any any ! interface GigabitEthernet0/0 ip access-group BLOCK-TELNET in
ip access-list standard MGMT-ONLY deny host 10.10.10.10 permit 10.10.10.0 0.0.0.255
Enter numbered ACL config mode to inject lines: ip access-list extended 110 then 15 deny tcp host 10.10.10.11 ... inserts between lines 10 and 20.
Applying ACLs to interfaces
interface GigabitEthernet0/1 ip access-group 100 in ip access-group 101 out
Rules:
- Maximum one ACL per interface per direction (one inbound + one outbound allowed)
show ip interface GigabitEthernet0/1 | include access list— shows applied ACLs ("not set" if none)- VTY lines use
access-classinstead ofip access-groupto restrict Telnet/SSH sources
Implicit deny and rule order
Every ACL ends with an implicit deny any any (or deny any for standard). Unmatched traffic is dropped.
| Scenario | Result |
|---|---|
| No ACL on interface | All traffic permitted (default router behavior) |
| ACL applied with only permits | Everything not explicitly permitted is denied |
ACL with explicit deny any log | Same deny, but generates syslog for auditing |
Order matters:
access-list 1 deny host 10.10.10.10 access-list 1 permit 10.10.10.0 0.0.0.255
Reversing these lines permits 10.10.10.10 because the subnet permit matches first.
ACEs auto-number in increments of 10 (10, 20, 30…). Use show access-lists to verify sequence and hit counts.
Traffic sourced from the router itself is not filtered by interface ACLs. An outbound ACL on F0/0 does not block Telnet initiated from the router's CLI — only transit traffic.
ACL applications beyond filtering
| Application | How ACL is used |
|---|---|
| NAT | access-list 1 permit 10.0.2.0 0.0.0.255 identifies inside hosts to translate |
| VPN (IPsec) | Extended ACL defines interesting traffic for encryption |
| Redistribution | Route maps reference ACLs to permit/deny routes between protocols |
| QoS | Class maps match ACL traffic for marking and queuing |
| VTY security | access-class 1 in on VTY lines limits management sources |
Configuration examples
access-list 100 deny tcp any any eq 23 access-list 100 permit ip any any ! interface GigabitEthernet0/0 ip access-group 100 in
access-list 10 permit 192.168.100.0 0.0.0.255 ! interface GigabitEthernet0/1 ip access-group 10 in
access-list 1 permit host 10.0.0.10 ! line vty 0 15 access-class 1 in transport input ssh login local
Verification and troubleshooting
show access-lists show access-lists 100 show ip interface GigabitEthernet0/0 | include access list show running-config | section access-list
| Symptom | Likely cause |
|---|---|
| All traffic blocked | Only deny lines, or no permit before implicit deny |
| Specific host still allowed | Permit line above deny; wrong wildcard |
| ACL seems ignored | Applied outbound when you meant inbound; wrong interface |
| Can't Telnet to router | VTY access-class or extended ACL blocking port 23 |
Exam checklist
| Trap | Remember |
|---|---|
| Standard ACL near source | Blocks source from all destinations |
| Extended ACL near destination | Too late — traffic already crossed the network |
| Forgetting implicit deny | Must have at least one permit or all traffic drops |
| Wrong wildcard | 0.0.0.255 for /24, not 255.255.255.0 |
| Router-originated traffic | Interface ACLs don't filter locally generated packets |
| Two inbound ACLs | Not allowed — one per direction only |