
Access Control Lists on Cisco IOS: Standard, Extended, and Named ACLs

How to write, apply, and troubleshoot standard and extended ACLs on Cisco IOS, including the implicit deny rule, wildcard masks, and common exam question traps.

Courseiva Study Hub

Reviewed by Johnson Ajibi, MSc IT Security

12+ years in network and security engineering · Founder, JTNetSolutions Limited & Courseiva

Access Control Lists (ACLs) are a fundamental tool for filtering traffic on Cisco routers and switches. For the CCNA 200-301 exam, you must understand how to write, apply, and troubleshoot standard, extended, and named ACLs. This post covers the mechanics, the implicit deny rule, wildcard masks, and common exam traps.

Types of ACLs

Cisco IOS supports three types of ACLs relevant to CCNA:

  • Standard ACLs: Filter based on source IP address only. Numbered 1–99 and 1300–1999.
  • Extended ACLs: Filter based on source/destination IP, protocol, and port numbers. Numbered 100–199 and 2000–2699.
  • Named ACLs: Can be standard or extended, but identified by a name instead of a number. Allow easier editing.

The Implicit Deny Rule

Every ACL ends with an implicit deny statement (deny any for a standard ACL, deny ip any any for an extended one). If a packet matches no entry, it is dropped. The implicit deny never appears in the configuration, but it is always there. A common mistake is to write only the entries you want to block and forget that everything else is now denied too; to let other traffic through, add an explicit permit any (standard) or permit ip any any (extended) as the last entry. The opposite trap also exists: an ACL that contains no entries at all, for example because ip access-group refers to a number or name that was never configured, filters nothing and permits all traffic.

Wildcard Masks

ACLs use wildcard masks to match IP addresses. A wildcard mask is the inverse of a subnet mask: 0 means match exactly, 1 means ignore.

  • 0.0.0.0 means every bit must match, so the entry matches exactly one address (equivalent to the host keyword).
  • 255.255.255.255 means every bit is ignored, so the entry matches any address (equivalent to the any keyword).
  • Example: To match the subnet 192.168.1.0/24, use 192.168.1.0 0.0.0.255 (the subnet mask 255.255.255.0 inverted).

Common shortcuts:

  • host 10.0.0.1 = 10.0.0.1 0.0.0.0
  • any = 0.0.0.0 255.255.255.255
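
The following Python example is added here and is not part of the study guide or a Cisco tool. It does the wildcard arithmetic behind these shortcuts: wildcard_from_prefix derives a wildcard from a prefix length, wildcard_match applies an address/wildcard pair the way IOS does, and matched_third_octets lists what a non-contiguous wildcard such as 0.0.254.255 selects, which is the odd/even subnet trick exam questions use. All function names are ours.

```python
# Added example, not from the study guide or Cisco: wildcard-mask arithmetic for IOS ACLs.
import ipaddress


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Inverse of the subnet mask: /24 -> 0.0.0.255, /32 -> 0.0.0.0, /0 -> 255.255.255.255."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))


def wildcard_match(address: str, network: str, wildcard: str) -> bool:
    """True if every bit that is 0 in the wildcard is identical in address and network.
    Bits that are 1 in the wildcard are ignored, so 0.0.0.0 means "this one host"
    and 255.255.255.255 means "any address"."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(address) & care) == (_to_int(network) & care)


def matched_third_octets(network: str, wildcard: str) -> list:
    """Third-octet values that `network wildcard` matches (first two octets fixed),
    which makes a non-contiguous wildcard such as 0.0.254.255 easy to read."""
    first, second = network.split(".")[:2]
    return [o for o in range(256)
            if wildcard_match(f"{first}.{second}.{o}.1", network, wildcard)]


if __name__ == "__main__":
    print(wildcard_from_prefix(24))                                    # 0.0.0.255
    print(wildcard_match("192.168.1.77", "192.168.1.0", "0.0.0.255"))  # True
    print(matched_third_octets("192.168.1.0", "0.0.254.255")[:4])      # [1, 3, 5, 7]
    print(matched_third_octets("172.16.4.0", "0.0.3.255"))             # [4, 5, 6, 7]
```

Run it and compare: 192.168.1.0 0.0.254.255 matches every odd-numbered /24 under 192.168, 192.168.0.0 0.0.254.255 every even one, and 172.16.4.0 0.0.3.255 the four contiguous subnets 172.16.4.0 through 172.16.7.0, the same pattern you use to summarise an aligned block of subnets in one entry.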

Standard ACLs

Standard ACLs are placed as close to the destination as possible. Because they match on the source address only, a standard ACL placed near the source would also block that source's traffic to every other destination, not just the one you want to protect. They are numbered 1–99 or 1300–1999.

Example: Permit traffic from network 192.168.1.0/24 and deny all others. No deny line is needed; the implicit deny drops everything that does not match the permit.

access-list 10 permit 192.168.1.0 0.0.0.255

Apply inbound on an interface:

interface GigabitEthernet0/0
 ip access-group 10 in

Extended ACLs

Extended ACLs provide granular control. They are numbered 100–199 or 2000–2699. Syntax:

access-list [number] [permit|deny] [protocol] [source] [source-wildcard] [destination] [destination-wildcard] [eq port]

Example: Permit HTTP traffic (TCP port 80) from host 10.0.0.1 to server 192.168.1.100, deny all other traffic.

access-list 100 permit tcp host 10.0.0.1 host 192.168.1.100 eq 80

Apply outbound on the server-facing interface:

interface GigabitEthernet0/1
 ip access-group 100 out

Extended ACLs are placed as close to the source as possible. Because they can identify the exact flow (addresses, protocol and ports), traffic that will be denied anyway is dropped on the first hop instead of crossing the network first. In the example above, applying ACL 100 inbound on the interface facing host 10.0.0.1 would do the same job one hop earlier.

Named ACLs

Named ACLs allow easier management. Use ip access-list standard NAME or ip access-list extended NAME.

Example: Create a named extended ACL to block Telnet (TCP port 23) from subnet 10.0.0.0/24 to subnet 192.168.1.0/24.

ip access-list extended BLOCK_TELNET
 deny tcp 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 23
 permit ip any any

Apply inbound on interface facing 10.0.0.0/24:

interface GigabitEthernet0/0
 ip access-group BLOCK_TELNET in

Named ACLs number their entries with sequence numbers (10, 20, 30 and so on by default). Inside ip access-list configuration mode you can delete one entry with no followed by its sequence number, or insert a new entry between two existing ones by giving it a sequence number in the gap, without rebuilding the whole list. Recent IOS versions let you edit numbered ACLs the same way by entering ip access-list standard or ip access-list extended with the number in place of the name.

Applying ACLs

ACLs are applied to interfaces with ip access-group in a specific direction:

  • Inbound: Packets arriving on the interface are checked before routing.
  • Outbound: Packets leaving the interface are checked after routing.

Only one ACL can be applied per interface, per direction, per protocol (one inbound and one outbound IPv4 ACL on each interface). Note also that an outbound ACL does not filter packets the router itself generates, such as routing protocol updates or pings sourced from the router.

Troubleshooting ACLs

Common issues:

  • Forgetting the implicit deny: Traffic that is not explicitly permitted is dropped, even if you only meant to block one thing.
  • Wrong order: Entries are processed top-down and the first match wins. Place more specific entries before general ones; an entry placed after a broader one that already matches the traffic never fires.
  • Wrong direction: Ensure the ACL is applied on the correct interface and in the correct direction; in and out are relative to the router, not to the user.
  • Typos in addresses or wildcard masks: Verify with show access-lists and check that the entries you expect to match are actually accumulating matches.

Commands:

  • show access-lists – displays all ACLs and hit counts.
  • show ip interface [interface] – shows applied ACLs.
  • debug ip packet [acl-number] – use with caution in production.
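
The Python example below is added here and is not Cisco code or part of the original guide. It models how IOS walks an ACL: parse_acl reads the entry syntax used in this guide (numbered standard and extended entries and the body of a named ACL), Acl.evaluate checks a packet top-down with the implicit deny at the end, and each entry keeps a match counter like the one show access-lists reports. The constructed sample input is the guide's BLOCK_TELNET list and a deliberately mis-ordered copy of it, which shows why a permit ip any any placed first leaves every later entry with zero matches. Only the eq port operator and the protocols named in this guide are handled, and the port-name table is a small assumed subset.

```python
# Added example, not Cisco code: a first-match evaluator for the ACL syntax used in this guide.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Small assumed subset of the port keywords IOS accepts in place of numbers.
PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22, "domain": 53}
PROTOCOLS = ("ip", "tcp", "udp", "icmp")


def _wildcard_match(addr: str, net: str, wc: str) -> bool:
    """Bits that are 0 in the wildcard must be equal; bits that are 1 are ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wc))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def _parse_addr(tokens):
    """Consume one address spec: `any`, `host X`, `X WILDCARD`, or a bare `X` (= host X)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if len(tokens) > 1 and tokens[1][0].isdigit():
        return (tokens[0], tokens[1]), tokens[2:]
    return (tokens[0], "0.0.0.0"), tokens[1:]


def _parse_port(tokens):
    """Consume an optional `eq PORT`; gt/lt/neq/range are not modelled here."""
    if tokens and tokens[0] == "eq":
        port = tokens[1]
        return (int(port) if port.isdigit() else PORT_NAMES[port]), tokens[2:]
    return None, tokens


@dataclass
class Entry:
    text: str                 # the entry as written, for show()
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches every IP protocol
    src: Tuple[str, str]      # (network, wildcard)
    dst: Tuple[str, str]      # standard entries get any here
    dport: Optional[int]      # None when no `eq` was given
    hits: int = 0             # match counter, as in `show access-lists`

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        return (self.proto in ("ip", proto)
                and _wildcard_match(src, *self.src)
                and _wildcard_match(dst, *self.dst)
                and (self.dport is None or self.dport == dport))


@dataclass
class Acl:
    entries: List[Entry]

    def evaluate(self, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
        """Top-down, first match wins; no match at all is the implicit deny."""
        for entry in self.entries:
            if entry.matches(proto, src, dst, dport):
                entry.hits += 1
                return entry.action
        return "deny"

    def show(self) -> List[str]:
        """Entries with their counters, in the spirit of `show access-lists`."""
        return [f"{e.text} ({e.hits} matches)" if e.hits else e.text for e in self.entries]


def parse_acl(text: str) -> Acl:
    entries = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if tokens[:1] == ["access-list"]:                # numbered form: drop `access-list N`
            tokens = tokens[2:]
        if tokens and tokens[0].isdigit():               # explicit sequence number
            tokens = tokens[1:]
        if not tokens or tokens[0] in ("ip", "remark"):  # `ip access-list` header or a remark
            continue
        action, rest = tokens[0], tokens[1:]
        if rest[0] in PROTOCOLS:                         # extended entry
            proto, rest = rest[0], rest[1:]
            src, rest = _parse_addr(rest)
            _sport, rest = _parse_port(rest)             # source port parsed, not enforced here
            dst, rest = _parse_addr(rest)
            dport, rest = _parse_port(rest)
        else:                                            # standard entry: source only
            proto, dport = "ip", None
            src, rest = _parse_addr(rest)
            dst = ("0.0.0.0", "255.255.255.255")
        entries.append(Entry(" ".join(tokens), action, proto, src, dst, dport))
    return Acl(entries)


# Constructed sample input: the guide's BLOCK_TELNET list, then the same two
# entries in the wrong order, where the deny can never be reached.
BLOCK_TELNET = """ip access-list extended BLOCK_TELNET
 deny tcp 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 23
 permit ip any any"""
MISORDERED = """ip access-list extended BLOCK_TELNET_WRONG
 permit ip any any
 deny tcp 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 23"""

if __name__ == "__main__":
    for config in (BLOCK_TELNET, MISORDERED):
        acl = parse_acl(config)
        print(acl.evaluate("tcp", "10.0.0.5", "192.168.1.10", 23), acl.show())
```

Running it prints deny for the Telnet packet against BLOCK_TELNET and permit against the mis-ordered copy, where the deny entry stays at zero matches. A real `show access-lists` with a counter that never moves on an entry you expected to fire is exactly the symptom to look for when an ACL is ordered wrongly or applied in the wrong direction.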

Exam Tips: What to Watch For

  • Implicit deny: Always remember it exists. If an ACL only has permit statements, all other traffic is denied.
  • Standard ACL placement: Place standard ACLs near the destination; extended near the source.
  • Wildcard mask tricks: The exam may ask for a wildcard that matches an odd/even subnet or specific hosts.
  • Protocol keywords: tcp, udp, icmp, ip (matches all IP protocols).
  • Port keywords: eq, gt, lt, neq, range.
  • Named ACL editing: Inside ip access-list configuration mode you can delete a single entry with no followed by its sequence number (for example no 20) instead of removing the whole list.
  • VTY access: To restrict Telnet/SSH to the device itself, apply a standard ACL with access-class under line vty configuration. ip access-group is for interfaces; access-class is for lines.

Conclusion

Mastering ACLs is essential for CCNA. Practice writing standard, extended, and named ACLs, and always verify with show access-lists. Remember the implicit deny and place ACLs correctly.

Test your knowledge with practice questions on platforms like Boson ExSim or Cisco's official study materials. Focus on scenarios involving wildcard masks, port numbers, and ACL placement to solidify your understanding.
