
CCNA Access Control Lists (ACLs): Standard, Extended & Named ACLs

Courseiva Study Hub

Reviewed by Johnson Ajibi, MSc IT Security

12+ years in network and security engineering · Founder, JTNetSolutions Limited & Courseiva

Quick answer

CCNA ACLs filter traffic using permit/deny statements. Standard ACLs filter by source IP only and are placed closest to the destination. Extended ACLs filter by source, destination, protocol, and port, and are placed closest to the source. Named ACLs allow editing and descriptive names. Wildcard masks use 0 for exact match and 255 for "any." Master ACLs for the CCNA exam by understanding placement logic, wildcard masks, and practicing with real config examples.

Standard ACLs: Filtering by Source Only

Standard ACLs (numbered 1–99 or 1300–1999) evaluate traffic based solely on the source IP address. They are the simplest form of ACL, but their simplicity comes with a critical limitation: they cannot distinguish between traffic types (e.g., web vs. SSH) or consider the destination.

Key characteristics:

  • Numbered range: 1–99 (standard) and 1300–1999 (expanded standard)
  • Filter criteria: Source IP address only
  • Placement rule: Closest to the destination (to avoid blocking unintended traffic)
  • Implicit deny all at the end

Why place standard ACLs near the destination? Because they only see the source, placing them too close to the source could block all traffic from that host—including traffic destined for other networks. For example, if you want to block Host A from reaching Server B but allow Host A to reach Server C, placing a standard ACL on Router A (near the source) would block Host A from both servers. Placing it on Router B (near the destination) allows granular control.

Config example:

R1(config)# access-list 10 deny host 192.168.1.10
R1(config)# access-list 10 permit any
R1(config)# interface gigabitethernet 0/1
R1(config-if)# ip access-group 10 out

Extended ACLs: Granular Traffic Filtering

Extended ACLs (numbered 100–199 or 2000–2699) provide much finer control. They evaluate source IP, destination IP, protocol (TCP, UDP, ICMP, IP), and port numbers. This makes them the go-to choice for most real-world filtering scenarios.

Key characteristics:

  • Numbered range: 100–199 and 2000–2699
  • Filter criteria: Source, destination, protocol, and port
  • Placement rule: Closest to the source (prevents unwanted traffic from traversing the network)
  • Supports established connections (allow return traffic)

Why place extended ACLs near the source? Because they can identify specific traffic types, placing them close to the source prevents unwanted traffic from consuming bandwidth across the entire network. For example, blocking Telnet (port 23) from a specific host to a server can be done at the ingress router nearest that host.

Config example:

R1(config)# access-list 100 permit tcp host 192.168.1.10 host 10.1.1.100 eq 80
R1(config)# access-list 100 permit tcp host 192.168.1.10 host 10.1.1.100 eq 443
R1(config)# access-list 100 deny ip any any
R1(config)# interface gigabitethernet 0/0
R1(config-if)# ip access-group 100 in

Wildcard Masks: Matching IP Addresses

Wildcard masks are the inverse of subnet masks. A 0 means "must match exactly," and a 255 means "ignore this octet." For a single host, use the host keyword (equivalent to a wildcard of 0.0.0.0). For any address, use the any keyword (equivalent to 255.255.255.255).

Common wildcard patterns:

| Desired match | Subnet mask     | Wildcard mask   |
|---------------|-----------------|-----------------|
| Single host   | 255.255.255.255 | 0.0.0.0         |
| /24 network   | 255.255.255.0   | 0.0.0.255       |
| /16 network   | 255.255.0.0     | 0.0.255.255     |
| Any address   | 0.0.0.0         | 255.255.255.255 |

Example: To match 192.168.1.0/24, use access-list 10 permit 192.168.1.0 0.0.0.255

Trick: Subtract the subnet mask from 255.255.255.255 to get the wildcard mask. For a /27 (255.255.255.224), wildcard = 0.0.0.31.
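To make the matching rules from the standard, extended and wildcard-mask sections concrete, here is an added Python example (not from this page and not Cisco code). It parses the numbered access-list lines shown above, derives a wildcard mask from a prefix length, and evaluates packets top-down with the implicit deny. ACL 10 and ACL 100 are the ones on this page; ACL 101, the packets and the ACK/RST flag on the packet are constructed for the example, with the established keyword handled as the practice questions below describe it.

```python
"""Toy evaluator for the numbered-ACL syntax used on this page.

Added example, not Cisco code: parses standard and extended access-list lines,
derives wildcard masks, and applies first-match semantics with the implicit
deny at the end. The packets and ACL 101 below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ALL_ONES = 0xFFFFFFFF

def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /N network: invert the subnet mask (/27 -> 0.0.0.31)."""
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return str(ipaddress.IPv4Address(subnet_mask ^ ALL_ONES))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match exactly; a 1 bit is ignored."""
    care_bits = ip_to_int(wildcard) ^ ALL_ONES
    return ((ip_to_int(addr) ^ ip_to_int(base)) & care_bits) == 0

@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str = "0.0.0.0"             # standard ACL: destination is "any"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None      # from "eq <port>"
    established: bool = False        # match only reply segments (ACK or RST set)

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None
    ack_or_rst: bool = False

def _parse_addr(tokens: List[str], i: int):
    """Consume one address spec at tokens[i]; return (base, wildcard, next index)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    if i + 1 >= len(tokens):         # bare address in a standard ACL = exact host
        return tokens[i], "0.0.0.0", i + 1
    return tokens[i], tokens[i + 1], i + 2

def parse_acl_line(line: str) -> Entry:
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action = int(tokens[1]), tokens[2]
    if 1 <= number <= 99 or 1300 <= number <= 1999:     # standard: source only
        src, src_wc, _ = _parse_addr(tokens, 3)
        return Entry(action, "ip", src, src_wc)
    proto = tokens[3]                                    # extended ACL
    src, src_wc, i = _parse_addr(tokens, 4)
    dst, dst_wc, i = _parse_addr(tokens, i)
    entry = Entry(action, proto, src, src_wc, dst, dst_wc)
    while i < len(tokens):
        if tokens[i] == "eq":
            entry.dport, i = int(tokens[i + 1]), i + 2
        elif tokens[i] == "established":
            entry.established, i = True, i + 1
        else:
            raise ValueError(f"unsupported token {tokens[i]!r}")
    return entry

def entry_matches(e: Entry, p: Packet) -> bool:
    return (e.proto in ("ip", p.proto)
            and wildcard_match(p.src, e.src, e.src_wc)
            and wildcard_match(p.dst, e.dst, e.dst_wc)
            and (e.dport is None or e.dport == p.dport)
            and (not e.established or p.ack_or_rst))

def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry decides; unmatched traffic hits the implicit deny."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"

# ACL 10 and ACL 100 from this page; ACL 101 is constructed to show "established".
ACL_10 = [parse_acl_line(l) for l in (
    "access-list 10 deny host 192.168.1.10",
    "access-list 10 permit any")]
ACL_100 = [parse_acl_line(l) for l in (
    "access-list 100 permit tcp host 192.168.1.10 host 10.1.1.100 eq 80",
    "access-list 100 permit tcp host 192.168.1.10 host 10.1.1.100 eq 443",
    "access-list 100 deny ip any any")]
ACL_101 = [parse_acl_line("access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established")]
```

With these definitions, `wildcard_from_prefix(27)` returns `0.0.0.31`, a packet from 192.168.1.10 is denied by ACL 10 whatever its destination, ACL 100 permits that host to 10.1.1.100 on port 80 or 443 and denies it on port 22, and ACL 101 permits a TCP segment into 192.168.1.0/24 only when its ACK or RST bit is set. An empty ACL denies everything, which is the implicit deny in isolation.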

Named ACLs: Flexibility and Editability

Named ACLs (introduced in IOS 12.0) overcome a major limitation of numbered ACLs: you cannot delete a single line from a numbered ACL without removing the entire ACL. Named ACLs allow line insertion, deletion, and resequencing.

Advantages:

  • Descriptive names (e.g., BLOCK_HTTP)
  • Sequential line numbers (default increments of 10)
  • Edit individual lines without removing the entire ACL

Config example:

R1(config)# ip access-list extended BLOCK_SSH
R1(config-ext-nacl)# deny tcp any any eq 22
R1(config-ext-nacl)# permit ip any any
R1(config-ext-nacl)# exit
R1(config)# interface gigabitethernet 0/1
R1(config-if)# ip access-group BLOCK_SSH in

Editing: Use ip access-list resequence to renumber lines if you run out of space. Named ACLs support both standard and extended types.
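The editing behaviour just described (insert by sequence number, delete a single line, resequence), modelled in Python as an added example rather than Cisco code. The BLOCK_SSH entries are the ones above; the management host 10.9.9.9 and its exception line are constructed to show why the sequence number of an inserted line matters: entries are evaluated top-down, so an exception must get a lower number than the deny it is meant to precede.

```python
"""Sequence-number editing of a named ACL (added example modelling the IOS
behaviour described on this page; not Cisco code). Entries are (seq, text)
tuples kept in ascending order, which is also the order they are evaluated."""
from typing import List, Optional, Tuple

SeqEntry = Tuple[int, str]

def add_entry(acl: List[SeqEntry], text: str, seq: Optional[int] = None) -> List[SeqEntry]:
    """Without a sequence number, append at last+10; with one, insert in order."""
    if seq is None:
        seq = acl[-1][0] + 10 if acl else 10
    if any(s == seq for s, _ in acl):
        raise ValueError(f"sequence {seq} already in use")
    acl.append((seq, text))
    acl.sort()
    return acl

def remove_entry(acl: List[SeqEntry], seq: int) -> List[SeqEntry]:
    """'no <seq>' removes one line and leaves the rest untouched."""
    acl[:] = [e for e in acl if e[0] != seq]
    return acl

def resequence(acl: List[SeqEntry], start: int = 10, step: int = 10) -> List[SeqEntry]:
    """'ip access-list resequence NAME start step' renumbers in place."""
    acl[:] = [(start + i * step, text) for i, (_, text) in enumerate(acl)]
    return acl

def sequence_numbers(acl: List[SeqEntry]) -> List[int]:
    return [s for s, _ in acl]

def build_block_ssh() -> List[SeqEntry]:
    """The page's BLOCK_SSH ACL, then a constructed exception for management
    host 10.9.9.9 inserted *before* the deny (sequence 5): first match wins."""
    acl: List[SeqEntry] = []
    add_entry(acl, "deny tcp any any eq 22")                     # seq 10
    add_entry(acl, "permit ip any any")                          # seq 20
    add_entry(acl, "permit tcp host 10.9.9.9 any eq 22", seq=5)  # 10.9.9.9 is constructed
    return acl
```

After `build_block_ssh()` the sequence numbers are 5, 10, 20; `resequence()` renumbers them to 10, 20, 30 so that there is room to insert again, and `remove_entry(acl, 20)` drops one line without touching the others, which is the difference from a numbered ACL that the section describes.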

Placement Logic: The Golden Rule

ACL placement directly impacts network performance and security. Memorize this for the CCNA exam:

| ACL type | Placement rule         | Reason                                         |
|----------|------------------------|------------------------------------------------|
| Standard | Closest to destination | Prevents blocking unintended traffic           |
| Extended | Closest to source      | Reduces unnecessary traffic across the network |

Example scenario: You want to allow HTTP traffic from 192.168.1.0/24 to 10.1.1.0/24, but block all other traffic.

  • Standard ACL approach: Place on the destination router's inbound interface. But this blocks all traffic from 192.168.1.0/24 to any destination, not just the 10.1.1.0/24 network.
  • Extended ACL approach: Place on the source router's outbound interface. Use access-list 100 permit tcp 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 80. This only allows HTTP traffic to the specific destination.
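As an added example (not from this page and not Cisco code), the following Python models the placement scenarios above on a constructed three-node topology: Host A reaches Server B through Router A and Router B, and Server C through Router A alone. The interface names, Server C's address 10.2.2.100, and the paths are assumptions made for the simulation; ACL 10 and the extended ACL 100 line are the ones given on this page.

```python
"""Effect of ACL placement on a small constructed topology (added example,
not from the page or Cisco).

   HostA --Gi0/0[RA]Gi0/1 ---- Gi0/0[RB]Gi0/1-- ServerB
                [RA]Gi0/2 -- ServerC

Each flow's path is a list of (router, ingress, egress). An ACL applied to an
interface/direction on that path is evaluated with first-match semantics and
the implicit deny; the first deny anywhere on the path drops the flow.
"""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, base, wildcard):
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & (w ^ 0xFFFFFFFF)) == 0

# Entry: (action, proto, (src, src_wc), (dst, dst_wc), dport or None)
# Standard ACL 10 from the page: deny host 192.168.1.10 / permit any.
STD_ACL_10 = [("deny", "ip", ("192.168.1.10", "0.0.0.0"), ANY, None),
              ("permit", "ip", ANY, ANY, None)]
# access-list 100 permit tcp 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 80 (+ implicit deny)
EXT_ACL_100 = [("permit", "tcp", ("192.168.1.0", "0.0.0.255"), ("10.1.1.0", "0.0.0.255"), 80)]

def decide(acl, flow):
    src, dst, proto, dport = flow
    for action, eproto, (s, swc), (d, dwc), eport in acl:
        if (eproto in ("ip", proto) and wildcard_match(src, s, swc)
                and wildcard_match(dst, d, dwc) and eport in (None, dport)):
            return action
    return "deny"                       # implicit deny

HOSTS = {"HostA": "192.168.1.10", "ServerB": "10.1.1.100", "ServerC": "10.2.2.100"}
PATHS = {("HostA", "ServerB"): [("RA", "Gi0/0", "Gi0/1"), ("RB", "Gi0/0", "Gi0/1")],
         ("HostA", "ServerC"): [("RA", "Gi0/0", "Gi0/2")]}

def forward(src_host, dst_host, applied, proto="ip", dport=None):
    """applied maps (router, interface, 'in'|'out') -> ACL. Returns the verdict."""
    flow = (HOSTS[src_host], HOSTS[dst_host], proto, dport)
    for router, ingress, egress in PATHS[(src_host, dst_host)]:
        for iface, direction in ((ingress, "in"), (egress, "out")):
            acl = applied.get((router, iface, direction))
            if acl is not None and decide(acl, flow) == "deny":
                return "deny"
    return "permit"

def reachability(applied, proto="ip", dport=None):
    return {dst: forward("HostA", dst, applied, proto, dport) for dst in ("ServerB", "ServerC")}

# Standard ACL 10 near the source blocks HostA everywhere; near the destination
# it blocks only ServerB.
NEAR_SOURCE = {("RA", "Gi0/0", "in"): STD_ACL_10}
NEAR_DESTINATION = {("RB", "Gi0/1", "out"): STD_ACL_10}
# Extended ACL 100 on the source router's outbound interface toward RB: HTTP to
# 10.1.1.0/24 passes, everything else toward RB is dropped before crossing the link.
EXTENDED_AT_SOURCE = {("RA", "Gi0/1", "out"): EXT_ACL_100}

if __name__ == "__main__":
    print(reachability(NEAR_SOURCE))                    # both deny
    print(reachability(NEAR_DESTINATION))               # ServerB deny, ServerC permit
    print(reachability(EXTENDED_AT_SOURCE, "tcp", 80))  # both permit
    print(reachability(EXTENDED_AT_SOURCE, "tcp", 22))  # ServerB deny, ServerC permit
```

The simulation reproduces both rules of thumb: the source-only ACL at Router A cannot tell Server B from Server C and drops both, while the same ACL at Router B only affects the flow that actually passes through it; the extended ACL at the source router lets HTTP through and stops port 22 before it uses the inter-router link, without touching the path to Server C.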

Comparison Table: Standard vs. Extended vs. Named ACLs

| Feature         | Standard ACL           | Extended ACL                 | Named ACL            |
|-----------------|------------------------|------------------------------|----------------------|
| Number range    | 1–99, 1300–1999        | 100–199, 2000–2699           | Any name             |
| Filter criteria | Source IP only         | Source, dest, protocol, port | Same as extended     |
| Placement       | Near destination       | Near source                  | Same as extended     |
| Editability     | Cannot edit lines      | Cannot edit lines            | Can add/remove lines |
| Use case        | Simple source blocking | Granular traffic filtering   | Production networks  |

12 CCNA ACL Practice Questions

Test your understanding with these CCNA-style questions. Each includes a scenario and answer.

Question 1: Which ACL type should you use to block Telnet from 10.1.1.0/24 to 192.168.1.0/24 while allowing all other traffic? Answer: Extended ACL (e.g., deny tcp 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 23)

Question 2: Where should you place a standard ACL that denies host 172.16.1.5? Answer: Closest to the destination (on the interface facing the server or destination network)

Question 3: What wildcard mask matches the network 192.168.1.128/25? Answer: 0.0.0.127 (subtract 255.255.255.128 from 255.255.255.255)

Question 4: How do you delete a single entry from a named ACL? Answer: Use ip access-list extended NAME then no permit tcp ... (the specific line)

Question 5: What is the implicit deny rule in all ACLs? Answer: deny any any at the end (blocks all unmatched traffic)

Question 6: Which ACL number range is reserved for extended ACLs? Answer: 100–199 and 2000–2699

Question 7: Can you apply an ACL to a VTY line for SSH access control? Answer: Yes, using access-class command (not ip access-group)

Question 8: What command shows the contents of an ACL? Answer: show access-lists [number/name]

Question 9: If you apply an extended ACL inbound on an interface, when is traffic evaluated? Answer: Before the routing decision (traffic is checked on arrival)

Question 10: What does access-list 10 permit host 10.1.1.1 match? Answer: Only traffic from source 10.1.1.1 (wildcard 0.0.0.0)

Question 11: Can a standard ACL filter based on destination port? Answer: No. Standard ACLs only filter by source IP.

Question 12: What is the purpose of the established keyword in an extended ACL? Answer: Allows return traffic for TCP connections initiated from the inside network (matches ACK/RST bits)

Common Mistakes to Avoid

  • Forgetting the implicit deny: Always include a permit any any at the end unless you intend to block all traffic.
  • Wrong placement: Standard ACLs near source can cause unintended blocks. Extended ACLs near destination waste bandwidth.
  • Incorrect wildcard mask: Using subnet mask instead of wildcard mask (e.g., 255.255.255.0 instead of 0.0.0.255).
  • Applying to wrong interface direction: in checks traffic entering the interface; out checks traffic leaving.
  • Not resequencing numbered ACLs: You cannot insert lines; you must remove and recreate.

Takeaway and Next Steps

Mastering ACLs is essential for the CCNA exam and real-world network security. The key differentiators are placement logic (standard near destination, extended near source) and wildcard mask calculation. Practice with config examples until the commands become second nature.

Your action plan:

  1. Memorize ACL number ranges and wildcard mask formulas
  2. Practice creating standard, extended, and named ACLs in a lab
  3. Understand placement scenarios with multi-router topologies
  4. Work through all 12 practice questions above until you can answer instantly

For more hands-on practice, visit Courseiva.com for interactive CCNA ACL practice questions with detailed explanations and lab simulations. Our platform helps you build muscle memory for exam day.
