
What Is Access Control List? Security Definition

Also known as: Access Control List, ACL, network security, CCNA ACL, Network Plus ACL

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security

Quick Definition

An Access Control List, or ACL, works like a guest list at an event. It is a list of permissions that tells a network device which users or data packets can enter and which should be turned away. Each rule in the list checks something specific, like an IP address or a port number, to make a decision. ACLs are used to secure networks by controlling exactly what flows through them.

Must Know for Exams

Access Control Lists are a high-priority topic in several major certification exams, including the Cisco CCNA, CompTIA Network+, and CompTIA Security+. In the CCNA exam, ACLs are tested heavily in the network security and infrastructure sections. Candidates must understand how to configure standard and extended ACLs on Cisco routers, how to apply them to interfaces in the correct direction, and how to interpret existing ACL configurations.

The exam also covers the order of operations, the implicit deny at the end, and the difference between numbered and named ACLs. In the CCNA, you may be asked to identify which traffic a given ACL will permit or deny, or to troubleshoot why certain traffic is being blocked. You also need to know that extended ACLs should be placed as close to the source as possible to save bandwidth, while standard ACLs are typically placed close to the destination because they only check source IP.

In CompTIA Network+, ACLs appear in the network security domain. The exam expects you to understand the purpose of ACLs, how they are used to filter traffic, and common configuration mistakes. You should know the difference between allow and deny rules and the concept of implicit deny.

The Network+ exam may present a scenario where you need to recommend an ACL rule to solve a specific problem, such as blocking traffic from a suspicious IP range while allowing other traffic. In CompTIA Security+, ACLs are covered in the context of access control models and network segmentation. The Security+ exam focuses more on the security implications, such as how ACLs implement the principle of least privilege, how they are used in firewalls, and how misconfigurations can lead to data breaches.

You may also see questions about the difference between ACLs and other access control mechanisms like Role-Based Access Control. Across all these exams, ACLs are a recurring theme in scenario-based questions, troubleshooting questions, and configuration questions. A solid understanding of ACLs is essential for passing.

Simple Meaning

Imagine you are the bouncer at a busy nightclub. The club has a strict guest list, and your job is to check everyone who tries to enter. The guest list is your Access Control List.

Each person who arrives gives you their name, and you check that name against your list. If the name is on the list, you let them in. If it is not, you politely refuse entry. You might also have special rules.

For example, you might let in all VIP guests without checking their names, or you might block anyone wearing a certain colour shirt. An Access Control List works the same way for computer traffic. Every piece of data that tries to enter or leave a network device, like a router or a firewall, is checked against a set of rules.

These rules are written in sequence, and the device reads them from top to bottom. The first rule that matches the traffic decides what happens. That traffic can be allowed through or denied.

Once a match is found, the device stops reading further rules. If no rule matches, the traffic is usually denied by default. ACLs can filter based on many things. Common factors include the source IP address where the data came from, the destination IP address where it wants to go, the port number which tells what kind of service is being requested, and the protocol like TCP or UDP.

By carefully writing these rules, network administrators can allow only the traffic that is necessary for business and block everything else. This is one of the most fundamental ways to protect a network from unwanted access, malware, and attacks. Without ACLs, any data could flow freely into a network, which would be like leaving the nightclub door wide open for anyone to walk in.

Full Technical Definition

An Access Control List is a sequential set of permit or deny rules applied to a router, switch, firewall, or other network device to filter traffic. ACLs operate at Layer 3 of the OSI model, where they examine packet headers, and can also function at Layer 4 by inspecting TCP and UDP port numbers. The most common implementations are standard ACLs and extended ACLs.

Standard ACLs filter only based on the source IP address. They are simpler but less precise. Extended ACLs filter based on source IP, destination IP, protocol type, port numbers, and sometimes other fields like ICMP type or TCP flags.

This allows much finer control. ACLs are processed in a top-down order. The device evaluates each packet against the first rule in the list. If the packet matches that rule, the specified action, permit or deny, is applied immediately and no further rules are checked.

If no rule matches, the default action at the end of every ACL is an implicit deny. This means any traffic that does not match a permit rule is automatically dropped. When configuring ACLs on Cisco devices, the rules are numbered or named.

Standard ACLs typically use numbers 1 through 99 and 1300 through 1999. Extended ACLs use numbers 100 through 199 and 2000 through 2699. Named ACLs allow administrators to use descriptive text instead of numbers.

Each rule in an ACL includes a sequence number to indicate its position in the list. It is critical to place more specific rules before more general ones. If a broad deny rule is placed early in the list, it can accidentally block traffic that should be allowed.

ACLs are commonly applied to interfaces in a specific direction. Inbound ACLs filter traffic as it enters the interface, before it is processed by the router. Outbound ACLs filter traffic after it has been routed to the interface but before it leaves.

The choice of direction depends on the security policy and where you want to control traffic. In modern network security, ACLs are also used in firewalls, virtual private networks, and cloud security groups. On cloud platforms like AWS, a Network ACL is a stateless filter applied at the subnet level, while Security Groups are stateful and operate at the instance level.

The core concept of ordered, rule-based access control remains the same across all these implementations.
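The evaluation order just described (top-down, first match wins, implicit deny when nothing matches) and the wildcard-mask comparison are easiest to see in a small executable model. The following is an added example, not code from the page or from Cisco; the rule sets, addresses and packets are constructed for the demonstration, and the hit counter mimics what 'show access-lists' reports. The last two lists show the ordering pitfall discussed under Common Mistakes: a subnet deny placed before a host permit means the permit is never reached.

```python
"""Added example (not code from the page or from Cisco): a minimal model of how
an IOS-style standard or extended ACL is evaluated. Rules are checked top-down,
the first match wins and counts a hit, and an unmatched packet falls through to
the implicit deny. Addresses are compared with wildcard masks (0 bit = must match).
All addresses, rules and packets below are constructed for the demonstration."""
from dataclasses import dataclass
from typing import Optional, Tuple

AddrTerm = Tuple[str, str]          # (base address, wildcard mask)
ANY: AddrTerm = ("0.0.0.0", "255.255.255.255")


def host(ip: str) -> AddrTerm:
    """'host A.B.C.D' in IOS syntax: wildcard 0.0.0.0, every bit must match."""
    return (ip, "0.0.0.0")


def ip_to_int(ip: str) -> int:
    """Dotted quad to a 32-bit integer."""
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def wildcard_match(addr: str, term: AddrTerm) -> bool:
    """True when every bit that is 0 in the wildcard mask equals the base address."""
    base, wildcard = term
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF   # the bits the router must compare
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    src: AddrTerm
    proto: Optional[str] = None      # None = standard ACL entry (source only)
    dst: Optional[AddrTerm] = None   # extended entries only
    dport: Optional[int] = None      # destination port, None = any
    hits: int = 0                    # match counter, like 'show access-lists'

    def matches(self, pkt: dict) -> bool:
        if not wildcard_match(pkt["src"], self.src):
            return False
        if self.proto is None:                       # standard ACL: source decided it
            return True
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if self.dst is not None and not wildcard_match(pkt["dst"], self.dst):
            return False
        if self.dport is not None and self.dport != pkt.get("dport"):
            return False
        return True


def evaluate(acl: list, pkt: dict) -> str:
    """Top-down evaluation: the first matching rule decides, otherwise implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            rule.hits += 1
            return rule.action
    return "deny (implicit)"


# Standard ACL 10: permit 192.168.1.0 0.0.0.255 (source only).
ACL_10 = [Rule("permit", ("192.168.1.0", "0.0.0.255"))]

# Extended ACL 100: only HTTP and HTTPS to the constructed web server 10.0.0.5.
ACL_100 = [
    Rule("permit", ANY, "tcp", host("10.0.0.5"), 80),
    Rule("permit", ANY, "tcp", host("10.0.0.5"), 443),
]

# Ordering pitfall: the subnet deny shadows the host permit, which is never reached.
SHADOWED = [
    Rule("deny", ("10.1.1.0", "0.0.0.255"), "ip", ANY),
    Rule("permit", host("10.1.1.7"), "ip", ANY),
]
CORRECT = [
    Rule("permit", host("10.1.1.7"), "ip", ANY),
    Rule("deny", ("10.1.1.0", "0.0.0.255"), "ip", ANY),
]


def demo() -> dict:
    """Evaluate constructed packets against each list and return the decisions."""
    web = {"src": "203.0.113.9", "dst": "10.0.0.5", "proto": "tcp"}
    host7 = {"src": "10.1.1.7", "dst": "10.9.9.9", "proto": "tcp", "dport": 443}
    return {
        "std_inside": evaluate(ACL_10, {"src": "192.168.1.77", "dst": "8.8.8.8", "proto": "udp"}),
        "std_outside": evaluate(ACL_10, {"src": "192.168.2.1", "dst": "8.8.8.8", "proto": "udp"}),
        "ext_http": evaluate(ACL_100, {**web, "dport": 80}),
        "ext_ssh": evaluate(ACL_100, {**web, "dport": 22}),
        "shadowed": evaluate(SHADOWED, host7),
        "correct": evaluate(CORRECT, host7),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:12s} -> {decision}")
    print("hits on the shadowed permit:", SHADOWED[1].hits)   # stays 0
```

Running it shows the SSH packet to the web server landing on the implicit deny even though no rule mentions port 22, and the hit counter on the shadowed permit staying at zero, which is exactly the symptom to look for in 'show access-lists' output when a rule "should" be matching but never does.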

Real-Life Example

Think of a large corporate office building with a security desk at the main entrance. The security guard has a clipboard with a list of names and access levels. This clipboard is your Access Control List.

When you arrive, you tell the guard your name. The guard starts at the top of the list. If your name is on the list and you have a reason for being there, you are allowed to enter.

But if your name is not on the list, or if the list says employees only and you are a delivery driver after hours, you are denied entry. Now imagine the building has multiple floors and different departments. Some people are allowed only on the first floor, while others can access the executive suite on the top floor.

The guard might have a second list that specifies which floors each person can visit. This is like an extended ACL that checks not just who you are but where you want to go. In the network world, the visitor is a data packet.

The guard is the router or firewall. The clipboard with names is the ACL. The floors correspond to different network segments or servers. So if a packet comes from an unknown source and tries to reach a sensitive database server, the ACL will block it.

If a trusted employee's computer sends a request to the printer server, the ACL will permit it. The security guard always checks the list in order. If you are the building manager, your name might be near the top of the list, so you get fast access.

If the guard finds your name early, they stop looking and let you in. This is why ACL rules must be ordered correctly. A rule that permits all traffic from a trusted network should come before a rule that denies traffic from a suspicious IP range.

Otherwise, the deny rule might catch the trusted traffic first and block it mistakenly. The building also has a back door for deliveries. That door has its own guard and its own list.

This is like applying different ACLs to different interfaces of a router. The front door might have a strict ACL for incoming traffic from the internet, while the back door that connects to a partner network has a different, more permissive ACL.

Why This Term Matters

Access Control Lists are one of the most fundamental building blocks of network security. In real IT work, they are used constantly to enforce security policies, segment networks, and protect sensitive data from unauthorized access. Without ACLs, any device on a network could communicate with any other device, which would be a nightmare for security.

ACLs allow administrators to define exactly which traffic is necessary for business operations and block everything else. This principle is called least privilege. For example, a web server needs to receive HTTP and HTTPS traffic from the internet.

It does not need to receive SSH or RDP traffic from unknown sources. An ACL on the router in front of the web server can permit only ports 80 and 443 from any source, and deny all other traffic. This dramatically reduces the attack surface.

ACLs are also used to control management access to network devices themselves. An administrator might configure an ACL on a router to allow SSH connections only from a specific management subnet. This prevents attackers from trying to log in from anywhere on the internet.

In cloud environments, ACLs are even more important because networks are virtual and boundaries are fluid. On AWS, a Network ACL controls traffic entering and leaving a subnet. A misconfigured NACL can accidentally expose a database to the public internet.

Understanding ACLs is critical for system administrators, network engineers, and security professionals. ACLs are also used in quality of service policies to prioritize certain types of traffic, and in route maps to influence routing decisions. They appear in almost every security framework and compliance standard, from PCI DSS to HIPAA.

When auditors check network security, one of the first things they look at is whether ACLs are properly implemented to restrict access. In short, ACLs are not just a theoretical concept. They are a daily tool that professionals use to keep networks safe, reliable, and compliant.

How It Appears in Exam Questions

In certification exams, ACL questions appear in several distinct formats. The most common type is the scenario-based question. The exam presents a network diagram and describes a security requirement.

For example, a company wants to allow HTTP traffic from the internet to a web server but block all other traffic. You must select the correct ACL configuration from multiple choices. These questions test your ability to translate a business requirement into the correct ACL syntax and rule placement.

Another frequent type is the troubleshooting question. The exam describes a network where users on one subnet cannot access a server after an ACL was applied. You are given the ACL output and must identify which rule is causing the problem.

This tests your understanding of rule order and the implicit deny. You might need to determine that a broad deny rule placed before a more specific permit rule is blocking legitimate traffic. Configuration questions ask you to complete a partially written ACL.

For instance, the exam shows an extended ACL with several permit statements but no deny statement, and asks what rule should be added to block Telnet traffic from a specific subnet. You must know the correct syntax, including the protocol (TCP), the port number (23), and the direction. Some questions test your knowledge of where to apply ACLs.

The exam might show a router with two interfaces and ask whether the ACL should be applied inbound on the external interface or outbound on the internal interface. You need to understand traffic flow and the difference between inbound and outbound filtering. Architecture questions ask about placement as well.

For example, you might be asked why standard ACLs are typically placed near the destination while extended ACLs are placed near the source. The correct answer involves bandwidth efficiency and the fact that standard ACLs only filter on source IP, so placing them near the source could block legitimate traffic destined for other networks. Finally, there are concept questions that ask about the default action at the end of an ACL.

A common question is: What happens to traffic that does not match any rule in an ACL? The correct answer is that it is implicitly denied. These questions are straightforward but require precise knowledge.

To succeed, you must practice reading and writing ACL configurations until the syntax and logic become second nature.

Example Scenario

A small company has a network with two main parts: an internal office network used by employees and a DMZ where a public web server is hosted. The network administrator notices that employees are having trouble accessing the internet, and at the same time, the web server is receiving many suspicious connection attempts from unknown IP addresses. The administrator decides to apply an Access Control List on the router that connects the company to the internet.

The first goal is to block all incoming traffic from the internet except HTTP and HTTPS requests directed at the web server. The second goal is to ensure that employees inside the office can still browse the web. The administrator configures an extended ACL on the external interface of the router.

The ACL starts with a rule that permits TCP traffic from any source to the specific IP address of the web server on ports 80 and 443. The next rule denies all other TCP traffic from the internet to any internal address. Then, to allow employees to browse the web, the administrator adds a rule that permits all traffic from the internal office network to any destination, but this rule is placed on the internal interface in the outbound direction.

The administrator also includes a rule to allow responses to return to the employees by using the established keyword. Finally, an implicit deny at the end of the ACL blocks everything else. After applying the ACL, the suspicious connection attempts to the web server are rejected unless they are trying to use HTTP or HTTPS.

Employees can still browse the internet because their traffic is permitted outbound and responses are allowed back. The network is now more secure, and the administrator has used ACLs to enforce a clear security policy.

Common Mistakes

Placing a broad deny rule at the beginning of the ACL that blocks all traffic before more specific permit rules are evaluated.

ACLs are processed in order from top to bottom. If the first rule denies all traffic, no further rules are checked, so even legitimate traffic that later permit rules would have allowed is blocked.

Always place the most specific rules first, especially permit rules. Put deny rules for specific threats after the necessary permit rules. Remember that the last rule is an implicit deny, so you do not need a blanket deny at the end.

Applying an ACL in the wrong direction on the interface, often applying an inbound ACL when an outbound ACL was intended.

If you apply an ACL inbound, it filters traffic before the router processes it. If you apply it outbound, it filters traffic after routing. Using the wrong direction can cause traffic that should be allowed to be blocked, or traffic that should be blocked to be allowed.

Think about the flow of traffic. If you want to filter traffic coming into the router from a network, use inbound. If you want to filter traffic leaving the router to a network, use outbound. Draw the traffic flow and check your direction before applying.

Using a standard ACL when an extended ACL is needed, trying to filter based on destination IP or port with only source IP checks.

Standard ACLs only check the source IP address. They cannot filter based on destination IP, protocol, or port number. If you need to allow HTTP traffic to a specific server but block other traffic, a standard ACL cannot do that.

Choose the right type of ACL for the job. Use standard ACLs when you only need to filter based on source IP, typically for allowing or denying traffic from a specific network. Use extended ACLs when you need finer control involving destination, protocol, or ports.

Forgetting about the implicit deny at the end of an ACL and assuming that traffic not explicitly denied is automatically allowed.

Every ACL ends with an implicit deny statement, even if it is not written. Any traffic that does not match a permit rule is denied. If you only include permit rules for some traffic and assume other traffic will pass, it will be blocked.

When designing an ACL, remember the default action is deny. Only traffic that matches a permit rule will be allowed. Make sure your permit rules cover all the legitimate traffic you want to permit. If you want to allow everything except specific traffic, you need a permit any rule at the end, but this is often a bad security practice.

Writing ACL rules without considering the order, such as placing a rule that permits a specific host after a rule that denies the entire subnet that host belongs to.

Once a packet matches a rule, the ACL stops processing. If you deny the whole subnet first, a permit rule for a specific host later in the list will never be reached. The specific host will be denied even though you intended to allow it.

Order your rules so that more specific conditions come before general ones. If you want to deny most of a subnet but allow one host, place the permit rule for the host before the deny rule for the subnet.

Exam Trap — Don't Get Fooled

The exam shows an ACL with rules that seem to permit traffic, but the traffic is still blocked. The trap is that a later question asks about the direction the ACL is applied, and the learner assumes it is inbound when it is actually outbound, or vice versa, leading to an incorrect analysis. Always check the interface and direction first before analyzing the rules.

Look for the keywords inbound or outbound in the configuration. Ask yourself: Is this filtering traffic before it enters the router or after it leaves? Picture the traffic flow on the network diagram.

Once you confirm the direction, then examine the rules. If you skip the direction check, you will likely get the answer wrong.

Commonly Confused With

Access Control List vs Firewall

A firewall is a dedicated device or software that provides more advanced security features than a simple ACL. While an ACL is essentially a list of rules applied on a router or switch, a firewall offers stateful inspection, application-layer filtering, intrusion prevention, and logging. ACLs are often a component of a firewall's overall filtering capability, but they are not a full firewall by themselves.

An ACL on a router can block traffic on port 23 (Telnet). A firewall can do that too, but it can also inspect the content of the traffic to see if it contains malicious data, and it can track the state of connections to allow only return traffic from sessions that started inside the network.

Access Control List vs Security Group

A Security Group is a stateful virtual firewall used in cloud environments like AWS. The key difference is that Security Groups are stateful, meaning if you allow inbound traffic, the outbound response is automatically allowed regardless of outbound rules. ACLs, especially Network ACLs in AWS, are stateless, so you must explicitly define rules for both inbound and outbound traffic for responses to flow.

If you allow incoming HTTP traffic to a web server in a Security Group, the web server can send the response back without an explicit outbound rule. With a Network ACL, you would need a separate outbound rule to allow the return traffic.

Access Control List vs Route Table

A route table determines the path that traffic takes through a network, telling routers where to send packets based on destination IP. An ACL determines whether traffic is allowed to take that path at all. Route tables are about direction, while ACLs are about permission. They work together but serve different purposes.

A route table can tell a router to send all traffic destined for 10.0.0.0/8 to a specific next-hop IP. An ACL on the same router can then decide that only traffic from certain source IPs is allowed to actually go that way. The route table says 'how', the ACL says 'if'.

Access Control List vs VLAN Access Map

A VLAN access map is a more advanced filtering mechanism used on Cisco switches to control traffic between VLANs. It works similarly to an ACL but is applied at Layer 2 and can filter based on MAC addresses and other Layer 2 criteria. ACLs typically operate at Layer 3 and above, filtering IP packets.

An ACL can block traffic from a specific IP address. A VLAN access map can block traffic from a specific MAC address, which is more useful in environments where IP addresses might change frequently.

Step-by-Step Breakdown

1. Define the Security Policy

Before creating an ACL, you must know exactly what traffic you want to allow and what you want to block. Write down the source IPs, destination IPs, protocols, and ports. This policy will guide every rule you create.

2. Select the ACL Type

Decide whether you need a standard ACL that filters only on source IP, or an extended ACL that can also filter on destination IP, protocol, and port. Choose the type that matches the granularity of your security policy.

3. Determine the Placement and Direction

Identify which router or switch interface the ACL will be applied to and whether it will filter inbound or outbound traffic. For extended ACLs, place them close to the source to block unwanted traffic early. For standard ACLs, place them close to the destination.

4. Write the Rules in the Correct Order

Write the rules sequentially, starting with the most specific permit or deny statements. Each rule must include the action, source, and for extended ACLs, the destination, protocol, and port. Ensure specific rules come before general ones.

5. Apply the ACL to the Interface

Use the appropriate command (like ip access-group on Cisco) to bind the ACL to the selected interface in the chosen direction. Without this step, the ACL exists but does not filter any traffic.

6. Verify and Test the ACL

Use show commands to display the ACL configuration and check how many packets have matched each rule. Test traffic from different sources and destinations to confirm that the ACL is enforcing the policy correctly. Look for unexpected denies or permits.

7. Monitor and Update

ACLs are not set-and-forget. Traffic patterns change, new threats emerge, and network requirements evolve. Regularly review ACL logs and rule hit counts to identify stale rules or misconfigurations. Update the ACL as needed to maintain security without disrupting business.
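The steps above can be treated as a small pipeline: the policy written down in step 1 becomes data, step 4 renders it as IOS-style extended ACL lines, step 5 produces the 'ip access-group' binding, and step 6 gets a check that flags any entry an earlier, broader entry makes unreachable. The code below is an added example, not the page's or Cisco's code; the web server 10.0.0.5, the internal range 10.0.0.0/16 and the interface name are constructed, and the generated lines cover only the subset of IOS syntax this page uses ('any', 'host', address plus wildcard, 'eq port').

```python
"""Added example (not the page's or Cisco's code): the seven steps as a small
pipeline. A written policy becomes IOS-style extended ACL lines (step 4), an
'ip access-group' binding (step 5), and a shadow check that flags entries an
earlier entry makes unreachable (part of step 6). The web server 10.0.0.5, the
10.0.0.0/16 internal range and the interface name are constructed for the demo."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Entry:
    action: str                    # permit / deny
    proto: str                     # ip, tcp, udp, icmp
    src: str                       # CIDR; 0.0.0.0/0 = any
    dst: str                       # CIDR
    dport: Optional[int] = None    # None = any port


def net(cidr: str) -> ipaddress.IPv4Network:
    """Parse a CIDR string, tolerating host bits (10.0.0.5/32 is fine)."""
    return ipaddress.ip_network(cidr, strict=False)


def addr_token(cidr: str) -> str:
    """IOS address term: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'.
    The wildcard mask is the bitwise inverse of the subnet mask (/24 -> 0.0.0.255)."""
    n = net(cidr)
    if n.prefixlen == 0:
        return "any"
    if n.prefixlen == 32:
        return f"host {n.network_address}"
    return f"{n.network_address} {n.hostmask}"


def render(number: int, entries: List[Entry]) -> List[str]:
    """Step 4: numbered extended ACL lines, in policy order."""
    lines = []
    for e in entries:
        line = f"access-list {number} {e.action} {e.proto} {addr_token(e.src)} {addr_token(e.dst)}"
        if e.dport is not None:
            line += f" eq {e.dport}"
        lines.append(line)
    return lines


def apply_to(number: int, interface: str, direction: str) -> List[str]:
    """Step 5: bind the list to an interface; without this it filters nothing."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    return [f"interface {interface}", f" ip access-group {number} {direction}"]


def covers(a: Entry, b: Entry) -> bool:
    """True when every packet b would match is also matched by a."""
    if a.proto != "ip" and a.proto != b.proto:
        return False
    if a.dport is not None and a.dport != b.dport:
        return False
    return net(b.src).subnet_of(net(a.src)) and net(b.dst).subnet_of(net(a.dst))


def shadowed(entries: List[Entry]) -> List[int]:
    """Step 6 check: indexes of entries that can never be hit because an earlier,
    broader entry always matches first (the ordering mistake the page warns about)."""
    return [i for i, later in enumerate(entries)
            if any(covers(earlier, later) for earlier in entries[:i])]


# Step 1, the policy as data: only HTTP/HTTPS to the web server from the internet;
# everything else to the internal range denied explicitly so it shows in hit counts.
POLICY = [
    Entry("permit", "tcp", "0.0.0.0/0", "10.0.0.5/32", 80),
    Entry("permit", "tcp", "0.0.0.0/0", "10.0.0.5/32", 443),
    Entry("deny", "ip", "0.0.0.0/0", "10.0.0.0/16"),
]
BAD_ORDER = [POLICY[2], POLICY[0], POLICY[1]]   # the same entries with the deny moved to the top


if __name__ == "__main__":
    print("\n".join(render(100, POLICY) + apply_to(100, "GigabitEthernet0/0", "in")))
    print("shadowed in POLICY:", shadowed(POLICY))        # []
    print("shadowed in BAD_ORDER:", shadowed(BAD_ORDER))  # [1, 2]
```

The shadow check is worth running before step 5, not after: a shadowed permit fails silently, and the only runtime evidence is a hit counter that never moves. Keeping the policy as data also makes step 7 easier, since a change is a diff against the policy list rather than hand-edits to a live list.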

Practical Mini-Lesson

To really understand Access Control Lists, you need to think like a network packet and also like the administrator who writes the rules. ACLs are not just about blocking bad guys. They are about precisely controlling communication.

Every packet that enters or leaves a network device carries a header with information including source IP, destination IP, protocol, and port. The ACL is the gatekeeper that reads this header and makes a decision. When you configure an ACL in a real environment, you typically work in a command-line interface or a cloud console.

On a Cisco router, you start by entering global configuration mode. For a standard ACL, you type something like access-list 10 permit 192.168.1.0 0.0.0.255. That rule allows all traffic from the 192.168.1.0/24 network. For an extended ACL, you might type access-list 100 permit tcp any host 10.0.0.5 eq 80. That rule allows any source to send TCP traffic to the specific host 10.0.0.5 on port 80.

The wildcard mask after the IP address is important. It tells the router which bits in the IP address must match exactly. A wildcard mask of 0.0.0.255 means the first three octets must match, and the last can be anything.

This is the opposite of a subnet mask. After writing the ACL, you apply it to an interface with the ip access-group command. For example, ip access-group 100 in on interface GigabitEthernet0/0 applies the ACL to inbound traffic on that interface.
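Reading existing ACL lines is as much a part of the job as writing them, and a parser makes the syntax above concrete. The following is an added example, not Cisco's code: it parses the two access-list lines quoted above into a structure, uses the list number to decide whether the entry is standard or extended, and shows what the wildcard mask means (0.0.0.255 is the inverse of a /24 subnet mask, so 192.168.1.77 is inside the term and 192.168.2.1 is not). It covers only the syntax on this page ('any', 'host', address plus wildcard, 'eq port'); anything else is rejected rather than guessed.

```python
"""Added example (not Cisco's code): a small parser for the two access-list
lines quoted above, plus helpers that show what the wildcard mask means.
It handles only the subset of IOS syntax on this page ('any', 'host', address
plus wildcard, and 'eq <port>'); other keywords raise an error instead."""
import ipaddress
import re
from typing import List, Tuple

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
AddrTerm = Tuple[str, str]   # (base address, wildcard mask)


def take_addr(tokens: List[str]) -> Tuple[AddrTerm, List[str]]:
    """Consume one address term and return it with the remaining tokens."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if len(tokens) > 1 and IPV4.match(tokens[1]):
        return (tokens[0], tokens[1]), tokens[2:]
    return (tokens[0], "0.0.0.0"), tokens[1:]   # bare address = single host


def parse_access_list(line: str) -> dict:
    """Parse 'access-list <n> <action> ...' into a dict; the number decides the type."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action = int(tokens[1]), tokens[2]
    entry = {"number": number, "action": action}
    rest = tokens[3:]
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        entry["type"] = "standard"                 # source address only
        entry["src"], rest = take_addr(rest)
    elif 100 <= number <= 199 or 2000 <= number <= 2699:
        entry["type"] = "extended"                 # protocol, source, destination, port
        entry["proto"], rest = rest[0], rest[1:]
        entry["src"], rest = take_addr(rest)
        entry["dst"], rest = take_addr(rest)
        if rest[:1] == ["eq"]:
            entry["dport"], rest = int(rest[1]), rest[2:]
    else:
        raise ValueError(f"unsupported ACL number {number}")
    if rest:
        raise ValueError(f"unparsed tokens: {rest}")
    return entry


def wildcard_to_prefix(wildcard: str) -> int:
    """0.0.0.255 -> 24: the wildcard is the inverse of the subnet mask
    (only meaningful for contiguous masks, which is the usual case)."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return bin(mask).count("1")


def in_term(addr: str, term: AddrTerm) -> bool:
    """Does addr fall inside the (base, wildcard) term? Wildcard 0 bits must match."""
    base, wildcard = term
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


# The two lines from the text above.
LINES = [
    "access-list 10 permit 192.168.1.0 0.0.0.255",
    "access-list 100 permit tcp any host 10.0.0.5 eq 80",
]


def parse_all(lines: List[str] = LINES) -> List[dict]:
    """Parse every line; a malformed line raises rather than being skipped."""
    return [parse_access_list(line) for line in lines]


if __name__ == "__main__":
    for entry in parse_all():
        print(entry)
    std_src = parse_all()[0]["src"]
    print(wildcard_to_prefix(std_src[1]),            # 24
          in_term("192.168.1.77", std_src),           # True
          in_term("192.168.2.1", std_src))            # False
```

Strict parsing is deliberate: an audit script that silently skips a keyword it does not understand (for example an entry it fails to tokenise) produces a false picture of what the device actually enforces.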

One of the most common real-world challenges is troubleshooting ACLs when something stops working. The first step is to check the interface configuration to confirm the ACL is applied. The second step is to examine the ACL rules for order and correctness.

The third step is to use a tool like traceroute or ping from the affected device to see if the traffic reaches the router. If it does, but the destination does not respond, the ACL is likely blocking the return traffic. This is where understanding stateful versus stateless filtering becomes critical.

A basic ACL is stateless. It does not remember if a packet is part of an existing conversation. So if you allow outbound traffic to a web server, you also need a rule to allow the returning HTTP response traffic.

Many administrators forget this and wonder why their users can browse the internet but web pages never load. In modern networks, ACLs are often integrated with other security technologies. For example, a Next-Generation Firewall might use ACLs as part of its policy but add deep packet inspection and intrusion detection on top.
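Two things in this section and in the Example Scenario above are best seen by tracing a packet through a router: where an ACL bound inbound or outbound actually takes effect, and why a stateless list needs an 'established' entry for the HTTP responses coming back. The following is an added example, not the page's configuration or vendor code. Its topology is constructed: Gi0/0 faces the internet, Gi0/1 faces the office subnet 10.0.1.0/24 and the web server 10.0.0.5; ACL 100 is bound inbound on Gi0/0 only, and office-to-internet traffic is assumed unfiltered on the inside interface. Source addresses are not checked, which corresponds to 'any' in the scenario.

```python
"""Added example (not the page's configuration or vendor code): a two-interface
router model that shows where an ACL takes effect (inbound on ingress, outbound
on egress) and why a stateless list needs an 'established' entry for return
traffic. Topology is constructed: Gi0/0 faces the internet, Gi0/1 faces the
office 10.0.1.0/24 and the web server 10.0.0.5. Only the internet side is
filtered; office-to-internet traffic is assumed unfiltered on the inside
interface. Source addresses are not checked, matching 'any' in the scenario."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

OUTSIDE, INSIDE = "Gi0/0", "Gi0/1"
INTERNAL = ipaddress.ip_network("10.0.0.0/16")
WEB = "10.0.0.5"


@dataclass
class Ace:
    action: str                   # permit / deny
    dst: str                      # destination CIDR
    dport: Optional[int] = None   # None = any port
    established: bool = False     # IOS 'established': only packets with ACK or RST set

    def matches(self, pkt: dict) -> bool:
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and pkt["dport"] != self.dport:
            return False
        if self.established and not (pkt["flags"] & {"ACK", "RST"}):
            return False
        return True


def evaluate(acl: List[Ace], pkt: dict) -> str:
    """First match wins; nothing matched means the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


@dataclass
class Router:
    # (interface, "in" | "out") -> ACL; an interface with nothing bound forwards freely.
    bindings: Dict[Tuple[str, str], List[Ace]] = field(default_factory=dict)

    def egress_for(self, pkt: dict) -> str:
        """Routing decision: internal destinations leave via Gi0/1, the rest via Gi0/0."""
        return INSIDE if ipaddress.ip_address(pkt["dst"]) in INTERNAL else OUTSIDE

    def forward(self, pkt: dict, ingress: str) -> str:
        """Inbound list on the ingress interface, then routing, then outbound list on egress."""
        acl = self.bindings.get((ingress, "in"))
        if acl is not None and evaluate(acl, pkt) == "deny":
            return f"dropped: inbound ACL on {ingress}"
        egress = self.egress_for(pkt)
        acl = self.bindings.get((egress, "out"))
        if acl is not None and evaluate(acl, pkt) == "deny":
            return f"dropped: outbound ACL on {egress}"
        return f"forwarded via {egress}"


# Constructed ACL 100, following the scenario: HTTP/HTTPS to the web server,
# plus return traffic to the office; everything else hits the implicit deny.
ACL_100 = [
    Ace("permit", f"{WEB}/32", 80),
    Ace("permit", f"{WEB}/32", 443),
    Ace("permit", "10.0.1.0/24", established=True),
]

# Constructed packets arriving from the internet on Gi0/0.
HTTP_REQUEST = {"dst": WEB, "dport": 80, "flags": {"SYN"}}
SSH_PROBE = {"dst": WEB, "dport": 22, "flags": {"SYN"}}
WEB_REPLY = {"dst": "10.0.1.20", "dport": 51234, "flags": {"ACK"}}    # reply to an office browser
OFFICE_PROBE = {"dst": "10.0.1.20", "dport": 445, "flags": {"SYN"}}   # new connection into the office


def demo() -> dict:
    right = Router({(OUTSIDE, "in"): ACL_100})
    wrong_direction = Router({(INSIDE, "in"): ACL_100})   # bound where internet traffic never enters
    no_established = Router({(OUTSIDE, "in"): ACL_100[:2]})
    return {
        "http_to_web": right.forward(HTTP_REQUEST, OUTSIDE),
        "ssh_to_web": right.forward(SSH_PROBE, OUTSIDE),
        "reply_to_office": right.forward(WEB_REPLY, OUTSIDE),
        "probe_to_office": right.forward(OFFICE_PROBE, OUTSIDE),
        "ssh_wrong_direction": wrong_direction.forward(SSH_PROBE, OUTSIDE),
        "reply_no_established": no_established.forward(WEB_REPLY, OUTSIDE),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22s} {outcome}")
```

The last two results are the ones that matter in practice. With the list bound inbound on the wrong interface, the SSH probe sails through because no list is consulted on the path it actually takes, which is the exam trap in the previous section. Without the established entry, the reply to an office browser is dropped while the outgoing request was never blocked, so users see connections that start but pages that never load. The established entry is still weaker than a stateful security group: it matches on TCP flags alone, not on whether a session was really opened from inside, which is why the page contrasts stateless ACLs with stateful firewalls.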

In cloud environments, ACLs are often managed through web interfaces and APIs, but the logic is exactly the same. A professional must also be aware of the performance impact of ACLs. A very long ACL with hundreds of rules can slow down a router because every packet must be compared against each rule until a match is found.

This is why it is important to keep ACLs as short as possible and to place the most frequently matched rules at the top. The practical skill of writing clean, efficient ACLs is highly valued in the industry. It demonstrates that you can secure a network without breaking it.

Memory Tip

ACL stands for Always Check the List. Think of the three core steps: define, order, apply. If you remember the order of rules from top to bottom, and that the last rule is an implicit deny, you will avoid the most common errors.

Frequently Asked Questions

What is the difference between a standard ACL and an extended ACL?

A standard ACL filters packets only based on the source IP address. An extended ACL can filter based on source IP, destination IP, protocol, and port number. Extended ACLs give you much more control over what traffic is allowed or denied.

What does implicit deny mean in an ACL?

Implicit deny is the default rule at the end of every ACL. Any traffic that does not match a permit rule is automatically denied, even if no explicit deny rule is written. This ensures that only explicitly permitted traffic is allowed.

Do I need to add a deny rule at the end of an ACL?

You do not need to add a deny rule because the implicit deny already blocks unmatched traffic. However, some administrators add an explicit deny rule for logging purposes, so they can see how many packets were blocked.

Why is the order of rules in an ACL important?

ACLs are processed from top to bottom. The first rule that matches a packet determines what happens. If a general deny rule is placed before a specific permit rule, the specific rule will never be reached, and legitimate traffic might be blocked.

Can I use an ACL to filter traffic on a switch port?

Yes, you can apply ACLs to switch virtual interfaces (SVIs) and sometimes to physical ports using port access control lists. The principle is the same, but the configuration varies by switch model and operating system.

What is the difference between an ACL and a firewall?

An ACL is a simple list of rules that filters packets based on header information. A firewall is a more advanced security system that can perform stateful inspection, application-layer filtering, and intrusion detection. ACLs are often a feature within a firewall.

How do I know whether to apply an ACL inbound or outbound?

Apply an ACL inbound to filter traffic as it enters the interface, before the router processes it. Apply it outbound to filter traffic after it has been routed but before it leaves the interface. Choose based on where you want to control access relative to the router.

Summary

An Access Control List is a fundamental security tool that every IT professional must understand. It is essentially a set of ordered rules that determine which network traffic can pass through a router, firewall, or other network device. By filtering packets based on attributes like source IP, destination IP, and port number, ACLs enforce the principle of least privilege, allowing only necessary traffic and blocking the rest.

The key points to remember for exams are that ACLs are processed sequentially from top to bottom, the first match wins, and an implicit deny exists at the end of every list. You must also know the difference between standard and extended ACLs, how to choose the correct direction for application, and the importance of placing more specific rules before general ones. In real-world practice, ACLs are used to secure network perimeters, segment internal networks, control management access, and protect sensitive resources.

They are a critical component of network security and appear in every major certification exam from CompTIA to Cisco. Mastering ACLs will not only help you pass your exams but also give you practical skills that you will use daily in your career. Remember the three core steps: define your policy, write your rules in the correct order, and apply them to the right interface in the right direction.