What Is ACL? Security Definition
Also known as: ACL, Access Control List, networking ACL, standard ACL, extended ACL
On This Page
What do you want to do?
Quick Definition
An ACL is like a guest list for a private event. It tells the network who is allowed in, what they can do once inside, and who gets turned away. Network devices use ACLs to permit or deny traffic based on criteria like IP addresses, port numbers, or protocols.
Commonly Confused With
A security group is a stateful virtual firewall for AWS EC2 instances, while a Network ACL is a stateless firewall for AWS subnets. Security groups allow return traffic automatically, but NACLs require explicit outbound rules for return traffic.
If you allow inbound HTTP in a security group, the web server can send responses back without an additional rule. In a NACL, you must also add an outbound rule that allows ephemeral ports for the response.
A firewall is a dedicated security device or software that often provides stateful inspection, application-layer filtering, intrusion prevention, and logging. An ACL is a simpler list of rules that can be part of a firewall or a router. Not all ACL features are as advanced as a full firewall.
A router with an ACL can block traffic on port 23. A next-generation firewall can inspect the traffic to detect if it is actually Telnet traffic or if someone is trying to tunnel data over that port.
Permissions are rights assigned to a user or group for a specific resource, like read or write. ACLs are the structure that contains those permissions. An ACL is the list, and permissions are the entries in that list.
On a Linux file, the permission that User A can read the file is one entry. The ACL is the entire list of all users and their permissions for that file.
A routing table determines the path that packets take through the network based on destination IP addresses. An ACL determines whether packets are allowed to take that path at all. They work together but serve different purposes.
A routing table may say the path to 10.0.1.0/24 is through interface GigabitEthernet0/1. An ACL on that interface may deny all traffic from a specific source, so packets from that source will be dropped even if the route exists.
ACL appears directly in 955exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CompTIA Security+. Practise them →
Must Know for Exams
The term ACL appears across many certification exams because it is a core concept that spans networking, security, cloud, and system administration. On the CompTIA Network+ exam, candidates must understand the purpose of ACLs for traffic filtering and security. Questions often ask about standard versus extended ACLs, and where to place them for optimal effect.
On the CompTIA Security+ exam, ACLs are covered under access control models. Candidates need to know that ACLs are a form of discretionary access control where the owner of the resource defines the permissions. Scenarios may involve configuring ACLs on a firewall to block specific threats.
On the CCNA exam, ACLs are a major topic. Candidates must know how to configure standard and extended numbered ACLs and named ACLs on Cisco routers. They must understand the implicit deny any rule, the wildcard mask syntax, and how to apply an ACL inbound or outbound on an interface.
Exam questions often present a topology and ask which ACL rules will allow or deny specific traffic flows. On the Linux+ exam, ACLs refer to file system permissions beyond the standard owner/group/others model. Candidates must know how to use getfacl, setfacl, and understand the mask entry that limits the maximum permissions.
On the AWS Solutions Architect Associate exam, ACLs refer to Network ACLs. Candidates must differentiate between security groups and NACLs, understand that NACLs are stateless and apply to subnets, and know the difference between inbound and outbound rules. Exam scenarios often ask which configuration will allow SSH access to an EC2 instance while blocking all other traffic.
On the Azure AZ-104 exam, ACLs appear in the context of Network Security Groups and Azure Firewall. Candidates must understand that NSGs contain security rules that act as ACLs for traffic filtering. On the Google ACE exam, ACLs are used in Google Cloud Firewall rules.
The exam expects candidates to know that firewall rules are stateful and that the most specific rule is applied. Across all exams, the common thread is that ACLs are a method of controlling access based on a set of ordered rules. Exam questions frequently test the implicit deny concept, the order of rule evaluation, and the difference between stateful and stateless filtering.
Simple Meaning
Imagine you run a small office building with several rooms: a lobby, a server room, an accounting office, and a break room. You want to control who can enter each room. An Access Control List is like a set of instructions posted at every doorway.
For the server room, the list might say only the IT manager and the system administrator can enter. For the accounting office, the list might say only accountants and the CFO can enter. The list also says what each person can do inside: the IT manager can touch the servers, but the system administrator can only look at the screens.
This list is checked every time someone tries to enter a door. In networking, the door is a router or a firewall. The people are data packets traveling across the network. Each packet has a source IP address, a destination IP address, a port number, and a protocol type.
The ACL is a set of rules that the router or firewall checks against each packet. If a packet matches a rule that says permit, it gets through. If it matches a rule that says deny, it is blocked.
ACLs can be very simple, like allowing all traffic from the company's own IP range and denying everything else. They can also be very detailed, allowing only specific types of traffic like web browsing or email, and only from specific computers. ACLs are one of the most basic and powerful tools for network security.
They are used in routers, switches, firewalls, cloud security groups, and even operating systems to control access to files and folders. Without ACLs, every computer on the network could reach every other computer and service, which would be a huge security risk. ACLs give administrators precise control over traffic flow.
Full Technical Definition
An Access Control List is a sequential list of permissions or rules attached to an object, such as a network interface, a file system, or a cloud security group. In networking, ACLs are commonly implemented on routers and firewalls to filter traffic based on Layer 3 (IP) and Layer 4 (TCP/UDP) headers. Each rule, called an Access Control Entry, contains fields such as source IP address, destination IP address, source port, destination port, protocol type, and an action of either permit or deny.
ACLs are evaluated top-down, meaning the first matching rule determines the action applied to the packet. If no rule matches, an implicit deny rule at the end of the list blocks the packet by default. There are two main types of ACLs in networking: standard and extended.
Standard ACLs filter only based on the source IP address. They are simpler but less precise. Extended ACLs filter based on source and destination IP addresses, protocol type (TCP, UDP, ICMP, etc.
), and port numbers. For example, an extended ACL can allow HTTP traffic from a specific source IP to a specific web server while blocking all other traffic. ACLs are also used in file systems.
A file system ACL, such as in Linux or Windows, defines permissions for users and groups on files and directories. Each entry specifies a user or group, the type of access (read, write, execute), and whether the permission is allowed or denied. This is managed through commands like chmod and setfacl in Linux, or through security tabs in Windows.
In cloud environments like Amazon Web Services, ACLs are called Network Access Control Lists. A network ACL is a stateless firewall that controls traffic in and out of a subnet. Each subnet can have one inbound and one outbound ACL with numbered rules.
Stateless means that return traffic must be explicitly allowed by a separate outbound rule. This is different from a security group, which is stateful and automatically allows return traffic. ACLs are also used in switch security.
A port ACL on a Cisco switch can restrict traffic on a specific switch port to a specific MAC address or IP address. In routing protocols, ACLs can be used to filter route advertisements. For example, a distribute-list with an ACL can prevent certain routes from being injected into a routing protocol.
ACLs are configured using commands like access-list in Cisco IOS, iptables in Linux, or aws ec2 create-network-acl in AWS. The number and order of rules matter greatly because if a rule is too broad, it might permit or deny traffic unintentionally. Best practices include placing more specific rules before general rules and explicitly denying unwanted traffic rather than relying on the implicit deny.
Real-Life Example
Think of a large office building with a security guard at the main entrance. The guard has a binder with a list of names and their access levels. This binder is the ACL. Each person approaching the entrance has a badge with their name and photo.
The guard checks the name against the list. For example, the list says that Sarah from HR can enter the building between 8 AM and 6 PM, and she can go to the second floor where HR sits, but not to the IT server room on the fourth floor. John from IT can enter any time and go to any floor, but he is not allowed to take any equipment out of the building without a signed form.
These are the rules in the ACL. Now imagine a package delivery person arrives. Their name is not on the list at all. The guard denies them entry. This is the implicit deny rule at the bottom of the ACL.
If the building manager wants to let in a consultant for one week, they add a temporary rule to the list. The mapping to networking is straightforward. The security guard is the router or firewall.
The people are data packets. The badge information (name, department, time) is the packet header info (source IP, destination IP, port). The binder with rules is the ACL. The guard checking the list is the process of packet filtering.
If the packet matches a permit rule, it is allowed through the interface. If it matches a deny rule, it is dropped. If no match is found, the packet is dropped by the implicit deny.
Just like the building, you can have multiple ACLs for different doors. One ACL for the front door (inbound on a router interface), one for the server room door (DMZ interface), and one for the fire escape (outbound ACL). Each ACL controls different traffic flows.
This analogy shows why order matters. If the building has a rule that says allow all employees, but then a rule that says deny John, the allow rule would be matched first for John, and he would be allowed in despite the deny rule. The same happens in networking.
If a broad permit rule appears before a specific deny rule, the specific deny rule never gets evaluated.
Why This Term Matters
ACLs are a fundamental building block of network security and access control in IT. Without ACLs, networks would be flat and open, meaning any device could communicate with any other device, and any user could access any file. That is completely unacceptable in any professional environment.
ACLs provide the first line of defense at the network perimeter. A well-configured ACL on a border router can block entire classes of malicious traffic, such as traffic from known bad IP addresses or traffic on vulnerable ports like Telnet or SSH from the internet. Inside the network, ACLs segment traffic between different departments or trust zones.
For example, an ACL can prevent the guest Wi-Fi network from accessing the internal accounting server. This is called network segmentation and is a core security principle. In cloud infrastructure, AWS Network ACLs are critical for securing virtual private cloud subnets.
They act as a stateless firewall at the subnet level. If you do not configure a NACL correctly, you could accidentally expose a database to the entire internet or block all traffic to your web servers. In system administration, file system ACLs are essential for multi-user environments.
On a Linux server hosting multiple websites, ACLs allow you to give one developer read-write access to a specific website folder while another developer can only read it. This prevents accidental deletions or unauthorized modifications. ACLs also appear in compliance requirements.
Regulations like PCI DSS require strict access controls. Auditors will check that ACLs are in place to restrict access to cardholder data environments. In networking, ACLs are used for more than just security.
They are also used for traffic filtering, quality of service marking, and routing policy. For example, an ACL can match traffic from a specific IP range and then mark it for priority queuing. Understanding ACLs is essential for troubleshooting.
If legitimate traffic suddenly stops flowing, the first thing to check is whether an ACL is blocking it. Many network outages are caused by misconfigured ACLs. Professionals need to know how to read ACL entries, understand the order of operations, and know the difference between inbound and outbound ACLs on an interface.
How It Appears in Exam Questions
Exam questions about ACLs come in several common formats. The first format is simple definition or matching questions. These might ask, What does ACL stand for? or Which type of ACL filters based only on source IP address?
The answer is standard ACL. Another common format is order of evaluation questions. A question might present an ACL with several entries and ask which action is taken for a specific packet.
For example, an ACL has a rule that denies any traffic from 10.0.0.0/8, then permits any traffic from 10.0.1.0/24. A packet arrives from 10.0.1.5. Which action is taken? The correct answer is deny because the first rule matches the source network.
The second rule is never reached. Configuration questions are very common on the CCNA exam. A question might show a partial configuration and ask which command completes the ACL to block Telnet traffic from a specific subnet.
The candidate must know the access-list command syntax. Another example: A router has an ACL applied outbound on interface GigabitEthernet0/0. A packet arrives with a destination IP of 192.
168.1.100 and a source IP of 10.0.0.1. The ACL has rules evaluating the destination IP. The candidate must understand that outbound ACLs check the destination IP. Scenario-based questions on the AWS exam often present a VPC with public and private subnets.
They describe a requirement to allow only HTTP traffic from the internet to reach a web server in the public subnet, and to allow only the web server to access a database in the private subnet. The question asks which Network ACL rules accomplish this. The candidate must configure inbound and outbound rules for both subnets.
Another scenario on the Security+ exam might describe a company that wants to prevent internal users from accessing social media sites during work hours. The candidate must determine whether an ACL on the firewall can block traffic to specific domains or IP addresses. Troubleshooting questions appear on the Network+ and CCNA exams.
A question might describe that users in one department cannot reach a server, and the ACL on the router was recently changed. The candidate must examine the ACL entries and find the error, such as a rule that is too broad or a missing permit statement. On the Linux+ exam, questions might show the output of getfacl and ask what permission a specific user has on a file.
The candidate must interpret the ACL entries correctly. There are also questions about the difference between ACLs and other security mechanisms. For example, a question on the AZ-104 might ask, What is the difference between an NSG and an Azure Firewall?
One difference is that an NSG acts as a distributed ACL while Azure Firewall is a centralized service. Across all these question types, the key skill is reading ACL rules carefully, understanding the order of evaluation, and knowing the implicit deny.
Practise ACL Questions
Test your understanding with exam-style practice questions.
Example Scenario
A small company called GreenBooks has an internal network with three departments: sales, accounting, and IT. The company has a single server that hosts both a web application for sales orders and a database for financial records. The IT administrator needs to configure an ACL on the company's router to ensure that only sales department computers can access the web application, and only accounting department computers can access the database.
The sales computers are on the 192.168.1.0/24 subnet. The accounting computers are on the 192.168.2.0/24 subnet. The server has IP address 10.0.0.10. The web application runs on TCP port 443.
The database runs on TCP port 3306. The administrator creates an extended ACL with the following rules. Rule 10 permits TCP traffic from source 192.168.1.0/24 to destination 10.0.0.
10 with destination port 443. Rule 20 permits TCP traffic from source 192.168.2.0/24 to destination 10.0.0.10 with destination port 3306. Rule 30 denies all other IP traffic. The ACL is applied inbound on the router interface that connects to the server VLAN.
Now when a sales employee tries to access the web application, the packet matches rule 10 and is permitted. If that same sales employee tries to access the database, the packet does not match rule 10 or rule 20, so it matches rule 30 and is denied. If an employee from IT tries to access the server for maintenance, their traffic is denied because the ACL does not have a permit rule for the IT subnet.
The administrator later adds a rule to allow SSH access from the IT subnet for maintenance. This scenario shows how ACLs enforce network segmentation and least privilege. The order of rules matters because if rule 30 had been placed before the permit rules, all traffic would be denied.
Common Mistakes
Thinking that ACLs are evaluated in a random order or that the most specific rule is always applied first.
ACLs are evaluated sequentially from the top down. The first rule that matches the packet determines the action. A broad rule placed before a specific rule will always be matched first, making the specific rule irrelevant.
Always place more specific rules before more general rules. For example, permit a specific host before permitting the entire subnet.
Forgetting the implicit deny at the end of every ACL.
Many learners think that if a packet does not match any permit or deny rule, it is allowed by default. In reality, all ACLs have an invisible final rule that denies all traffic. If you do not include an explicit permit rule, all traffic is blocked.
Always remember that the default action for any ACL is deny. If you want to allow traffic, you must write an explicit permit rule for it.
Confusing ACLs with firewalls or thinking they provide stateful inspection.
ACLs are stateless filters. They examine each packet individually without considering whether it is part of an established connection. A stateful firewall tracks connection state and allows return traffic automatically. An ACL would require a separate rule for return traffic.
Use ACLs for simple permit or deny filtering. For advanced connection tracking, use a stateful firewall instead of a standard ACL.
Applying an ACL in the wrong direction on an interface.
An ACL applied inbound filters traffic coming into the interface. An ACL applied outbound filters traffic leaving the interface. If you apply an inbound ACL when you intend to filter outgoing traffic, the rules will not match the traffic you want to control.
Check the direction of traffic flow. If you want to block traffic coming from the internet into your network, apply the ACL inbound on the interface that faces the internet. If you want to block traffic leaving your network, apply it outbound on the interface that faces the internal network.
Using a standard ACL when an extended ACL is needed for granular control.
Standard ACLs filter only on source IP address. They cannot filter based on destination, port, or protocol. This is too coarse for most security requirements. For example, you cannot allow web traffic while blocking FTP using a standard ACL.
Use extended ACLs when you need to control traffic based on destination IP, port numbers, or protocol types. Use standard ACLs only for simple source-based filtering, such as blocking traffic from a specific IP range.
Writing ACL rules with the wrong wildcard mask syntax on Cisco devices.
The wildcard mask is the inverse of a subnet mask. For example, to match the subnet 192.168.1.0/24, you use a wildcard mask of 0.0.0.255. Many learners mistakenly use a subnet mask like 255.255.255.0, which will not match correctly.
Remember that wildcard masks use 0 to indicate bits that must match and 1 to indicate bits that can be ignored. For a /24 network, the host bits are the last octet, so the wildcard mask is 0.0.0.255.
Assuming that ACLs on cloud platforms like AWS are stateful.
AWS Network ACLs are stateless. This means that if you allow inbound traffic on port 80 from the internet, you must also create a separate outbound rule to allow the return traffic. Many learners forget this and wonder why connections do not work.
For AWS NACLs, always configure both inbound and outbound rules for the traffic you want to allow. Use AWS Security Groups for stateful filtering instead.
Exam Trap — Don't Get Fooled
The implicit deny at the end of an ACL is often tested by giving an ACL with only permit statements and asking what happens to traffic that does not match any of them. Many learners choose allow. Always remember that every ACL ends with an invisible deny any any rule.
If a packet does not match any of the explicit rules, it is denied. In exam questions, if the ACL has only permit rules and the destination traffic does not match them, the answer is deny.
Step-by-Step Breakdown
Define the Traffic Filtering Requirement
Before creating an ACL, you must identify what traffic you want to allow or block. For example, you might need to block all inbound traffic on port 23 to prevent Telnet access, or allow only HTTP traffic from a specific subnet to a web server.
Choose the ACL Type
Decide between a standard ACL, which filters only on source IP, or an extended ACL, which filters on source and destination IP, protocol, and port. For most tasks, extended ACLs are preferred because they offer more precise control.
Create the ACL Rules in Sequence
Write the access control entries in the correct order. Start with the most specific rules first. Each rule has a number or name for identification, followed by the action (permit or deny), and the matching criteria. For extended ACLs, include the protocol, source, destination, and port if applicable.
Apply the ACL to an Interface
After creating the ACL, you must apply it to a router or firewall interface. Specify whether the ACL filters inbound traffic (traffic coming into the interface) or outbound traffic (traffic leaving the interface). The direction depends on where the traffic originates relative to the device.
Test the ACL Behavior
Use tools like ping, telnet, or traceroute to verify that the ACL is permitting and denying traffic as intended. Check that legitimate traffic passes and unauthorized traffic is blocked. If something is not working, review the order of rules and the wildcard masks.
Practical Mini-Lesson
In this practical lesson, you will learn how to think about and work with ACLs in a real IT environment. ACLs are not just a theoretical concept. They are something you will configure, troubleshoot, and rely on daily.
The first thing to understand is the ACL evaluation model. ACLs use first-match logic. Picture a bouncer at a club with a list of names. The bouncer reads the list from top to bottom.
As soon as the bouncer finds your name, the action is taken: you are let in or turned away. The bouncer does not read the rest of the list. This is exactly how a router processes an ACL.
When a packet arrives, the router starts at the first entry. If the source IP, destination IP, protocol, and port all match that entry, the packet is either permitted or denied. Processing stops.
If there is no match, the router checks the next entry. This continues until the end of the list. If no match is found, the implicit deny rule catches everything. This means a misplaced rule can break connectivity.
For example, if you have an ACL on your router that permits all traffic from the 192.168.1.0/24 network, and then denies traffic from the 192.168.1.100 host, the host 192.168.1.100 will still be permitted because the first rule matches it.
The deny rule never gets checked. The correct order is to place the specific deny rule before the broad permit rule. Another critical point is the wildcard mask. In Cisco IOS, ACLs use wildcard masks instead of subnet masks.
A wildcard mask is the inverse of a subnet mask. For the network 10.0.0.0/24, the subnet mask is 255.255.255.0, and the wildcard mask is 0.0.0.255. The wildcard mask tells the router which bits of the IP address to check.
A 0 means check that bit exactly. A 1 means ignore that bit. For example, to match all hosts in 10.0.0.0/24, you use wildcard mask 0.0.0.255, which means the first 24 bits must be 10.
0.0, and the last 8 bits can be anything. If you want to match a single host, you use wildcard mask 0.0.0.0, which means all bits must match exactly. In file system ACLs, the concept is similar but the syntax differs.
On Linux, you use setfacl -m u:username:rwx file to grant a specific user permissions. The ACL is stored as a list of entries. You can view it with getfacl. The order of entries matters here too.
The file system checks user entries, then group entries, then mask, then other. If a user is listed specifically, that entry is used regardless of what the group entry says. This is different from network ACLs, where the order is exactly the list order.
In AWS, Network ACLs are numbered. The numbers are just placeholders for ordering. You can insert a rule at a specific number to place it in the correct sequence. AWS evaluates rules from lowest number to highest number.
Best practice is to number rules in increments of 10 or 100 to allow for future insertions. When troubleshooting ACLs, always check the order of rules first. Count the entries and verify that the specific rules come first.
Check the direction of the ACL on the interface. Remember that an inbound ACL filters traffic before the router makes a routing decision, while an outbound ACL filters traffic after the routing decision. This affects whether the source or destination IP address is used in the rule.
For the CCNA exam, you will need to know that standard ACLs should be placed close to the destination to avoid filtering unintended traffic. Extended ACLs should be placed close to the source to filter unwanted traffic early and conserve bandwidth. Finally, always test ACL changes during a maintenance window.
A misconfigured ACL can lock you out of a device. Have a backup plan, such as a console connection or a scheduled reload, just in case.
Memory Tip
ACLs are like a coat check list. The first name on the list gets the action. If your name is not on the list, you are left out in the cold.
Learn This Topic Fully
This glossary page explains what ACL means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
SY0-701CompTIA Security+ →XK0-006CompTIA Linux+ →200-301Cisco CCNA →N10-009CompTIA Network+ →AZ-104AZ-104 →ACEGoogle ACE →SAA-C03SAA-C03 →220-1101CompTIA A+ Core 1 →220-1102CompTIA A+ Core 2 →CS0-003CompTIA CySA+ →CDLGoogle CDL →SC-900SC-900 →SOA-C02SOA-C02 →ISC2 CCISC2 CC →Related Glossary Terms
802.1Q is the networking standard that allows multiple virtual LANs (VLANs) to share a single physical network link by tagging Ethernet frames with VLAN identification information.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
Frequently Asked Questions
What does ACL stand for in networking?
ACL stands for Access Control List. It is a list of rules that control which traffic is permitted or denied through a network device.
What is the difference between a standard ACL and an extended ACL?
A standard ACL filters traffic based only on the source IP address. An extended ACL filters based on source and destination IP addresses, protocol type, and port numbers.
What is the implicit deny in an ACL?
The implicit deny is a hidden rule at the end of every ACL that denies all traffic that does not match any explicit rule. It cannot be removed.
How do I apply an ACL to a router interface in Cisco IOS?
Use the command ip access-group <acl-number> in or out under the interface configuration mode. The in or out keyword specifies the direction.
Are AWS Network ACLs stateful or stateless?
AWS Network ACLs are stateless. You must explicitly allow inbound and outbound traffic separately.
Can I use an ACL to block a specific user by MAC address?
Standard and extended ACLs do not filter by MAC address. They work at Layer 3 and Layer 4. For MAC filtering, you need a port ACL on a switch or a different mechanism.
What is a wildcard mask and how is it different from a subnet mask?
A wildcard mask is the inverse of a subnet mask and is used in Cisco ACLs. A 0 in the wildcard mask means the corresponding bit must match, and a 1 means the bit can be ignored.
Why is the order of ACL rules so important?
ACLs are evaluated from the first rule downward. The first matching rule is applied, and later rules are ignored. Incorrect order can cause unintended blocks or permissions.
Summary
An Access Control List is a foundational concept in IT that appears in networking, system administration, cloud computing, and security. At its core, an ACL is a set of ordered rules that permit or deny access to resources based on criteria like IP addresses, ports, protocols, or user identities. Understanding how ACLs work is not just about memorizing command syntax.
It is about grasping the sequential evaluation logic, the implicit deny, and the importance of rule placement. In exams like CCNA, Security+, AWS Solutions Architect, and Linux+, ACLs are a recurring topic. You will be asked to interpret existing ACLs, create new ones, or troubleshoot broken connectivity caused by ACL errors.
Common mistakes include misordering rules, forgetting the implicit deny, and confusing ACLs with stateful firewalls. In real-world IT work, ACLs are used every day at the network perimeter, between VLANs, on file servers, and in cloud subnets. A misconfigured ACL can bring down an entire service or create a security vulnerability.
Mastering ACLs will make you a more effective network engineer, system administrator, or cloud architect. Keep practicing with labs and exam simulators to build confidence in reading and writing ACL rules. Remember that the first rule wins, and if traffic does not match any rule, it is denied.