IP services and securityIntermediate27 min read

What Is Extended ACL? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

An extended ACL is like a detailed security guard who checks not only who is trying to enter a building but also what they are carrying and where they want to go. It looks at the source and destination addresses, the type of traffic (like web or email), and the specific port numbers. This allows network administrators to create very specific rules to allow or block traffic. It is more precise than a standard ACL, which only looks at the source address.

Commonly Confused With

Extended ACLvsStandard ACL

A standard ACL only filters based on the source IP address of the packet. It cannot filter by destination IP, protocol, or port. An extended ACL can filter on all of these, making it much more granular. Standard ACLs are simpler and faster, but less secure for complex policies.

If you need to block all traffic from a specific workstation, a standard ACL is fine. If you need to block only FTP traffic from that workstation to a specific server, you need an extended ACL.

Extended ACLvsNamed ACL

Named ACLs are simply a different way to create an ACL using a descriptive name instead of a number. They can be either standard or extended. The capabilities are identical to numbered ACLs of the same type. The name just makes the configuration easier to read and manage.

Instead of 'access-list 110 permit...' you write 'ip access-list extended BLOCK-FTP' and then add rules. The functionality is identical to a numbered extended ACL.

Extended ACLvsDynamic ACL

Also known as lock-and-key ACL, a dynamic ACL temporarily modifies the ACL rules based on user authentication. It allows a user to authenticate and then gain temporary access through a firewall. An extended ACL is static-the rules are fixed until an administrator changes them manually.

A user connects to the router via Telnet, authenticates, and then the dynamic ACL adds a temporary permit rule for that user's IP. An extended ACL would have that rule permanently configured.

Extended ACLvsReflexive ACL

A reflexive ACL is a type of ACL that automatically creates temporary permit entries for returning traffic that is part of a session initiated from the inside network. It is similar to a stateful firewall feature but is stateless in implementation. Extended ACLs do not automatically allow return traffic; you must explicitly configure rules for both directions or use the 'established' keyword.

An internal host sends a packet to a web server. A reflexive ACL creates a temporary permit rule for the returning packets. An extended ACL would need a separate rule to allow the return traffic based on source port or the 'established' keyword.

Extended ACLvsVLAN ACL (VACL)

A VACL filters traffic within a VLAN, not just on a router interface. It can filter traffic that is being bridged between ports within the same VLAN. Extended ACLs are typically applied to Layer 3 interfaces (routed interfaces) and filter traffic crossing router boundaries. VACLs work at Layer 2.

If you want to block traffic between two PCs in the same VLAN without a router, you would use a VACL. If the traffic must go through a router to reach another VLAN, you would use an extended ACL on the router interface.

Extended ACLvsSecurity Group (AWS/Azure)

A security group is a stateful virtual firewall that controls traffic to and from cloud resources like EC2 instances. It filters based on similar criteria (IP, port, protocol) but is stateful, meaning return traffic is automatically allowed. An extended ACL in a traditional router is stateless, requiring explicit rules for both directions.

In AWS, you create a security group rule allowing inbound HTTP traffic from the internet. Return traffic is automatically permitted. With an extended ACL, you would need two rules: one for inbound HTTP and one for outbound return traffic (or use the 'established' keyword for TCP).

Extended ACL appears directly in 27exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CompTIA Security+. Practise them →

Must Know for Exams

Extended ACLs are a core topic in the CCNA (200-301) exam, where they appear in the 'Network Access' domain. Cisco expects candidates to understand the difference between standard and extended ACLs, know the syntax for creating and applying them, and be able to interpret ACL configurations. You may be asked to identify which traffic is permitted or denied by a given ACL, or to write an ACL that matches a specific security policy. The CCNA exam places heavy emphasis on the use of wildcard masks, the 'established' keyword, and the placement of ACLs (ingress vs. egress).

For the CompTIA Network+ exam (N10-008), extended ACLs are covered under 'Network Security' and 'Network Operations'. Network+ expects you to know the purpose of extended ACLs and how they differ from standard ACLs. You might encounter scenario-based questions where you must choose the correct type of ACL to implement a given policy. Understanding the concept is more important than memorizing Cisco-specific syntax.

The CompTIA Security+ exam (SY0-601) covers ACLs in the context of access control models and network security. While Security+ does not focus on Cisco syntax, it expects you to understand that extended ACLs provide more granular security than standard ACLs. You may be asked to describe how ACLs can be used to enforce the principle of least privilege or to segment a network.

For the AWS Solutions Architect exam (SAA-C03), the concept of extended ACLs is analogous to Network ACLs (NACLs) in Amazon VPC. AWS NACLs are stateless and filter traffic based on rules that include source/destination IP, protocol, and port ranges, just like extended ACLs. Understanding extended ACLs helps you grasp how AWS NACLs work. The AZ-104 exam (Microsoft Azure) covers Network Security Groups (NSGs) and Application Security Groups (ASGs), which also filter traffic based on similar criteria (source, destination, port, protocol). The Google ACE exam covers VPC firewall rules, which again are stateful but also use source/destination/port/protocol filtering. So while not always called "extended ACL", the concept is universal.

In all these exams, common question types include: "Which ACL would you use to block HTTP traffic from subnet A to subnet B?" with multiple choices; "Given the following ACL, which traffic is denied?" requiring you to trace packet flows; and "Where should you place this ACL?" testing your understanding of traffic flow and security best practices.

Simple Meaning

Imagine you are the manager of a large office building with many different departments. A standard access control list is like having a security guard at the front door who only checks the ID badge of everyone coming in. If their badge says they work for the company, they are let in, no questions asked. This is simple but not very secure because any employee can go anywhere in the building, even to restricted areas.

An extended ACL is much more sophisticated. It is like having a security guard who checks your ID, then asks what department you work in, what floor you need to go to, and what specific room you are visiting. The guard also checks what equipment you are carrying. For example, you might be allowed to enter the building, but only if you are going to the IT department on the third floor, and only during business hours, and only if you are carrying a laptop. If you try to go to the accounting server room on the second floor with a box of cables, the guard will stop you.

In computer networking, this works the same way. A standard ACL only looks at where the traffic came from (the source IP address). It can either allow or block all traffic from that address, regardless of where it is trying to go or what type of traffic it is. An extended ACL, on the other hand, can look at the source IP address, the destination IP address, the protocol being used (like TCP for web traffic or UDP for video calls), and even the specific port numbers (like port 80 for web pages or port 25 for email). This allows network engineers to create very precise rules. For instance, they can allow employees to access the company website but block them from using file-sharing services, or allow email traffic but block instant messaging. This level of control is essential for modern network security and is a core concept for many IT certification exams.

Full Technical Definition

An Extended Access Control List (Extended ACL) is a sequence of permit or deny statements, known as Access Control Entries (ACEs), that filter network packets based on multiple criteria. Unlike standard ACLs which only evaluate the source IP address of a packet, extended ACLs can evaluate the source IP address, destination IP address, protocol type (e.g., IP, TCP, UDP, ICMP, GRE, ESP), and, when applicable, the source and destination port numbers. This allows for highly granular security policies.

Extended ACLs operate at Layer 3 (network layer) and Layer 4 (transport layer) of the OSI model. They are processed sequentially from top to bottom. When a packet enters or exits an interface and the interface has an extended ACL applied, the router or firewall examines the packet against each ACE in order. As soon as a match is found, the specified action (permit or deny) is executed, and no further rules are processed. If the packet does not match any rule, it is implicitly denied at the end of the ACL. This "implicit deny" is a critical security feature that blocks all traffic unless explicitly permitted.

The syntax for an extended ACL in Cisco IOS is typically: access-list [number] [permit|deny] [protocol] [source source-wildcard] [destination destination-wildcard] [eq port]. For example: access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 80. This rule permits TCP traffic from the 192.168.1.0/24 network to any destination on port 80 (HTTP). The wildcard mask (0.0.0.255) indicates which bits of the source address must match; a 0 means the bit must match exactly, and a 1 means it is ignored. This is the inverse of a subnet mask.

Extended ACLs can also filter based on established connections using the 'established' keyword for TCP, which matches packets that have the ACK or RST bit set, indicating they are part of an ongoing session. They can filter ICMP traffic by type and code, allowing precise control over ping and traceroute. They can also filter for specific IP options, fragments, and time ranges. Modern implementations on routers and firewalls often support named extended ACLs, which allow descriptive names instead of just numbers, making management easier.

In real-world IT implementations, extended ACLs are placed as close to the source of the traffic as possible. This minimizes unnecessary traffic crossing the network. For example, if you want to block a specific department from accessing a certain server, you would apply the extended ACL on the interface closest to that department. Common placements include on ingress interfaces (traffic entering a router interface) or egress interfaces (traffic leaving a router interface). Ingress filtering is often preferred because it discards unwanted traffic before it consumes routing resources.

Extended ACLs are foundational to network security policies. They are used to segment networks, restrict access to sensitive resources, enforce compliance requirements, and prevent certain types of attacks. They are a core topic in the CCNA, Network+, and Security+ exams, and a supporting concept in AWS (security groups are stateful, but ACLs are stateless) and Azure (NSGs and ASGs). Understanding extended ACLs is critical for any network or security professional.

Real-Life Example

Think of extended ACLs like the security system at a large university library. The library has many sections: the main reading room, the computer lab, the rare book collection, and the student lounge. A standard ACL would be like a guard at the main entrance who only checks if you have a student ID. If you have one, you can go anywhere. This means any student can wander into the rare book collection, which is not secure.

Now, consider an extended ACL system. At the main entrance, a guard scans your ID and asks for your specific destination. If you say "Rare Book Collection" but you are a freshman, the guard looks up the rule: "Only students with a Graduate Assistant badge or faculty card can access rare books on the third floor, only during the hours of 9 AM to 5 PM, and only if the librarian is present." If you do not meet all those conditions, you are stopped. This is the equivalent of an extended ACL checking source (your student status), destination (the rare book room), protocol (your reason for entry), and time (operating hours).

Another analogy is a nightclub with a VIP section. Standard ACL would just check if you are on the guest list. Extended ACL would check if you are on the guest list (source), check if you have a VIP wristband (destination), check if your dress code passes the protocol check (TCP/UDP), and check if you have a valid drink coupon for the VIP bar (port number). Even if you are on the guest list, if you are wearing sneakers, you might be denied entry to the VIP area. This precise filtering is exactly what extended ACLs do in a network-they allow or block traffic based on a combination of attributes, not just one.

Why This Term Matters

Extended ACLs matter because they provide the granular control needed to enforce modern network security policies. In today's networks, you cannot simply allow or block based on IP address alone. An employee might be allowed to send email but not browse social media. A server might be accessible to internal users but not to the public internet. An extended ACL makes these distinctions possible.

Without extended ACLs, network administrators would have to build complex topologies with separate VLANs and routers to achieve even basic traffic filtering, which is inefficient and difficult to manage. Extended ACLs allow a single router or firewall interface to enforce multiple, specific rules. For example, you can permit SSH access from the management network to the core switch, permit web traffic from the web server to the internet, block all traffic from the HR network to the finance server except during payroll week, and allow DNS queries from any internal host to the DNS server, all on the same interface.

This granularity is essential for compliance with regulations like PCI DSS, HIPAA, and GDPR, which often require restricting access to sensitive data. Extended ACLs are also critical for preventing specific types of attacks. For example, you can create an ACL that blocks incoming TCP packets with the SYN flag set on external interfaces, helping to mitigate SYN flood attacks. You can also block traffic to specific high-risk ports like SMB (445) or RDP (3389) from the internet.

extended ACLs are a fundamental building block for more advanced security technologies like firewalls and Intrusion Prevention Systems (IPS). Understanding extended ACLs is therefore not just a certification requirement but a practical necessity for anyone managing or securing an IP network.

How It Appears in Exam Questions

Extended ACL questions appear in several common patterns across IT certification exams. The most frequent type is the scenario-based question where you are given a network diagram and a security policy, and you must choose the correct ACL configuration to implement that policy. For example, the policy might state: 'Allow all internal users in the 10.10.0.0/16 network to access the web server at 172.16.0.10 on port 443 only. Block all other traffic to that server.' You would be presented with multiple ACL configurations and must select the one that correctly matches the policy, taking into account the correct syntax, wildcard mask, and direction.

Another common pattern is the 'troubleshooting' question. Here you are shown a router configuration with an extended ACL applied to an interface. The question describes a symptom, such as 'Users in VLAN 10 cannot reach the DNS server at 10.0.0.53.' You must analyze the ACL rules to determine which rule is incorrectly blocking the traffic, or which rule is missing. This requires you to simulate the ACL processing step by step.

A third pattern involves understanding the 'implicit deny'. Questions may ask: 'What happens to traffic that does not match any entry in an extended ACL?' The correct answer is that it is implicitly denied. They may also ask about the order of operations: 'If a packet matches multiple rules in an ACL, which rule is applied?' The answer is the first matching rule.

You may also encounter questions about 'standard vs. extended' where you must choose the correct type for a given scenario. For example, 'You need to block all traffic from subnet 192.168.1.0/24, regardless of destination. Which ACL type is most efficient?' The answer is a standard ACL. But if the policy is 'Block only FTP traffic from 192.168.1.0/24 to the server at 10.0.0.100', an extended ACL is required.

Finally, some exam questions focus on placement. 'You have an extended ACL that blocks certain traffic from the Sales subnet. Where should you apply this ACL for maximum efficiency?' The correct answer is 'on the interface closest to the source (Sales) so that the unwanted traffic is dropped as early as possible.' These question patterns are consistent across CCNA, Network+, Security+, and cloud certifications.

Practise Extended ACL Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

Imagine you are a network administrator for a small company called 'BrightPath Consulting'. The company has two main departments: Sales (network 192.168.1.0/24) and Engineering (network 192.168.2.0/24). There is a central file server at 10.0.0.50 that hosts both shared documents and sensitive engineering specifications. The company policy states that only Engineering employees should be able to access the file server using FTP (TCP port 21). Sales employees should be blocked from accessing it at all. However, both departments need access to the internet for email and web browsing.

To implement this policy, you apply an extended ACL on the router interface facing the Sales network. The ACL rules are: Rule 10: deny tcp 192.168.1.0 0.0.0.255 host 10.0.0.50 eq 21 (deny FTP traffic from Sales to the file server). Rule 20: permit ip 192.168.1.0 0.0.0.255 any (allow all other traffic from Sales to anywhere). Without Rule 20, all traffic from Sales would be implicitly denied. There is no rule for Engineering, so by default their traffic is also implicitly denied. To fix this, you also apply a permit rule for Engineering on their interface.

Now, when a Sales employee tries to connect to the file server using FTP, the router checks the packet. The source IP is 192.168.1.5, destination is 10.0.0.50, protocol is TCP, destination port is 21. The ACE at line 10 matches, and the packet is denied. When a Sales employee tries to browse the web, the packet is checked against line 10, which does not match because the destination port is 80, not 21. Then line 20 matches, and the packet is permitted. This simple scenario demonstrates how extended ACLs enforce specific, granular policies.

Common Mistakes

Confusing wildcard masks with subnet masks when configuring ACLs.

A wildcard mask uses 0 to mean 'must match' and 1 to mean 'don't care'. A subnet mask uses 1 for the network portion and 0 for the host portion. Using a subnet mask in an ACL will not filter the intended addresses.

Remember that a wildcard mask is the inverse of a subnet mask. For a /24 (255.255.255.0), the wildcard mask is 0.0.0.255.

Not including an explicit 'permit any' statement after deny rules, causing all traffic to be blocked.

All ACLs have an implicit deny at the end. If you only write deny rules, all other traffic is blocked. This can break network connectivity.

Always add a 'permit ip any any' (or more specific) rule at the end of your ACL, unless your goal is to block all non-specified traffic.

Applying an extended ACL in the wrong direction (ingress vs egress).

If you apply an inbound ACL on the wrong interface, you might block traffic that should be allowed, or allow traffic that should be blocked. Direction determines which packets are evaluated.

Draw the traffic flow. For traffic entering a network, apply the ACL inbound on the interface that receives the traffic. For traffic leaving a network, apply it outbound on the interface that sends the traffic.

Forgetting that ACL rules are processed top-down and the first match is applied.

If you place a broad 'permit any' rule before a specific 'deny' rule for malicious traffic, the malicious traffic will be permitted. Order matters significantly.

Always place the most specific rules first, and the broadest rules (like 'permit any') last. This ensures that specific denies are evaluated before general permits.

Using a standard ACL when an extended ACL is needed for port-based filtering.

Standard ACLs only filter on source IP. If you need to block only specific types of traffic (e.g., FTP but not HTTP) from a subnet, a standard ACL will block or allow all traffic from that subnet.

If the security policy involves ports or protocols, choose an extended ACL. For simple source-based blocking, use a standard ACL.

Misunderstanding the 'established' keyword for TCP filtering.

Some learners think 'established' allows all returning traffic. Actually, it only matches packets that have the ACK or RST bit set, which are part of an already established session. It does not match the initial SYN packet.

Use 'established' to allow return traffic from internal hosts to the internet, but remember that it does not open the connection; it only allows packets from the remote side after the internal host has initiated the connection.

Exam Trap — Don't Get Fooled

{"trap":"The exam question asks: 'Which of the following ACL configurations will block all traffic from subnet 192.168.1.0/24 to the server at 10.0.0.1 on port 23 (Telnet), while allowing all other traffic?'

One of the answer choices is a standard ACL that blocks 192.168.1.0/24 entirely. Another answer is an extended ACL with the correct syntax. Learners often choose the standard ACL because it seems simpler and also blocks the traffic."

,"why_learners_choose_it":"They see that a standard ACL can block all traffic from that subnet, which indeed stops Telnet. They miss the detail that it also blocks all other traffic (web, email, etc.), which violates the 'while allowing all other traffic' part of the question.

They focus only on the blocking requirement and overlook the permitting requirement.","how_to_avoid_it":"Read the question carefully. If the policy mentions a specific port or protocol, an extended ACL is required.

Standard ACLs cannot filter ports. If the policy says 'only block X traffic, but allow everything else,' you must explicitly permit the rest. Always check the 'implicit deny'-if you only write a deny rule, everything else is blocked.

You need a permit rule for the rest."

Step-by-Step Breakdown

1

Define the Security Policy

Before writing any ACL, you must clearly define what traffic should be permitted and what should be denied. For example, 'Allow only SSH (port 22) from the management network 10.0.0.0/24 to all routers and switches. Deny all other traffic to these devices.' This step is critical because it forms the basis for your ACL rules.

2

Determine the ACL Type

Based on the policy, decide if a standard or extended ACL is required. If the policy involves destination addresses, protocols, or ports, you must use an extended ACL. For simple source-based blocking, a standard ACL might suffice. This step ensures you are using the right tool for the job.

3

Choose a Location and Direction

Decide on which router interface and in which direction (inbound or outbound) you will apply the ACL. The best practice is to place extended ACLs as close to the source as possible. For inbound ACLs, the traffic is filtered before it enters the router. For outbound, the traffic is filtered before it leaves the interface. This step determines which packets are evaluated.

4

Write the ACL Rules in the Correct Order

Write the ACEs in the order you want them to be evaluated. Place the most specific rules (e.g., deny a specific host to a specific port) first, and more general rules (e.g., permit any) last. This is crucial because the first match wins. A poorly ordered ACL can accidentally allow malicious traffic or block legitimate traffic.

5

Configure the ACL on the Device

Using the device's command-line interface (e.g., Cisco IOS), enter global configuration mode and create the ACL using the appropriate syntax. For example: 'ip access-list extended ALLOW-SSH' then 'permit tcp 10.0.0.0 0.0.0.255 any eq 22' and 'deny ip any any'. You will create a named or numbered ACL.

6

Apply the ACL to the Interface

Enter interface configuration mode for the chosen interface and apply the ACL using the 'ip access-group [ACL-name] [in|out]' command. For example: 'interface GigabitEthernet 0/1' then 'ip access-group ALLOW-SSH in'. This step activates the ACL on the interface.

7

Verify and Test the ACL

Use commands like 'show access-lists' and 'show ip interface [interface]' to verify that the ACL is applied correctly. Then test the ACL by generating sample traffic from different sources and destinations to ensure the policy is enforced as intended. For example, try to SSH from the management network and from a non-management network. This step catches configuration errors.

8

Monitor and Maintain the ACL

ACLs are not static. Network changes, new threats, and evolving policies require ACL updates. Monitor logs for dropped packets that should be permitted, and review ACLs periodically to remove stale rules. This ongoing step ensures the ACL remains effective and efficient.

Practical Mini-Lesson

When working with extended ACLs in a real network, you need to think like a security engineer, not just a test-taker. The first rule is placement. You want to apply extended ACLs as close to the source of the traffic as possible. Why? Because if you are blocking unwanted traffic, you do not want it to waste bandwidth and processing power across the network. For example, if you need to block the HR department from accessing the finance server, apply the ACL inbound on the interface connected to the HR network. That way, the traffic is dropped immediately, before it even reaches the core router.

But placement is more nuanced than that. If you apply an inbound ACL on a router interface, you are filtering traffic before it enters the router. This means the router does not have to route the traffic, which is efficient. However, if the router has multiple ingress interfaces, you may need multiple ACLs. An outbound ACL filters traffic before it leaves a specific interface. This is useful when you want to control what leaves a network, but it means the traffic is already routed and uses router resources.

Another practical consideration is the 'implicit deny'. Many new administrators forget that an ACL without a permit statement at the end will block all traffic. For example, you might write an ACL that permits web traffic from the inside to the outside, but forget to add a permit for all other traffic. The result is that no other traffic (DNS, email, etc.) will work. Always include a 'permit ip any any' at the end if your policy is to allow everything not explicitly denied. But be careful: if your security policy is 'deny everything except what is explicitly allowed,' then do not add the permit any rule. This is a common design choice between a 'whitelist' model (deny all, permit specific) and a 'blacklist' model (permit all, deny specific). Which one you choose depends on the security requirements.

Port numbers are another area where mistakes happen. Remember that many services use both TCP and UDP. DNS uses UDP port 53 for queries and TCP port 53 for zone transfers. If you only permit UDP 53, DNS zone transfers will fail. Similarly, many applications use ephemeral ports for return traffic. When you permit outbound HTTP from an internal host, the return traffic from the web server will come to a random high port (above 1023) on the internal host. If your ACL only allows inbound traffic on specific ports, the return traffic may be blocked. That is why the 'established' keyword or a separate permit rule for return traffic (e.g., permit tcp any any established) is often used.

In a Cisco environment, you can also use 'object groups' to simplify extended ACLs, especially when there are many hosts or ports. Object groups allow you to define groups of IP addresses or services and reference them in the ACL, making the configuration cleaner and easier to manage. For example, you can create a group called 'WEB-SERVERS' containing the IP addresses of all your web servers, and then write one ACL rule that references that group instead of multiple rules.

Finally, always test your ACLs in a lab or on a non-production device before deploying them. A simple typo in a wildcard mask can block all traffic to a critical server. Use 'show access-lists' to see the number of matches on each rule, which helps you understand what traffic is being allowed or denied. Comprehensive logging can be enabled for specific rules to verify that they are working as intended. This practical knowledge is what separates an administrator who passed a test from one who can run a real network.

Memory Tip

ESPA: Extended ACL checks Everything from Source, Protocol, and Application (port).

Learn This Topic Fully

This glossary page explains what Extended ACL means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

N10-008N10-009(current version)
SY0-601SY0-701(current version)

Related Glossary Terms

Frequently Asked Questions

What is the main difference between a standard and an extended ACL?

A standard ACL only filters packets based on the source IP address. An extended ACL can filter based on source IP, destination IP, protocol type, and port numbers, providing much more granular control.

Why is the order of rules in an extended ACL so important?

ACLs are processed from top to bottom, and the first matching rule is applied. If you put a broad 'permit any' rule before a specific 'deny' rule, the deny rule will never be executed. Order directly affects the behavior of the ACL.

What is the 'implicit deny' in an ACL?

The implicit deny is an invisible rule at the end of every ACL that denies all traffic not explicitly permitted by any previous rule. This means if you do not include a 'permit' statement, all traffic will be blocked.

Where should I place an extended ACL on a router?

Generally, place extended ACLs as close to the source of the traffic as possible. This minimizes unnecessary traffic crossing the network. Apply the ACL inbound on the interface facing the source traffic for the most efficient filtering.

What is the 'established' keyword used for?

The 'established' keyword is used with TCP in an ACL to match packets that have the ACK or RST flag set, indicating they are part of an already established session. It is commonly used to allow return traffic from the internet to internal hosts without explicitly permitting all inbound traffic.

Can I edit an extended ACL without removing it from the interface?

In many implementations (like Cisco IOS), you cannot edit individual lines of a numbered ACL without removing it and re-applying it. However, named ACLs allow you to insert or delete lines dynamically. Always check the device's capabilities.

Do extended ACLs work with IPv6?

Yes, the concept applies to IPv6 as well. IPv6 ACLs work similarly but use different command syntax, such as 'ipv6 access-list' and 'permit tcp [source IPv6 prefix] [destination IPv6 prefix] eq [port]'.

How do I test if my extended ACL is working correctly?

Use a combination of simulated traffic (like ping, telnet, or curl from different hosts) and verification commands like 'show access-lists' to see packet counters. For specific rules, you can add a 'log' keyword to log matches.

What does the 'any' keyword mean in an ACL rule?

The 'any' keyword is a shorthand that matches any IP address. For example, 'permit tcp any any eq 80' permits all TCP traffic on port 80 from any source to any destination.

Can I use extended ACLs on a Layer 2 switch?

Extended ACLs are typically applied to Layer 3 interfaces (routed interfaces) on switches or routers. Some switches support VLAN ACLs (VACLs) which can filter traffic within a VLAN at Layer 2, but extended ACLs on physical switch ports are limited to Layer 2 features unless the port is a routed port (SVI).