IP services and securityIntermediate38 min read

What Is Numbered ACL? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

A numbered ACL is a set of rules on a network device that controls which traffic is allowed or blocked. Each list is identified by a specific number, like 1 or 100, which tells the device what kind of traffic to filter. For example, a numbered ACL can block all traffic from a certain IP address or allow only web traffic to a server. It is a simple way to secure a network without using names.

Common Commands & Configuration

access-list 10 permit host 192.168.1.10

Creates a standard numbered ACL (number 10) that permits traffic from host 192.168.1.10 only, using the keyword host to specify a single source.

This is a common CCNA question: you must create a standard ACL to allow only a specific host's traffic. The 'host' keyword is tested because it's simpler than using a wildcard mask of 0.0.0.0.

access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.1 eq 80

Creates an extended numbered ACL (number 100) that permits TCP traffic from subnet 192.168.1.0/24 to destination host 10.0.0.1 on port 80 (HTTP).

Extended ACLs are tested for their ability to filter on source, destination, and port. This exact syntax appears in CCNA simulations where you configure web server access.

interface gigabitethernet0/0 ip access-group 100 in

Applies the previously created extended ACL 100 to the inbound direction of interface GigabitEthernet0/0, filtering traffic entering that interface.

Direction is critical. Exams love to ask: 'Which direction should you apply this ACL?' Inbound means traffic coming into the router from that interface.

access-list 10 remark Allow only management station

Adds a remark to standard ACL 10 to document its purpose; the remark appears in the configuration but does not affect filtering logic.

Remarks are tested in CCNA as a way to document ACLs, since numbered ACLs cannot be edited easily. They help understand the configuration during troubleshooting.

show ip access-lists 100

Displays the details of ACL 100, including each statement and the hit count, which shows how many packets have matched each line.

no access-list 10

Removes the entire standard ACL 10 from the configuration, requiring it to be recreated if needed.

This emphasizes that numbered ACLs cannot have individual lines removed; the whole ACL must be deleted and re-entered, a key difference from named ACLs.

Must Know for Exams

Numbered ACLs are a core topic in several certification exams, particularly Cisco CCNA, CompTIA Network+, and CompTIA Security+. In the CCNA exam (200-301), ACLs are part of the network access domain. Candidates must know how to configure standard and extended numbered ACLs, apply them to interfaces, and interpret ACL output. Exam questions often present a scenario where a network is having connectivity issues, and the candidate must identify that a misconfigured ACL is the culprit. For example, a router might have a numbered ACL applied inbound that accidentally blocks necessary routing protocol traffic. The candidate must recognize that the ACL order or the wildcard mask is wrong.

In CompTIA Network+ (N10-008), ACLs are covered under network security and troubleshooting. The exam expects you to understand the difference between standard and extended ACLs, the concept of implicit deny, and how to read ACL entries. Questions might ask you to choose the correct ACL number range for a given filtering requirement. For instance, an extended ACL would be needed to filter by destination port, while a standard ACL would be used to filter by source network only. Security+ (SY0-601) includes ACLs as part of access control and identity management. The focus is on the security implications of ACLs, such as why implicit deny is important and how ACLs enforce the principle of least privilege.

For AWS SAA (AWS Certified Solutions Architect – Associate), numbered ACLs are not directly tested, but the concept of network ACLs (NACLs) in AWS VPC is derived from the same principle. AWS NACLs are stateless and use numbered rules, similar to traditional numbered ACLs. Understanding how numbered ACLs work on a Cisco router helps you grasp AWS NACLs faster. Similarly, for Azure AZ-104, network security groups (NSGs) are stateful, but the rule ordering concept is analogous. Google ACE also tests VPC firewall rules, which are stateful but use priority numbers similar to ACL rule order. Thus, even in cloud certifications, the foundational knowledge of numbered ACLs provides a solid base.

In exam questions, you might see a configuration snippet like "access-list 101 permit tcp 10.0.0.0 0.255.255.255 any eq 23" and be asked what traffic is allowed. You must know that 10.0.0.0 with wildcard mask 0.255.255.255 matches any host in the 10.0.0.0/8 network, and eq 23 refers to Telnet. Another common question type involves troubleshooting: given an ACL configuration and a description of traffic failing, which ACE is causing the problem? The answer often involves understanding that a more specific rule must come before a general deny. Another trap is remembering that standard ACLs cannot filter by port, so using a standard ACL to block web traffic would not work.

Overall, numbered ACLs appear in multiple exam objectives, from configuration to troubleshooting to security policy. Candidates should practice writing ACL commands, calculating wildcard masks, and analyzing ACL effects on traffic flow. The emphasis on order and implicit deny is a recurring theme.

Simple Meaning

Imagine you are the security guard at the entrance of a large office building. You have a list of rules written on a clipboard that tells you who can enter and who must stay outside. Some rules say, let in anyone with a badge from floor 5, but block anyone from floor 2. Other rules say, allow deliveries only between 9 AM and 5 PM. This clipboard is like a numbered ACL. The number on the clipboard, say rulebook number 1, tells everyone which rulebook you are using. If there are multiple rulebooks, each has a different number, like rulebook 10 for VIP access or rulebook 110 for blocking dangerous visitors.

In networking, a numbered ACL works the same way. A router or firewall has a list of rules, each identified by a number, that decides what to do with data packets trying to enter or leave the network. These rules look at things like the source IP address where the packet came from, the destination IP address where it wants to go, and sometimes the port number which tells what kind of service is being used, like web traffic on port 80 or email on port 25. The device checks the packet against each rule in order until it finds a match. If a rule says permit, the packet is allowed through. If it says deny, the packet is dropped.

There are two main types of numbered ACLs: standard and extended. A standard numbered ACL uses numbers from 1 to 99 or 1300 to 1999, and it only looks at the source IP address. It is simple but not very precise, like a guard who only checks where a person came from, not who they are or why they are visiting. An extended numbered ACL uses numbers from 100 to 199 or 2000 to 2699, and it can look at source IP, destination IP, port numbers, and protocols like TCP or UDP. This is like having a guard who checks the visitor's ID, their purpose, the floor they are going to, and the time of day. Extended ACLs are much more powerful and commonly used in real networks.

Numbered ACLs are important because they are easy to configure and troubleshoot. Network engineers can quickly add or remove rules by referring to the list number. However, they have a limitation: once a numbered ACL is applied to an interface, you cannot insert a new rule in the middle of the list. You must either remove the whole ACL and re-create it or use sequence numbers if the device supports it. This is why many modern networks use named ACLs instead, but numbered ACLs still appear in many certification exams and legacy systems.

Full Technical Definition

A numbered ACL is a sequential collection of permit or deny statements, also called access control entries (ACEs), that are grouped under a numerical identifier. The number determines the type of ACL and the range of features it supports. The Internet Engineering Task Force (IETF) standards for ACLs are defined in RFCs such as RFC 1108 for IP options and various Cisco IOS implementation documents. Numbered ACLs are processed top-down, meaning the first matching ACE determines the action taken on the packet. If no match is found, an implicit deny rule at the end drops all remaining traffic. This implicit deny is a fundamental security principle that ensures only explicitly permitted traffic is allowed.

Standard numbered ACLs use number ranges 1–99 and 1300–1999. These ACLs filter traffic based solely on the source IP address. They are typically placed close to the destination to avoid blocking necessary traffic that may originate from a legitimate source but needs to go through multiple hops. For example, a standard ACL might allow traffic from the 192.168.1.0/24 network and deny all others. Because they lack granularity, they are less commonly used in modern networks but are still taught for foundational understanding. Standard ACLs are identified by the IOS command "access-list 1 permit 192.168.1.0 0.0.0.255" where the wildcard mask 0.0.0.255 indicates the bits that must match.

Extended numbered ACLs use number ranges 100–199 and 2000–2699. They can filter based on source IP, destination IP, protocol (such as IP, TCP, UDP, ICMP), source and destination port numbers, and other parameters like established connections or DSCP values. Extended ACLs are more precise and are placed as close to the source as possible to block unwanted traffic early. An example command is "access-list 100 permit tcp 10.0.0.0 0.255.255.255 any eq 80" which allows HTTP traffic from the 10.0.0.0/8 network to any destination. Extended ACLs can also filter based on IP precedence, TTL, and fragment types, making them suitable for complex security policies.

The order of ACEs is critical. When a packet arrives, the device compares it against the first ACE. If there is a match, the permit or deny action is executed and no further ACEs are processed. This means that more specific rules must be placed before more general ones. For instance, if you want to allow a specific host but deny the rest of the subnet, the permit statement for the host must come first. A common mistake is placing a broad deny rule at the top, which accidentally blocks traffic that should be allowed. Also, after the last ACE, an invisible "deny any" automatically exists, so any traffic not explicitly permitted is dropped.

Numbered ACLs can be applied to router interfaces in the inbound or outbound direction. An inbound ACL filters packets before they are routed, meaning the router checks the packet against the ACL before making a routing decision. An outbound ACL filters packets after they are routed but before they leave the interface. The placement affects performance and security. Generally, inbound ACLs are more efficient because they drop unwanted traffic early, reducing CPU load. However, outbound ACLs are sometimes needed for traffic that must be routed internally first.

Modern Cisco IOS versions support object groups and named ACLs, which offer more flexibility and easier management. However, numbered ACLs remain in the CCNA, Network+, and Security+ exam objectives because they form the conceptual foundation. In exam scenarios, you may be asked to identify the correct ACL number range for a given situation or to interpret an existing numbered ACL configuration. Understanding wildcard masks is also essential, as they are used to match IP address patterns. A wildcard mask of 0.0.0.255 matches the first three octets exactly and allows any value in the last octet, which is the inverse of a subnet mask.

Troubleshooting numbered ACLs involves using commands like "show access-lists" to view the ACEs and their hit counts. The hit counts indicate how many packets have matched each ACE. If a hit count is zero for an expected match, the order might be wrong, or the ACL might not be applied to the correct interface. Another command is "show ip interface" to verify if an ACL is applied inbound or outbound. ACLs can be modified by removing the entire list and re-entering it, or by using sequence numbers in some IOS versions. This limitation is a key reason why careful planning is required before applying an ACL.

numbered ACLs are a basic but powerful tool for network security. They teach the concept of sequential rule processing, the importance of rule order, and the use of wildcard masks. Candidates for exams like CCNA, Network+, and Security+ must be comfortable with configuring, applying, and troubleshooting numbered ACLs. Real-world implementations often use named ACLs or firewall policies, but the logic remains identical.

Real-Life Example

Imagine you are the bouncer at a popular nightclub. The club has a strict policy about who can enter. You have a list of rules written on a numbered card. The card is labeled number 1, and it contains specific instructions. Rule one says, allow anyone who is on the VIP list from the company that rented the private room. Rule two says, block anyone wearing red shoes because that was a problem last week. Rule three says, allow everyone else unless they are wearing a rival team jersey. You check each person against the rules in order. If someone is on the VIP list, they get in immediately, even if they are wearing red shoes. The order matters because the first matching rule decides the outcome. If there is no matching rule for a person, they are denied entry by default.

Now, suppose the club has multiple entrances. The main entrance uses list number 1, but the back entrance for employees uses list number 10. List number 10 has different rules, like allow anyone with an employee badge and permit deliveries between 6 PM and 8 PM. In this analogy, the list number tells you which rulebook applies to which door. In networking, each interface on a router can have a numbered ACL applied, and each ACL has its own set of rules. The bouncer, like the router, checks each person (packet) against the rules in sequence.

If the club manager decides to change the rules, they must rewrite the entire list because the card is numbered and the rules are in a fixed order. They cannot insert a new rule between existing ones without starting over. This is exactly the limitation of a numbered ACL. If you need to add a rule in the middle, you must delete the entire ACL and re-enter all rules in the correct order. This is why some clubs use a digital tablet with a named list where rules can be inserted anywhere. In networking, named ACLs allow this flexibility. But for the purpose of learning and exams, the numbered ACL is the classic example.

Another real-life parallel is airport security. Each security lane has a set of procedures posted on a numbered sign. Lane 1 might be for passengers with first-class tickets only. Lane 2 might be for families with children. The rules are followed in order. If you are a first-class passenger, you go to lane 1 and are allowed through even if you have a large bag that would normally be checked. The numbered ACL works similarly: the first matching rule wins. This is why correct rule order is emphasized in all networking certifications.

Why This Term Matters

Numbered ACLs are a foundational security tool in networking. They allow network administrators to control traffic flow, protect sensitive resources, and enforce security policies. Without ACLs, any device on the network could potentially reach any other device, leading to unauthorized access, data breaches, or network congestion. For example, a company might use a numbered ACL to block all inbound SSH traffic except from a specific management workstation. This prevents attackers from trying to log into the router remotely.

In practical IT environments, ACLs are used on routers, firewalls, and sometimes switches to segment traffic. They are essential for implementing the principle of least privilege, where only necessary traffic is allowed. A common use case is to block traffic from untrusted networks, like the internet, from reaching internal servers except for specific services like web or email. Numbered ACLs, although older, are still found in many production networks because they are simple and reliable. Understanding them helps IT professionals troubleshoot connectivity issues, as misconfigured ACLs are a common cause of network problems.

numbered ACLs teach important networking concepts like wildcard masks, rule ordering, and directionality. These concepts are critical for more advanced security features like firewall policies, VPNs, and network access control. For IT certification seekers, mastering numbered ACLs is a stepping stone to understanding more complex access control mechanisms. They appear in almost every major network and security certification, making them a must-know topic.

How It Appears in Exam Questions

Numbered ACL questions typically fall into several patterns. The most common is the scenario-based multiple-choice question. For example, a network administrator needs to allow HTTP traffic from the 172.16.0.0/16 network to the server at 192.168.1.10, but block all other traffic. The question gives four ACL configurations and asks which one accomplishes the goal. You must identify the correct ACL number range (extended for port filtering), the correct source and destination addresses with proper wildcard masks, and the correct action (permit) with the appropriate protocol (tcp) and port (eq 80). Incorrect options may use standard ACLs (which cannot specify ports), have incorrect wildcard masks like 0.0.0.0 for a network, or have the permit and deny rules in the wrong order.

Another pattern is troubleshooting connectivity. The question provides a diagram showing two routers with ACLs applied. One PC cannot reach a server, and the ACL configuration is displayed. You must identify which ACE is blocking the traffic. For instance, an extended ACL might deny traffic from the PC's subnet before permitting it, or the wildcard mask might be too inclusive. Often, the trick is that the implicit deny catches traffic that was not explicitly permitted. In these questions, you need to mentally trace the traffic through the ACL rules in order.

Standard ACL placement questions are also common. A standard ACL can only filter on the source IP, so it should be placed close to the destination to avoid blocking legitimate traffic. For example, if you want to block traffic from subnet A to subnet B, but allow it to subnet C, a standard ACL applied at the destination interface of subnet B would work, but if applied at the source interface, it would block all traffic from subnet A to any destination. Extended ACLs, on the other hand, should be placed close to the source to prevent unwanted traffic from traversing the network.

Finally, some questions ask you to interpret the output of "show access-lists" to see the match counts. If a particular ACE has zero matches but should have seen traffic, the order might be wrong, or the ACL might not be applied to the correct interface. These questions test your ability to diagnose ACL issues in a live network.

Practise Numbered ACL Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

A company has two networks: the sales department network 10.1.1.0/24 and the human resources network 10.1.2.0/24. The HR server is at 10.1.2.10 and runs a web application on port 443 (HTTPS). The IT policy states that only the sales department should be allowed to access the HR web application. All other traffic from sales to HR should be blocked. The network administrator decides to use a numbered extended ACL on the router interface connecting to the HR network.

The administrator configures ACL 110 with the following rules: permit tcp 10.1.1.0 0.0.0.255 host 10.1.2.10 eq 443. This allows only traffic from the sales network to the HR server on port 443. Since there is an implicit deny at the end, all other traffic from sales to any destination in the HR network is blocked. The administrator applies ACL 110 inbound on the router interface that connects to the sales network. This is because extended ACLs should be placed close to the source to block unwanted traffic early.

After applying the ACL, a sales employee tries to browse to the HR web page and it works. Another employee tries to ping the HR server, and the ping fails because ICMP is not permitted by the ACL. This is expected. Later, a user from the HR network tries to access the sales network file share. Since the ACL is applied inbound on the interface connected to sales, it only filters traffic coming from sales into the HR network. Traffic going from HR to sales is not affected. This scenario demonstrates how numbered ACLs can be used to enforce access control between departments.

Common Mistakes

Using a standard ACL when an extended ACL is needed because you need to filter by destination port.

Standard ACLs only look at the source IP address and cannot filter by port number, so they cannot block specific services like web or email.

Use an extended ACL (numbers 100-199 or 2000-2699) and include the protocol and port in the ACE.

Placing a standard ACL too close to the source, which blocks all traffic from the source to any destination, not just the intended destination.

Standard ACLs filter only on source IP. If placed at the source interface, they will block that source from reaching any network, including those not intended.

Place standard ACLs as close to the destination as possible so that only traffic intended for that destination is filtered.

Putting a broad deny rule before a specific permit rule, causing the permit rule to never be evaluated.

ACLs are processed top-down, and the first match determines the action. If a deny any is first, all traffic is denied and later permit rules are ignored.

Place more specific rules before more general rules. Always put explicit permits before any broad denys.

Forgetting the implicit deny at the end of the ACL, which causes unintended traffic to be blocked.

Many learners assume that if no rule matches, traffic is allowed, but the opposite is true. The implicit deny drops everything not explicitly permitted.

Always add an explicit permit ip any any at the end if you want to allow all traffic that isn't explicitly denied. But be cautious with this in production.

Using an incorrect wildcard mask, such as using a subnet mask instead of a wildcard mask.

Wildcard masks are the inverse of subnet masks. 0.0.0.255 matches the first three octets exactly, while 255.255.255.0 would not match as intended.

Memorize the wildcard mask pattern: 0 means match exactly, 255 means ignore. For a /24 network, use 0.0.0.255.

Applying an ACL to the wrong interface or the wrong direction (inbound vs outbound).

An ACL applied inbound filters traffic before it is routed, while outbound filters after routing. Applying it incorrectly can cause traffic to be filtered at the wrong point.

Check the traffic flow: if you want to filter traffic coming into an interface, use in; if you want to filter traffic leaving an interface, use out.

Attempting to modify a numbered ACL by inserting a new ACE in the middle without removing the entire list.

Traditional numbered ACLs do not support insertion; you must remove the entire ACL and re-enter all ACEs in the correct order.

Use sequence numbers if the IOS supports it (for named ACLs) or plan the ACL order carefully before applying it.

Exam Trap — Don't Get Fooled

{"trap":"In a question, a standard numbered ACL is applied to an interface in the outbound direction to filter traffic based on destination IP address. The trap is that standard ACLs can only filter on source IP, not destination IP, so the ACL will not work as intended.","why_learners_choose_it":"Learners may think that an ACL applied outbound filters destination addresses because the traffic is leaving the interface, but the ACL itself looks at the source field regardless of direction."

,"how_to_avoid_it":"Remember that the direction (in/out) refers to traffic flow relative to the interface, but the ACL matching fields (source/destination) are defined by the ACE. Standard ACLs always check the source IP. If you need to filter by destination, use an extended ACL."

Commonly Confused With

Numbered ACLvsNamed ACL

A named ACL uses an alphanumeric name instead of a number and allows you to insert or delete individual ACEs using sequence numbers. Numbered ACLs require deleting the entire list to change the order. Named ACLs are more flexible and preferred in modern networks.

Instead of access-list 100 permit tcp..., you would use ip access-list extended MyACL and then permit tcp... inside it.

Numbered ACLvsIPv6 ACL

IPv6 ACLs are used for IPv6 traffic and have a different syntax, such as using ipv6 access-list instead of access-list. Numbered ACLs are primarily for IPv4. IPv6 ACLs are named and support additional options like flow label.

An IPv6 ACL would be configured with ipv6 access-list BlockTelnet and then permit tcp 2001:db8::/32 any eq 23.

Numbered ACLvsReflexive ACL

A reflexive ACL dynamically creates temporary permit entries to allow return traffic for outbound sessions. Numbered ACLs are static and do not track connection state. Reflexive ACLs are used for basic stateful filtering.

A reflexive ACL would allow outbound web traffic and automatically permit the returning web traffic without an explicit ACE.

Numbered ACLvsVLAN ACL

A VLAN ACL (VACL) filters traffic within a VLAN on a switch, rather than on a router interface. Numbered ACLs are applied to router interfaces. VACLs are configured using the vlan access-map command.

A VACL could block traffic between two hosts in the same VLAN, which a router-based ACL cannot do because traffic does not leave the VLAN.

Numbered ACLvsZone-Based Firewall

ZBF is a more sophisticated security feature on Cisco routers that uses security zones and policies instead of ACLs. It is stateful and can inspect application layer traffic. Numbered ACLs are stateless and only filter based on headers.

A ZBF policy can allow HTTP traffic only if it matches a specific application signature, whereas a numbered ACL can only allow TCP port 80.

Numbered ACLvsNetwork ACL (AWS)

AWS NACL is a stateless firewall for VPC subnets, and it uses numbered rules with a similar concept of order and implicit deny. However, it is cloud-based and has a different configuration method via the AWS console or CLI.

An AWS NACL rule with number 100 allows inbound HTTP traffic from 0.0.0.0/0 to port 80, while rule 200 denies all traffic from a specific IP.

Step-by-Step Breakdown

1

Determine the traffic filtering requirement

Identify what traffic needs to be allowed or denied. For example, you may want to allow HTTP traffic from the 192.168.1.0/24 network to the server at 10.0.0.10, and deny all other traffic. This decides whether you need a standard or extended ACL.

2

Choose the ACL type and number

Standard ACLs use numbers 1-99 or 1300-1999. Extended ACLs use 100-199 or 2000-2699. Based on the filtering requirement, select the correct number. For the example, you need an extended ACL because you are filtering by destination port.

3

Write the ACEs in the correct order

Place the most specific permit statements first. In our example, permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.10 eq 80 comes first. If you have a deny statement for a specific host, put it after the permit. Remember the implicit deny at the end.

4

Apply the ACL to an interface

Use the command ip access-group [ACL-number] [in|out] on the desired interface. For extended ACLs, apply it inbound on the interface closest to the source. For standard ACLs, apply it closest to the destination.

5

Verify the ACL configuration

Use show access-lists to view the ACL and check hit counts. Use show ip interface [interface] to confirm the ACL is applied. Test traffic from a source device to ensure the ACL behaves as expected.

6

Troubleshoot if necessary

If traffic is not being filtered correctly, check the ACE order. Use the hit counts to see which ACE is matching. If an expected permit has zero hits, a preceding deny might be catching the traffic. Also confirm the wildcard masks and port numbers.

7

Update or remove the ACL if needed

To modify a numbered ACL, you must remove it with no access-list [number] and re-enter all ACEs. Alternatively, use a named ACL for easier modification. After changes, verify again.

8

Document the ACL

In a production environment, document the purpose of each ACL, the date of implementation, and any changes. This helps with future troubleshooting and audits.

Practical Mini-Lesson

Numbered ACLs are one of the first security tools that network engineers learn, and they remain relevant in many legacy and exam scenarios. Let us walk through a practical configuration from start to finish, including common pitfalls and how to avoid them. Suppose you are a network engineer for a small company. You have a branch office network 192.168.10.0/24 that connects to the internet through a router. The company wants to allow internal users to browse the web and send email, but block all inbound traffic from the internet except for a specific remote access server that needs to be reachable on port 443. This is a classic extended ACL use case.

First, you need to create an extended ACL. You decide to use number 110. You enter global configuration mode on the router. The first rule should permit established traffic. In Cisco ACLs, the established keyword matches TCP segments with the ACK or RST bit set, which are responses to connections initiated from inside. This allows return traffic for web and email. So you write: access-list 110 permit tcp any any established. Next, you want to allow outbound web traffic. Since you are filtering inbound on the outside interface, you need to permit the return traffic of outbound connections, but the established rule already does that for TCP. However, if you want to allow outbound DNS, you need to permit UDP responses. You can add: access-list 110 permit udp any any eq 53 (for DNS responses) or use a more general approach. But the established rule is sufficient for TCP.

Now, you need to allow inbound connections to the remote access server at an internal IP, say 192.168.10.100, on port 443. You add: access-list 110 permit tcp any host 192.168.10.100 eq 443. Finally, you deny all other traffic implicitly. To be safe, you could add an explicit deny ip any any at the end, but it is optional. You then apply ACL 110 inbound on the router's outside interface (the one connected to the internet) with the command ip access-group 110 in. Now, test. Users can browse the web because their outbound connections generate return traffic that matches the established rule. The remote access server is reachable from the internet on port 443. All other inbound traffic is dropped.

A common mistake here is forgetting the established rule, which would cause outbound web traffic to fail because the inbound responses would be dropped. Another mistake is placing the permit for the remote server before the established rule, which may still work but is less efficient because established traffic would be checked against the permit rule first. However, order matters less in this case because the established rule is broad. The real problem arises if you accidentally put a deny any before any of the permit rules-then all traffic is blocked. Also, people often misconfigure the wildcard mask for the host. Using host keyword simplifies it: instead of writing permit tcp any 192.168.10.100 0.0.0.0 eq 443, you can use host 192.168.10.100. This is a best practice.

Another practical scenario is using standard ACLs for restricting remote access to the router itself. For example, you want only the management workstation at 10.0.0.5 to be able to SSH into the router. You create a standard ACL: access-list 5 permit host 10.0.0.5. Then apply it to the vty lines with access-class 5 in. This ensures that only traffic from that specific IP can access the router's SSH service. Note that standard ACL here is appropriate because you only care about the source IP. This is a common exam scenario. Look out for questions where a VTY access-class is mentioned; it always uses a standard ACL.

In real-world networking, you will often migrate from numbered ACLs to named ACLs. But understanding the numbered version gives you a deep appreciation for rule order and the use of wildcard masks. Always test ACL changes in a lab environment before applying to production. Also, monitor the hit counts periodically to ensure the ACL is working as expected. If you see a rule with zero hits and it should have hits, the rule order or the wildcard mask might be off. For instance, if you use a wildcard mask of 0.0.0.255 for a subnet /24, but you mistakenly used 0.0.0.128, only half the subnet would match. These are the kinds of details that matter both in exams and in real jobs.

Numbered ACL Fundamentals and Exam Relevance

Numbered Access Control Lists (ACLs) are a foundational concept in network security and IP services, tested heavily in certifications like CCNA, Network+, Security+, and AWS SAA. A numbered ACL is a sequential list of permit or deny statements that filter traffic based on source and destination IP addresses, protocols, and port numbers. Unlike named ACLs, numbered ACLs rely on a numerical range to identify the type and application.

Standard numbered ACLs use numbers 1-99 and 1300-1999, filtering only on source IP address. Extended numbered ACLs use numbers 100-199 and 2000-2699, providing granularity with source, destination, protocol, and port. In the CCNA exam, candidates must master the configuration of numbered ACLs to control traffic on Cisco routers, often applying them to interfaces with the ip access-group command in the inbound or outbound direction.

The implicit deny all at the end of every ACL is a critical concept: if traffic does not match any explicit statement, it is dropped. This explicit deny is a security feature that prevents unauthorized access. In the Network+ and Security+ exams, numbered ACLs are discussed as stateless firewall filters, meaning each packet is evaluated independently without regard to connection state.

For AWS SAA, numbered ACLs are not directly used; instead, Network Access Control Lists (NACLs) are stateless and function similarly but use rule numbers instead of a single sequence. The exam tests understanding of how numbered ACLs are ordered, the importance of sequence numbers (added automatically in classic numbered ACLs), and the fact that the router processes statements top-down until a match. Misconfiguration often leads to connectivity issues, as the implicit deny may block legitimate traffic.

Recalling that standard ACLs should be placed closest to the destination to avoid unintended filtering, while extended ACLs go closest to the source for efficiency, is a classic exam question. Understanding these fundamentals is essential for troubleshooting and design in real-world networks and for passing vendor-neutral and vendor-specific exams.

Numbered ACL Configuration and Syntax

Configuring a numbered ACL involves entering global configuration mode and using the access-list command followed by the number, permit or deny, and the matching criteria. For a standard numbered ACL, the syntax is: access-list <1-99> <permit|deny> <source> [wildcard mask]. The wildcard mask is the inverse of the subnet mask; for example, 0.

0.0.0 matches the exact host, while 255.255.255.255 matches any host. A common exam scenario is to permit a single host: access-list 10 permit host 192.168.1.10. To deny all other traffic, you rely on the implicit deny, but some configurations add an explicit deny any for clarity: access-list 10 deny any.

Extended numbered ACLs have more detailed syntax: access-list <100-199> <permit|deny> <protocol> <source> <source-wildcard> <destination> <destination-wildcard> [eq <port>]. For example, to allow HTTP traffic from a specific subnet to a web server: access-list 100 permit tcp 192.168.

1.0 0.0.0.255 host 10.0.0.1 eq 80. The protocol can be tcp, udp, icmp, ip, or others. In the CCNA exam, candidates must remember that extended ACLs can filter on source and destination, making them more precise.

After creating the ACL, it must be applied to an interface using the ip access-group command in interface configuration mode: ip access-group 100 in or ip access-group 100 out. The direction is critical: inbound filters traffic coming into the interface, outbound filters traffic leaving the interface. A common mistake is applying the ACL in the wrong direction, leading to unintended blocking.

For instance, applying an inbound ACL to the internal interface may block internal users from accessing resources if the destination is not properly allowed. The AZ-104 exam for Azure may not use numbered ACLs directly, but similar concepts apply to Network Security Groups (NSGs) with rule priorities. The Google ACE exam also touches on VPC firewall rules, which are stateful but use priority numbers.

Understanding the syntax variations and the importance of exact sequence is tested through configuration scenarios where you must choose the correct ACL number and statement to achieve a specific security policy.

Numbered ACL Location and Design Best Practices

The placement of numbered ACLs within a network topology is a key design principle tested in certification exams. Standard ACLs, which only check source IP, should be placed as close to the destination as possible to avoid blocking traffic unnecessarily. For example, if you want to deny traffic from a specific host to a server, placing the standard ACL on the server's inbound interface works well.

Placing it close to the source could inadvertently block traffic to other destinations that are permitted. Extended ACLs, because they can filter on source and destination, should be placed as close to the source as possible. This conserves bandwidth by dropping unwanted traffic early, before it traverses the network.

In the CCNA exam, this is a classic 'choose the best location' question. Another best practice is to use extended ACLs for outbound traffic control on the boundary router to the internet, but careful ordering is needed to avoid bypassing the implicit deny. Always add the most specific statements first, as ACLs are processed top-down.

For example, if you have two statements: permit ip any any and deny ip host 10.0.0.1 any, the first statement will match and permit all traffic, rendering the deny ineffective. So order matters.

In the Security+ exam, this is related to the principle of least privilege and rule placement. For AWS SAA, while Network ACLs are numbered (1-32766) and rules are evaluated in ascending order, the best practice is to add rules with gaps in rule numbers (e.g.

, 100, 200, 300) to allow easy insertion of new rules without renumbering. This is analogous to using sequence numbers in extended named ACLs on Cisco. In the real world, numbered ACLs are often replaced by named ACLs for easier editing, but the numbering concept persists.

Exams test the ability to interpret existing numbered configurations and identify misconfigurations, such as a standard ACL placed too close to the source or an extended ACL placed too far from the source. Also, remember that numbered ACLs cannot be edited individually; to change a line, you must remove the entire ACL and re-enter it, which is why they are less flexible than named ACLs. This design limitation is a frequent exam point, especially in CCNA troubleshooting questions.

Numbered ACL Troubleshooting and Common Pitfalls

Troubleshooting numbered ACLs is a critical skill for network professionals and a frequent topic in performance-based exam questions. The most common issue is the implicit deny all at the end of the ACL, which silently drops traffic that does not match any explicit statement. For example, if you create a standard ACL only permitting a single host, all other traffic is denied by default, which can cause unexpected outages.

The symptom is that traffic from hosts not in the permit list fails to reach the destination, but the destination interface is up, and routing is correct. The solution is to add a permit any any statement at the end, but this may reduce security. Another common pitfall is applying the ACL to the wrong interface or direction.

For instance, if you apply an inbound ACL to the external interface to block incoming web traffic, but the web server is inside, you must apply it as inbound on the external interface or outbound on the internal interface. Getting the direction wrong is a classic CCNA simulation issue. A third pitfall is incorrect wildcard mask usage.

For a subnet 192.168.1.0/24, the correct wildcard mask is 0.0.0.255. Using 0.0.0.0 matches only the exact 192.168.1.0 address, which is the network address, not the whole subnet. This leads to traffic from hosts in the subnet being blocked or permitted incorrectly.

Another troubleshooting clue is that extended ACLs require full syntax; omitting the protocol or port can cause the ACL to not filter as intended. For example, if you forget to specify eq 80, the ACL may match all TCP traffic to the destination, not just HTTP. In exams, you may be given a show access-lists output that shows no matches for a specific line even though traffic should be hitting it.

This often indicates that a previous permit or deny statement matches the traffic first, or that the ACL is not applied to the correct interface. A useful command is show ip access-lists which displays the ACLs configured and hit counts. Another is show running-config | include access-list to verify the configuration.

For the Network+ and Security+ exams, understanding that numbered ACLs are stateless means that return traffic must be explicitly permitted if you filter inbound. For example, if you permit outbound traffic to a web server, you must also permit inbound return traffic (established connections in extended ACLs can help). In Azure AZ-104, NSGs are stateful, so you don't need to worry about return traffic, but in GCP ACE, VPC firewall rules are stateful as well.

The key exam clue is that numbered ACLs in traditional Cisco environments require explicit return traffic rules unless using reflexive or extended ACLs with established keyword. Recognizing these pitfalls and knowing how to fix them is essential for passing certification exams and operating real networks.

Troubleshooting Clues

Traffic from a permitted host is still blocked

Symptom: Host 192.168.1.10 is allowed in ACL 10, but cannot reach the destination server.

The ACL is likely applied to the wrong interface or direction. For example, if ACL 10 is applied inbound on the destination interface, it filters traffic coming into that interface. But if the server is on a different subnet, the ACL may be applied on an interface that the traffic never passes through.

Exam clue: Exams often present a scenario where a standard ACL is placed on an interface that doesn't align with the traffic flow. You must identify the need to apply the ACL to the correct inbound interface of the destination network.

Implicit deny blocks all traffic unexpectedly

Symptom: After applying ACL 100 with only a permit statement, all other traffic to the destination fails.

The implicit deny all at the end of an ACL drops any traffic that does not match an explicit permit. Without a permit any any statement, all non-matching traffic is dropped.

Exam clue: A classic CCNA question: 'After configuring an ACL, users cannot access a server even though you permitted a specific subnet. What is the most likely cause?' Answer: implicit deny.

Incorrect wildcard mask causes ACL to not match subnet

Symptom: ACL 100 with source 192.168.1.0 0.0.0.0 does not allow traffic from hosts in the 192.168.1.0/24 subnet.

Wildcard mask 0.0.0.0 matches only the exact address 192.168.1.0 (the network address), not the full range. To match all hosts in the subnet, the mask should be 0.0.0.255.

Exam clue: Exams frequently test wildcard mask syntax by giving an incorrect mask in a multiple-choice or simulation, expecting you to correct it.

ACL line order causes permit override by earlier deny

Symptom: A permit line exists for host 10.0.0.1, but traffic from that host is dropped.

If an earlier deny statement matches the traffic (e.g., deny ip any any), it is processed first, and the permit is never evaluated because the list is processed top-down.

Exam clue: Order matters in ACLs. In exams, you may be given a list of statements and asked which traffic is permitted or denied, requiring you to evaluate top-down.

Extended ACL missing port specification

Symptom: ACL 100 permits tcp any any, but web traffic to port 80 is blocked.

If the ACL statement does not include 'eq 80', it matches all TCP traffic, which may be permitted, but if later there is an explicit deny or the implicit deny, it might be an ordering issue. More commonly, if the ACL is meant to permit only HTTP but omits the port, it opens all TCP, causing security issues.

Exam clue: Exams test attention to detail: a missing port parameter in an extended ACL can make the rule too permissive or too restrictive, and you must spot the omission.

No match count on ACL line even though traffic should match

Symptom: show ip access-lists shows zero hits on the permit line for a known traffic flow.

The ACL may not be applied to the correct interface, or the packet may be matching an earlier line in the ACL (overlap). Also, the ACL could be applied in the wrong direction.

Exam clue: This is a common troubleshooting question where you must check the interface and direction using show running-config or show ip interface.

Standard ACL placed too close to source blocking unintended traffic

Symptom: Standard ACL applied inbound on the source router blocks traffic from permitted host to other destinations.

Standard ACLs only filter on source IP, so if placed near the source, they can filter traffic going anywhere. For example, if you deny a host, that host cannot reach any destination behind that router.

Exam clue: Best practice question: 'Why should standard ACLs be placed near the destination?' This exact scenario is tested.

Memory Tip

Standard ACLs: check the source only, use numbers 1-99 or 1300-1999, and place them close to the destination. Extended ACLs: allow source, destination, port, and protocol, use numbers 100-199 or 2000-2699, and place them close to the source.

Learn This Topic Fully

This glossary page explains what Numbered ACL means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

N10-008N10-009(current version)
SY0-601SY0-701(current version)

Related Glossary Terms

Quick Knowledge Check

1.A network administrator configures a standard numbered ACL with access-list 10 permit host 192.168.1.10 and applies it inbound on interface Gi0/0. Which of the following is true?

2.Which of the following commands would correctly create an extended ACL to permit SSH traffic from network 10.0.0.0/24 to server 192.168.1.100?

3.An administrator applies extended ACL 101 outbound on interface Fa0/0. Which traffic does this ACL filter?

4.What is the effect of the implicit deny at the end of a numbered ACL?

5.A numbered ACL with access-list 20 deny host 10.0.0.1 followed by access-list 20 permit any will have what net effect?