CCNA 200-301 | Chapter 90 of 260 | Objective 5.6

ACL Placement Rules

Access Control Lists (ACLs) are one of Cisco's most powerful tools for traffic filtering, but their placement on the network can make or break your security policy. A perfectly crafted ACL applied in the wrong location will either fail to block what you intended or waste router CPU cycles filtering traffic that never needed to be filtered. For the CCNA 200-301 exam (objective 5.6), you must understand not just how to write ACLs, but where to place them for maximum efficiency and security. Misplacing an ACL is one of the most common mistakes that leads to security breaches or network outages — and it's a favorite topic for Cisco exam scenario questions.

25 min read
Intermediate
Updated May 31, 2026

Airport Security Checkpoint Placement

Imagine you are the security director for a large international airport. The airport has multiple terminals, each with its own entrance, and a checkpoint before the departure gates. Your job is to stop prohibited items (e.g., weapons) from reaching the aircraft, and you can screen at two points: the terminal entrance (before passengers enter the terminal) or the gate (just before boarding).

If you screen only at the gate, you catch a weapon right before boarding, but the passenger has already roamed freely through the terminal, shops and restaurants. If you screen only at the entrance with a crude check that looks at nothing but who the passenger is, you stop some threats early, but you also turn away everyone who fails that check, whether they were headed for a flight, a restaurant or the arrivals hall. The sensible strategy is to do the detailed screening (where are you going, what are you carrying) at the entrance, closest to the source, so that a threat never enters the building, and to use the simple boarding-pass check only at the gate, closest to the destination, where it affects just the passengers who are actually boarding that flight.

In networking terms, the terminal entrance is the inbound interface closest to the source and the gate is the outbound interface closest to the destination. Extended ACLs can match source, destination, protocol and port, so they can sit close to the source without side effects: they drop exactly the flow you named before it crosses the network and consumes bandwidth. Standard ACLs match only the source address, so a decision made near the source applies to everything that host sends, to every destination; the same decision made near the destination affects only traffic actually headed there. Cisco's placement rules follow directly. For extended ACLs: "Place extended ACLs as close to the source as possible." For standard ACLs: "Place standard ACLs as close to the destination as possible." The more specific the screening, the earlier you apply it; the more generic, the later, to avoid blocking traffic you never meant to touch.

How It Actually Works

What Is ACL Placement and Why Does It Matter?

ACL placement refers to the decision of which router interface and direction (inbound or outbound) to apply an access control list to achieve the desired traffic filtering while minimizing impact on network performance and security. The CCNA 200-301 exam tests your ability to choose the correct placement for both standard and extended ACLs in a given topology. The placement decision is guided by two fundamental rules: (1) Extended ACLs should be placed as close to the source as possible. (2) Standard ACLs should be placed as close to the destination as possible. These rules are not arbitrary; they stem from the capabilities of each ACL type and the principle of filtering traffic early to conserve bandwidth and CPU.

How ACL Placement Works at the Packet Level

When a packet arrives on a router interface, the router first checks whether an inbound ACL is applied to that interface. If one is, the packet is evaluated against it before any routing decision: if permitted, it is routed normally; if denied, it is dropped immediately and no further processing occurs. Whether or not an inbound ACL was present, the router then makes its routing decision and checks for an outbound ACL on the egress interface. An outbound ACL is evaluated after routing but before the packet is transmitted. One caveat worth remembering: an outbound ACL does not filter traffic the router itself generates (its own routing-protocol packets, pings sourced from the router, and so on); only transit traffic is subject to it.

Consider a network where Host A (10.1.1.10) wants to reach Server B (192.168.1.100) via Router R1 (interface G0/0, address 10.1.1.1/24, connected to Host A's LAN) and Router R2 (interface G0/1 connected to Server B's LAN). If you apply an extended ACL inbound on R1's G0/0 that denies traffic from 10.1.1.10 to 192.168.1.100, the packet is dropped at R1 immediately; it never crosses the link to R2. This saves bandwidth on the link and CPU on every downstream router. If you applied the same ACL outbound on R2's G0/1, the packet would travel all the way to R2, be routed, and only then be dropped just before reaching Server B, having consumed resources along the entire path.

For standard ACLs, which look only at the source address, placing them close to the source causes collateral damage. Suppose you want to stop Host A from reaching Server B and write a standard ACL: deny host 10.1.1.10, then permit any. Applied inbound on R1's G0/0 (close to the source), the ACL cannot tell a packet headed for Server B from one headed for the Internet, so it drops everything Host A sends to any destination beyond R1. Applied outbound on R2's G0/1 (close to the destination), the ACL is consulted only for packets that are actually leaving toward Server B's LAN, so Host A still reaches everything else. Because a standard ACL cannot reference the destination, the only way to make it affect a single destination is to place it where only traffic to that destination passes, which is why standard ACLs belong outbound on the interface closest to the destination.
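To make the two rules above concrete, here is a small Python model, an example added to this chapter rather than Cisco code or output from the original page, that implements exactly the behaviour just described: an inbound ACL is consulted before the routing lookup, an outbound ACL after it, entries match top-down with first match winning, and a packet that matches nothing hits the implicit deny. It builds the R1 to R2 path with Host A (10.1.1.10), Server B (192.168.1.100) and an Internet host (203.0.113.5), then applies a standard ACL and an extended ACL at both candidate positions. All addresses, interface names and routes are constructed for the illustration; wildcard matching follows IOS semantics (a 1 bit means "do not care").

```python
"""Toy model of IOS ACL processing on a two-router path, R1 -> R2.

Constructed for this chapter, not Cisco code or device output. It encodes the text's
rules (inbound ACL before routing, outbound after, top-down first match, implicit deny)
and compares what each placement does to two flows from Host A. All names are invented.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_network

ANY = ("0.0.0.0", "255.255.255.255")  # the IOS keyword 'any' as address/wildcard

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: int | None = None

@dataclass
class Entry:
    action: str                          # "permit" or "deny"
    src: tuple[str, str]                 # (address, wildcard)
    dst: tuple[str, str] | None = None   # None => standard entry, source only
    proto: str = "ip"                    # "ip" matches every protocol
    dport: int | None = None

    def hit(self, p: Packet) -> bool:
        return (wildcard_match(p.src, *self.src)
                and (self.dst is None or wildcard_match(p.dst, *self.dst))
                and self.proto in ("ip", p.proto)
                and (self.dport is None or self.dport == p.dport))

@dataclass
class ACL:
    name: str
    entries: list[Entry]

    def decide(self, p: Packet) -> str:
        for e in self.entries:           # top-down, first match wins
            if e.hit(p):
                return e.action
        return "deny"                    # the implicit 'deny any' no config shows

@dataclass
class Router:
    name: str
    routes: dict[str, str]               # prefix -> egress interface (static)
    inbound: dict[str, ACL] = field(default_factory=dict)
    outbound: dict[str, ACL] = field(default_factory=dict)

    def egress_for(self, dst: str) -> str:
        """Longest-prefix match; the 0.0.0.0/0 default always matches."""
        hits = [n for n in self.routes if IPv4Address(dst) in ip_network(n)]
        return self.routes[max(hits, key=lambda n: ip_network(n).prefixlen)]

    def forward(self, p: Packet, ingress: str) -> bool:
        """Inbound ACL is checked before routing, outbound ACL after it."""
        if (acl := self.inbound.get(ingress)) and acl.decide(p) == "deny":
            return False
        acl = self.outbound.get(self.egress_for(p.dst))
        return not (acl and acl.decide(p) == "deny")

def send(p: Packet, path: list[tuple[Router, str]]) -> str:
    """Walk p through (router, ingress interface) hops and report where it dies."""
    for router, ingress in path:
        if not router.forward(p, ingress):
            return f"dropped at {router.name}"
    return "delivered"

def topology() -> tuple[Router, Router, list[tuple[Router, str]]]:
    # Host A 10.1.1.10 -- G0/0 [R1] G0/1 -- G0/0 [R2] G0/1 -- Server B; R2 G0/2 -- Internet
    r1 = Router("R1", {"10.1.1.0/24": "G0/0", "0.0.0.0/0": "G0/1"})
    r2 = Router("R2", {"10.1.1.0/24": "G0/0", "192.168.1.0/24": "G0/1", "0.0.0.0/0": "G0/2"})
    return r1, r2, [(r1, "G0/0"), (r2, "G0/0")]

TO_SERVER = Packet("10.1.1.10", "192.168.1.100", "tcp", 80)
TO_INTERNET = Packet("10.1.1.10", "203.0.113.5", "tcp", 443)

def standard_acl() -> ACL:
    """access-list 1 deny host 10.1.1.10 / access-list 1 permit any"""
    return ACL("1", [Entry("deny", ("10.1.1.10", "0.0.0.0")), Entry("permit", ANY)])

def extended_acl() -> ACL:
    """access-list 101 deny tcp host 10.1.1.10 host 192.168.1.100 eq 80 / permit ip any any"""
    return ACL("101", [Entry("deny", ("10.1.1.10", "0.0.0.0"), ("192.168.1.100", "0.0.0.0"), "tcp", 80),
                       Entry("permit", ANY, ANY)])

def compare(make_acl, near_source: bool) -> dict[str, str]:
    """Apply the ACL inbound on R1 G0/0 (near source) or outbound on R2 G0/1 (near destination)."""
    r1, r2, path = topology()
    if near_source:
        r1.inbound["G0/0"] = make_acl()
    else:
        r2.outbound["G0/1"] = make_acl()
    return {"server": send(TO_SERVER, path), "internet": send(TO_INTERNET, path)}
```

compare(standard_acl, True) returns "dropped at R1" for both flows: placed near the source, the standard ACL takes Host A off the Internet as collateral damage. compare(standard_acl, False) drops only the server flow, at R2. compare(extended_acl, True) drops the server flow at R1 before it ever crosses the R1 to R2 link and delivers the Internet flow; compare(extended_acl, False) reaches the same verdicts, but only after the doomed packet has consumed the link.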

Key States, Timers, and Defaults

ACLs themselves have no timers or states; they are static lists of permit/deny statements processed top-down, first match wins. Placement, however, interacts with the router's forwarding process. Every ACL ends with an implicit deny any: a packet that matches no entry is dropped. This entry never appears in the configuration, but it is always there, so an ACL you apply must contain at least one permit statement or it blocks all traffic in that direction on that interface. Two defaults to remember: an interface with no ACL applied permits everything, and on IOS an ip access-group that references an ACL with no entries (for example, a number you have not configured yet) also permits everything, because there is no list to evaluate. The implicit deny only takes effect once the ACL contains at least one entry.

IOS CLI Verification Commands with Real Example Output

To verify ACL placement and contents, use the following commands:

R1# show access-lists
Extended IP access list 101
    10 permit tcp 10.1.1.0 0.0.0.255 any eq 80 (12 matches)
    20 deny ip any any (5 matches)
R1# show ip interface gigabitethernet 0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 10.1.1.1/24
  ...
  Inbound access list is 101
  Outgoing access list is not set

The show ip interface command is critical for verifying which ACL is applied inbound or outbound on a specific interface.

How ACL Placement Interacts with Related Protocols

ACL placement interacts with routing protocols, NAT, and VPNs. An ACL that blocks routing protocol traffic will break adjacencies (OSPF is IP protocol 89, not a TCP/UDP port; EIGRP is protocol 88; BGP uses TCP port 179), so an inbound ACL on an interface that carries routing updates needs explicit permits for them ahead of its implicit deny. Remember also that an outbound ACL does not filter packets the router itself originates, so your own hellos leave regardless, while the neighbor's hellos arriving inbound are subject to your inbound list. With NAT, an ACL decides which traffic is translated; that ACL is referenced by the NAT configuration rather than by ip access-group, and it sits alongside any interface ACLs rather than replacing them. On the exam, you may be asked to place an ACL to filter traffic between two VLANs, which requires combining ACL placement with inter-VLAN routing (the ACL goes on the SVI or the router subinterface that serves the VLAN).

Common Pitfalls

Applying a standard ACL inbound on a router's WAN interface to block traffic from a specific source — this will block all traffic from that source, including legitimate traffic to other destinations.

Applying an extended ACL outbound on the destination router's LAN interface — this works but is inefficient; better to place it inbound on the source router's interface.

Forgetting the implicit deny and wondering why all traffic is blocked after applying an ACL.

Placing an ACL on the wrong interface (e.g., applying it on the interface facing the destination instead of the source).

Walk-Through

1

Identify Traffic to Filter

Determine the exact traffic you need to permit or deny. For example: 'Deny all traffic from 10.1.1.0/24 to 192.168.1.100, but allow everything else.' Write down the source IP, destination IP, protocol (TCP/UDP), and port numbers if applicable. This clarity will guide your ACL type and placement. On the exam, the scenario will describe the traffic flow; you must extract the source and destination networks.

2

Choose ACL Type: Standard or Extended

If you need to filter based on source AND destination (or protocol/port), use an extended ACL (numbered 100-199 or 2000-2699, or named). If you only need to filter by source IP, use a standard ACL (numbered 1-99 or 1300-1999, or named). On the CCNA exam, extended ACLs are far more common because they offer granularity. Remember: standard ACLs cannot filter by destination, so they are only useful for simple source-based restrictions.

3

Apply Placement Rule: Extended Close to Source

For extended ACLs, place them inbound on the interface closest to the source of the traffic you want to filter. This minimizes unnecessary traffic traversing the network. For example, to block traffic from 10.1.1.0/24 to 192.168.1.100, apply the ACL inbound on the router interface that connects to 10.1.1.0/24. Use the `ip access-group` command in interface configuration mode. Verify with `show ip interface`.

4

Apply Placement Rule: Standard Close to Destination

For standard ACLs, place them outbound on the interface closest to the destination. This avoids accidentally blocking traffic destined to other networks. For example, if you want to permit only 10.1.1.0/24 to access a server at 192.168.1.100, apply the standard ACL outbound on the router interface facing 192.168.1.100. The ACL will permit traffic from 10.1.1.0/24 and deny all else (implicit deny).

5

Configure ACL and Apply to Interface

Use global configuration mode to create the ACL. For extended: `access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.100 eq 80`. Then enter interface configuration mode, `interface gigabitethernet 0/0`, and apply it with `ip access-group 101 in`. For standard: `access-list 1 permit 10.1.1.0 0.0.0.255`, then `interface gigabitethernet 0/1` and `ip access-group 1 out`. Always remember the implicit deny: if other traffic should still flow, end an extended ACL with `permit ip any any` and a standard ACL with `permit any`. With permit-only ACLs like the two above, the implicit deny is what does the blocking, so adding a permit-all to them would filter nothing at all.

6

Verify and Test ACL Placement

Use `show access-lists` to see match counts. Use `show ip interface <interface>` to confirm the ACL is applied in the correct direction. Ping or telnet from source to destination to test. If traffic is blocked unexpectedly, check the ACL order — entries are processed top-down. Also, ensure the ACL is applied on the correct interface and direction. A common mistake is applying the ACL outbound when it should be inbound, or vice versa.

What This Looks Like on the Job

In a typical enterprise, ACL placement is a daily consideration for network engineers. Consider a company with a remote branch office (192.168.1.0/24) that should only access the corporate file server (10.1.1.100) on port 445 (SMB) and nothing else on the corporate network. The correct placement is an extended ACL on the branch router's inbound interface (facing the branch LAN) that permits traffic from 192.168.1.0/24 to host 10.1.1.100 eq 445 and denies all else. This ensures that any malicious outbound traffic from the branch is dropped at the branch router, not consuming WAN bandwidth.

Another scenario: a data center has a management subnet (172.16.0.0/24) that should only be able to SSH (port 22) to the core switches. The network engineer applies an extended ACL inbound on the interface connecting to the management subnet, permitting only TCP port 22 to the core switch IPs. This prevents any other traffic (e.g., web browsing) from reaching the core switches, enforcing security policy.

At scale, ACL placement affects router CPU. On software-forwarded platforms, a long ACL inbound on a high-traffic interface means every packet is checked entry by entry until it matches, which can degrade performance; hardware-switched platforms evaluate ACLs in TCAM, where length matters less but capacity is finite. Either way, filtering with an extended ACL as close to the source as possible keeps unwanted traffic off the links and out of the intermediate routers entirely. Also, use object groups or named ACLs for easier management, and where it does not change the result, put the entries that match most of the traffic near the top of the list.

Misconfiguration is common. A junior engineer might apply a standard ACL inbound on the core router's Internet-facing interface to keep a specific source away from one internal server; because the standard ACL sees only the source, it blocks that source from every internal destination, causing a partial outage. The fix is either an extended ACL, still inbound on the Internet-facing interface but naming the destination host it is meant to protect, or a standard ACL moved outbound onto the interface facing that server. Another mistake is applying an ACL on the wrong device or interface (e.g., the ACL meant for the branch router on the corporate router), which either fails to filter or blocks unintended traffic. Always double-check interface IPs and directions with show ip interface brief before applying.

How CCNA 200-301 Actually Tests This

The CCNA 200-301 exam objective 5.6 specifically tests your ability to configure and verify ACLs, including placement. Expect scenario-based questions where you are given a network diagram and must choose the correct interface and direction to apply an ACL. The most common wrong answers are:

1.

Applying a standard ACL inbound on the source router. Candidates think 'close to source' applies to all ACLs, but standard ACLs should be close to destination.

2.

Applying an extended ACL outbound on the destination router. While this works, it is less efficient than inbound on the source router. The exam expects the most efficient placement.

3.

Confusing inbound and outbound directions. Remember: inbound applies to traffic entering the interface; outbound applies to traffic leaving the interface. Draw the traffic flow.

4.

Forgetting the implicit deny and not including a permit statement for desired traffic, causing all traffic to be blocked.

Specific values: Standard ACL numbers 1-99 and 1300-1999; extended ACL numbers 100-199 and 2000-2699. Named ACLs are also valid. The wildcard mask is crucial — e.g., 0.0.0.255 matches the first 24 bits. On the exam, you may need to calculate the wildcard mask from a subnet mask (inverse).

Decision rule for placement questions: First, determine if the ACL needs to filter by destination or protocol/port. If yes, it must be an extended ACL placed as close to the source as possible (inbound on the source's interface). If only source IP matters, it's a standard ACL placed as close to the destination as possible (outbound on the destination's interface). Always draw the traffic flow and identify the nearest interface to the source or destination.
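The walk-through steps and the decision rule above can be written down as a function. The Python below is an example added to this chapter (not Cisco tooling and not from the original page): given the flow to filter and the (router, interface) pair facing the source and the one facing the destination, it applies the rule, picks an ACL number from the ranges in the text (101 and 1 are assumed to be free), computes wildcards from the prefix, and emits the access-list and ip access-group lines of step 5. It also refuses the two mistakes the text warns about, a deny-only list (everything dies on the implicit deny) and a permit followed by permit-all (which filters nothing), and rejects a port match without tcp or udp, which IOS would not accept either.

```python
"""The chapter's placement decision rule, encoded as a function that emits IOS lines.

Constructed for this chapter; not Cisco code. Given the flow to filter and the two
candidate (router, interface) pairs, the one facing the source and the one facing the
destination, it picks ACL type, number, interface and direction and renders the
access-list and ip access-group commands. ACL numbers and interface names are assumed.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_network

def wildcard_from_mask(mask: str) -> str:
    """Exam arithmetic: the wildcard is the subnet mask with every bit inverted."""
    return str(IPv4Address(0xFFFFFFFF ^ int(IPv4Address(mask))))

def addr_token(prefix: str) -> str:
    """Render a prefix the way IOS wants it: 'any', 'host X' or 'X wildcard'."""
    net = ip_network(prefix)
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"  # hostmask == inverted subnet mask

@dataclass
class Requirement:
    action: str                  # "permit" or "deny" for the flow described
    src: str                     # prefix, e.g. "10.1.1.0/24" or "10.1.1.10/32"
    dst: str = "0.0.0.0/0"       # default: any destination
    proto: str | None = None     # "tcp", "udp", "icmp" or None for any protocol
    dport: int | None = None
    allow_rest: bool = True      # add an explicit permit for everything else?

@dataclass
class Placement:
    acl_type: str
    number: int
    router: str
    interface: str
    direction: str
    config: list[str]

def place(req: Requirement, source_side: tuple[str, str], dest_side: tuple[str, str]) -> Placement:
    """source_side and dest_side are (router, interface) closest to source and destination."""
    if req.action == "deny" and not req.allow_rest:
        raise ValueError("only deny entries: the implicit deny would drop all traffic")
    if req.action == "permit" and req.allow_rest:
        raise ValueError("permit followed by permit-all filters nothing; rely on the implicit deny")
    if req.dport is not None and req.proto not in ("tcp", "udp"):
        raise ValueError("a port can only be matched for tcp or udp")
    extended = req.dst != "0.0.0.0/0" or req.proto is not None or req.dport is not None
    if extended:                                   # numbered 100-199 or 2000-2699
        number, (router, iface), direction = 101, source_side, "in"
        entry = (f"access-list {number} {req.action} {req.proto or 'ip'} "
                 f"{addr_token(req.src)} {addr_token(req.dst)}")
        if req.dport is not None:
            entry += f" eq {req.dport}"
        rest = f"access-list {number} permit ip any any"
    else:                                          # numbered 1-99 or 1300-1999
        number, (router, iface), direction = 1, dest_side, "out"
        entry = f"access-list {number} {req.action} {addr_token(req.src)}"
        rest = f"access-list {number} permit any"
    config = [entry] + ([rest] if req.allow_rest else [])
    config += [f"interface {iface}", f" ip access-group {number} {direction}"]
    return Placement("extended" if extended else "standard", number, router, iface, direction, config)
```

For the chapter's running scenario, place(Requirement("deny", "10.1.1.0/24", "192.168.1.100/32", "tcp", 80), ("R1", "GigabitEthernet0/0"), ("R2", "GigabitEthernet0/1")) yields an extended ACL inbound on R1 GigabitEthernet0/0, while place(Requirement("permit", "10.1.1.0/24", allow_rest=False), ...) with the same interfaces yields a standard ACL outbound on R2 GigabitEthernet0/1. The function only considers the two interfaces you hand it; in a real topology you still have to read the diagram to find them.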

For troubleshooting, use show access-lists to check match counts — if matches are zero, the ACL might be applied on the wrong interface or direction, or the traffic doesn't match the criteria. show ip interface confirms the ACL binding.

Key Takeaways

Extended ACLs (100-199, 2000-2699) filter by source, destination, protocol, and port; place them as close to the source as possible (inbound on source-facing interface).

Standard ACLs (1-99, 1300-1999) filter only by source IP; place them as close to the destination as possible (outbound on destination-facing interface).

The implicit deny at the end of every ACL means you must include at least one permit statement or all traffic is blocked.

Use `show ip interface <interface>` to verify which ACL is applied inbound/outbound on an interface.

Use `show access-lists` to see match counts and verify ACL entries are being hit.

Inbound ACLs process packets before routing; outbound ACLs process after routing.

On the CCNA exam, always consider efficiency — extended ACLs inbound on source router is the most efficient placement.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Standard ACL

Filters only by source IP address

Placed as close to destination as possible

Numbered 1-99 or 1300-1999

Less granular; cannot filter by destination or protocol

Simpler configuration

Extended ACL

Filters by source IP, destination IP, protocol, and port

Placed as close to source as possible

Numbered 100-199 or 2000-2699

More granular; allows precise traffic filtering

More complex configuration

Watch Out for These

Mistake

Standard ACLs should be placed as close to the source as possible, just like extended ACLs.

Correct

Standard ACLs should be placed as close to the destination as possible because they cannot filter by destination, so placing them near the source could block traffic to unintended destinations.

Candidates confuse the general 'filter early' principle with the specific limitation of standard ACLs.

Mistake

An ACL applied outbound on an interface filters traffic before routing.

Correct

Outbound ACLs are processed after the routing decision. Inbound ACLs are processed before routing.

The terms are easy to mix up: "outbound" does mean the ACL is checked just before the packet leaves the interface, but that moment comes after the routing decision, and the ordering relative to routing is what the exam tests.

Mistake

The implicit deny is optional and can be removed.

Correct

The implicit deny is always present at the end of every ACL and cannot be removed. If traffic that matches none of your explicit entries should pass, end the list with an explicit `permit ip any any` (extended) or `permit any` (standard) so the implicit deny is never reached.

Candidates may think they can delete the implicit deny by not including a deny statement, but it is built into the ACL processing logic.

Mistake

ACL placement does not affect performance; only the number of entries matters.

Correct

Placement significantly affects performance because filtering traffic early reduces bandwidth and CPU usage on intermediate routers. An ACL applied inbound on the source router filters before the packet traverses the network.

Candidates may focus only on ACL syntax and forget the operational impact of placement.


Frequently Asked Questions

What is the difference between inbound and outbound ACL placement?

Inbound ACLs process packets as soon as they arrive on an interface, before the routing decision. Outbound ACLs process packets after the routing decision, just before they exit the interface. Inbound ACLs are more efficient for filtering traffic at the source because they drop unwanted packets early, saving bandwidth and CPU. Outbound ACLs are typically used for standard ACLs placed close to the destination. On the exam, remember: inbound = before routing, outbound = after routing.

Can I apply both an inbound and outbound ACL on the same interface?

Yes. IOS allows one ACL per protocol, per interface, per direction, so an interface can carry one IPv4 ACL inbound and a different one outbound at the same time (but not two inbound). They operate independently: the inbound ACL filters traffic entering the interface and the outbound ACL filters traffic leaving it. This is useful when traffic entering and leaving a network segment needs different rules.

Why should standard ACLs be placed close to the destination?

Standard ACLs only check the source IP address, so a permit or deny decision applies to every destination the packet might be heading for. Placed close to the source (e.g., inbound on the source router's LAN interface), a deny for a host blocks that host from reaching everything beyond the router, not just the server you meant to protect, and the implicit deny blocks every other source from every destination as well. Placed outbound on the interface facing the destination, the same ACL is only consulted for traffic actually leaving toward that destination, so other networks are not inadvertently permitted or denied.

What is the implicit deny and how does it affect ACL placement?

The implicit deny is an invisible final entry in every ACL that denies all traffic not explicitly permitted. It means that if your ACL does not include a permit statement for desired traffic, that traffic will be dropped. When placing an ACL, you must ensure that your permit entries cover all traffic you want to allow; otherwise, the implicit deny will block it. For example, if you create an ACL with only a deny entry, all traffic will be denied because no permit exists.

How do I verify which ACL is applied on an interface?

Use the command 'show ip interface <interface>' (e.g., 'show ip interface gigabitethernet 0/0'). The output will show 'Inbound access list is <name/number>' and 'Outgoing access list is <name/number>' if an ACL is applied. If no ACL is applied, it will say 'not set'. This command is essential for troubleshooting ACL placement issues.

Can I use a named ACL instead of numbered? Does placement rule change?

Yes. Named ACLs (created with `ip access-list standard NAME` or `ip access-list extended NAME`) are applied with the same `ip access-group NAME in|out` command and follow the same placement rules: extended close to the source, standard close to the destination. Named ACLs let you add, edit or delete individual entries by sequence number; on modern IOS, numbered ACLs can be edited the same way by entering `ip access-list extended 101` (or `ip access-list standard 1`), while the legacy `access-list` global command only appends to the end. On the exam, both forms are acceptable.

What happens if I apply an ACL on the wrong interface?

If you apply an ACL on the wrong interface, the intended traffic might not be filtered, or unintended traffic might be blocked. For example, if you apply an ACL meant to block traffic from 10.1.1.0/24 on the interface facing 192.168.1.0/24, it will filter traffic from 192.168.1.0/24 instead. Always verify the interface IP addresses and the direction of traffic flow. Use 'show ip interface brief' to confirm interfaces.
