Access Control Lists (ACLs) are the Swiss Army knife of Cisco IOS – they filter traffic, identify traffic for NAT and QoS, and secure management access. On the CCNA 200-301 exam, you must know ACL syntax inside out, including the difference between standard and extended ACLs, implicit deny, and where to apply them. Mastering ACL syntax is a non-negotiable skill for any network engineer, as misconfigurations can silently break connectivity or expose your network to threats.
Imagine a nightclub with two entrances: one for VIPs (inbound traffic) and one for general admission (outbound traffic). The bouncer at each door has a list of rules printed on a clipboard. Each rule is a line on the clipboard, numbered from 1 to 99 (or 100 to 199 for the VIP list). The bouncer reads the rules from top to bottom. The first rule that matches a person trying to enter decides their fate: either they are let in (permit) or turned away (deny). If no rule matches, the bouncer has a final unwritten rule: 'If I haven't decided by now, you're not getting in.' That's the implicit deny – the default action is to deny all traffic.
Now, the VIP list (standard ACL) only looks at the person's name (source IP address). It doesn't care what they're wearing or what they want to do inside. The general admission list (extended ACL) checks the person's name, what they're wearing (protocol), and what they want to do (destination port). The bouncer applies the list to a specific door (interface) and direction (inbound or outbound). If you apply the VIP list to the general door, it won't work correctly – you must apply the right list to the right door. Also, if you add a new rule to the bottom of the clipboard, it won't affect people already inside; ACLs only check new arrivals. This is why you must be careful about the order of rules and where you apply them. Misconfigured ACLs can either lock everyone out or let everyone in – the bouncer is only as good as the list he follows.
What is an ACL?
An Access Control List (ACL) is a sequential set of permit or deny statements that filter packets based on criteria such as source IP, destination IP, protocol, and port numbers. ACLs are applied to interfaces inbound or outbound. They are a fundamental tool for security and traffic management.
Types of ACLs
Cisco IOS supports two main types of ACLs relevant to CCNA:
- Standard ACLs: Numbered 1-99 or 1300-1999 (the expanded range). They filter only on the source IP address. They are typically placed as close to the destination as possible to avoid unintended filtering.
- Extended ACLs: Numbered 100-199 or 2000-2699 (the expanded range). They filter on source IP, destination IP, protocol (IP, TCP, UDP, ICMP, etc.), and port numbers. They should be placed as close to the source as possible for efficiency.
Also, Named ACLs allow you to use a name instead of a number for both standard and extended ACLs, making configuration easier to read.
ACL Processing Logic
When a packet enters or leaves an interface, the router checks the ACL applied to that interface in that direction. The ACL is processed top-down. The first match determines the action (permit or deny). If no match is found, the implicit deny at the end denies the packet. This is crucial: if you don't have a permit statement for necessary traffic, it will be dropped.
Standard ACL Syntax
```
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny any
```
- `access-list 10` creates or adds to list 10.
- `permit` or `deny` is the action.
- `192.168.1.0` is the network address.
- `0.0.0.255` is the wildcard mask (the inverse of the subnet mask).
- `any` is shorthand for `0.0.0.0 255.255.255.255`.
- `host 192.168.1.1` is shorthand for `192.168.1.1 0.0.0.0`.
Extended ACL Syntax
```
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 100 deny ip any any
```
- `tcp` specifies the protocol.
- `192.168.1.0 0.0.0.255` is the source.
- `any` is the destination.
- `eq 80` matches destination port 80.
- The port operators are `eq`, `gt`, `lt`, `neq`, and `range`.
Wildcard Masks
Wildcard masks are 32-bit numbers where 0 means 'match this bit exactly' and 1 means 'ignore this bit'. For example, 0.0.0.255 matches any host in a /24 network. Common wildcards:
- /24 (255.255.255.0) -> wildcard 0.0.0.255
- /16 (255.255.0.0) -> wildcard 0.0.255.255
- /8 (255.0.0.0) -> wildcard 0.255.255.255
- any -> wildcard 255.255.255.255
- host -> wildcard 0.0.0.0
Applying ACLs to Interfaces
```
interface GigabitEthernet0/0
 ip access-group 100 in
```
- `in` filters packets arriving on the interface.
- `out` filters packets leaving the interface.
Verification Commands
```
show access-lists
show ip access-lists
show running-config | include access-list
show ip interface GigabitEthernet0/0
```
Example output:
```
Router# show access-lists
Standard IP access list 10
    10 permit 192.168.1.0, wildcard bits 0.0.0.255
    20 deny any
Extended IP access list 100
    10 permit tcp 192.168.1.0 0.0.0.255 any eq 80
    20 deny ip any any
```
Every ACL has an implicit deny any at the end. It is not shown in the output but is always present. To allow all other traffic, you must add a permit ip any any at the end.
Sequence Numbers
Modern IOS automatically assigns sequence numbers (starting at 10, increment by 10) to each entry. You can insert or delete entries by sequence number:
```
ip access-list standard 10
 15 permit host 192.168.1.100
 no 20
```
Named ACLs
```
ip access-list extended BLOCK_WEB
 deny tcp any any eq 80
 deny tcp any any eq 443
 permit ip any any
```
Then apply it:
```
interface GigabitEthernet0/1
 ip access-group BLOCK_WEB out
```
Important Rules and Traps
Standard ACLs should be placed close to the destination; extended ACLs close to the source.
Only one ACL per interface per direction is allowed.
The order of entries matters. Always add new entries carefully; they are added to the end by default unless you specify a sequence number.
any matches everything, so deny any at the end is redundant but harmless.
For extended ACLs, you must specify the protocol before source/destination.
The established keyword for TCP matches packets with the ACK or RST bit set (return traffic).
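As an added example (not code from the page or from Cisco IOS), the following Python models the processing logic described in the sections above: wildcard-mask matching, the numbered standard and extended syntax, top-down first-match evaluation, the implicit deny, and the TCP `established` keyword; `prefix_to_wildcard` also does the inverse-mask arithmetic the /26 answer later on this page works through. The `Packet` fields and the sample ACL are constructed for the demonstration, and named ACLs and the `range` operator are deliberately left out.

```python
# Added example (not from the page or Cisco IOS): a minimal simulator of the ACL semantics
# above: wildcard matching, top-down first match, implicit deny, the TCP 'established' keyword.
import ipaddress
import operator
from collections import namedtuple

# src/dst are dotted-quad strings; ack_or_rst models the TCP flags 'established' checks.
Packet = namedtuple("Packet", "src dst proto dport ack_or_rst", defaults=(0, False))
PORT_OPS = {"eq": operator.eq, "gt": operator.gt, "lt": operator.lt, "neq": operator.ne}

def prefix_to_wildcard(prefix_len: int) -> str:
    """Wildcard mask for a prefix length: the bitwise inverse of the subnet mask."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard bit 1 means 'ignore this bit'; 0 means 'must match exactly'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def _take_addr(t: list, i: int):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at token i."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def parse_ace(line: str) -> dict:
    """Parse one numbered 'access-list N permit|deny ...' entry ('range' not handled)."""
    t = line.split()
    number, action = int(t[1]), t[2]
    if number <= 99 or 1300 <= number <= 1999:  # standard ACL: source only
        return {"action": action, "proto": "ip", "src": _take_addr(t, 3)[0],
                "dst": None, "op": None, "established": False}
    src, i = _take_addr(t, 4)                   # extended ACL: protocol is t[3]
    dst, i = _take_addr(t, i)
    op = (t[i], int(t[i + 1])) if i < len(t) and t[i] in PORT_OPS else None
    return {"action": action, "proto": t[3], "src": src, "dst": dst,
            "op": op, "established": "established" in t[i:]}

def ace_matches(ace: dict, pkt: Packet) -> bool:
    """Every field of the entry must match; 'established' also needs ACK or RST set."""
    if ace["proto"] not in ("ip", pkt.proto) or not wildcard_match(pkt.src, *ace["src"]):
        return False
    if ace["dst"] and not wildcard_match(pkt.dst, *ace["dst"]):
        return False
    if ace["op"] and not PORT_OPS[ace["op"][0]](pkt.dport, ace["op"][1]):
        return False
    return pkt.ack_or_rst or not ace["established"]

def evaluate(acl_lines: list, pkt: Packet) -> str:
    """Top-down, first match wins; falling off the end is the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"

# Constructed sample ACL: the page's web-permit entry plus a return-traffic entry.
ACL_100 = ["access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80",
           "access-list 100 permit tcp any any established", "access-list 100 deny ip any any"]
```

Running `evaluate(ACL_100, Packet("192.168.1.10", "203.0.113.5", "tcp", 443))` returns `deny`, which is exactly the HTTPS trap the page warns about: nothing permits port 443, so the implicit deny (here made explicit by the last line) drops it.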
Interaction with Other Features
ACLs are used in many features beyond filtering: route maps for policy-based routing, NAT (identifying interesting traffic), QoS class maps, and VTY access lists for management access control. For example, a VTY ACL:
```
access-list 12 permit 192.168.1.0 0.0.0.255
line vty 0 4
 access-class 12 in
```
This restricts Telnet/SSH access to the router to the 192.168.1.0/24 network only.
Plan ACL Placement and Type
Determine whether you need a standard or extended ACL based on the filtering criteria. Standard ACLs only check source IP; extended ACLs check source, destination, protocol, and port. Place standard ACLs as close to the destination as possible to avoid blocking traffic unintentionally. Place extended ACLs as close to the source as possible to filter traffic early and save bandwidth. For example, to block a specific host from accessing a web server, use an extended ACL on the interface closest to the host.
Create the ACL with Correct Syntax
Use the `access-list` global configuration command for numbered ACLs or `ip access-list` for named ACLs. For extended ACLs, specify the protocol (e.g., tcp, udp, icmp, ip) followed by source and destination addresses with wildcard masks. Use `any` for all addresses or `host` for a single IP. For port matching, use operators like `eq`, `gt`, `lt`, `neq`, or `range`. Example: `access-list 100 permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.100 eq 80`. Remember the implicit deny at the end; add a `permit ip any any` if needed.
Apply the ACL to an Interface
Enter interface configuration mode and use the `ip access-group` command to apply the ACL inbound or outbound. For example: `interface GigabitEthernet0/0` then `ip access-group 100 in`. Only one ACL per direction per interface is allowed. Verify with `show ip interface` to see which ACL is applied. Ensure the direction is correct: 'in' filters packets arriving, 'out' filters packets leaving.
Verify ACL Operation
Use `show access-lists` to view the ACL entries and match counts. The match count shows how many packets have matched each line. If the count is zero, the ACL may not be applied correctly or the traffic is not hitting it. Use `show ip access-lists` for IPv4 ACLs only. Also use `show running-config | include access-list` to see the ACL configuration. For troubleshooting, `debug ip packet 100 detail` shows packets matching ACL 100; use `debug ip packet` with caution.
Edit and Sequence ACL Entries
Modern IOS supports sequence numbers for editing. Use `ip access-list extended 100` to enter ACL configuration mode, then insert a new entry with a sequence number (e.g., `15 permit tcp 10.0.0.0 0.255.255.255 any eq 443`). To delete an entry, use `no 15`. Without sequence numbers, you cannot easily insert lines in the middle; you would need to remove and recreate the ACL. Always verify the order after editing.
Apply ACL to VTY Lines for Management Access
To restrict remote management (SSH/Telnet) to the router, create a standard ACL and apply it to the VTY lines. Example: `access-list 12 permit 192.168.1.0 0.0.0.255` then `line vty 0 4` and `access-class 12 in`. This allows only the 192.168.1.0/24 network to connect to the router via VTY. Do not forget to include your own management IP in the ACL, or you will lock yourself out.
In a typical enterprise network, ACLs are used for several critical functions:
1. Perimeter Security at the Internet Edge
At the border router, an extended ACL is applied inbound on the external interface to block known malicious traffic. For example, deny RFC 1918 private addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) from entering the internal network, deny packets with source IP equal to the internal network (spoofing), and permit only necessary services like HTTP, HTTPS, and SMTP to specific servers. This ACL is often hundreds of lines long and must be carefully maintained. A common mistake is forgetting the implicit deny – if you don't have a permit ip any any at the end, all traffic not explicitly permitted will be dropped, potentially breaking legitimate services.
2. Segmenting Internal Traffic
Inside the network, ACLs are used to enforce security policies between departments. For instance, the HR department's VLAN may be allowed to access the payroll server but not the IT server. An extended ACL is applied on the Layer 3 interface of the HR VLAN, filtering traffic leaving the HR subnet. This is often done on a firewall, but in smaller networks, a router with ACLs suffices. Performance is a consideration: hardware-switched platforms (like Cisco Catalyst switches) can apply ACLs in hardware, but software-based routers may experience CPU load with many ACL entries.
3. Controlling Management Access
Network engineers use ACLs to restrict SSH access to routers and switches to only specific management subnets. A standard ACL is applied to the VTY lines. If misconfigured – for example, if the engineer's own IP is not included – they can be locked out. Always have an out-of-band console connection to recover. Also, remember that ACLs on VTY lines do not affect console or auxiliary ports.
Scale and Performance: ACLs are processed sequentially, so large ACLs (hundreds of entries) can introduce latency. On high-end routers, ACLs are often implemented in hardware (TCAM) for wire-speed forwarding. On low-end routers, software processing can degrade performance. Best practice is to keep ACLs as short as possible and place more specific entries at the top to minimize processing.
Misconfiguration Consequences: A missing permit statement can break connectivity; a missing deny can expose the network. For example, if you intend to block only HTTP but forget to permit HTTPS, HTTPS traffic will be denied by the implicit deny. Always test ACLs in a lab or during a maintenance window.
The CCNA 200-301 exam explicitly tests ACL syntax, application, and interpretation under the 'Network Access' domain (objective 3.1: Configure and verify ACLs). Expect multiple-choice questions where you must identify correct syntax, predict the effect of an ACL, or choose the correct placement.
Common Wrong Answers and Why Candidates Choose Them:
Using subnet masks instead of wildcard masks. Candidates often write access-list 10 permit 192.168.1.0 255.255.255.0 instead of 0.0.0.255. The exam will include distractors with subnet masks. Remember: ACLs use wildcard masks, which are the inverse of subnet masks.
Placing a standard ACL close to the source. Standard ACLs only check source IP, so if placed close to the source, they can block traffic that should be allowed to other destinations. The correct placement is close to the destination.
Forgetting the implicit deny. Candidates may assume that if no deny entry exists, all traffic is permitted. The implicit deny at the end denies everything not explicitly permitted. Always add a permit ip any any if you want to allow all other traffic.
Applying an extended ACL with wrong direction. For example, applying an ACL inbound on an interface when the traffic is actually coming from the opposite direction. The exam may give a topology and ask where to apply the ACL.
Specific Values and Commands:
Standard ACL numbers: 1-99, 1300-1999
Extended ACL numbers: 100-199, 2000-2699
Wildcard mask for host: host 10.1.1.1 or 10.1.1.1 0.0.0.0
Wildcard mask for any: any or 0.0.0.0 255.255.255.255
Sequence numbers: default increments by 10
show access-lists shows match counts
show ip interface shows applied ACL
Decision Rule for Scenario Questions:
Identify what traffic needs to be filtered (source, destination, protocol, port).
Choose standard ACL if only source IP matters; otherwise extended.
Determine placement: standard near destination, extended near source.
Write the ACL entry with wildcard mask, not subnet mask.
Remember implicit deny – add a permit all if needed.
Apply to the correct interface and direction.
Trap: The `established` keyword. On the exam, you may see an ACL that uses established to allow return traffic. This matches TCP packets with ACK or RST bits set. It is used for stateful filtering without a stateful firewall. Know that established only works for TCP, not UDP.
ACLs use wildcard masks (inverse of subnet masks); e.g., 0.0.0.255 for /24.
Standard ACL numbers: 1-99, 1300-1999; Extended: 100-199, 2000-2699.
Implicit deny any at the end of every ACL; must add permit ip any any to allow all other traffic.
Only one ACL per interface per direction (in or out).
Standard ACLs placed close to destination; extended ACLs close to source.
Sequence numbers allow insertion/deletion of entries; default increment 10.
Named ACLs use ip access-list standard/extended <name> command.
VTY access uses access-class command, not ip access-group.
These come up on the exam all the time. Here's how to tell them apart.
Standard ACL
Filters only on source IP address.
Number range: 1-99, 1300-1999.
Place close to destination.
Less granular; cannot filter by protocol or port.
Simpler to configure but less flexible.
Extended ACL
Filters on source IP, destination IP, protocol, and port.
Number range: 100-199, 2000-2699.
Place close to source.
Granular control; can filter specific applications.
More complex but more powerful.
Mistake
ACLs use subnet masks for matching.
Correct
ACLs use wildcard masks where 0 means match exactly, 1 means ignore. For a /24 network, wildcard is 0.0.0.255.
Candidates are familiar with subnet masks from IP addressing and assume ACLs use the same format.
Mistake
Standard ACLs should be placed close to the source.
Correct
Standard ACLs only filter on source IP, so placing them close to the source can block traffic to all destinations. They should be placed close to the destination.
Candidates may think 'filter as early as possible' applies to all ACLs, but standard ACLs lack destination awareness.
Mistake
If an ACL has no deny statements, all traffic is permitted.
Correct
Every ACL has an implicit deny any at the end. Without a permit all statement, all unmatched traffic is denied.
The implicit deny is not visible in the configuration, so candidates forget it exists.
Mistake
You can have multiple ACLs on the same interface in the same direction.
Correct
Only one ACL per interface per direction is allowed. To combine rules, add multiple entries to a single ACL.
Some candidates think you can chain ACLs like firewall rules, but IOS limits to one per direction.
An inbound ACL filters packets as they arrive on the interface, before the routing decision. An outbound ACL filters packets as they leave the interface, after the routing decision. You apply an ACL inbound or outbound using the `ip access-group` command. Only one ACL per direction is allowed. The direction is critical: if you want to block traffic coming from outside, use inbound; if you want to block traffic leaving your network, use outbound.
If your IOS supports sequence numbers (most modern IOS does), enter ACL configuration mode using `ip access-list extended <name or number>`. Then add the entry with a sequence number between the existing numbers. For example, if entries are numbered 10 and 20, you can add entry 15. Without sequence numbers, you must remove the ACL and recreate it with the correct order. Always plan your ACL order before configuring.
The `established` keyword matches TCP packets that have the ACK or RST bit set. This is used to allow return traffic for outbound connections. For example, `permit tcp any any established` permits TCP responses (like HTTP responses) while blocking new inbound connections. It does not work for UDP. This is a simple stateful filtering mechanism without a firewall.
No, standard and extended ACLs work at Layer 3 and Layer 4. For MAC address filtering, you need a MAC ACL, which is configured with `mac access-list extended` and applied to a Layer 2 interface. This is less common on CCNA but appears in some switching contexts. MAC ACLs are used for port security or filtering non-IP traffic.
Every ACL has an implicit `deny any` at the end, which is not shown in the configuration. To allow all traffic not explicitly denied, you must add a `permit ip any any` as the last entry. For example, if you have an ACL that permits HTTP, you need a permit any at the end to allow other traffic; otherwise, it will be denied.
Use `show ip interface <interface>` or `show running-config interface <interface>`. The output includes `Inbound access list is ...` or `Outbound access list is ...`. For example: `show ip interface GigabitEthernet0/0` shows the applied ACL and direction. Also, `show access-lists` shows the ACL entries and match counters.
A /26 network has subnet mask 255.255.255.192. The wildcard mask is the inverse: 0.0.0.63. To calculate, subtract each octet from 255: 255-255=0, 255-255=0, 255-255=0, 255-192=63. So wildcard is 0.0.0.63. For example, `access-list 10 permit 192.168.1.0 0.0.0.63` matches addresses 192.168.1.0 to 192.168.1.63.