CCNA 200-301 | Chapter 175 of 260 | Objective 5.6

Exam Trap: ACL Gotchas and Wildcards

Access Control Lists (ACLs) are a cornerstone of network security and traffic filtering, and the CCNA 200-301 exam tests your ability to configure and troubleshoot them with precision. However, many candidates stumble on the subtle details—wildcard masks, implicit deny, and the order of entries—that can make or break a production network. This chapter dives into the most common ACL gotchas, with a focus on wildcard masks and how they differ from subnet masks, to ensure you avoid the traps that even experienced engineers sometimes fall into. Exam objective 5.6 covers configuring and verifying ACLs, and mastering these gotchas is essential for both the exam and real-world deployment.

25 min read
Intermediate
Updated May 31, 2026

The VIP Club Bouncer Analogy

Imagine you are the bouncer at an exclusive club called 'Network Nightclub.' Your job is to control who enters based on a list of rules written by the club owner. One rule says: 'Allow anyone whose ID number starts with 10.1.1.' But the owner writes it using a strange pattern: '10.1.1.0 0.0.0.255'. The zeros mean 'this part must match exactly' and the 255 means 'don't care.' So when someone shows an ID of 10.1.1.5, you check that the first three octets (10.1.1) match exactly, because of the zeros, and let the last octet be anything, because of the 255. That pattern is a wildcard mask, not a subnet mask: a subnet mask uses 1s for the part that matters, a wildcard mask uses 0s. Read '0.0.0.255' as a subnet mask and it makes no sense; read it as a wildcard and it means 'check the first 24 bits, ignore the last 8.' Now the owner adds another rule, 'Deny anyone whose ID starts with 192.168.1,' written as 'deny 192.168.1.0 0.0.0.255', but puts it after an 'allow any' rule. You check the list in order and stop at the first rule that fits, so 'allow any' lets everyone in before you ever reach the deny. That is the classic ACL ordering trap. If the owner never writes an 'allow any' at the end, you must turn away everyone who is not explicitly allowed: that is the implicit deny. Finally, the owner wants to keep out every 10.x.x.x ID. 'deny 10.0.0.0 0.255.255.255' does that, because only the first octet must match. But 'deny 10.0.0.0 0.0.0.255' blocks only 10.0.0.0/24, not the whole 10.0.0.0/8. Understanding wildcards is like knowing whether to check the first three digits of an ID or just the first digit.

How It Actually Works

What Are ACLs and Why Do They Matter?

Access Control Lists (ACLs) are sequential lists of permit or deny statements that filter traffic based on criteria such as source/destination IP address, protocol, and port numbers. They are applied to interfaces in either the inbound or outbound direction. On the CCNA exam, you must be able to configure standard (numbered 1-99, 1300-1999) and extended (100-199, 2000-2699) ACLs, as well as named ACLs. The most common gotchas involve wildcard masks, the implicit deny all, and the order of entries.

Wildcard Masks: The Devil in the Details

A wildcard mask is a 32-bit number that tells the router which bits of an IP address to match (0 means must match, 1 means ignore). This is the opposite of a subnet mask, where 1s mark the network portion. For example, to match the subnet 192.168.1.0/24, you use 192.168.1.0 0.0.0.255. The zeros in the first three octets mean those bits must match exactly; the 255 in the last octet means ignore all eight bits. A common trap is using a subnet mask instead: 192.168.1.0 255.255.255.0 tells the router to ignore the first 24 bits (255 means ignore) and require only that the last octet be 0. IOS stores that entry as 0.0.0.0 255.255.255.0, and it matches 192.168.1.0, 10.5.5.0, 172.16.0.0 and every other address ending in .0, while failing to match 192.168.1.1 or anything else in the subnet you meant.

Another trap: matching a single host. You use host 10.1.1.1 which is equivalent to 10.1.1.1 0.0.0.0. But some candidates write 10.1.1.1 255.255.255.255 which would match any address (since all bits are ignored).

To match any address, use any or 0.0.0.0 255.255.255.255. The exam loves to test the difference between 0.0.0.0 0.0.0.0 (matches only 0.0.0.0) and 0.0.0.0 255.255.255.255 (matches any).
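Here is the matching rule as executable code, added to this page as an illustration and not taken from any Cisco tool; it uses only Python's standard library and a few made-up sample addresses. wildcard_match applies the bit rule above, normalize shows how IOS rewrites an entry whose address has bits set under a 'don't care' position (which is what happens when you type a subnet mask by mistake), and matching_hosts probes each entry against the sample list. The function names and the SAMPLE addresses are this example's own:

```python
"""Wildcard-mask matching the way Cisco IOS evaluates an ACL entry.

Added example, not code from the original page. Standard library only;
the sample addresses are constructed for illustration.
"""
import ipaddress

ALL_BITS = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 address or mask -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(ip: str, addr: str, wildcard: str) -> bool:
    """True when ip equals addr on every bit where the wildcard bit is 0.

    A 1 bit in the wildcard means 'don't care', so that position is
    masked out of the comparison (the opposite of a subnet mask).
    """
    i, a, w = to_int(ip), to_int(addr), to_int(wildcard)
    return ((i ^ a) & ~w & ALL_BITS) == 0


def normalize(addr: str, wildcard: str) -> str:
    """The entry as IOS stores it: address bits under a 'don't care' bit
    are zeroed, so 192.168.1.0 255.255.255.0 becomes 0.0.0.0 255.255.255.0
    and the subnet-mask mistake is visible in 'show access-lists'."""
    a, w = to_int(addr), to_int(wildcard)
    return f"{ipaddress.IPv4Address(a & ~w & ALL_BITS)} {wildcard}"


def matching_hosts(addr: str, wildcard: str, candidates: list) -> list:
    """Filter a list of addresses down to those the entry would match."""
    return [ip for ip in candidates if wildcard_match(ip, addr, wildcard)]


# Constructed probe addresses (not from the page).
SAMPLE = ["192.168.1.0", "192.168.1.77", "192.168.2.77", "10.5.5.0",
          "10.1.1.1", "10.1.1.2", "0.0.0.0"]

# Each entry from the text, correct and mistaken forms side by side.
ENTRIES = [
    ("192.168.1.0", "0.0.0.255"),       # the /24, written correctly
    ("192.168.1.0", "255.255.255.0"),   # subnet mask typed as a wildcard
    ("10.1.1.1", "0.0.0.0"),            # host 10.1.1.1
    ("10.1.1.1", "255.255.255.255"),    # mistake: every bit ignored
    ("0.0.0.0", "0.0.0.0"),             # only the address 0.0.0.0
    ("0.0.0.0", "255.255.255.255"),     # any
]

if __name__ == "__main__":
    for addr, wc in ENTRIES:
        print(f"{addr} {wc:<15} stored as {normalize(addr, wc):<27}"
              f" matches {matching_hosts(addr, wc, SAMPLE)}")
```

Run it and compare the stored form of each entry with what you intended: the subnet-mask entry is stored as 0.0.0.0 255.255.255.0 and matches only addresses ending in .0, the 255.255.255.255 'host' entry matches everything, and 0.0.0.0 0.0.0.0 matches nothing but 0.0.0.0 itself.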

Implicit Deny: The Silent Killer

Every ACL ends with an implicit deny any statement. This means if no explicit permit matches, the packet is dropped. Many candidates forget this and wonder why traffic stops after applying an ACL that only has permit statements for specific hosts. For example, an ACL that permits 10.1.1.1 and 10.1.1.2 will block all other traffic, including necessary routing protocols like OSPF (which uses multicast 224.0.0.5). Always add an explicit deny any log at the end to see what is being dropped.

Order of Entries: Sequence Matters

ACLs are processed top-down. Once a match is found, the packet is acted upon and no further entries are checked. This leads to two common mistakes:

Placing a specific permit after a broad deny, so the specific permit is never reached.

Placing a permit for a subset after a permit for a superset, making the subset entry useless.

For example, to allow only host 10.1.1.1 and deny all others, you must write:

access-list 1 permit host 10.1.1.1

But if you write:

access-list 1 deny any
access-list 1 permit host 10.1.1.1

the deny any will block everything, including 10.1.1.1, because it is checked first. The correct order is permit first, then the implicit deny takes care of the rest.
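The two ACLs above as a small simulator, added here as an illustration (not code from the page or from Cisco). It walks the entries top-down, stops at the first match, counts implicit denies separately, and flags entries that an earlier entry makes unreachable, which catches the 'permit for a subset after a permit for a superset' trap as well as the deny-any-first one. The Entry and StandardAcl names and the show() output format are this example's own:

```python
"""Top-down ACL evaluation: first match wins, then the implicit deny.

Added example, not code from the original page. It models the two
standard ACLs from the text (numbered 1) and reports match counters in
the style of 'show access-lists'. Addresses are the page's own examples.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List

ALL_BITS = 0xFFFFFFFF
ANY = ("0.0.0.0", "255.255.255.255")


def _ints(*dotted):
    return [int(ipaddress.IPv4Address(d)) for d in dotted]


def wildcard_match(ip, addr, wildcard):
    """ip equals addr on every bit where the wildcard bit is 0."""
    i, a, w = _ints(ip, addr, wildcard)
    return ((i ^ a) & ~w & ALL_BITS) == 0


def covers(outer, inner):
    """True if every address matched by 'inner' is also matched by 'outer':
    inner's don't-care bits must be don't-care in outer, and the two
    addresses must agree on outer's care bits."""
    a1, w1 = _ints(outer.addr, outer.wildcard)
    a2, w2 = _ints(inner.addr, inner.wildcard)
    return (w2 & ~w1 & ALL_BITS) == 0 and ((a1 ^ a2) & ~w1 & ALL_BITS) == 0


@dataclass
class Entry:
    seq: int
    action: str        # "permit" or "deny"
    addr: str
    wildcard: str
    matches: int = 0   # the "(N matches)" counter


@dataclass
class StandardAcl:
    number: int
    entries: List[Entry] = field(default_factory=list)
    implicit_denies: int = 0

    def add(self, action, addr, wildcard="0.0.0.0"):
        """Append like 'access-list N <action> ...'; sequence numbers 10, 20, ..."""
        self.entries.append(Entry(10 * (len(self.entries) + 1), action, addr, wildcard))
        return self

    def evaluate(self, src_ip):
        """Top-down: the first matching entry decides and later entries are
        never consulted. No match at all hits the implicit deny."""
        for e in self.entries:
            if wildcard_match(src_ip, e.addr, e.wildcard):
                e.matches += 1
                return e.action
        self.implicit_denies += 1
        return "deny"

    def shadowed(self):
        """Sequence numbers of entries that can never match because an
        earlier entry already covers every address they could match."""
        return [later.seq for i, later in enumerate(self.entries)
                if any(covers(earlier, later) for earlier in self.entries[:i])]

    def show(self):
        lines = [f"Standard IP access list {self.number}"]
        for e in self.entries:
            target = "any" if (e.addr, e.wildcard) == ANY else (
                e.addr if e.wildcard == "0.0.0.0" else f"{e.addr} {e.wildcard}")
            lines.append(f"    {e.seq} {e.action} {target} ({e.matches} matches)")
        return "\n".join(lines)


def correct_acl():
    """access-list 1 permit host 10.1.1.1   (implicit deny handles the rest)"""
    return StandardAcl(1).add("permit", "10.1.1.1")


def deny_first_acl():
    """access-list 1 deny any / access-list 1 permit host 10.1.1.1"""
    return StandardAcl(1).add("deny", *ANY).add("permit", "10.1.1.1")


if __name__ == "__main__":
    for acl in (correct_acl(), deny_first_acl()):
        verdicts = {ip: acl.evaluate(ip) for ip in ("10.1.1.1", "10.1.1.2")}
        print(verdicts, "shadowed entries:", acl.shadowed())
        print(acl.show())
```

In the deny-first list, entry 20 is reported as shadowed and its counter stays at zero no matter what you send, which is the same symptom you would see in show access-lists on a real router: a permit line whose match count never moves.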

Standard vs. Extended ACLs

Standard ACLs (1-99, 1300-1999) filter only on source IP address. They are typically placed as close to the destination as possible to avoid blocking traffic unnecessarily. Extended ACLs (100-199, 2000-2699) can filter on source/destination IP, protocol (TCP, UDP, ICMP, etc.), and port numbers. They should be placed as close to the source as possible to conserve bandwidth. A common exam trap: using a standard ACL where an extended one is needed (e.g., to filter specific traffic like Telnet from a particular source).

Verification Commands

To see configured ACLs:

show access-lists

Example output:

Standard IP access list 1
    10 permit 10.1.1.1 (4 matches)
    20 deny   any (12 matches)

Note the sequence numbers (10, 20). You can insert an entry between them by entering the ACL's configuration mode with ip access-list standard 1 and typing a line with an intermediate sequence number, such as 15 deny ...; it slots in between 10 and 20 without disturbing the other entries.

To see where ACLs are applied:

show ip interface GigabitEthernet0/0

Look for lines like:

Inbound access list is 1
  Outbound access list is not set

Interaction with Routing Protocols

An ACL referenced by a distribute-list filters the routes carried in routing updates; an ACL applied to an interface filters packets. The interaction that bites on the exam is the second kind. An inbound interface ACL is checked for every packet that arrives on the interface, including packets addressed to the router itself, so OSPF hellos (sent to 224.0.0.5 and 224.0.0.6) are dropped by the implicit deny unless an entry such as permit ospf any any lets them through. Outbound interface ACLs, by contrast, never filter packets the router itself originates, so they cannot block the router's own hellos. Always ensure that inbound ACLs permit the routing protocol traffic the interface depends on.

Common Wildcard Mask Calculations

Match a subnet /24: 0.0.0.255

Match a subnet /16: 0.0.255.255

Match a subnet /8: 0.255.255.255

Match a range of subnets: e.g., 192.168.0.0 0.0.3.255 matches 192.168.0.0/24 through 192.168.3.0/24 (block of 4 /24s).

To calculate the wildcard for a range, subtract the subnet mask from 255.255.255.255. For a /26 mask (255.255.255.192), wildcard = 0.0.0.63.

A tricky exam question: 'Which wildcard mask matches 10.1.1.0 through 10.1.1.255?' Answer: 0.0.0.255. Now change it to 'match 10.1.1.0 through 10.1.2.255.' It is tempting to answer 0.0.1.255 because the third octet 'varies by 1', but look at the bits: 1 = 00000001 and 2 = 00000010 differ in two positions, so a mask that lets the third octet be 1 or 2 must have both low bits set: 00000011 = 3, giving 0.0.3.255. That mask also lets the third octet be 0 or 3, so 10.1.1.0 0.0.3.255 is really 10.1.0.0 0.0.3.255 (IOS zeroes address bits that sit under a 1 in the wildcard) and matches 10.1.0.0 through 10.1.3.255, a /22, which is wider than the question asked. A single wildcard entry always matches an aligned power-of-two block. The range 10.1.1.0 through 10.1.2.255 is two /24s that do not line up as one /23, so it needs two entries: 10.1.1.0 0.0.0.255 and 10.1.2.0 0.0.0.255. The range 10.1.0.0 through 10.1.3.255, by contrast, is the single entry 10.1.0.0 0.0.3.255.
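The arithmetic above as code, added here as an illustration and not taken from the page or from any vendor tool. prefix_to_wildcard is the subtraction rule, matched_range shows what an entry with a mis-sized wildcard really covers after IOS zeroes the address bits under the 1s, and entries_for_range produces the minimum set of entries for an arbitrary range (it leans on Python's ipaddress.summarize_address_range, whose hostmask is exactly the wildcard). The function names are this example's own:

```python
"""Wildcard-mask arithmetic: prefix length to wildcard, the range an
(address, wildcard) pair really matches, and the minimum set of entries
needed to cover an arbitrary range.

Added example, not code from the original page. Standard library only.
"""
import ipaddress
from typing import List, Tuple

ALL_BITS = 0xFFFFFFFF


def prefix_to_wildcard(prefixlen: int) -> str:
    """255.255.255.255 minus the subnet mask, e.g. /26 -> 0.0.0.63."""
    subnet_mask = (ALL_BITS << (32 - prefixlen)) & ALL_BITS
    return str(ipaddress.IPv4Address(ALL_BITS ^ subnet_mask))


def matched_range(addr: str, wildcard: str) -> Tuple[str, str]:
    """First and last address an entry matches once IOS has zeroed the
    address bits under the wildcard's 1 bits. Only a contiguous wildcard
    (a run of 0s followed by a run of 1s) describes a single range."""
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:
        raise ValueError(f"{wildcard} is not contiguous; it matches scattered addresses")
    base = a & ~w & ALL_BITS
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(base | w))


def entries_for_range(first: str, last: str) -> List[Tuple[str, str]]:
    """Smallest list of (address, wildcard) entries covering first..last
    inclusive. Each entry is an aligned power-of-two block, the same split
    summarize_address_range performs for CIDR; the network's hostmask is
    the wildcard."""
    nets = ipaddress.summarize_address_range(ipaddress.IPv4Address(first),
                                             ipaddress.IPv4Address(last))
    return [(str(n.network_address), str(n.hostmask)) for n in nets]


if __name__ == "__main__":
    for plen in (8, 16, 24, 26):
        print(f"/{plen} -> {prefix_to_wildcard(plen)}")
    print("10.1.1.0 0.0.3.255 really matches", matched_range("10.1.1.0", "0.0.3.255"))
    print("10.1.1.0-10.1.2.255 needs", entries_for_range("10.1.1.0", "10.1.2.255"))
    print("10.1.0.0-10.1.3.255 needs", entries_for_range("10.1.0.0", "10.1.3.255"))
    print("192.168.0.0-192.168.3.255 needs", entries_for_range("192.168.0.0", "192.168.3.255"))
```

matched_range refuses non-contiguous wildcards such as 0.255.0.255 on purpose: IOS accepts them, and they match a scattered set of addresses rather than a range, which is almost never what an exam question or a change ticket intends.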

Walk-Through

1

Identify the traffic to filter

Determine exactly what traffic you need to permit or deny. Specify the source IP, destination IP, protocol (TCP, UDP, ICMP), and port numbers. For example, to allow HTTP traffic from the 192.168.1.0/24 network to a web server at 10.1.1.1, you need an extended ACL. Write down the parameters: source = 192.168.1.0/24, destination = 10.1.1.1, protocol = TCP, destination port = 80.

2

Choose the correct ACL type

Decide between standard and extended. Use standard (1-99) if filtering only on source IP. Use extended (100-199) if you need to filter on source/destination IP, protocol, or port. For the HTTP example, you need an extended ACL. Also decide between numbered and named. Named ACLs allow easier editing with sequence numbers. On the exam, you may be asked to choose the correct type for a given scenario.

3

Configure the ACL with correct wildcard mask

Enter global configuration mode and create the ACL. For the HTTP example:

ip access-list extended ALLOW_HTTP
 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.1 eq 80

Note: host 10.1.1.1 is equivalent to 10.1.1.1 0.0.0.0. Do not use a subnet mask. Also, remember the implicit deny at the end. To log denied traffic, add an explicit final entry:

 deny ip any any log

This is optional: the implicit deny drops the traffic either way, but without the explicit entry you get no log messages and no match counter for the dropped packets.

4

Apply the ACL to the correct interface and direction

Use the ip access-group command under the interface. For inbound filtering (traffic coming into the interface), use ip access-group ALLOW_HTTP in. For outbound, use out. Place extended ACLs close to the source to filter early. For the HTTP example, apply inbound on the interface facing the 192.168.1.0/24 network:

interface GigabitEthernet0/0
 ip access-group ALLOW_HTTP in

Verify with show ip interface GigabitEthernet0/0.

5

Verify the ACL with show commands

Use show access-lists to see the ACL entries and match counts. Example:

show access-lists ALLOW_HTTP
Extended IP access list ALLOW_HTTP
    10 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.1 eq 80 (12 matches)

If matches are zero, check whether the ACL is applied to the right interface and direction, or whether the traffic is matching a different entry. Also use show ip interface to confirm application. For troubleshooting, debug ip packet can show packets the ACL drops, but it reports only process-switched packets and can overwhelm the CPU, so be cautious in production.

6

Test and adjust the ACL

Generate traffic from a source in the permitted range to the web server. Use ping or telnet to test. If the traffic is blocked, check the ACL order. For example, if you have a deny statement before the permit, reorder using sequence numbers: in a named ACL you can delete an entry with no 10 and add a new one with a lower sequence number. Also, ensure that no other ACLs on the router are interfering. Finally, remember that outbound ACLs do not filter traffic the router itself originates (its own pings, OSPF hellos, SSH replies), so a test sourced from the router is not a valid test of an outbound ACL; inbound ACLs, by contrast, do filter packets addressed to the router.

What This Looks Like on the Job

In a typical enterprise, ACLs are used to segment network access, protect server farms, and enforce security policies. One common scenario is restricting management access to network devices. For example, a network engineer might configure an ACL on the VTY lines to allow SSH only from a specific management subnet (10.10.10.0/24):

access-list 10 permit 10.10.10.0 0.0.0.255
line vty 0 4
 access-class 10 in

A common mistake here is using access-group instead of access-class on VTY lines. Another scenario is protecting a web server farm. An extended ACL might permit HTTP/HTTPS from the internet to the server's public IP, but deny all other traffic. The ACL is applied inbound on the outside interface. However, a per-packet ACL has no connection state, so the reverse direction of each session needs its own permit as well: either a reflexive ACL or the established keyword for TCP. For example, with the server at 10.1.1.1:

 permit tcp any host 10.1.1.1 eq 80
 permit tcp host 10.1.1.1 any established

The first entry belongs in the ACL applied inbound on the outside interface. The second entry matches the server's own replies (source 10.1.1.1, ACK or RST set), so it belongs in the ACL that filters the return direction, for example inbound on the server-facing interface.

The established keyword matches TCP packets with the ACK or RST bit set, indicating an established session. But this is a security risk because an attacker can set the ACK bit. Modern practice uses stateful firewalls, but the exam still tests established.
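An extended-ACL evaluator, added here as an illustration (not code from the page or from Cisco), that shows why established is not stateful. It parses only the entry forms this page uses (any, host X, address plus wildcard, eq port, established), loads the two server-farm entries as an inbound ACL, and sends four constructed probe packets through it. The source address 203.0.113.9, the Packet and ExtEntry names, and the probe set are this example's own:

```python
"""Extended ACL matching with protocol, port and 'established', and why
'established' is not stateful.

Added example, not code from the original page. The parser accepts only
the IOS entry forms this page uses; probe packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_BITS = 0xFFFFFFFF
AddrSpec = Tuple[str, str]   # (address, wildcard)


def wildcard_match(ip: str, spec: AddrSpec) -> bool:
    i, a, w = (int(ipaddress.IPv4Address(x)) for x in (ip, *spec))
    return ((i ^ a) & ~w & ALL_BITS) == 0


@dataclass
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    flags: frozenset = frozenset()    # TCP flags, e.g. {"SYN"} or {"ACK"}


@dataclass
class ExtEntry:
    action: str
    proto: str                        # "ip" matches every protocol
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int] = None
    established: bool = False
    hits: int = 0

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not (wildcard_match(p.src, self.src) and wildcard_match(p.dst, self.dst)):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        # 'established' only looks for the ACK or RST flag; there is no
        # connection table, so any packet carrying those flags qualifies.
        if self.established and not (p.proto == "tcp" and p.flags & {"ACK", "RST"}):
            return False
        return True


def _addr_spec(tok: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume 'any', 'host X' or 'A W' starting at tok[i]."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def parse_entry(line: str) -> ExtEntry:
    """Parse e.g. 'permit tcp any host 10.1.1.1 eq 80'."""
    tok = line.split()
    src, i = _addr_spec(tok, 2)
    dst, i = _addr_spec(tok, i)
    entry = ExtEntry(tok[0], tok[1], src, dst)
    while i < len(tok):
        if tok[i] == "eq":
            entry.dport, i = int(tok[i + 1]), i + 2
        elif tok[i] == "established":
            entry.established, i = True, i + 1
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r}")
    return entry


def evaluate(acl: List[ExtEntry], p: Packet) -> str:
    """First match wins; falling off the end is the implicit deny ip any any."""
    for e in acl:
        if e.matches(p):
            e.hits += 1
            return e.action
    return "deny"


# The page's server-farm entries, as an ACL applied inbound on the outside interface.
OUTSIDE_IN = [parse_entry("permit tcp any host 10.1.1.1 eq 80"),
              parse_entry("permit tcp any host 10.1.1.1 established")]

# Constructed probes: legitimate HTTP, a blocked SSH attempt, the same SSH
# port probed with only the ACK bit set (what an ACK scan sends), and UDP.
PROBES = {
    "http_syn": Packet("tcp", "203.0.113.9", "10.1.1.1", 80, frozenset({"SYN"})),
    "ssh_syn":  Packet("tcp", "203.0.113.9", "10.1.1.1", 22, frozenset({"SYN"})),
    "ssh_ack":  Packet("tcp", "203.0.113.9", "10.1.1.1", 22, frozenset({"ACK"})),
    "udp_80":   Packet("udp", "203.0.113.9", "10.1.1.1", 80),
}


def run_probes(acl: List[ExtEntry] = OUTSIDE_IN) -> dict:
    return {name: evaluate(acl, pkt) for name, pkt in PROBES.items()}


if __name__ == "__main__":
    for name, verdict in run_probes().items():
        print(f"{name:<9} {verdict}")
```

The third probe is the point: an SSH packet to port 22 carrying only the ACK flag passes the established entry even though no connection exists, which is exactly what an ACK scan sends. Only a stateful firewall that tracks the handshake closes that gap.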

Performance considerations: ACLs are processed in hardware on modern switches (Cisco Catalyst 9000 series) using TCAM, so they have minimal impact. On older routers, a long ACL can increase CPU load. Always place the most specific and most frequently matched entries at the top to optimize performance.

Misconfiguration consequences: A missing permit for routing protocol traffic can cause OSPF neighbors to drop, leading to network outages. Overlooking the implicit deny is the usual reason an ACL breaks traffic nobody meant to block, and the common over-correction is to add permit ip any any at the end, which restores connectivity by turning the ACL into a pass-through for everything it does not explicitly deny and defeats the security purpose. Instead, permit exactly what is needed and end with an explicit deny ip any any log so that denied traffic shows up in the logs and match counters.

How CCNA 200-301 Actually Tests This

The CCNA 200-301 exam tests ACLs under objective 5.6 'Configure and verify ACLs.' Expect scenario-based questions where you must choose the correct ACL configuration or identify a misconfiguration. The most common wrong answers involve:

1.

Using a subnet mask instead of a wildcard mask. Candidates see 255.255.255.0 and think it matches a /24, but in the wildcard position it means 'ignore the first three octets, match only the last', so 192.168.1.0 255.255.255.0 matches every address ending in .0 and nothing else in 192.168.1.0/24. The correct wildcard for a /24 is 0.0.0.255.

2.

Misordering entries. A 'deny any' before a specific permit will block everything. The exam may show an ACL with a deny any at the top and ask why traffic is blocked. Remember: order matters.

3.

Applying an ACL in the wrong direction. For example, applying an ACL that filters source addresses outbound instead of inbound. The direction is relative to the interface: 'in' means traffic entering the router through that interface.

4.

Forgetting the implicit deny. A question might show an ACL that permits only host 10.1.1.1 and then asks what happens to traffic from 10.1.1.2. The answer is 'denied' due to implicit deny.

5.

Confusing standard and extended ACL placement. Standard ACLs should be placed close to the destination, extended close to the source. The exam may ask where to place an ACL to minimize unnecessary traffic.

Decision rule for scenario questions: First, identify the traffic to filter (source, destination, protocol, port). Then determine if you need a standard or extended ACL. Write the ACL with correct wildcard masks. Apply it to the correct interface and direction. Finally, check for any conflicting entries or implicit deny. For troubleshooting, use show access-lists to see match counts and show ip interface to verify application.

Key Takeaways

Wildcard mask: 0 = match, 1 = ignore. Opposite of subnet mask.

Implicit deny any at the end of every ACL. Always add explicit permit for needed traffic.

ACL entries are processed top-down; first match wins. Place specific entries before broad ones.

Standard ACLs (1-99) filter on source IP only; extended (100-199) filter on source, destination, protocol, and port.

Apply standard ACLs close to destination, extended ACLs close to source.

Use 'host' keyword for single IP: equivalent to 0.0.0.0 wildcard.

Use 'any' keyword for all IPs: equivalent to 0.0.0.0 255.255.255.255.

For VTY access, use 'access-class' not 'access-group'.

Verify ACLs with 'show access-lists' and 'show ip interface'.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Standard ACL

Numbered 1-99 or 1300-1999

Filters only on source IP address

Placed close to destination to avoid blocking unintended traffic

Simpler configuration, less granular

Example: access-list 10 permit 192.168.1.0 0.0.0.255

Extended ACL

Numbered 100-199 or 2000-2699, or named

Filters on source/destination IP, protocol, and port

Placed close to source to filter traffic early

More complex, but provides granular control

Example: access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.1 eq 80

Watch Out for These

Mistake

Wildcard mask 0.0.0.255 matches the same as subnet mask 255.255.255.0.

Correct

Wildcard 0.0.0.255 means match the first 24 bits exactly and ignore the last 8. Subnet mask 255.255.255.0 defines network and host bits and is not what an ACL expects. Type it in the wildcard position and the meaning inverts: 192.168.1.0 255.255.255.0 ignores the first three octets and matches every address ending in .0, not the 192.168.1.0/24 subnet.

Candidates confuse the two because both are dotted decimal, but they have opposite meanings.

Mistake

The order of ACL entries doesn't matter because the router will find the best match.

Correct

ACLs are sequential; the first matching entry is applied. If a deny any is placed before a permit, the permit is never reached. Order is critical.

Candidates think of routing tables where longest match wins, but ACLs don't work that way.

Mistake

An ACL with only permit statements will allow all traffic because there is no deny.

Correct

Every ACL has an implicit deny any at the end. Only traffic matching an explicit permit is allowed; all else is denied.

Candidates forget the implicit deny, especially when they see an ACL that permits some hosts and assume others are allowed by default.

Mistake

Standard ACLs can filter on destination IP if you use the 'destination' keyword.

Correct

Standard ACLs only filter on source IP address. There is no destination keyword. To filter on destination, you must use an extended ACL.

Candidates see 'access-list 10 deny host 10.1.1.1' and think it denies traffic to 10.1.1.1, but it denies traffic from that source.


Frequently Asked Questions

What is the difference between a subnet mask and a wildcard mask?

A subnet mask uses 1s to indicate the network portion and 0s for the host portion. A wildcard mask is the inverse: 0 means the corresponding bit must match exactly, and 1 means ignore that bit. For example, subnet mask 255.255.255.0 has 24 ones and 8 zeros; its wildcard equivalent is 0.0.0.255 (24 zeros, 8 ones). On the CCNA exam, never use a subnet mask in an ACL; always use the correct wildcard mask. A common trap is writing 'access-list 10 permit 192.168.1.0 255.255.255.0', which tells the router to ignore the first 24 bits and require only that the last octet be 0. IOS stores it as 0.0.0.0 255.255.255.0, and it matches 192.168.1.0, 10.0.0.0, 172.16.5.0 and every other address ending in .0 while rejecting 192.168.1.1: a very specific and very wrong entry.

Can I edit an ACL without removing and reapplying it?

Yes. Enter the ACL's configuration mode with 'ip access-list extended MY_ACL' (on current IOS this works for numbered ACLs too, for example 'ip access-list standard 1') and add entries with explicit sequence numbers such as '15 deny ...', which slots in between 10 and 20. Delete a single entry with 'no 15'. What you cannot do is edit line by line with the old 'access-list' command: 'no access-list 100' removes the whole list, and on many IOS versions so does 'no access-list 100 deny ...', a classic way to wipe an ACL while trying to remove one line. For the exam, know that named ACLs (and numbered ACLs edited in ip access-list mode) support sequence numbers for easier editing.

Why is my ACL blocking OSPF neighbor formation?

OSPF sends hellos from the interface's own address to the multicast addresses 224.0.0.5 (all OSPF routers) and 224.0.0.6 (designated routers). An inbound interface ACL is checked for every arriving packet, including those addressed to the router itself, so an ACL that does not explicitly permit this traffic drops the hellos through the implicit deny and the neighbor relationship never forms (or times out once the ACL is applied). A standard ACL matches only the source address, so it cannot name 224.0.0.5; it blocks hellos either through the implicit deny or by denying the neighbor's interface address. To fix it in an extended ACL, add 'permit ospf any any' (or 'permit ospf any host 224.0.0.5' and 'permit ospf any host 224.0.0.6') above any entry that would otherwise deny the neighbor; in a standard ACL, permit the neighbor's address. Outbound ACLs do not filter the router's own hellos.

What does the 'established' keyword do in an ACL?

The 'established' keyword is used with TCP to match packets that are part of an established connection. It matches TCP packets with the ACK (Acknowledge) or RST (Reset) bit set. This allows return traffic for sessions initiated from inside a network. For example, 'permit tcp any host 10.1.1.1 established' allows TCP packets from any source to 10.1.1.1 only if they have the ACK bit set, indicating they are responses to connections initiated by 10.1.1.1. However, this is not a secure stateful filtering because an attacker can set the ACK bit. On the exam, know that 'established' is a simple mechanism for reflexive-like behavior but is not stateful.

How do I log denied traffic in an ACL?

Add the 'log' keyword at the end of an entry. For example, 'deny ip any any log' logs every packet that hits that entry. The messages go to the console, the logging buffer or a syslog server depending on the logging configuration, and IOS summarizes repeated hits rather than logging every single packet. 'deny ip any any log-input' also records the input interface and, on Ethernet, the source MAC address, which helps when tracing spoofed sources. 'log' works on permit entries as well as deny entries; logging only the denies is a common choice, not a limitation. One caveat: logged packets are handled by the CPU on many platforms, so do not put 'log' on high-volume entries. On the exam, you may be asked to identify which ACL entry generates log messages.

Can I apply multiple ACLs to the same interface?

You can apply only one ACL per protocol, per direction, per interface: one inbound and one outbound IPv4 ACL on a given interface. If you need to filter several kinds of traffic in one direction, combine them into a single ACL with multiple entries. If you enter 'ip access-group' with a second ACL in the same direction, IOS replaces the first binding with the second rather than stacking them, which is an easy way to silently drop a filter you meant to keep. On the exam, a scenario that shows two ACLs applied in the same direction on one interface is a misconfiguration: only the last one applied is in effect.

What is the difference between applying an ACL with 'ip access-group' and 'access-class'?

'ip access-group' is used on interfaces to filter IP traffic passing through the router. 'access-class' is used on VTY (virtual terminal) lines to filter incoming Telnet/SSH connections to the router itself. For example, to allow only management hosts to SSH to the router, you create a standard ACL and apply it with 'access-class 10 in' under line vty 0 4. Many candidates confuse the two and use 'ip access-group' on VTY lines, which does not work.
