CCNA 200-301 | Chapter 89 of 260 | Objective 5.6

Named ACLs

Named ACLs give you the power to control traffic with names instead of numbers, making your configurations readable and maintainable. On the CCNA 200-301 exam (Objective 5.6), you must understand how to configure, edit, and apply both standard and extended named ACLs. In real networks, named ACLs are the standard because they allow you to insert, delete, and reorder entries without rewriting the entire list—a critical feature for dynamic environments.

25 min read
Intermediate
Updated May 31, 2026

The Bouncer with a Guest List

Imagine you're the head of security at a high-end club. You have a guest list—a numbered list (numbered ACL) where each line is a rule. If you need to add a VIP between lines 5 and 6, you'd have to rewrite the entire list from scratch. That's a numbered ACL. Now, instead of a numbered list, you have a clipboard with a named guest list called 'VIPs'. You can write 'VIPs' at the top, then list names. If you need to insert a new VIP between 'Alice' and 'Bob', you simply write 'Charlie' on a new line and tape it in—no need to recopy the whole list. That's a named ACL. The club also has different policies for different entrances: one for the main door (inbound) and one for the fire exit (outbound). With named ACLs, you can label each policy descriptively, like 'MainDoorRules' and 'FireExitRules', making it easy for the next security shift to understand. Plus, if you need to remove 'Charlie' later, you just cross him out—you don't have to renumber the list. Named ACLs give you that flexibility: you can edit individual entries by sequence number, which is a huge win in production. The bouncer (the router) checks each person (packet) against the list in order, and the first match wins—just like a real bouncer following the list from top to bottom.

How It Actually Works

What Are Named ACLs and Why Do They Exist?

Named ACLs are access control lists that use an alphanumeric name instead of a number (1-99 for standard, 100-199 for extended). They were introduced in Cisco IOS to overcome the limitations of numbered ACLs. With numbered ACLs, you cannot delete a single line; you must delete the entire ACL and re-enter it. Named ACLs allow you to add, delete, or reorder individual entries using sequence numbers. This makes them far more practical in production environments where ACLs evolve over time.

Named ACLs come in two flavors: standard and extended. Standard named ACLs filter based on source IP address only. Extended named ACLs filter based on source/destination IP, protocol, and port numbers. The syntax is similar to numbered ACLs, but you use the ip access-list command to create or edit the ACL.

How Named ACLs Work at the Packet Level

When a packet arrives on an interface where an ACL is applied, the router examines the packet against the ACL entries in order from top to bottom (lowest sequence number to highest). Each entry has an implicit sequence number (starting at 10, incrementing by 10) unless you specify one. The first match determines the action—permit or deny. If no match is found, the implicit deny any at the end drops the packet.

Named ACLs support two modes: standard and extended. Standard named ACLs check only the source IP address. Extended named ACLs check source/destination IP, protocol (e.g., TCP, UDP, ICMP), and port numbers. The router uses the same logic as numbered ACLs: it checks layer 3 and layer 4 headers.
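To make the top-to-bottom, first-match, implicit-deny behaviour described above concrete, here is an added Python model written for this chapter (it is not code from the original page and not Cisco IOS itself). It parses entries in the form typed under `ip access-list`, standard or extended, and evaluates constructed sample packets against the chapter's BLOCK_HR and WEB_ONLY lists plus a permit-only list that falls through to the implicit deny. The packet dictionaries, the 203.0.113.10 destination (a documentation address) and the helper names (`wildcard_match`, `parse_entry`, `evaluate`, `build`) are all assumptions of the example.

```python
"""Added example, not code from the original page: a small model of how a
router walks a named ACL for one packet. Entries are checked in sequence
order, the first match decides, and a packet that matches nothing hits the
implicit 'deny any'. Entry text uses the IOS form shown in the chapter
('permit tcp 192.168.1.0 0.0.0.255 any eq 80', 'deny 10.1.1.0 0.0.0.255');
the packets at the bottom are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

PROTOCOLS = ("ip", "tcp", "udp", "icmp")


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match the network, a 1 bit is ignored."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    fixed = ~w & 0xFFFFFFFF
    return (a & fixed) == (n & fixed)


@dataclass
class Entry:
    seq: int
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every IP protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int] = None  # 'eq <port>' on the destination; None = any
    hits: int = 0                   # like the match counter in show ip access-list

    def matches(self, pkt: Dict[str, object]) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return (wildcard_match(pkt["src"], self.src, self.src_wc)
                and wildcard_match(pkt["dst"], self.dst, self.dst_wc))


def _take_addr(tokens: List[str]) -> Tuple[str, str]:
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    return tok, tokens.pop(0)


def parse_entry(seq: int, line: str) -> Entry:
    """Parse a standard ('deny 10.1.1.0 0.0.0.255') or extended
    ('permit tcp <src> <dst> [eq <port>]') entry as typed under ip access-list."""
    tokens = line.split()
    action = tokens.pop(0)
    if tokens[0] in PROTOCOLS:                 # extended: protocol, source, destination
        proto = tokens.pop(0)
        src, src_wc = _take_addr(tokens)
        dst, dst_wc = _take_addr(tokens)
    else:                                      # standard: source only
        proto = "ip"
        src, src_wc = _take_addr(tokens)
        dst, dst_wc = "0.0.0.0", "255.255.255.255"
    port = int(tokens[1]) if tokens[:1] == ["eq"] else None
    return Entry(seq, action, proto, src, src_wc, dst, dst_wc, port)


def evaluate(acl: List[Entry], pkt: Dict[str, object]) -> Tuple[str, Optional[int]]:
    """Return (action, sequence) of the first matching entry, lowest sequence
    first. ("deny", None) means the implicit deny at the end dropped the packet."""
    for entry in sorted(acl, key=lambda e: e.seq):
        if entry.matches(pkt):
            entry.hits += 1
            return entry.action, entry.seq
    return "deny", None


def build(*lines: str) -> List[Entry]:
    """Number entries 10, 20, 30, ... as the router does when no sequence is given."""
    return [parse_entry(10 * (i + 1), line) for i, line in enumerate(lines)]


# The two ACLs from the chapter.
BLOCK_HR = build("deny 10.1.1.0 0.0.0.255", "permit any")
WEB_ONLY = build("permit tcp 192.168.1.0 0.0.0.255 any eq 80",
                 "permit tcp 192.168.1.0 0.0.0.255 any eq 443",
                 "deny ip any any")
# Permit statements only: anything else falls through to the implicit deny.
PERMIT_ONLY = build("permit tcp 192.168.1.0 0.0.0.255 any eq 80")

if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.10 is a documentation address.
    web = {"proto": "tcp", "src": "192.168.1.25", "dst": "203.0.113.10", "dport": 443}
    ssh = {"proto": "tcp", "src": "192.168.1.25", "dst": "203.0.113.10", "dport": 22}
    hr = {"proto": "icmp", "src": "10.1.1.7", "dst": "10.2.2.100"}
    print(evaluate(WEB_ONLY, web))       # ('permit', 20)
    print(evaluate(WEB_ONLY, ssh))       # ('deny', 30)   explicit deny ip any any
    print(evaluate(PERMIT_ONLY, ssh))    # ('deny', None) implicit deny
    print(evaluate(BLOCK_HR, hr))        # ('deny', 10)
```

The `hits` counter on each entry behaves like the match counter in `show ip access-list`: if the count on the entry you expected never moves while traffic is flowing, the packet is matching something earlier or falling through to the implicit deny, which is the check step 5 of the walk-through relies on.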

Key Features: Sequence Numbers and Editing

The magic of named ACLs is sequence numbers. Each entry gets a sequence number (1-2147483647). By default, the first entry gets 10, the next 20, etc. You can specify a sequence number when configuring, allowing you to insert entries anywhere. To delete a single entry, use no <sequence> under the ACL configuration mode. To reorder, you can resequence the entire ACL using ip access-list resequence <name> <start> <increment>.

IOS CLI Configuration and Verification

To create a standard named ACL:

R1(config)# ip access-list standard BLOCK_HR
R1(config-std-nacl)# deny 10.1.1.0 0.0.0.255
R1(config-std-nacl)# permit any
R1(config-std-nacl)# exit
R1(config)# interface gigabitethernet0/0
R1(config-if)# ip access-group BLOCK_HR in

To create an extended named ACL:

R1(config)# ip access-list extended WEB_ONLY
R1(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq 80
R1(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq 443
R1(config-ext-nacl)# deny ip any any
R1(config-ext-nacl)# exit
R1(config)# interface gigabitethernet0/1
R1(config-if)# ip access-group WEB_ONLY out

To verify:

R1# show ip access-list
Standard IP access list BLOCK_HR
    10 deny   10.1.1.0, wildcard bits 0.0.0.255
    20 permit any
Extended IP access list WEB_ONLY
    10 permit tcp 192.168.1.0 0.0.0.255 any eq www
    20 permit tcp 192.168.1.0 0.0.0.255 any eq 443
    30 deny ip any any

To delete a specific entry:

R1(config)# ip access-list extended WEB_ONLY
R1(config-ext-nacl)# no 20

To insert an entry between existing ones, specify a sequence number:

R1(config-ext-nacl)# 15 permit tcp 192.168.1.0 0.0.0.255 any eq 22

Interaction with Other Features

Named ACLs can be used with ip access-group on interfaces, with vty lines for SSH/telnet access control, and with route maps for policy-based routing. They work identically to numbered ACLs in terms of processing order and implicit deny. The only difference is the naming and sequence number editing.

Defaults and Limits

By default, the first entry gets sequence 10, then 20, 30, etc.

Maximum number of ACL entries is hardware-dependent but typically thousands.

Implicit deny any is always present at the end.

Named ACLs support both IPv4 and IPv6 (using ipv6 access-list).

Walk-Through

Step 1: Plan the ACL purpose and direction

Before configuring, decide what traffic you want to permit or deny. For standard ACLs, place them as close to the destination as possible because they only check source IP. For extended ACLs, place them as close to the source as possible to filter traffic early. Determine the interface and direction (in or out). For example, to block HR subnet from accessing servers, apply a standard ACL inbound on the server-facing interface.

Step 2: Create the named ACL

Use the global command `ip access-list standard <name>` or `ip access-list extended <name>`. This enters ACL configuration mode. For standard, use `deny` or `permit` followed by source IP and wildcard. For extended, specify protocol, source, destination, and optional ports. Example: `ip access-list extended BLOCK_SMTP` then `deny tcp any any eq 25`.

Step 3: Add entries with optional sequence numbers

By default, entries get sequence numbers in increments of 10. To insert an entry between existing ones, specify a sequence number. For example, `15 permit ip any any` inserts as sequence 15. This allows reordering without deleting the entire list. If you omit the sequence number, the router assigns the next multiple of 10.

Step 4: Apply the ACL to an interface

Enter interface configuration mode (`interface <type> <number>`). Use `ip access-group <name> <in|out>` to apply the ACL. Only one ACL per direction per interface is allowed. Verify with `show ip access-group` and `show ip interface <interface>`.

Step 5: Verify and test the ACL

Use `show ip access-list <name>` to see all entries with sequence numbers and match counts. Use `show ip interface <interface>` to confirm the ACL is applied. Test by generating traffic from a source and checking if it's permitted or denied. The match count increments on the matching entry. If it doesn't, the implicit deny may be dropping traffic.

Step 6: Edit the ACL by adding or removing entries

To remove a single entry, enter ACL configuration mode and use `no <sequence>`. To add a new entry, specify a sequence number or let the router assign one. To resequence, use `ip access-list resequence <name> <start> <increment>`. For example, `ip access-list resequence BLOCK_SMTP 10 10` resets all sequences to 10, 20, 30, ...
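The sequence-number editing described in the "Key Features" section and replayed in steps 3 and 6 above (insert with `<seq> <rule>`, delete with `no <seq>`, renumber with `ip access-list resequence`) can be modelled in a few lines. The following is an added Python example written for this chapter, not code from the original page or from Cisco IOS; it stores rule text as typed and does not interpret it. One assumption the model makes: a rule entered without a sequence number receives the highest existing number plus 10, which yields 10, 20, 30 on a fresh list. The `NamedAcl` class and the `build_web_only` / `edit_web_only` helpers are names invented for the example.

```python
"""Added example, not code from the original page: a model of the editing that
sequence numbers make possible under 'ip access-list', covering the
'<seq> <rule>' insert, 'no <seq>' delete and 'ip access-list resequence'
commands from the chapter. Assumption made by the model: a rule entered
without a sequence number gets the highest existing number plus 10 (10, 20,
30, ... on a fresh list). Rule text is stored as typed and not interpreted."""
from typing import Dict, List, Optional

MAX_SEQ = 2_147_483_647   # top of the sequence-number range given in the chapter


class NamedAcl:
    def __init__(self, name: str, kind: str = "extended") -> None:
        self.name = name
        self.kind = kind                    # "standard" or "extended"
        self.entries: Dict[int, str] = {}   # sequence number -> rule text

    def add(self, rule: str, seq: Optional[int] = None) -> int:
        """'<seq> <rule>' inserts at that position; a bare rule is appended.
        Returns the sequence number the entry received."""
        if seq is None:
            seq = max(self.entries) + 10 if self.entries else 10
        if not 1 <= seq <= MAX_SEQ:
            raise ValueError(f"sequence {seq} outside 1-{MAX_SEQ}")
        if seq in self.entries:
            raise ValueError(f"{self.name}: sequence {seq} already in use")
        self.entries[seq] = rule
        return seq

    def remove(self, seq: int) -> str:
        """'no <seq>' under ACL configuration mode; returns the removed rule."""
        if seq not in self.entries:
            raise KeyError(f"{self.name}: no entry with sequence {seq}")
        return self.entries.pop(seq)

    def resequence(self, start: int = 10, increment: int = 10) -> None:
        """'ip access-list resequence <name> <start> <increment>': renumber every
        entry, keeping the evaluation order, without touching the rules."""
        if start < 1 or increment < 1:
            raise ValueError("start and increment must be positive")
        ordered = [self.entries[s] for s in sorted(self.entries)]
        if ordered and start + increment * (len(ordered) - 1) > MAX_SEQ:
            raise ValueError("resequence would exceed the maximum sequence number")
        self.entries = {start + i * increment: r for i, r in enumerate(ordered)}

    def show(self) -> List[str]:
        """Entries in evaluation order, lowest sequence first."""
        return [f"{s} {self.entries[s]}" for s in sorted(self.entries)]


def build_web_only() -> NamedAcl:
    """The WEB_ONLY ACL from the chapter, entered without sequence numbers."""
    acl = NamedAcl("WEB_ONLY")
    for rule in ("permit tcp 192.168.1.0 0.0.0.255 any eq 80",
                 "permit tcp 192.168.1.0 0.0.0.255 any eq 443",
                 "deny ip any any"):
        acl.add(rule)
    return acl


def edit_web_only() -> NamedAcl:
    """Replay the chapter's edit: 'no 20', then '15 permit ... eq 22', then
    resequence to 10, 20, 30 so the list is evenly spaced again."""
    acl = build_web_only()
    acl.remove(20)
    acl.add("permit tcp 192.168.1.0 0.0.0.255 any eq 22", seq=15)
    acl.resequence(10, 10)
    return acl


if __name__ == "__main__":
    print("\n".join(edit_web_only().show()))
```

Note that `remove` and `add` change the list in place while the ACL stays bound to its interface, which is the point made in the "What This Looks Like on the Job" section: the edit never leaves a window with no filtering. The duplicate-sequence and overflow checks mirror the errors a router would report for the same mistakes.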

What This Looks Like on the Job

In a typical enterprise network, named ACLs are used to enforce security policies between departments. For example, the HR subnet (10.1.1.0/24) should not access the finance server (10.2.2.100). A network engineer would create a standard named ACL 'BLOCK_HR_TO_FINANCE' with a deny statement for 10.1.1.0/24 and a permit any, then apply it inbound on the finance server's interface. This is more readable than a numbered ACL like '10'.

Another scenario: A company wants to allow only web traffic (HTTP/HTTPS) from the internal network to the DMZ web servers. The engineer creates an extended named ACL 'WEB_ACCESS' with permit statements for TCP ports 80 and 443 from the internal subnet to the DMZ subnet, and a deny ip any any at the end. Applied outbound on the DMZ interface, this ensures only web traffic leaves the internal network toward the DMZ.

Performance considerations: ACLs are processed in hardware on most modern switches and routers, but large ACLs (thousands of entries) can impact forwarding performance. Named ACLs do not inherently add overhead compared to numbered ACLs.

Misconfiguration: A common mistake is forgetting the implicit deny. If you only configure permit statements, all other traffic is denied. Another mistake is applying a standard ACL in the wrong direction or too far from the source, causing unintended filtering. For example, applying a standard ACL inbound on a router that connects to multiple subnets could block traffic from unintended sources.

In production, named ACLs are preferred because they can be edited without disrupting traffic. If a rule needs to be added, you simply insert a new sequence number. With numbered ACLs, you'd have to remove and reapply the entire ACL, causing a brief window of no filtering.
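The misconfiguration paragraph above and the first-match rule together imply a check worth running on any ACL before it goes on an interface: an entry that sits below a broader entry can never be reached, and a catch-all entry anywhere in the list makes the implicit deny irrelevant for everything after it. The following added Python lint pass (written for this chapter, not code from the original page or from Cisco IOS) finds both conditions using wildcard-mask containment rather than packet-by-packet testing. Entries are given as structured values instead of CLI text; the MESSY list is constructed to show the problem, WEB_ONLY is the ACL from the chapter, and the names `covers`, `shadowed_entries`, `catch_all_seq`, `ANY`, `host` and `INTERNAL` are assumptions of the example.

```python
"""Added example, not code from the original page: a lint pass over a named
ACL that flags entries the router can never reach because an earlier entry
already matches every packet they describe, and reports which entry makes the
implicit 'deny any' unreachable. Entries are given as structured values
rather than CLI text; the MESSY ACL below is constructed to show the
problem, while WEB_ONLY is the ACL from the chapter."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

Addr = Tuple[str, str]                      # (network, wildcard mask)
ANY: Addr = ("0.0.0.0", "255.255.255.255")  # IOS keyword 'any'


def host(addr: str) -> Addr:
    """IOS keyword 'host A.B.C.D': the address with an all-zero wildcard."""
    return (addr, "0.0.0.0")


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" covers tcp, udp and icmp
    src: Addr
    dst: Addr
    port: Optional[int] = None   # 'eq <port>' on the destination; None = any port


def _covers_addr(a: Addr, b: Addr) -> bool:
    """Every address matched by spec b is also matched by spec a."""
    net_a, wc_a = (int(IPv4Address(x)) for x in a)
    net_b, wc_b = (int(IPv4Address(x)) for x in b)
    fixed_a = ~wc_a & 0xFFFFFFFF             # bits that a insists on
    # b may not leave a bit free that a fixes, and the fixed bits must agree.
    return (wc_b & fixed_a) == 0 and (net_a & fixed_a) == (net_b & fixed_a)


def covers(a: Entry, b: Entry) -> bool:
    """True when every packet that matches entry b also matches entry a."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and (a.port is None or a.port == b.port)
            and _covers_addr(a.src, b.src)
            and _covers_addr(a.dst, b.dst))


def shadowed_entries(acl: List[Entry]) -> List[Tuple[int, int]]:
    """(unreachable sequence, sequence that shadows it), walking top to bottom.
    A shadowed entry is dead regardless of its action: if the actions differ,
    the policy the later entry was meant to enforce is not in effect."""
    ordered = sorted(acl, key=lambda e: e.seq)
    found = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if covers(earlier, later):
                found.append((later.seq, earlier.seq))
                break
    return found


def catch_all_seq(acl: List[Entry]) -> Optional[int]:
    """Sequence of the first entry that matches every IP packet (after it the
    implicit deny is never consulted), or None if traffic can still fall
    through to the implicit deny."""
    everything = Entry(0, "permit", "ip", ANY, ANY)
    for entry in sorted(acl, key=lambda e: e.seq):
        if covers(entry, everything):
            return entry.seq
    return None


INTERNAL: Addr = ("192.168.1.0", "0.0.0.255")

# Constructed: a broad permit left at 20 silently disables everything below it.
MESSY = [
    Entry(10, "permit", "tcp", INTERNAL, ANY, 80),
    Entry(20, "permit", "ip", ANY, ANY),
    Entry(30, "deny", "tcp", INTERNAL, ANY, 23),                # never reached
    Entry(40, "permit", "tcp", host("192.168.1.50"), ANY, 80),  # redundant with 10
]
# The chapter's WEB_ONLY: no dead entries, explicit deny ip any any at 30.
WEB_ONLY = [
    Entry(10, "permit", "tcp", INTERNAL, ANY, 80),
    Entry(20, "permit", "tcp", INTERNAL, ANY, 443),
    Entry(30, "deny", "ip", ANY, ANY),
]
# Permit statements only: everything else falls through to the implicit deny.
PERMIT_ONLY = [Entry(10, "permit", "tcp", INTERNAL, ANY, 80)]

if __name__ == "__main__":
    for name, acl in (("MESSY", MESSY), ("WEB_ONLY", WEB_ONLY), ("PERMIT_ONLY", PERMIT_ONLY)):
        print(name, "shadowed:", shadowed_entries(acl), "catch-all at:", catch_all_seq(acl))
```

A `catch_all_seq` of `None` is the permit-only situation the paragraph warns about: nothing in the list is a catch-all, so every unmatched packet is dropped by the implicit deny. A shadowed deny such as sequence 30 in MESSY is the more dangerous finding, because the list reads as if Telnet were blocked while the broad permit at 20 has already let it through.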

How CCNA 200-301 Actually Tests This

On the CCNA 200-301 exam, Objective 5.6 tests your ability to configure and verify named ACLs. Expect scenario-based questions where you must choose the correct ACL configuration or identify the effect of a given ACL. Key points:

Know the syntax for standard vs extended named ACLs. Standard uses ip access-list standard <name>, extended uses ip access-list extended <name>.

Remember that standard ACLs filter only on source IP; extended ACLs filter on source/destination IP, protocol, and port.

Sequence numbers are critical: you can insert and delete individual entries.

The implicit deny any is always at the end. If an ACL only has permit statements, all other traffic is denied.

ACLs are applied per interface, per direction with ip access-group.

Common wrong answers:

1. "Standard named ACLs can filter on destination IP." — Wrong. Only extended can filter destination.

2. "Named ACLs cannot be edited; you must delete and recreate." — Wrong. Sequence numbers allow editing.

3. "ACLs are processed from bottom to top." — Wrong. Top to bottom (lowest sequence first).

4. "The implicit permit any allows all traffic if no match." — Wrong. It's implicit deny.

Exam traps: You may be asked to identify the correct command to insert a new entry. For example, ip access-list extended MYACL then 15 permit tcp any any eq 80. The sequence number 15 places it between 10 and 20. Another trap: applying a standard ACL inbound on a router interface that connects to multiple subnets. The ACL will filter based on source IP, which may unintentionally block traffic from other subnets.

Decision rule: For scenario questions, first determine if the ACL needs to check destination (extended) or only source (standard). Then decide direction: inbound ACL filters traffic entering the interface; outbound filters traffic leaving. Finally, remember that ACLs have an implicit deny at the end.

Key Takeaways

Named ACLs use a name instead of a number: `ip access-list standard <name>` or `ip access-list extended <name>`.

Sequence numbers allow insertion and deletion of individual entries without recreating the entire ACL.

Default sequence numbers start at 10 and increment by 10.

Standard named ACLs filter only on source IP; extended filter on source/destination IP, protocol, and port.

Apply ACLs with `ip access-group <name> <in|out>` under interface configuration.

Implicit deny any is always present at the end of every ACL.

Use `show ip access-list` to view entries and match counts.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Standard Named ACL

Filters only on source IP address

Uses `ip access-list standard <name>`

Place as close to destination as possible

Cannot filter on destination, protocol, or port

Simpler configuration, fewer options

Extended Named ACL

Filters on source/destination IP, protocol, and port

Uses `ip access-list extended <name>`

Place as close to source as possible

Can filter on TCP/UDP ports, ICMP types, etc.

More granular control, but more complex

Watch Out for These

Mistake

Named ACLs cannot filter on destination IP addresses.

Correct

Extended named ACLs can filter on both source and destination IP addresses, as well as protocol and port.

Candidates often confuse standard (source-only) with extended (source+destination).

Mistake

Named ACLs are processed from bottom to top.

Correct

ACLs are always processed from top to bottom (lowest sequence number first). The first match applies.

Some mistakenly think the last entry is checked first because of the implicit deny at the end.

Mistake

You cannot edit a named ACL once it is applied; you must remove and recreate it.

Correct

Named ACLs support editing via sequence numbers. You can add, delete, or reorder entries without removing the ACL from the interface.

This was true for numbered ACLs, but named ACLs were designed to overcome that limitation.

Mistake

The implicit deny at the end of an ACL can be overridden by adding a permit any statement.

Correct

Adding a permit any statement explicitly permits all traffic that hasn't matched earlier entries. The implicit deny remains but is never reached if permit any is present.

Candidates may think the implicit deny is removed, but it's always there; the explicit permit any just catches all remaining traffic.


Frequently Asked Questions

What is the difference between a numbered ACL and a named ACL?

Numbered ACLs use a number (1-99 standard, 100-199 extended) and cannot be edited by removing individual entries; you must delete the entire ACL and re-enter it. Named ACLs use an alphanumeric name and support sequence numbers, allowing you to add, delete, or reorder entries individually. Named ACLs are more flexible and easier to maintain in production.

Can I use the same name for a standard and extended ACL?

No, the name must be unique across all ACL types on a router. You cannot have both a standard and an extended ACL with the same name. The router will reject the second configuration.

How do I insert a new entry between two existing entries in a named ACL?

Enter ACL configuration mode (`ip access-list extended <name>`) and specify a sequence number that falls between the existing numbers. For example, if you have entries at 10 and 20, use `15 permit ...` to insert between them. The router will place it accordingly.

What is the default sequence number for the first entry in a named ACL?

The first entry gets sequence number 10 by default. Subsequent entries get 20, 30, etc., incrementing by 10. You can override this by specifying a sequence number explicitly.

Can I apply a named ACL to a VTY line for SSH access control?

Yes, you can apply a named ACL to VTY lines using `access-class <name> in` under line configuration. This works the same as numbered ACLs. For example, `line vty 0 4` then `access-class BLOCK_SSH in`.

How do I verify which ACL is applied to an interface?

Use `show ip interface <interface>` to see the applied ACL names per direction. Also use `show ip access-group` to list all interfaces with applied ACLs. For example, `show ip interface gigabitethernet0/0` shows 'Inbound access list is BLOCK_HR'.

What happens if I apply an ACL that doesn't exist?

The router will accept the `ip access-group` command but the ACL will be empty, meaning the implicit deny any will drop all traffic. Always create the ACL before applying it to avoid unintended blocking.

