5.4 Access Control Lists (ACLs)
Key Takeaways
- Standard ACLs (1-99, 1300-1999) match source IP only and belong close to the destination.
- Extended ACLs (100-199, 2000-2699) match source, destination, protocol, and port, and belong close to the source.
- ACLs are processed top-down, first-match-wins, with an invisible 'deny any' at the end — a list with no permit blocks everything.
- Wildcard masks are the inverse of subnet masks: 0 means must-match, 255 means don't-care.
- Apply with 'ip access-group {name|number} {in|out}'; only one ACL per interface, per direction, per protocol.
What an ACL Does
An Access Control List (ACL) is an ordered list of permit/deny rules a router (or switch) uses to filter packets. ACLs are heavily tested: you will be asked to read a list and state exactly what it permits or denies, and to place it correctly. Beyond filtering, ACLs also classify traffic for NAT, QoS, route maps, and VTY restriction.
Standard vs. Extended
| Attribute | Standard ACL | Extended ACL |
|---|---|---|
| Number ranges | 1-99, 1300-1999 | 100-199, 2000-2699 |
| Matches on | Source IP only | Source IP, destination IP, protocol, port |
| Granularity | Low | High |
| Place close to | Destination | Source |
The placement rule flows directly from what each can match. A standard ACL knows only the source, so placing it near the source would block that host from reaching every destination — put it near the destination. An extended ACL knows both ends, so placing it near the source drops unwanted traffic early and saves bandwidth across the path.
Processing Logic (the rules that trip people up)
- Top-down — rules are read in order from first to last.
- First-match wins — the first matching line acts (permit or deny) and evaluation stops; later lines never run.
- Implicit deny — an invisible deny ip any any sits at the end. If nothing matches, the packet is dropped.
- One per interface/direction/protocol — a single inbound and a single outbound ACL per interface for IPv4.
- Order matters — specific lines first, broad lines last.
Because of #3, a list containing only deny statements blocks literally everything; you must add a permit for traffic you want through.
Wildcard Masks
ACLs match addresses with wildcard masks, the bitwise inverse of subnet masks: a 0 bit means "must match," a 1 bit (255 in an octet) means "don't care."
| Subnet mask | Wildcard mask | Matches |
|---|---|---|
| 255.255.255.255 | 0.0.0.0 | One exact host |
| 255.255.255.0 | 0.0.0.255 | All hosts in a /24 |
| 255.255.255.192 | 0.0.0.63 | A /26 (64 addresses) |
| 255.255.0.0 | 0.0.255.255 | All hosts in a /16 |
| n/a | 255.255.255.255 | Any address (the any keyword) |
Shortcut: wildcard = 255.255.255.255 minus the subnet mask. The keyword host x.x.x.x equals x.x.x.x 0.0.0.0, and any equals 0.0.0.0 255.255.255.255.
Configuring a Standard ACL
Router(config)# ip access-list standard BLOCK-HOST
Router(config-std-nacl)# deny host 192.168.10.50
Router(config-std-nacl)# permit 192.168.10.0 0.0.0.255
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip access-group BLOCK-HOST out ! Near the destination
Configuring an Extended ACL
Router(config)# ip access-list extended WEB-FILTER
Router(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq 443 ! HTTPS
Router(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq 80 ! HTTP
Router(config-ext-nacl)# permit udp 192.168.10.0 0.0.0.255 any eq 53 ! DNS
Router(config-ext-nacl)# deny ip 192.168.10.0 0.0.0.255 any ! Block the rest
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip access-group WEB-FILTER in ! Near the source
Extended ACL Port Operators
| Keyword | Meaning |
|---|---|
| eq 443 | Equal to port 443 |
| gt 1023 | Greater than 1023 |
| lt 1024 | Less than 1024 |
| range 80 443 | Ports 80 through 443 inclusive |
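As an added example, not code from the original section, the first-match logic of the Processing Logic section and the port operators above can be checked with a small Python evaluator: it parses extended-ACL lines in the page's syntax, applies wildcard masks bit by bit, and reports which line acted or that the implicit deny fired. It assumes only a destination-port operator (as in the WEB-FILTER list) and the constructed packets shown at the bottom.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Bit-by-bit test: a 0 bit in the wildcard must match the base, a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def _parse_addr(t, i):
    """Read 'any' | 'host X' | 'X WILDCARD' at t[i]; return (base, wildcard, next index)."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2

def _port_ok(t, i, port):
    """Optional eq/gt/lt/range operator on the destination port; no operator means any port."""
    if i >= len(t):
        return True
    op, n = t[i], int(t[i + 1])
    if op == "range":
        return n <= port <= int(t[i + 2])
    return {"eq": port == n, "gt": port > n, "lt": port < n}[op]

def evaluate(acl, proto, src, dst, dport):
    """Top-down, first-match-wins; returns (action, line) or ('deny', None) for the implicit deny."""
    for line in acl:
        t = line.split()
        action, lproto = t[0], t[1]
        sbase, swild, i = _parse_addr(t, 2)
        dbase, dwild, i = _parse_addr(t, i)
        if lproto not in ("ip", proto):          # 'ip' covers every protocol
            continue
        if not (wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild)):
            continue
        if lproto != "ip" and not _port_ok(t, i, dport):
            continue
        return action, line                       # first match acts; later lines never run
    return "deny", None                           # the invisible deny ip any any

# Constructed input: the WEB-FILTER list from this section, in the order it was entered
WEB_FILTER = [
    "permit tcp 192.168.10.0 0.0.0.255 any eq 443",
    "permit tcp 192.168.10.0 0.0.0.255 any eq 80",
    "permit udp 192.168.10.0 0.0.0.255 any eq 53",
    "deny ip 192.168.10.0 0.0.0.255 any",
]
if __name__ == "__main__":
    for pkt in [("tcp", "192.168.10.7", "203.0.113.9", 443), ("tcp", "192.168.10.7", "203.0.113.9", 22)]:
        print(pkt, "->", evaluate(WEB_FILTER, *pkt))
```

A packet whose source is outside 192.168.10.0/24 matches none of the four lines and falls through to the implicit deny, which is what the counters in show access-lists would also reveal.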
Verification
Router# show access-lists ! All ACLs with per-line match counts
Router# show ip interface Gig0/0 ! Which ACLs are applied where
The per-line match counters are gold for troubleshooting — a permit line with zero hits when traffic should match it usually means a wildcard error or wrong placement.
Editing Named ACLs with Sequence Numbers
A major reason to prefer named ACLs over numbered ones is in-place editing. Each line gets a sequence number (10, 20, 30…), and you can insert or remove a single line without retyping the list:
Router(config)# ip access-list extended WEB-FILTER
Router(config-ext-nacl)# 15 permit tcp 192.168.10.0 0.0.0.255 any eq 22 ! Insert SSH between 10 and 20
Router(config-ext-nacl)# no 30 ! Remove the DNS line
With an old-style numbered ACL, removing one line with no access-list 100 ... historically deleted the entire list — a painful trap. Named ACLs avoid that.
Securing VTY Access with an ACL
A very common CCNA application is restricting who can SSH into the device, using a standard ACL applied with access-class (not ip access-group):
Router(config)# ip access-list standard MGMT-ONLY
Router(config-std-nacl)# permit 10.1.1.0 0.0.0.255
Router(config)# line vty 0 15
Router(config-line)# access-class MGMT-ONLY in
This permits management connections only from the 10.1.1.0/24 subnet; everything else hits the implicit deny and is refused. Note the keyword difference: ACLs on interfaces use ip access-group, while ACLs on VTY lines use access-class. Mixing these up is a classic wrong answer.
A Common Wildcard Trap
Watch for non-contiguous wildcard bits. A mask like 0.0.0.254 does not mean "254 hosts" — only the last bit is a must-match bit, so with an even base address it matches every even host address (the last bit must be 0). The exam occasionally uses these to test whether you truly understand the bit-by-bit logic rather than memorizing the /24 and /16 shortcuts.
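An added Python check, not part of the original section, that applies the shortcut from the Wildcard Masks section (255.255.255.255 minus the subnet mask), flags non-contiguous wildcards, and enumerates exactly what 0.0.0.254 matches; the 192.168.1.0/24 scope and base addresses are constructed for illustration.

```python
import ipaddress

def wildcard_from_mask(subnet_mask):
    """The section's shortcut: 255.255.255.255 minus the subnet mask, i.e. its bitwise inverse."""
    inv = 0xFFFFFFFF - int(ipaddress.ip_address(subnet_mask))
    return str(ipaddress.ip_address(inv))

def is_contiguous(wildcard):
    """True when the don't-care bits form one low-end run (0.0.0.255, 0.0.0.63); False for 0.0.0.254."""
    w = int(ipaddress.ip_address(wildcard))
    return (w & (w + 1)) == 0          # w+1 is a power of two only when all low bits are set

def matched_hosts(base, wildcard, scope):
    """Every address in scope that the ACL entry 'base wildcard' matches, tested bit by bit."""
    b = int(ipaddress.ip_address(base))
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF   # 0 bits in the wildcard must match
    return [str(a) for a in ipaddress.ip_network(scope) if ((int(a) ^ b) & care) == 0]

if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.192"))      # 0.0.0.63, the /26 row of the table
    even = matched_hosts("192.168.1.0", "0.0.0.254", "192.168.1.0/24")   # constructed scope
    odd = matched_hosts("192.168.1.1", "0.0.0.254", "192.168.1.0/24")    # odd base -> odd hosts
    print(len(even), even[:3], len(odd), odd[:3])     # 128 even hosts vs 128 odd hosts
```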
On the Exam: Read every line top-to-bottom and stop at the first match. Recall the implicit deny any, the two number ranges, and the placement rule (standard near destination, extended near source). Watch for an ACL that filters its own VTY management traffic and locks you out.
An extended ACL ends with these two lines: 'deny ip 10.1.1.0 0.0.0.255 any' then 'permit ip any any'. A packet from 10.1.1.5 to a web server arrives. What happens?
You must filter traffic based on destination IP and TCP destination port. Which ACL type and placement is correct?
Which wildcard mask matches exactly all hosts in the 172.16.8.0/24 network?
An administrator builds an ACL containing only 'deny' statements and applies it inbound. What is the result for traffic that does not match any deny line?