
Access Control Lists (ACLs) Explained for CCNA

An access control list is the gatekeeper on a router interface. It reads every packet and either lets it through or drops it based on rules you define. Without ACLs, a router forwards everything it can route, with no regard for whether that traffic should be allowed. ACLs are how you filter traffic based on source IP, destination IP, and port numbers. The CCNA exam tests both the logic of how ACLs process packets and the practical question of where to place them on the network. Get the placement wrong and you will either block traffic you meant to allow or allow traffic you meant to block.


Standard and extended ACLs

Standard ACLs filter traffic based only on the source IP address. They are numbered 1 to 99 and 1300 to 1999. Because they only look at the source, they cannot distinguish between a web request and an FTP request from the same host. Standard ACLs should be placed close to the destination to avoid blocking traffic too broadly.

Extended ACLs filter on source IP, destination IP, protocol (TCP, UDP, ICMP), and source and destination port numbers. This granularity lets you allow SSH from one specific host to one specific server while blocking everything else. Extended ACLs are numbered 100 to 199 and 2000 to 2699. Place extended ACLs close to the source so that unwanted traffic is dropped before it uses bandwidth on the network.

Named ACLs use descriptive names instead of numbers and are otherwise functionally equivalent. Names make intent clear: PERMIT_WEB_SERVERS tells you what the list does. Named ACLs also allow you to delete individual entries without removing the whole list, which numbered ACLs do not support.

How ACLs process packets

ACLs process rules in order from top to bottom. The moment a packet matches a rule, the action (permit or deny) is taken and processing stops. No further rules are checked. This means rule order is critical: a broad permit rule early in the list will match packets you intended to catch with a deny rule later.

Every ACL ends with an implicit deny all. This is not a rule you can see in the configuration, but it is always there. If a packet does not match any rule in the ACL, it is dropped. This is why permit rules matter: if you forget to permit legitimate traffic, the implicit deny drops it silently.

ACLs are applied to interfaces in a direction: inbound (applied to packets entering the interface) or outbound (applied to packets leaving the interface). An interface can have one ACL in each direction. The direction matters for filtering logic because inbound ACLs check traffic before the router makes a routing decision, while outbound ACLs check after.

How to choose the correct answer

Standard ACL placement: close to the destination (since it only matches source IP, placing it near the source risks blocking all traffic from that source, not just what you intended).

Extended ACL placement: close to the source (stop unwanted traffic early, save bandwidth).

Rule order: more specific rules must come before more general ones. A deny for a single host must appear before a permit for the whole subnet that host belongs to.

Wildcard masks: the inverse of a subnet mask. 0 bits mean the IP bit must match; 1 bits mean the bit is ignored. A wildcard of 0.0.0.255 matches any host in the /24 network. The keyword host is shorthand for 0.0.0.0 wildcard (match exactly this address).

Implicit deny: if no rule matches, the packet is dropped. Always end with an explicit permit if you want to allow anything not covered by your deny rules.
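The processing rules above (top-down order, first match wins, implicit deny, wildcard masks) and the placement point about standard ACLs over-blocking are easiest to see by running them. The following is an added example, not code from the original page or from Cisco: a small Python simulator that reads a subset of IOS ACL syntax (standard entries, and extended entries using ip/tcp/udp/icmp, any, host, wildcard masks and an optional destination "eq PORT"; source ports and other operators are not handled), evaluates a constructed packet against the list, and reports which line matched. The ACLs and packets are constructed to mirror the Telnet-blocking scenario in Q1 and the rule-order trap described above.

```python
# Added example (not from the original page): a simulator of Cisco-style ACL
# evaluation. Supported syntax is a deliberately small subset of IOS:
#   standard:  permit|deny <addr WILDCARD | host A.B.C.D | any>
#   extended:  permit|deny <ip|tcp|udp|icmp> <src spec> <dst spec> [eq PORT]
# Only a destination 'eq' port is understood (an assumption of this example).
import ipaddress


def wildcard_match(addr, base, wildcard):
    """True if addr matches base under a wildcard mask.
    Wildcard bit 0 = this bit must match, bit 1 = this bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    # Clear the 'don't care' bits on both sides, then compare what remains.
    return (a & ~w) == (b & ~w)


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
    Returns (base, wildcard, remaining tokens)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_entry(line):
    """Parse one access-control entry into a dict.
    Standard:  'permit 192.168.1.0 0.0.0.255'   (source only)
    Extended:  'deny tcp 10.1.1.0 0.0.0.255 host 192.168.1.10 eq 23'"""
    action, *rest = line.split()
    if rest[0] in ("ip", "tcp", "udp", "icmp"):
        proto, rest = rest[0], rest[1:]
        src, src_wc, rest = _parse_addr(rest)
        dst, dst_wc, rest = _parse_addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        return {"action": action, "proto": proto, "src": (src, src_wc),
                "dst": (dst, dst_wc), "dport": dport}
    # Standard entry: only the source address is examined.
    src, src_wc, _ = _parse_addr(rest)
    return {"action": action, "proto": "ip", "src": (src, src_wc),
            "dst": ("0.0.0.0", "255.255.255.255"), "dport": None}


def packet(proto, src, dst, dport=None):
    """Constructed packet header summary used by the simulator."""
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}


def entry_matches(entry, pkt):
    # 'ip' matches every protocol; tcp/udp/icmp must match exactly.
    if entry["proto"] != "ip" and entry["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *entry["src"]):
        return False
    if not wildcard_match(pkt["dst"], *entry["dst"]):
        return False
    return entry["dport"] is None or entry["dport"] == pkt["dport"]


def evaluate(acl, pkt):
    """Top-down evaluation, first match wins.
    Returns (action, matching line) or ('deny', None) for the implicit deny."""
    for line in acl:
        entry = parse_entry(line)
        if entry_matches(entry, pkt):
            return entry["action"], line
    return "deny", None  # implicit 'deny any' at the end of every ACL


# Q1 scenario: block Telnet from 10.1.1.0/24 to 192.168.1.10, allow all else.
EXTENDED_ACL = [
    "deny tcp 10.1.1.0 0.0.0.255 host 192.168.1.10 eq 23",
    "permit ip any any",
]
# A standard ACL sees only the source, so it blocks everything from 10.1.1.0/24.
STANDARD_ACL = ["deny 10.1.1.0 0.0.0.255", "permit any"]
# Rule-order trap: the broad permit shadows the host-specific deny below it.
WRONG_ORDER = ["permit 10.1.1.0 0.0.0.255", "deny host 10.1.1.1"]
RIGHT_ORDER = ["deny host 10.1.1.1", "permit 10.1.1.0 0.0.0.255"]

if __name__ == "__main__":
    telnet = packet("tcp", "10.1.1.5", "192.168.1.10", 23)
    http = packet("tcp", "10.1.1.5", "192.168.1.10", 80)
    for name, acl in (("extended", EXTENDED_ACL), ("standard", STANDARD_ACL)):
        print(name, "telnet:", evaluate(acl, telnet), "http:", evaluate(acl, http))
    host1 = packet("tcp", "10.1.1.1", "192.168.1.10", 80)
    print("wrong order:", evaluate(WRONG_ORDER, host1))
    print("right order:", evaluate(RIGHT_ORDER, host1))
    print("implicit deny:", evaluate(["deny host 10.1.1.1"], http))
```

Running the script shows the extended list denying only the Telnet packet while the standard list denies both Telnet and HTTP from the same host, the host-specific deny being ignored when a broader permit precedes it, and a packet that matches no line being dropped with no line reported, which is the implicit deny at work.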

Standard vs extended ACL comparison

Attribute     | Standard ACL                     | Extended ACL
Matches on    | Source IP only                   | Source IP, destination IP, protocol, port
Number range  | 1-99, 1300-1999                  | 100-199, 2000-2699
Placement     | Close to destination             | Close to source
Granularity   | Low                              | High
Use case      | Block all traffic from a subnet  | Allow HTTP only from specific hosts to specific servers

Key exam facts — CCNA

  • Standard ACL: source IP only. Place near destination. Numbers 1-99.
  • Extended ACL: source, destination, protocol, port. Place near source. Numbers 100-199.
  • ACL processing: top-down, first match wins, implicit deny all at the end.
  • Wildcard mask: 0 = must match, 1 = ignore. Inverse of subnet mask.
  • ACL applied to interface inbound or outbound. One ACL per direction per interface.
  • Named ACLs allow deletion of individual entries. Numbered ACLs require rewriting the whole list.

Common exam traps

Trap: "ACLs are processed from bottom to top."

Correction: ACLs are processed top to bottom. The first matching rule is applied and processing stops. Order is critical: put specific rules before general ones.

Trap: "If no ACL is applied to an interface, all traffic is blocked."

Correction: With no ACL, a router forwards all traffic it can route. ACLs only restrict traffic when applied to an interface. The implicit deny only applies within an ACL, not at the global router level.

Trap: "A standard ACL placed near the source is fine because it still filters traffic."

Correction: Standard ACLs match only on source IP. Placing one near the source will block all traffic from that source, not just the traffic you wanted to block. Always place standard ACLs near the destination.

Practice questions — Access Control Lists

These questions are representative of what you will see on CCNA exams. The correct answer and explanation are shown immediately below each question.

Q1. A network administrator needs to block Telnet access (TCP port 23) from the 10.1.1.0/24 network to the server at 192.168.1.10 while permitting all other traffic. Which ACL type should be used and where should it be placed?

A. Standard ACL placed close to the destination server
B. Extended ACL placed close to the source network
C. Standard ACL placed close to the source network
D. Extended ACL placed close to the destination server

Explanation: Extended ACLs can filter on source IP, destination IP, and port (TCP 23) — giving the required granularity. They should be placed close to the source to stop unwanted traffic early and conserve bandwidth. A standard ACL can only filter on source IP, which would block all traffic from that subnet, not just Telnet.

Q2. A Cisco router has the following ACL entry: 'permit 192.168.1.0 0.0.0.255'. Which traffic does this permit?

A. Only traffic from the host 192.168.1.0
B. Traffic from any host in the 192.168.1.0/24 network
C. Traffic destined to the 192.168.1.0/24 network
D. All traffic, because the wildcard mask is all zeros

Explanation: In an ACL, 192.168.1.0 0.0.0.255 uses a wildcard mask where 0 means 'must match' and 1 means 'don't care'. The wildcard 0.0.0.255 means the last 8 bits can be anything — matching all 256 addresses in the 192.168.1.0/24 subnet. This permits traffic from any host in that /24.

Q3. An ACL is applied to a router interface as inbound. A packet arrives on that interface. When does the ACL process the packet relative to the routing decision?

A. After the routing decision, before forwarding out the exit interface
B. Before the routing decision is made
C. Only if the packet is destined for the router itself
D. After the packet exits the router

Explanation: An inbound ACL processes packets before the router makes a routing decision. If the ACL denies the packet, it is dropped immediately without wasting CPU on a routing table lookup. Outbound ACLs are evaluated after the routing decision, filtering traffic as it exits the interface.

Q4. A network administrator applies ACL 10 to interface Gi0/0 outbound. The ACL has one entry: 'deny host 10.1.1.1'. A packet from 10.1.1.1 arrives at the router. What happens?

A. The packet is denied immediately upon arrival
B. The packet is routed normally; the ACL denies it only when it exits Gi0/0
C. The packet is permitted because outbound ACLs do not apply to router-generated traffic
D. The packet is denied by the implicit permit at the end of the ACL

Explanation: The ACL is applied outbound on Gi0/0. The packet arriving on a different interface is routed normally. The ACL only processes the packet if and when it is about to exit through Gi0/0. The implicit deny at the end of any ACL (not a permit) drops the packet if no permit matches — but the deny host 10.1.1.1 matches first and drops it before exit.

Q5. Which wildcard mask would match only the host 172.16.5.25?

A. 0.0.0.255
B. 0.0.255.255
C. 0.0.0.0
D. 255.255.255.0

Explanation: A wildcard mask of 0.0.0.0 means all bits must match — every bit of the address is significant. Combined with 172.16.5.25, this matches only that exact host. The 'host' keyword in a Cisco ACL is shorthand for the same thing: 'host 172.16.5.25' equals '172.16.5.25 0.0.0.0'.

Frequently asked questions — Access Control Lists

What is the difference between a standard ACL and an extended ACL?

Standard ACLs (numbered 1-99 and 1300-1999) filter traffic based only on source IP address. Extended ACLs (100-199 and 2000-2699) can filter on source IP, destination IP, protocol (TCP/UDP/ICMP), and source/destination port numbers. Standard ACLs should be placed near the destination to avoid over-blocking. Extended ACLs should be placed near the source to stop unwanted traffic early.

What is an ACL wildcard mask?

A wildcard mask is the inverse of a subnet mask used in ACL statements. A 0 bit means 'this bit must match the address'; a 1 bit means 'this bit can be anything'. Wildcard 0.0.0.255 matches any host in a /24 (last 8 bits free). Wildcard 0.0.0.0 matches exactly one host. The keyword 'any' is shorthand for 0.0.0.0 255.255.255.255 (match everything). The keyword 'host' is shorthand for 0.0.0.0 wildcard.

What is the implicit deny at the end of every ACL?

Every ACL ends with an invisible 'deny any' rule. If a packet reaches the end of the ACL without matching any explicit permit statement, it is dropped silently. This is why ACLs can break connectivity unexpectedly — if you add deny rules but forget to add a final 'permit ip any any', all traffic not explicitly permitted will be dropped.

Where should I place standard vs extended ACLs?

Extended ACLs go as close to the source as possible. This stops unwanted traffic before it consumes bandwidth traversing the network. Standard ACLs go as close to the destination as possible. Since they only match source IP, placing them near the source would block ALL traffic from that source, not just the specific traffic you wanted to filter.

How are ACLs tested on the CCNA exam?

The CCNA tests ACL rule order (top-down, first match wins), wildcard mask interpretation, standard vs extended ACL selection, inbound vs outbound placement logic, implicit deny behavior, and troubleshooting connectivity issues caused by ACL misconfigurations. Expect scenario questions where you identify which traffic is permitted or denied by a given ACL, and questions where you choose the correct ACL type and placement.
