
ACL Fundamentals for CompTIA Network+ N10-009

Access Control Lists (ACLs) are rule-based traffic filters applied to router and firewall interfaces to permit or deny traffic based on defined criteria. CompTIA Network+ N10-009 tests ACL concepts — how rules are processed, what they filter, and how to identify the correct rule for a given scenario. ACLs are fundamental to network security and appear in both security and implementation domains.


How ACLs Work

An ACL is an ordered list of permit and deny rules. When a packet arrives, the device compares it against each rule from the top down; at the first rule that matches, the packet is permitted or denied as that rule says and processing stops. Every ACL ends with an implicit deny all: if no rule matches, the packet is dropped. This is the critical property of ACLs: anything not explicitly permitted is blocked by default.

ACL match criteria: source IP address, destination IP address, protocol (TCP, UDP, ICMP), source port, and destination port. Ports apply only to TCP and UDP; ICMP is matched by protocol (and on most platforms by message type). Direction is not a match field; it is chosen when the ACL is applied to an interface (inbound or outbound), and an interface carries at most one ACL per direction. Standard ACLs filter by source IP only. Extended ACLs filter by source and destination IP, protocol, and port, which is far more granular.

ACL placement: because a standard ACL sees only the source address, it should be applied close to the destination; placed near the source it would block that source's traffic to every destination, not just the one you intend. An extended ACL matches source, destination, protocol, and port, so it can be applied close to the source, dropping unwanted traffic before it crosses the network and consumes bandwidth.

ACL Applications

Perimeter security: ACLs on router interfaces facing the internet block known malicious traffic, restrict inbound connections to the hosts and ports that must be reachable, and provide anti-spoofing. Inbound packets whose source address is an RFC 1918 private range (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), or your own public address space, cannot legitimately arrive from the internet and are denied on the external interface. Inter-VLAN access control: ACLs on Layer 3 switch SVIs or router subinterfaces control which VLANs can communicate with each other.

Best practices: put the most specific rules first (specific hosts before networks, networks before any); a broad rule placed first shadows every narrower rule below it, so those rules never match anything. Document each rule. Avoid 'permit any any', which allows all traffic and makes the implicit deny meaningless. Keep ACLs as short as possible; on software-forwarding devices every packet is compared against the rules in order until one matches, so long lists cost CPU per packet. Test ACLs before applying them in production, since one wrong rule can block critical traffic, including the management session you are configuring from.
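The evaluation model described under "How ACLs Work" and the perimeter anti-spoofing list above, as an added example in Python (not code from the page or from any vendor's implementation). It models the Cisco-style semantics the text describes: top-to-bottom evaluation, first match wins, implicit deny when nothing matches. It also adds a shadow check that reports rules no packet can ever reach because an earlier, broader rule covers them, which is the mis-ordering the best-practices paragraph warns about. The public prefix 203.0.113.0/24, the web server 203.0.113.10, and the probe addresses are hypothetical documentation-range values chosen for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None  # None for icmp


@dataclass(frozen=True)
class Rule:
    """One ACL entry. A rule that sets only src is a standard-ACL entry;
    one that also sets dst/proto/port is an extended-ACL entry."""
    action: str                      # "permit" or "deny"
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    proto: Optional[str] = None      # None = any protocol
    dst_port: Optional[int] = None   # None = any port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` would also match this rule."""
        return (other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and (self.proto is None or self.proto == other.proto)
                and (self.dst_port is None or self.dst_port == other.dst_port))


def rule(action, src="0.0.0.0/0", dst="0.0.0.0/0", proto=None, dst_port=None) -> Rule:
    return Rule(action, ip_network(src), ip_network(dst), proto, dst_port)


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-to-bottom, first match wins. Returns (action, index of the matching
    rule); index None means no rule matched and the implicit deny applied."""
    for i, r in enumerate(acl):
        if r.matches(pkt):
            return r.action, i
    return "deny", None


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indexes of rules that can never match because an earlier rule covers
    them entirely; a non-empty result means the list is mis-ordered."""
    return [j for j in range(len(acl))
            if any(acl[i].covers(acl[j]) for i in range(j))]


# Ordering trap from the text: a broad permit first shadows the specific deny.
SHADOWED = [rule("permit", src="10.1.1.0/24"), rule("deny", src="10.1.1.100/32")]
FIXED = [rule("deny", src="10.1.1.100/32"), rule("permit", src="10.1.1.0/24")]

# Inbound ACL for an internet-facing interface. Hypothetical public prefix
# 203.0.113.0/24 with a web server at 203.0.113.10 (documentation ranges).
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
OUR_PREFIX = "203.0.113.0/24"
INTERNET_IN = (
    [rule("deny", src=p) for p in RFC1918]   # anti-spoofing: private sources never arrive from the internet
    + [rule("deny", src=OUR_PREFIX)]         # anti-spoofing: our own addresses cannot be a source on the outside
    + [rule("permit", dst="203.0.113.10/32", proto="tcp", dst_port=443)]
)                                            # everything else falls through to the implicit deny


if __name__ == "__main__":
    probe = Packet("10.1.1.100", "192.0.2.1", "tcp", 80)
    print("shadowed order:", evaluate(SHADOWED, probe))                # ('permit', 0)
    print("fixed order:   ", evaluate(FIXED, probe))                   # ('deny', 0)
    print("unreachable rules in SHADOWED:", shadowed_rules(SHADOWED))  # [1]
    spoof = Packet("192.168.1.5", "203.0.113.10", "tcp", 443)
    print("spoofed source:", evaluate(INTERNET_IN, spoof))             # ('deny', 2)
    ssh = Packet("198.51.100.7", "203.0.113.10", "tcp", 22)
    print("ssh from internet:", evaluate(INTERNET_IN, ssh))            # ('deny', None)
```

The `shadowed_rules` check is the one worth keeping: run it over a proposed list before applying it, and any index it returns is a rule that will silently never fire, which is exactly how a "deny this host" entry ends up doing nothing.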

Key exam facts — Network+

  • ACL rules process top-to-bottom; first match wins
  • Implicit deny at end: traffic not matching any rule is denied
  • Standard ACL: filters by source IP only; Extended ACL: source + destination + port + protocol
  • Standard ACL placement: near destination; Extended ACL placement: near source
  • Anti-spoofing: block RFC 1918 addresses arriving on external interfaces
  • Most specific rules should appear before broader rules
  • A single misplaced rule can deny all traffic — test carefully

Common exam traps

ACLs process all rules even after finding a match

ACL processing stops at the first matching rule; subsequent rules are not evaluated. Rule order is therefore critical: if 'deny 10.0.0.0/8' appears before 'permit 10.1.1.1/32', the permit rule never takes effect for that host, because the broader deny has already matched it.

An empty ACL allows all traffic

An applied ACL that contains only deny rules has nothing after them but the implicit deny all, so it blocks all traffic. An interface with no ACL applied allows all traffic. The distinction the exam is testing is whether an ACL is applied at all. Platform caveat: on Cisco IOS, an ACL that is applied to an interface but has no entries (or does not exist yet) permits all traffic, so "an ACL with only denies" and "an ACL with no entries" behave differently in practice.

Practice questions — ACL Fundamentals

These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.

Q1. An ACL on a router has the following rules in order: (1) permit 10.1.1.0/24, (2) deny 10.1.1.100/32. A packet arrives from 10.1.1.100. What happens?

A. The packet is denied by rule 2
B. The packet is permitted by rule 1
C. Both rules match, so the packet is denied
D. The implicit deny blocks the packet

Correct answer: B. Explanation: ACL processing is top-to-bottom, first match wins. The packet from 10.1.1.100 matches rule 1 (permit 10.1.1.0/24; the host is in this subnet) and is permitted. Rule 2 is never evaluated. To deny 10.1.1.100 specifically while permitting the rest of the subnet, rule 2 must appear BEFORE rule 1.

Frequently asked questions — ACL Fundamentals

What is the implicit deny at the end of an ACL?

Every ACL has an invisible 'deny any any' as its final rule. If traffic does not match any explicit permit or deny rule in the ACL, this implicit deny blocks it. This is a security-first design: unknown traffic is blocked, not allowed. The implicit deny is why you must explicitly permit all traffic you want to allow — any traffic not covered by a permit rule will be dropped.
