Cisco CCNA Prep – Complete Beginner to Intermediate Guide
CHAPTER 15 Intermediate

Access Control Lists (ACLs)

Updated: May 16, 2026
30 min read


1. Introduction

While dedicated Firewalls provide the ultimate security at the edge of the network, internal Cisco Routers possess their own powerful, built-in filtering mechanism: Access Control Lists (ACLs). An ACL is essentially a list of "Permit" or "Deny" rules applied to a router's interface. It acts as a traffic filter, determining exactly which packets are allowed to cross between subnets. If you want to block the Guest Wi-Fi from reaching the Finance server, you write an ACL. In this chapter, we will master the logic of ACLs. We will learn how to read Wildcard Masks, differentiate between Standard and Extended ACLs, and understand the critical "Implicit Deny" rule that catches every beginner off guard.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Explain the sequential, top-down processing logic of an Access Control List.
  • Differentiate between a Standard ACL (1-99) and an Extended ACL (100-199).
  • Calculate a Wildcard Mask for a given subnet.
  • Write basic CLI syntax to permit or deny specific IP traffic.
  • Apply an ACL to a router interface in the correct direction (Inbound vs Outbound).

3. Beginner-friendly Explanations

The VIP Bouncer: An ACL is the bouncer at the door of a VIP club. The bouncer holds a clipboard with a list of rules.
  1. Deny John Smith.
  2. Permit anyone from the Marketing Department.
  3. Deny everyone else.

When a packet arrives, the router (the bouncer) reads the ACL from top to bottom. As soon as it finds a rule that matches the packet, it takes action (Permit or Deny) and *stops reading the rest of the list*.

4. The "Implicit Deny" Rule

This is the most important concept in ACLs. At the very bottom of every Cisco ACL is an invisible, hidden rule: Deny Any. If a packet makes it all the way through your list of rules and does not match any of them, the router automatically drops the packet in the trash. *Rule of thumb:* Every ACL must contain at least one permit statement, otherwise, it will block 100% of all traffic!

5. Standard vs. Extended ACLs

Standard ACLs (Numbered 1-99):
  • *What they filter by:* ONLY the Source IP address.
  • *Example:* "Block traffic from PC A."
  • *Where to apply them:* As close to the Destination as possible. (Because they match only on the source address, placing one near the source would block PC A from reaching *everything* beyond that interface, not just the one destination you meant to protect.)

Extended ACLs (Numbered 100-199):

  • *What they filter by:* Source IP, Destination IP, Protocol (TCP/UDP), and Port Number (e.g., 80, 443).
  • *Example:* "Block PC A from sending HTTP traffic (Port 80) to Server B, but allow ping traffic."
  • *Where to apply them:* As close to the Source as possible. (Because they are highly specific, block the bad traffic before it wastes bandwidth traveling across the network).

6. The Wildcard Mask (Inverse Subnet Mask)

When writing an ACL, routers do not use Subnet Masks (255.255.255.0). They use Wildcard Masks. A Wildcard mask is the mathematical opposite of a subnet mask.
  • Subnet Mask: 255.255.255.0
  • Wildcard Mask: 0.0.0.255
*The math:* Take 255.255.255.255 and subtract your subnet mask; the result is your wildcard mask. A 0 in a wildcard mask means "this part of the address must match exactly," and a 255 means "ignore this part." The rule works bit by bit, so it also covers masks that do not end on an octet boundary: a /26 (subnet mask 255.255.255.192) gives 255.255.255.255 minus 255.255.255.192 = 0.0.0.63.

7. Writing and Applying an Extended ACL

Scenario: Block the 192.168.1.0/24 subnet from reaching the Web Server (10.0.0.5) on Port 80, but allow everything else.

Step 1: Write the ACL Rules (Global Config Mode)

```
! Create Extended ACL number 100 (IOS treats lines starting with "!" as comments)
access-list 100 deny tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq 80

! Add the mandatory permit rule to override the Implicit Deny!
access-list 100 permit ip any any
```

Step 2: Apply it to the Interface

You must tell the router *where* to enforce the bouncer. We apply it Inbound on the interface facing the 192.168.1.0 network.

```
interface GigabitEthernet0/0
 ip access-group 100 in
```

8. Best Practices

  • Top-Down Logic: Always put your most specific rules at the very top of the ACL, and your broad, general rules at the bottom. If rule #1 says permit ip any any, the router will instantly permit every packet, and rules #2 through #10 will never be read.

9. Common Mistakes

  • Applying in the Wrong Direction: You write a perfect ACL to stop hackers on the internet from reaching your internal server. You apply it to the Internet-facing interface, but you apply it out instead of in. The ACL completely fails because it is checking traffic *leaving* the router to the internet, not traffic *entering* from the internet. Directionality is critical.

10. Mini Project: Evaluate ACL Logic

Look at this ACL applied inbound on a router:
  1. access-list 10 deny host 192.168.1.5
  2. access-list 10 permit 192.168.1.0 0.0.0.255
  3. access-list 10 deny host 192.168.1.10

*Question:* PC 192.168.1.10 tries to send a packet. Does it pass? *Answer:* Yes, it passes! The router reads Rule 1 (No match). It reads Rule 2. Does .10 belong to the 192.168.1.0 subnet? Yes! The router matches Rule 2, Permits the packet, and STOPS READING. Rule 3 is completely ignored. This is why rule order is vital.
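To make the mini-project answer (and the wildcard arithmetic from section 6) checkable, here is a small Python evaluator that is an added illustration, not part of the original chapter or of Cisco IOS: it derives wildcard masks from a prefix length, parses the numbered standard and extended access-list lines used in this chapter, and applies them top-down with the implicit deny. It assumes only the syntax shown on this page (host / any / base-plus-wildcard, optional `eq PORT`).

```python
import ipaddress
ANY = ("0.0.0.0", "255.255.255.255")  # IOS keyword "any": every address matches

def wildcard_from_prefix(prefix_len):
    """Wildcard mask for a /prefix: 255.255.255.255 minus the subnet mask (section 6)."""
    mask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(0xFFFFFFFF - mask))

def wildcard_match(addr, base, wildcard):
    """A 0 bit in the wildcard must match exactly; a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _take_addr(tok):  # consume 'any', 'host X' or 'X WILDCARD'; return ((base, wc), rest)
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    return (tok[0], tok[1]), tok[2:]

def parse_rule(line):
    """Parse one 'access-list N ...' line: 1-99 is standard, 100-199 is extended."""
    tok = line.split()
    number, action, rest = int(tok[1]), tok[2], tok[3:]
    if number <= 99:  # standard ACL: source address only
        return {"action": action, "proto": "ip", "src": _take_addr(rest)[0], "dst": ANY, "port": None}
    proto, rest = rest[0], rest[1:]
    src, rest = _take_addr(rest)
    dst, rest = _take_addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def rule_matches(rule, pkt):
    return (rule["proto"] in ("ip", pkt["proto"])
            and wildcard_match(pkt["src"], *rule["src"])
            and wildcard_match(pkt["dst"], *rule["dst"])
            and (rule["port"] is None or rule["port"] == pkt.get("dport")))

def evaluate(acl_lines, pkt):
    """Top-down, first match wins; no match falls through to the implicit deny (line None)."""
    for n, rule in enumerate(map(parse_rule, acl_lines), 1):
        if rule_matches(rule, pkt):
            return rule["action"], n
    return "deny", None

# The two ACLs from this chapter, embedded here as sample input.
MINI_PROJECT_ACL = ["access-list 10 deny host 192.168.1.5",
                    "access-list 10 permit 192.168.1.0 0.0.0.255",
                    "access-list 10 deny host 192.168.1.10"]
WEB_BLOCK_ACL = ["access-list 100 deny tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq 80",
                 "access-list 100 permit ip any any"]
```

Calling `evaluate(MINI_PROJECT_ACL, {"src": "192.168.1.10", "dst": "10.0.0.5", "proto": "ip"})` returns `("permit", 2)`, confirming that rule 3 is never consulted; a source outside 192.168.1.0/24 returns `("deny", None)`, the implicit deny.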

11. Practice Exercises

  1. Explain the mechanism of the "Implicit Deny" at the end of every Cisco ACL. Why must an administrator explicitly configure a permit statement?
  2. Contrast the filtering capabilities of a Standard ACL versus an Extended ACL. Which one can filter traffic based on a specific TCP port number?

12. MCQs with Answers

Question 1

A network engineer wants to write an ACL to affect the 10.5.5.0 /24 subnet. What is the correct Wildcard Mask required for the ACL configuration syntax?

Question 2

According to Cisco best practices, where should an Extended Access Control List be applied within the network topology to maximize bandwidth efficiency?

13. Interview Questions

  • Q: You configure an ACL with three deny statements targeting specific hostile IP addresses and apply it to your WAN interface. Instantly, all legitimate internet traffic stops working. What structural rule of ACLs did you forget to account for?
  • Q: Explain the mathematical relationship between a Subnet Mask and a Wildcard Mask. How do you convert a /26 subnet mask into a wildcard mask?
  • Q: Why does rule order absolutely matter when constructing an Access Control List? Provide a theoretical example where poor rule placement breaks the intended security policy.

14. FAQs

Q: Can I edit a specific line in an ACL later? A: In modern Cisco IOS, yes! You can use "Named ACLs" or "Sequence Numbers." If you type show access-lists, you will see numbers next to your rules (e.g., 10, 20, 30). You can insert a new rule exactly between them by specifying sequence number 15, preventing you from having to delete and rewrite the entire list.

15. Summary

In Chapter 15, we weaponized the router to perform traffic filtering using Access Control Lists. We learned the strict, top-down processing logic of the router, understanding that the first matched rule dictates the action, and that an invisible "Implicit Deny" lurks at the bottom of every list. We calculated inverse Wildcard Masks, and we delineated the blunt, source-only filtering of Standard ACLs against the highly granular, port-specific filtering of Extended ACLs. By applying these lists to interfaces in specific directions, we can mathematically enforce corporate security policies.

16. Next Chapter Recommendation

You have built the network and secured it. But eventually, a user will call and say, "It's broken." You need your diagnostic tools. Proceed to Chapter 16: Network Troubleshooting Tools.
