Named ACLs – Configuration, Sequence Numbers, and Management

1. What Are Named ACLs?

A Named ACL is an Access Control List identified by a descriptive text name — such as BLOCK_WEB or PERMIT_ADMIN — rather than a numeric identifier. Named ACLs were introduced in Cisco IOS 12.0 and are now the preferred approach for all ACL work on modern networks.

Named ACLs support both standard (filter on source IP only) and extended (filter on source IP, destination IP, protocol, and port) types, and add the critical ability to edit individual entries using sequence numbers — something numbered ACLs cannot do without deleting and recreating the entire list.

  Numbered ACL:          Named ACL:
  access-list 101 ...    ip access-list extended BLOCK_WEB
  access-list 101 ...     10 permit tcp any host 10.0.0.1 eq 80
                          20 deny   ip  any any
  Identified by: 101     Identified by: BLOCK_WEB
  Edit: delete & redo    Edit: change sequence 10 in place

Related pages: Applying ACLs | ACL Overview | Standard ACLs | Extended ACLs | Wildcard Masks | Firewalls | Standard ACL Config Lab | Extended ACL Config Lab | Troubleshooting ACL Misconfigurations

2. Named ACL vs Numbered ACL — Full Comparison

Both types enforce the same packet filtering logic but differ significantly in how they are identified, created, and maintained. For any production or exam scenario, named ACLs are the preferred choice.

Identification
  Numbered ACL: Numeric (standard: 1–99, 1300–1999; extended: 100–199, 2000–2699)
  Named ACL:    Descriptive text name (e.g., BLOCK_HTTP, PERMIT_ADMIN)

Configuration command
  Numbered ACL: access-list 101 permit tcp ... (global config)
  Named ACL:    ip access-list extended BLOCK_WEB, then entries in ACL submode

Editing individual entries
  Numbered ACL: Not possible — to change any entry you must delete the entire ACL with no access-list 101 and re-enter all rules from scratch
  Named ACL:    Delete or modify any single entry by its sequence number without touching the rest of the list

Sequence numbers
  Numbered ACL: Not supported (some IOS versions auto-assign but cannot be used for editing)
  Named ACL:    Fully supported — assigned automatically (10, 20, 30…) or manually; used for insertion, deletion, and ordering

Insert a rule between existing entries
  Numbered ACL: Impossible without full recreation
  Named ACL:    Assign any sequence number in the gap (e.g., seq 15 between seq 10 and seq 20)

Readability
  Numbered ACL: Low — 101 gives no context
  Named ACL:    High — BLOCK_TELNET_EXTERNAL is self-documenting

Supports standard type
  Numbered ACL: Yes (numbers 1–99, 1300–1999)
  Named ACL:    Yes — ip access-list standard <name>

Supports extended type
  Numbered ACL: Yes (numbers 100–199, 2000–2699)
  Named ACL:    Yes — ip access-list extended <name>

Application command
  Numbered ACL: ip access-group 101 in
  Named ACL:    ip access-group BLOCK_WEB in

Best used for
  Numbered ACL: Simple legacy configs; automation scripts that generate ACLs programmatically
  Named ACL:    All production environments; complex, large, or frequently updated access policies

3. ACL Fundamentals — Standard vs Extended

Before configuring a named ACL, understand which type to use. The type determines what fields in the packet the ACL can match against, and where on the network it should be applied.

Matches on
  Standard named ACL: Source IP address only
  Extended named ACL: Source IP, destination IP, protocol (IP/TCP/UDP/ICMP), source port, destination port

Granularity
  Standard named ACL: Coarse — permit or deny all traffic from a source
  Extended named ACL: Fine — permit or deny specific applications, services, and flows

Recommended placement
  Standard named ACL: As close to the destination as possible — because matching source-only may block the source from reaching other resources it needs
  Extended named ACL: As close to the source as possible — drops unwanted traffic early, reducing wasted bandwidth

IOS command
  Standard named ACL: ip access-list standard <name>
  Extended named ACL: ip access-list extended <name>

Typical use
  Standard named ACL: Restrict which hosts can use a VTY line or reach a specific subnet
  Extended named ACL: Block specific services (HTTP, Telnet, FTP) between defined hosts or networks

See: Standard ACLs | Extended ACLs | Wildcard Masks | Applying ACLs

4. The Implicit Deny — Critical Behaviour

Every ACL — named or numbered, standard or extended — ends with an invisible implicit deny any statement. This rule is not shown in show access-lists output but is always present and always evaluated last. Any packet that does not match any explicit rule in the ACL is silently dropped.

  ip access-list extended BLOCK_WEB
   10 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.1 eq 80
   20 permit ip  192.168.1.0 0.0.0.255 any
   [implicit: deny ip any any]    ← always here, never shown

  A packet from 10.0.0.50 → 10.0.0.1:80 arrives:
  → Does NOT match seq 10 (wrong source subnet)
  → Does NOT match seq 20 (wrong source subnet)
  → Hits implicit deny → DROPPED ✗

  A packet from 192.168.1.10 → 8.8.8.8:443 arrives:
  → Does NOT match seq 10 (wrong port and destination)
  → MATCHES seq 20 (source is in 192.168.1.0/24, any dest) → PERMITTED ✓

Common mistake: Creating an ACL that only contains deny statements without at least one permit — the implicit deny means absolutely all traffic is blocked. Always include an explicit permit ip any any at the end if you only want to deny specific traffic and allow everything else.

5. Wildcard Masks — Quick Reference

ACL permit and deny statements use wildcard masks to match ranges of IP addresses. A wildcard mask is the inverse of a subnet mask: 0 bits must match, 1 bits are ignored ("wildcarded"). Two special shortcuts are also available.

  To Match                                            Address        Wildcard Mask     Shortcut
  A single host                                       192.168.1.10   0.0.0.0           host 192.168.1.10
  An entire /24 subnet                                192.168.1.0    0.0.0.255         (none)
  An entire /16 subnet                                10.10.0.0      0.0.255.255       (none)
  Any IP address                                      0.0.0.0        255.255.255.255   any
  Odd-numbered hosts only (e.g., x.x.x.1, x.x.x.3…)   192.168.1.1    0.0.0.254         (none)

See: Wildcard Masks Explained
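The packet walk in section 4 and the wildcard rules in section 5 can be reproduced in a small simulator. The following Python is an added example written for this page, not code from the page or from Cisco IOS; the function names (wildcard_match, parse_ace, evaluate) are my own, and only the eq port keyword is modelled. It walks the BLOCK_WEB list top-down, applies the inverse-mask semantics of the wildcard table, and falls through to the implicit deny when nothing matches.

```python
"""Simulate top-down, first-match ACL evaluation with wildcard masks and the
implicit deny (added example, not from the page or from IOS)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(packet_ip: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: 0 bits must match, 1 bits are ignored."""
    care = 0xFFFFFFFF ^ ip_int(wildcard)           # inverse of the wildcard
    return (ip_int(packet_ip) & care) == (ip_int(base) & care)


@dataclass
class ACE:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: int | None = None   # only "eq <port>" is modelled here


def _parse_addr(tok: list[str], i: int) -> tuple[str, str, int]:
    """Consume 'any', 'host <ip>' or '<net> <wildcard>' starting at tok[i]."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def parse_ace(line: str) -> ACE:
    """Parse one entry, e.g. '10 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.1 eq 80'.
    A trailing 'log' keyword is accepted and ignored."""
    tok = line.split()
    seq, action, proto = int(tok[0]), tok[1], tok[2]
    src, src_wc, i = _parse_addr(tok, 3)
    dst, dst_wc, i = _parse_addr(tok, i)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return ACE(seq, action, proto, src, src_wc, dst, dst_wc, dport)


def ace_matches(ace: ACE, proto: str, src: str, dst: str, dport: int | None) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if not wildcard_match(src, ace.src, ace.src_wc):
        return False
    if not wildcard_match(dst, ace.dst, ace.dst_wc):
        return False
    return ace.dport is None or ace.dport == dport


def evaluate(acl: list[ACE], proto: str, src: str, dst: str,
             dport: int | None = None) -> tuple[str, int | None]:
    """Return (action, matching seq). Entries are checked in sequence order and the
    first match wins; if nothing matches, the implicit 'deny ip any any' applies (seq None)."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace_matches(ace, proto, src, dst, dport):
            return ace.action, ace.seq
    return "deny", None


# The BLOCK_WEB list from section 4 (the implicit deny is not an entry)
BLOCK_WEB = [parse_ace(l) for l in (
    "10 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.1 eq 80",
    "20 permit ip 192.168.1.0 0.0.0.255 any",
)]

if __name__ == "__main__":
    print(evaluate(BLOCK_WEB, "tcp", "10.0.0.50", "10.0.0.1", 80))     # ('deny', None)
    print(evaluate(BLOCK_WEB, "tcp", "192.168.1.10", "8.8.8.8", 443))   # ('permit', 20)
    print(wildcard_match("192.168.1.7", "192.168.1.1", "0.0.0.254"))   # True (odd host)
```

The same evaluate() call can be run against a deny-only list to see the common mistake from section 4: with no permit entry, every packet ends at the implicit deny.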

6. Creating Named ACLs — Full Syntax

Named ACLs are configured in a dedicated ACL configuration submode. You enter the submode with the ip access-list {standard|extended} <name> command, then add entries one per line. Sequence numbers are optional but strongly recommended.

Standard Named ACL

  Router(config)# ip access-list standard PERMIT_SALES
  Router(config-std-nacl)# 10 permit 192.168.10.0 0.0.0.255
  Router(config-std-nacl)# 20 permit host 192.168.20.5
  Router(config-std-nacl)# 30 deny   any
  Router(config-std-nacl)# exit

  ! Effect: Permit the 192.168.10.0/24 subnet and host 192.168.20.5;
  !         deny all other sources.
  ! (The explicit "deny any" at seq 30 documents the implicit deny — good practice)

Extended Named ACL

  Router(config)# ip access-list extended BLOCK_WEB
  Router(config-ext-nacl)# 10 deny   tcp any host 10.0.0.1 eq 80
  Router(config-ext-nacl)# 20 deny   tcp any host 10.0.0.1 eq 443
  Router(config-ext-nacl)# 30 permit ip  any any
  Router(config-ext-nacl)# exit

  ! Effect: Block HTTP (80) and HTTPS (443) to server 10.0.0.1 from any source;
  !         permit all other traffic.

Extended ACL Entry Syntax — Field by Field

  [seq#] {permit|deny} {protocol} {src-addr} {src-wildcard} {dst-addr} {dst-wildcard} [eq {port}] [log]

  Example:
  10     deny     tcp      192.168.1.0 0.0.0.255  host 10.0.0.5  eq 23  log

  │      │         │        │                      │               │      │
  seq    action  protocol  source network          dest host      Telnet  log matches
  10     deny                                                      (23)

Protocol
  ip (all), tcp, udp, icmp, ospf, eigrp

Source / Destination
  any, host <IP>, or <network> <wildcard>

Port matching (TCP/UDP only)
  eq <port> (equal), neq (not equal), lt (less than), gt (greater than), range <low> <high>

Established (TCP only)
  established — matches TCP packets with ACK or RST set; permits return traffic for existing sessions without a stateful firewall

Log
  log — logs first matched packet every 5 minutes with hit count; log-input also records the ingress interface and source MAC

7. Sequence Numbers — Insert, Delete, and Reorder

Sequence numbers are the defining advantage of named ACLs over numbered ACLs. They give every ACE a position in the list that can be explicitly controlled, allowing surgical editing without disrupting the rest of the policy.

Auto-assignment

If you add entries without specifying a sequence number, IOS auto-assigns them starting at 10 and incrementing by 10. This leaves room for insertion between existing entries later.

  Router(config)# ip access-list extended BLOCK_WEB
  ! The next entry is auto-assigned seq 10:
  Router(config-ext-nacl)# permit tcp any host 10.0.0.1 eq 80
  ! The next entry is auto-assigned seq 20 (last sequence + 10):
  Router(config-ext-nacl)# deny ip any any

Insert a new entry between existing ones

  ! Insert a rule between seq 10 and seq 20:
  Router(config)# ip access-list extended BLOCK_WEB
  Router(config-ext-nacl)# 15 permit icmp any host 10.0.0.1

  ! Result:
  !  10 permit tcp any host 10.0.0.1 eq 80
  !  15 permit icmp any host 10.0.0.1      ← newly inserted
  !  20 deny ip any any

Delete a specific entry by sequence number

  Router(config)# ip access-list extended BLOCK_WEB
  Router(config-ext-nacl)# no 15

  ! Seq 15 is removed; sequences 10 and 20 are unaffected.

Resequence an entire ACL

After many insertions and deletions, sequence numbers can become fragmented (e.g., 10, 11, 12, 15, 27…). Resequencing renumbers all entries cleanly without changing the order or logic:

  Router(config)# ip access-list resequence BLOCK_WEB 10 10
  ! Starts at 10, increments by 10:
  ! Old:  10, 11, 12, 15, 27  →  New: 10, 20, 30, 40, 50

Exam tip: In numbered ACLs, the only way to remove a single entry is to delete the entire ACL with no access-list <number> and re-enter everything. Named ACLs allow removal of a single entry with no <sequence-number> inside ACL submode — one of the most frequently tested distinctions.
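The sequence-number operations above (auto-assignment, insert into a gap, no <seq>, resequence) can be modelled to check what a planned edit will do before typing it on a production router. This Python class is an added example written for this page, not IOS code or code from the page; NamedAcl and its method names are my own, and the duplicate-sequence rejection mirrors IOS refusing an entry whose sequence number already exists.

```python
"""Model of named-ACL sequence-number editing (added example, not IOS code).

Mirrors the CLI behaviour described above: entries added without a sequence
number get (last sequence + 10), starting at 10; an explicit sequence number
places the entry in a gap; 'no <seq>' removes one entry; 'ip access-list
resequence <name> <start> <increment>' renumbers without changing order.
"""
from __future__ import annotations


class NamedAcl:
    """Ordered ACE store keyed by sequence number (hypothetical class name)."""

    def __init__(self, name: str, acl_type: str = "extended") -> None:
        self.name = name
        self.acl_type = acl_type
        self.entries: dict[int, str] = {}  # seq -> ACE text

    def add(self, ace: str, seq: int | None = None) -> int:
        """Add an ACE; return the sequence number it received."""
        if seq is None:
            # IOS auto-assignment: 10 greater than the current last entry
            seq = max(self.entries) + 10 if self.entries else 10
        if seq in self.entries:
            # IOS refuses a duplicate sequence number; the old entry must be
            # removed with 'no <seq>' before a replacement can use that number
            raise ValueError(f"sequence {seq} already exists in {self.name}")
        self.entries[seq] = ace
        return seq

    def delete(self, seq: int) -> None:
        """'no <seq>' inside ACL submode: remove only that entry."""
        if seq not in self.entries:
            raise KeyError(f"no entry with sequence {seq} in {self.name}")
        del self.entries[seq]

    def resequence(self, start: int = 10, step: int = 10) -> None:
        """Renumber every entry, preserving evaluation order."""
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {start + i * step: ace for i, ace in enumerate(ordered)}

    def sequences(self) -> list[int]:
        """Sequence numbers in evaluation order."""
        return sorted(self.entries)

    def render(self) -> str:
        """Running-config style view of the ACL."""
        lines = [f"ip access-list {self.acl_type} {self.name}"]
        lines += [f" {s} {self.entries[s]}" for s in sorted(self.entries)]
        return "\n".join(lines)


def build_block_web() -> NamedAcl:
    """Replay the BLOCK_WEB edits shown above and return the resulting ACL."""
    acl = NamedAcl("BLOCK_WEB")
    acl.add("permit tcp any host 10.0.0.1 eq 80")    # auto: seq 10
    acl.add("deny ip any any")                        # auto: seq 20
    acl.add("permit icmp any host 10.0.0.1", seq=15)  # inserted between 10 and 20
    return acl


def fragmented_example() -> NamedAcl:
    """ACL with the fragmented numbering from the resequence example (10, 11, 12, 15, 27).
    The ACE texts are constructed placeholders."""
    acl = NamedAcl("BLOCK_WEB")
    for seq in (10, 11, 12, 15, 27):
        acl.add(f"permit ip host 10.0.0.{seq} any", seq=seq)
    return acl


if __name__ == "__main__":
    acl = build_block_web()
    print(acl.render())          # entries listed as 10, 15, 20
    acl.delete(15)               # 'no 15'
    frag = fragmented_example()
    frag.resequence(10, 10)      # 'ip access-list resequence BLOCK_WEB 10 10'
    print(frag.sequences())      # [10, 20, 30, 40, 50]
```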

8. Applying Named ACLs

A named ACL does nothing until it is applied somewhere. Cisco IOS supports several application points.

On a Router Interface (most common)

  Router(config)# interface GigabitEthernet0/1
  Router(config-if)# ip access-group BLOCK_WEB in

  ! "in"  = filters packets arriving ON this interface (inbound)
  ! "out" = filters packets leaving FROM this interface (outbound)
  ! One ACL per interface per direction (in and out can both be applied)

Direction decision: Apply in to filter traffic before it is processed by the router (most efficient — drops unwanted packets immediately). Apply out to filter traffic just before it exits the router toward a destination network.

  Inbound ACL:                      Outbound ACL:
  Packet arrives →                  Packet arrives →
  ACL checks (permit / drop) →      Routing decision →
  Routing decision →                ACL checks (permit / drop) →
  Forward                           Forward

On a Layer 3 Switch SVI

  Switch(config)# interface vlan 10
  Switch(config-if)# ip access-group PERMIT_SALES in

On VTY Lines (restrict management access)

  ! Only allow 192.168.100.0/24 to SSH/Telnet into the router:
  Router(config)# ip access-list standard MGMT_ACCESS
  Router(config-std-nacl)# 10 permit 192.168.100.0 0.0.0.255
  Router(config-std-nacl)# exit

  Router(config)# line vty 0 4
  Router(config-line)# access-class MGMT_ACCESS in

  ! Note: VTY lines use "access-class" not "ip access-group"
  !       and standard ACLs only (source IP restriction)

In Route-Maps (for PBR or NAT)

  ! Named ACL used as a match condition in a route-map:
  Router(config)# ip access-list extended VOICE_TRAFFIC
  Router(config-ext-nacl)# 10 permit udp any any range 16384 32767
  Router(config-ext-nacl)# exit

  Router(config)# route-map PBR_VOICE permit 10
  Router(config-route-map)# match ip address VOICE_TRAFFIC
  Router(config-route-map)# set ip next-hop 10.0.0.254

Router/L3 switch interface
  Command:  ip access-group <name> {in|out}
  ACL type: Standard or Extended
  Notes:    One per direction per interface

VTY lines (SSH/Telnet)
  Command:  access-class <name> in
  ACL type: Standard (source IP only)
  Notes:    Controls who can access the device CLI. See: SSH | Telnet

Route-map match clause
  Command:  match ip address <name>
  ACL type: Standard or Extended
  Notes:    Used with PBR, NAT, redistribution

NAT inside/outside
  Command:  ip nat inside source list <name> ...
  ACL type: Standard
  Notes:    Defines which IPs are NATted

See: Applying ACLs | Router-on-a-Stick | Static NAT | Dynamic NAT | SSH Configuration | Telnet

9. Viewing and Verifying Named ACLs

After creating and applying a named ACL, always verify it is correct and taking effect. The hit counters in show access-lists are one of the most powerful diagnostic tools available — they show exactly which rules are being matched.

  Router# show access-lists BLOCK_WEB
  Extended IP access list BLOCK_WEB
      10 deny tcp any host 10.0.0.1 eq 80 (47 matches)   ← 47 packets matched
      15 permit icmp any host 10.0.0.1 (0 matches)
      20 deny ip any any (12 matches)

  Router# show access-lists
  ! (shows ALL ACLs on the device)

  Router# show running-config | section ip access-list
  ! (shows ACL definitions in the running config)

  Router# show ip interface GigabitEthernet0/1
  ! Look for: "Inbound access list is BLOCK_WEB"
  !           "Outbound access list is not set"

show access-lists <name>
  Shows:  All entries with sequence numbers, action, match criteria, and hit counters
  Use it: Primary verification tool — check rules and confirm traffic is matching the intended entries

show access-lists
  Shows:  All ACLs on the device with hit counters
  Use it: Overview of all active ACLs; spot unused or unexpected ACLs

show ip interface <int>
  Shows:  Which ACL name is applied to the interface and in which direction
  Use it: Verify the ACL is applied to the correct interface and correct direction (in/out)

show running-config | section ip access-list
  Shows:  Full ACL definitions as stored in the running config, including sequence numbers
  Use it: Confirm the saved ACL definition matches what you intended; copy for documentation

clear ip access-list counters <name>
  Shows:  Nothing — resets hit counters to zero without modifying the ACL
  Use it: Before a controlled test — reset counters, generate specific traffic, then check counters to confirm which rules fired

See: show running-config | show interfaces | show ip interface brief

10. Complete Configuration Example — End-to-End

A network engineer needs to implement the following policy on Router R1's GigabitEthernet0/1 (connected to the internal 192.168.1.0/24 LAN):

  • Block Telnet (TCP/23) from any source to any destination.
  • Block HTTP (TCP/80) from the 192.168.1.0/24 subnet to the server at 10.10.10.10.
  • Permit all other traffic from 192.168.1.0/24.
  • Deny everything else (implicit, but explicitly documented).

  ! ─── Step 1: Create the named extended ACL ─────────────────────
  R1(config)# ip access-list extended INTERNAL_POLICY

  R1(config-ext-nacl)# 10 deny tcp any any eq 23
  ! Block Telnet from any source to any destination

  R1(config-ext-nacl)# 20 deny tcp 192.168.1.0 0.0.0.255 host 10.10.10.10 eq 80
  ! Block HTTP from 192.168.1.0/24 to server 10.10.10.10

  R1(config-ext-nacl)# 30 permit ip 192.168.1.0 0.0.0.255 any
  ! Permit all other traffic from 192.168.1.0/24

  R1(config-ext-nacl)# 40 deny ip any any
  ! Explicit deny (documents the implicit deny)

  R1(config-ext-nacl)# exit

  ! ─── Step 2: Apply inbound on the LAN-facing interface ─────────
  R1(config)# interface GigabitEthernet0/1
  R1(config-if)# ip access-group INTERNAL_POLICY in
  R1(config-if)# exit

  ! ─── Step 3: Restrict VTY access to admin subnet only ──────────
  R1(config)# ip access-list standard MGMT_ONLY
  R1(config-std-nacl)# 10 permit 192.168.100.0 0.0.0.255
  R1(config-std-nacl)# exit

  R1(config)# line vty 0 4
  R1(config-line)# access-class MGMT_ONLY in
  R1(config-line)# exit

  ! ─── Step 4: Verify ─────────────────────────────────────────────
  R1# show access-lists INTERNAL_POLICY
  R1# show ip interface GigabitEthernet0/1

Placement reasoning: The ACL is applied in on GigabitEthernet0/1 (the LAN interface). Inbound means the router checks traffic as it arrives from the LAN — before routing it onward. This is the extended ACL best-practice placement: close to the source, blocking unwanted traffic before it consumes router resources.

11. Troubleshooting Named ACLs

All traffic blocked — nothing gets through
  Likely cause: ACL consists only of deny entries; implicit deny blocks everything not explicitly permitted
  Diagnose:     Run show access-lists <name> — check that at least one permit entry exists and that it is placed before any deny any

ACL rules have zero hit counters despite live traffic
  Likely cause: ACL not applied to the correct interface or wrong direction; traffic is not traversing this interface
  Diagnose:     Run show ip interface <int> — confirm the ACL name appears as "Inbound access list" or "Outbound access list"; verify traffic path with traceroute

Expected-to-be-blocked traffic still passes
  Likely cause: Deny rule is too broad or too specific; higher-sequence permit rule matches first; ACL applied in wrong direction (in vs out)
  Diagnose:     Check rule order with show access-lists; confirm sequence numbers; verify direction of application; add log keyword to the deny rule to confirm matches

Expected-to-be-permitted traffic is blocked
  Likely cause: A deny rule with a lower sequence number matches before the permit; wildcard mask is incorrect; wrong interface direction
  Diagnose:     Trace the packet through the ACL manually top-down; verify wildcard masks; insert a more specific permit with a lower sequence number if needed

Cannot edit an ACL entry — changes not taking effect
  Likely cause: Not in ACL submode; modifying a numbered ACL with named-ACL syntax; old entry still present with same sequence number
  Diagnose:     Enter ip access-list extended <name> to confirm you are in submode; use no <seq> to remove the old entry before re-adding

VTY access blocked from authorised admin workstation
  Likely cause: Access-class ACL too restrictive or applied to the wrong VTY line range; admin IP not in the permitted range
  Diagnose:     show line vty 0 4 to see applied ACL; verify admin subnet against permit entry wildcard mask; connect via console to correct without losing remote access

The log keyword: Adding log to a deny entry generates a syslog message the first time a packet matches that entry in each 5-minute interval, including the source IP and hit count. This is invaluable for real-time troubleshooting without running a full packet capture. See: Syslog

  ip access-list extended BLOCK_WEB
   10 deny tcp any host 10.0.0.1 eq 80 log
   20 permit ip any any

  ! When a packet hits seq 10:
  %SEC-6-IPACCESSLOGP: list BLOCK_WEB denied tcp 192.168.1.5(49281)
                         -> 10.0.0.1(80), 1 packet

See: Troubleshooting ACL Misconfigurations | debug ip packet | show logging | ping | traceroute
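Once the log keyword is in place, the %SEC-6-IPACCESSLOGP messages are worth collecting rather than just watching, since IOS reports the first hit and then a per-interval count. The following Python parser and per-source summary is an added example written for this page, not code from the page or from Cisco; the log lines in SAMPLE_LOG are constructed (addresses, ports and counts are invented) and the regex covers only the TCP/UDP message form shown above.

```python
"""Parse and summarise Cisco %SEC-6-IPACCESSLOGP messages (added example, not
from the page). Handles the TCP/UDP form shown above; the sample lines below
are constructed, with timestamps in the usual IOS syslog prefix."""
from __future__ import annotations
import re
from collections import defaultdict

# One regex for the TCP/UDP variant: list <ACL> <denied|permitted> <proto>
# <src>(<sport>) -> <dst>(<dport>), <N> packet(s). Any prefix (timestamp,
# sequence number, hostname) is skipped because search() is used.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>tcp|udp) (?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample: two lists with the log keyword, one unrelated message
SAMPLE_LOG = """\
*Mar  1 00:12:34.567: %SEC-6-IPACCESSLOGP: list BLOCK_WEB denied tcp 192.168.1.5(49281) -> 10.0.0.1(80), 1 packet
*Mar  1 00:17:34.570: %SEC-6-IPACCESSLOGP: list BLOCK_WEB denied tcp 192.168.1.5(49282) -> 10.0.0.1(80), 4 packets
*Mar  1 00:18:02.101: %SEC-6-IPACCESSLOGP: list INTERNAL_POLICY denied tcp 192.168.1.77(51000) -> 203.0.113.9(23), 1 packet
*Mar  1 00:18:09.410: %SEC-6-IPACCESSLOGP: list INTERNAL_POLICY denied tcp 192.168.1.77(51001) -> 203.0.113.10(23), 2 packets
*Mar  1 00:19:00.000: %SEC-6-IPACCESSLOGP: list BLOCK_WEB permitted tcp 192.168.1.8(40000) -> 10.0.0.1(443), 1 packet
*Mar  1 00:20:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.100.7)
"""


def parse_line(line: str) -> dict | None:
    """Return the message fields as a dict, or None for lines of other types."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def summarize_denies(lines) -> dict[tuple[str, str], dict]:
    """Aggregate denied packets per (ACL, source IP): total count and the
    distinct (dst, dport) targets. Counts are as reported by IOS, which
    summarises hits per 5-minute interval after the first logged packet."""
    packets: dict[tuple[str, str], int] = defaultdict(int)
    targets: dict[tuple[str, str], set] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "denied":
            continue
        key = (rec["acl"], rec["src"])
        packets[key] += rec["count"]
        targets[key].add((rec["dst"], rec["dport"]))
    return {k: {"packets": packets[k], "targets": sorted(targets[k])} for k in packets}


def summarize_sample() -> dict[tuple[str, str], dict]:
    """Run the summary over the constructed sample log."""
    return summarize_denies(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for (acl, src), info in sorted(summarize_sample().items()):
        print(f"{acl:16} {src:15} denied={info['packets']} targets={info['targets']}")
```

Feeding real show logging output through summarize_denies() gives, per list and source, the same picture the hit counters give per entry, but attributed to the host that generated the traffic.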

12. Limitations and Considerations

IOS version requirement
  Named ACLs require Cisco IOS 12.0(1) or later. All modern enterprise and home-lab platforms support them.

Case sensitivity
  ACL names may be case-sensitive on some platforms. Be consistent — use all uppercase by convention to avoid ambiguity (e.g., BLOCK_WEB not block_web).

One ACL per interface per direction
  You can apply one ACL inbound and one ACL outbound on the same interface — but not two ACLs inbound on the same interface. Combine rules into a single ACL if multiple policies are needed in the same direction.

Reflexive ACLs
  Named extended ACLs support reflexive ACL entries (reflect / evaluate keywords) to dynamically permit return traffic — a stateless approximation of stateful inspection.

Time-based ACLs
  Named ACLs support the time-range keyword to only apply a rule during specified time windows — useful for scheduled maintenance windows or business-hours policies.

Performance
  ACLs are evaluated top-down for every packet that crosses the interface in the filtered direction, stopping at the first match. Place the most frequently matched entries near the top (lowest sequence numbers) to minimise CPU overhead on high-traffic interfaces.

13. Best Practices

  • Use descriptive UPPERCASE names with underscores: BLOCK_TELNET_EXTERNAL, PERMIT_ADMIN_SSH, DENY_ROGUE_HOSTS.
  • Always use sequence numbers — start at 10, increment by 10. Leave gaps for future insertions.
  • Place the most specific rules first (lowest sequence numbers) and the most general rules last. A broad permit ip any any at the top defeats the purpose of the ACL.
  • Include an explicit deny ip any any log as the last entry to document the implicit deny and generate logs when traffic hits it.
  • Test in a lab or at a low-traffic time before applying to production interfaces. An ACL error can silently drop legitimate traffic.
  • Always apply the ACL to the correct direction — inbound on the source-facing interface for extended ACLs; close to the destination for standard ACLs.
  • Use show access-lists and hit counters to validate your policy is matching the traffic you intend.
  • Document the business reason for each ACL using Cisco IOS remark entries: 10 remark Block Telnet per security policy SR-2024-01

14. Summary Reference Table

  Topic                               Named ACL detail
  Create standard named ACL           ip access-list standard <name>
  Create extended named ACL           ip access-list extended <name>
  Add an entry with sequence number   10 permit tcp 192.168.1.0 0.0.0.255 any eq 80
  Insert between existing entries     Use a sequence number in the gap: 15 deny icmp any any
  Delete a specific entry             no <sequence-number> in ACL submode
  Resequence all entries              ip access-list resequence <name> <start> <increment>
  Apply to interface                  ip access-group <name> {in|out}
  Apply to VTY lines                  access-class <name> in
  Verify rules and hits               show access-lists <name>
  Verify interface application        show ip interface <int>
  Reset hit counters                  clear ip access-list counters <name>
  Implicit deny                       Always present at the end of every ACL — not shown in output; blocks all unmatched traffic

Named ACLs Quiz

1. What is the primary operational advantage of Named ACLs over Numbered ACLs?

Correct answer is C. The defining advantage of named ACLs is incremental editing via sequence numbers. With a numbered ACL, if you need to insert a rule between entries 3 and 4, you must delete the entire ACL with no access-list <number> and re-enter every rule in the correct order — a disruptive and error-prone process, especially on a production interface. Named ACLs allow you to enter ACL submode and simply add an entry with a sequence number between the existing ones (e.g., 15 deny tcp any any eq 23 between seq 10 and seq 20). You can also remove a single entry with no 15 without touching anything else.

2. What is the correct IOS command to begin configuring a standard named ACL called "PERMIT_SALES"?

Correct answer is B. Named ACLs use a two-step process: first the ip access-list {standard|extended} <name> command in global configuration mode creates the ACL and enters the ACL configuration submode (prompt changes to Router(config-std-nacl)#). Then individual permit and deny entries are entered one per line, optionally prefixed with sequence numbers. The old-style access-list <number> ... syntax creates numbered ACLs directly in global config mode and does not support submode editing.

3. An extended named ACL has entries at sequence numbers 10, 20, and 30. A network engineer needs to add a new permit rule that must be evaluated between the existing entries at 20 and 30. What is the correct approach?

Correct answer is D. Enter the named ACL submode with ip access-list extended <name> and add the new entry with any sequence number between 20 and 30, for example: 25 permit tcp 192.168.1.0 0.0.0.255 any eq 443. IOS maintains entries in sequence-number order, so seq 25 will be evaluated after seq 20 and before seq 30 automatically. Adding a rule without a sequence number (option C) would append it after seq 30 — not insert it between 20 and 30. This is the critical difference from numbered ACLs where options A and B would be the only approaches available.

4. Which command applies the named ACL "BLOCK_WEB" as an inbound filter on interface GigabitEthernet0/1?

Correct answer is A. To apply any ACL (named or numbered) to a router or Layer 3 switch interface, the command is ip access-group <name> {in|out} entered in interface configuration mode. The in keyword filters packets arriving on the interface (from the connected network toward the router); out filters packets leaving the interface (from the router toward the connected network). Importantly, option D uses access-class — which is correct syntax, but only for VTY line access control (SSH/Telnet), not for data traffic on a routed interface.

5. Inside a named ACL configuration, how do you remove the specific entry at sequence number 15?

Correct answer is C. From within the named ACL submode (entered with ip access-list extended <name>), the command no <sequence-number> removes only that specific entry. For example: Router(config-ext-nacl)# no 15 deletes the entry at sequence 15 while leaving sequences 10, 20, 30 intact. This is the key surgical editing capability that makes named ACLs superior to numbered ACLs — with a numbered ACL, the only way to remove a single entry is no access-list <number>, which deletes the entire ACL.

6. Which command displays the entries, sequence numbers, and hit counters for a named ACL called BLOCK_WEB?

Correct answer is B. show access-lists <name> is the primary ACL verification command. Its output shows each ACE with its sequence number, action (permit/deny), match criteria (protocol, source, destination, port), and the hit counter in parentheses — e.g., 10 deny tcp any host 10.0.0.1 eq 80 (47 matches). A zero hit counter on an entry you expect to be firing is a key troubleshooting signal that traffic is not reaching this ACL, the ACL is applied in the wrong direction, or a higher entry is matching first. Hit counters can be reset with clear ip access-list counters <name>.

7. Which of the following is NOT a genuine advantage of Named ACLs compared to Numbered ACLs?

Correct answer is D. Named ACLs are packet filtering tools — they inspect packets and permit or deny them based on Layer 3 and Layer 4 header fields. They have no involvement in, and no effect on, routing path selection. Routing decisions are made by the routing table (built by static routes or dynamic routing protocols like OSPF, EIGRP, or BGP). ACLs and routing are entirely separate functions: an ACL can drop a packet destined for a network the router knows how to reach, but it cannot influence which interface or next-hop the router chooses for that network.

8. A named ACL has entries at seq 10 and seq 20. After many edits, the sequence numbers have become fragmented (10, 11, 12, 13, 20). Which command renumbers all entries cleanly starting at 10, incrementing by 10?

Correct answer is A. The ip access-list resequence <name> <starting-seq> <increment> command renumbers all entries in the named ACL without changing their order or match criteria. For example, ip access-list resequence BLOCK_WEB 10 10 takes entries at 10, 11, 12, 13, 20 and renumbers them to 10, 20, 30, 40, 50. The ACL behaviour is completely unchanged — only the sequence numbers are updated to restore clean spacing for future insertions. This is typically run after a series of edits that have compressed the available sequence number gaps.

9. A named ACL is applied to VTY lines 0–4. Which command applies the standard named ACL "MGMT_ACCESS" to restrict inbound SSH and Telnet access?

Correct answer is B. VTY line access control uses a completely different command from interface-level ACL application. Under line vty 0 4 configuration mode, the command is access-class <name> in. Only standard ACLs (matching on source IP) are supported for VTY access control. The in direction means the source IP of incoming SSH or Telnet sessions is checked against the ACL — if the source IP is not permitted, the connection is refused. This is critical for securing management access: without a VTY ACL, any IP address that can route to the router's management IP can attempt to log in.

10. An engineer creates a named extended ACL with only two deny statements and no permit statements, then applies it inbound on the WAN interface. What is the effect on traffic?

Correct answer is C. Every ACL — named or numbered, standard or extended — ends with an implicit deny ip any any that is invisible in show access-lists output but is always evaluated. An ACL containing only deny statements will block the specific traffic matched by those statements AND then block everything else via the implicit deny — effectively permitting nothing at all. This is one of the most dangerous and common ACL mistakes. The fix is to add an explicit permit ip any any at the end (a high sequence number) if the intent is only to block specific traffic and allow everything else. Always ask: "What does this ACL do to traffic that matches none of the explicit rules?" The answer is always: drops it silently.
