Standard and Extended ACLs – Detailed Explanation

1. What Is an Access Control List (ACL)?

An Access Control List (ACL) is an ordered set of rules applied to a router or switch interface that controls whether packets are permitted or denied as they pass through the device. ACLs are one of the most fundamental security tools in Cisco IOS and appear throughout the CCNA exam.

  • Purpose: Filter traffic to enhance security, restrict access to resources, limit unwanted traffic, and enforce network policies
  • Applied to: Physical interfaces (inbound or outbound), VTY lines (for management access control), NAT translations, route redistribution filters, and more
  Packet arrives at Router Interface
           |
           v
  [ACL Applied Inbound?] --YES--> Check Rule 1
           |                          |
           NO                     Match? --> Apply (permit/deny)
           |                          |
           v                     No match --> Check Rule 2
  Routing/Forwarding                 |
                                No match --> ... --> Implicit Deny All
    

Related pages: Applying ACLs | Named ACLs | Wildcard Masks | Firewalls | Static NAT | ACL Overview | show running-config | show ip interface brief | SSH | Telnet | Step-by-Step: Standard ACL Config | Step-by-Step: Extended ACL Config

2. How ACLs Process Traffic

Understanding ACL processing logic is critical for both the exam and correct deployment:

  • Packets are checked sequentially against each rule from top to bottom
  • The first matching rule is applied — the router stops checking further rules for that packet
  • If no rule matches, the implicit deny at the end of every ACL (deny any for a standard list, deny ip any any for an extended list) discards the packet. The drop produces no log entry; by default the router does return an ICMP destination-unreachable (administratively prohibited) to the sender unless no ip unreachables is configured on the interface
  • The implicit deny is invisible in the configuration but always present — you must explicitly permit traffic you want to allow
  • Order matters: more specific rules must precede broader rules or the broader rule will match first

⚠️ Common Mistake: If you add a deny rule but forget a permit any at the end, all other traffic will be blocked by the implicit deny — even traffic you didn't intend to affect.
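The processing rules above (top-to-bottom, first match wins, implicit deny) are easy to state and easy to get wrong in practice. The following Python evaluator is an added example, not code from the original page or from Cisco: it parses the subset of IOS ACL syntax used on this page (permit/deny, host/any/"network wildcard" address specs, and the eq/gt/lt/range port operators that extended entries use later on the page) and walks a list exactly the way the bullets describe. The packets, addresses and ACL contents in demo() are constructed for illustration.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Added example (not code from the original page): a first-match ACL
# evaluator that follows the IOS processing rules. Entry syntax is the subset
# used on this page; all packets in demo() are constructed.

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
ANY = ("0.0.0.0", "255.255.255.255")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"      # tcp | udp | icmp | ip
    sport: int = 0
    dport: int = 0


@dataclass
class Entry:
    action: str                  # permit | deny
    src: tuple                   # (network, wildcard)
    proto: str | None = None     # None => standard-ACL entry (source only)
    sport: tuple | None = None   # inclusive (low, high) or None = any port
    dst: tuple | None = None
    dport: tuple | None = None
    text: str = ""
    matches: int = 0             # hit counter, like show access-lists


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)


def _addr(t: list[str], i: int):
    """Consume one address spec at t[i]; return ((network, wildcard), next)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2


def _port(t: list[str], i: int):
    """Consume an optional eq/gt/lt/range operator; return (range, next)."""
    if i >= len(t) or t[i] not in ("eq", "gt", "lt", "range"):
        return None, i
    op, n = t[i], int(t[i + 1])
    if op == "eq":
        return (n, n), i + 2
    if op == "gt":
        return (n + 1, 65535), i + 2
    if op == "lt":
        return (0, n - 1), i + 2
    return (n, int(t[i + 2])), i + 3


def parse_entry(line: str) -> Entry:
    """Parse one statement (without the leading 'access-list N')."""
    t = line.split()
    if t[1] in PROTOCOLS:                     # extended syntax
        src, i = _addr(t, 2)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, _ = _port(t, i)
        return Entry(t[0], src, t[1], sport, dst, dport, line)
    src, _ = _addr(t, 1)                      # standard syntax: source only
    return Entry(t[0], src, text=line)


def _in_range(port: int, rng) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def entry_matches(e: Entry, p: Packet) -> bool:
    if not wildcard_match(p.src, *e.src):
        return False
    if e.proto is None:                       # standard ACL: nothing else checked
        return True
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not wildcard_match(p.dst, *e.dst):
        return False
    if (e.sport or e.dport) and p.proto not in ("tcp", "udp"):
        return False
    return _in_range(p.sport, e.sport) and _in_range(p.dport, e.dport)


def evaluate(acl: list[Entry], p: Packet) -> str:
    """Top to bottom, first match wins; no match hits the invisible deny."""
    for e in acl:
        if entry_matches(e, p):
            e.matches += 1
            return e.action
    return "deny"                             # implicit deny any any


def demo() -> dict:
    acl_110 = [parse_entry(s) for s in (
        "permit tcp 192.168.1.0 0.0.0.255 any eq 80", "deny ip any any")]
    acl_10 = [parse_entry(s) for s in ("deny host 192.168.1.100", "permit any")]
    # Ordering mistake: the broad permit shadows the specific deny below it.
    bad_order = [parse_entry(s) for s in (
        "permit ip 192.168.1.0 0.0.0.255 any",
        "deny tcp host 192.168.1.100 any eq 23")]
    web = Packet("192.168.1.10", "203.0.113.5", "tcp", 51000, 80)
    dns = Packet("192.168.1.10", "203.0.113.53", "udp", 51001, 53)
    telnet = Packet("192.168.1.100", "203.0.113.5", "tcp", 51002, 23)
    return {
        "110/web": evaluate(acl_110, web),          # permit
        "110/dns": evaluate(acl_110, dns),          # deny: only HTTP is permitted
        "10/telnet": evaluate(acl_10, telnet),      # deny: blocked host
        "10/web": evaluate(acl_10, web),            # permit
        "bad/telnet": evaluate(bad_order, telnet),  # permit: deny never reached
        "bad/deny_hits": bad_order[1].matches,      # 0: that deny is dead
        "empty/web": evaluate([], web),             # deny: implicit deny only
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>14}: {v}")
```

The bad_order list is the ordering mistake from the bullets: the specific deny sits below a broader permit, so its hit counter stays at zero no matter how much Telnet traffic passes. That zero counter is the same symptom show access-lists would show on a real router.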

3. Standard ACLs

Standard ACLs are the simplest form of ACL — they filter traffic based only on the source IP address.

  • Filter criteria: Source IP address only — cannot filter by destination, protocol, or port
  • Use when: You need to block or allow entire subnets or specific hosts, regardless of where they're going or what protocol they're using
  • Placement rule: Place standard ACLs close to the destination — because they only filter on source IP, placing them near the source would block traffic to all destinations, not just the one you want to restrict
Number Ranges: 1–99 and 1300–1999
Named format: ip access-list standard <name>

4. Extended ACLs

Extended ACLs provide granular, multi-criteria filtering on source IP, destination IP, protocol (IP, TCP, UDP, ICMP), and source/destination port numbers.

  • Filter criteria: Source IP, destination IP, protocol, source port, destination port — any combination
  • Use when: You need to allow or block specific types of traffic between specific hosts or subnets (e.g., allow HTTP to a web server but block Telnet)
  • Placement rule: Place extended ACLs close to the source — this stops unwanted traffic early and prevents it from consuming bandwidth through the network
Number Ranges: 100–199 and 2000–2699
Named format: ip access-list extended <name>

5. ACL Numbering and Naming

Type            | Number Range           | Example
----------------|------------------------|--------------------------------------------
Standard        | 1–99 and 1300–1999     | access-list 10 permit 192.168.1.0 0.0.0.255
Extended        | 100–199 and 2000–2699  | access-list 110 permit tcp any any eq 80
Named Standard  | N/A — use name         | ip access-list standard BLOCK_HOST
Named Extended  | N/A — use name         | ip access-list extended ALLOW_HTTP_ONLY

Named ACLs are strongly preferred in modern deployments because individual entries can be inserted or removed by sequence number without recreating the entire list. Current IOS releases offer the same sequence-number editing for numbered ACLs by entering ip access-list standard 10 (or ip access-list extended 110) configuration mode; the classic access-list 10 ... command itself only ever appends to the end of the list.

6. Wildcard Masks

Wildcard masks specify which bits of an IP address to match. They are the inverse of subnet masks:

  • 0 bit = must match exactly (this bit is checked)
  • 1 bit = don't care (this bit is ignored)
Subnet Mask      | Wildcard Mask    | Matches             | ACL Example
-----------------|------------------|---------------------|-------------------------------------------
255.255.255.255  | 0.0.0.0          | Exact host match    | permit 192.168.1.10 0.0.0.0 (or use host)
255.255.255.0    | 0.0.0.255        | All hosts in a /24  | permit 192.168.1.0 0.0.0.255
255.255.0.0      | 0.0.255.255      | All hosts in a /16  | permit 10.10.0.0 0.0.255.255
0.0.0.0          | 255.255.255.255  | Any IP address      | permit any (shorthand)
Shorthand keywords:
host 192.168.1.10 = 192.168.1.10 0.0.0.0 (exact match)
any = 0.0.0.0 255.255.255.255 (matches everything)

For more detail, see Wildcard Masks.
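Wildcard arithmetic is mechanical but easy to fumble by hand, so here is an added Python example (not code from the original page or from Cisco) that does the conversions in the table above and goes a little beyond it: it checks whether a wildcard is contiguous (corresponds to a prefix), zeroes the don't-care bits the way IOS does when it stores an entry, and turns an arbitrary address range into the minimal set of ACL address specs. The addresses in the usage section are constructed.

```python
import ipaddress

# Added example (not code from the original page): wildcard-mask arithmetic.
# Helper names and sample addresses are assumptions made for illustration.

FULL = 0xFFFFFFFF


def _int(a: str) -> int:
    return int(ipaddress.IPv4Address(a))


def _str(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def subnet_to_wildcard(mask: str) -> str:
    """Bitwise inverse: 255.255.255.0 -> 0.0.0.255."""
    return _str(_int(mask) ^ FULL)


def wildcard_to_subnet(wildcard: str) -> str:
    """The same inversion in the other direction."""
    return _str(_int(wildcard) ^ FULL)


def is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is 0...01...1, i.e. it corresponds to a prefix."""
    w = _int(wildcard)
    return (w + 1) & w == 0


def normalize(network: str, wildcard: str) -> str:
    """Zero the don't-care bits, as IOS does when it stores the entry."""
    return _str(_int(network) & ~_int(wildcard) & FULL)


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """0 bit must match, 1 bit is ignored."""
    a, n, w = _int(addr), _int(network), _int(wildcard)
    return (a | w) == (n | w)


def acl_address(network: str) -> str:
    """Render a CIDR network as an ACL address spec, using host/any shorthand."""
    net = ipaddress.IPv4Network(network, strict=False)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    if net.prefixlen == 0:
        return "any"
    return f"{net.network_address} {net.hostmask}"   # hostmask is the wildcard


def range_to_acl(first: str, last: str) -> list:
    """Minimal list of address specs covering first..last inclusive."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [acl_address(str(b)) for b in blocks]


def matching_hosts(network: str, wildcard: str, candidates: list) -> list:
    """Which of the candidate addresses an entry 'network wildcard' would match."""
    return [c for c in candidates if wildcard_match(c, network, wildcard)]


if __name__ == "__main__":
    print(subnet_to_wildcard("255.255.240.0"))                 # 0.0.15.255
    print(range_to_acl("192.168.1.0", "192.168.3.255"))        # two entries, not three
    # Non-contiguous wildcard: 0.0.0.254 pins only the lowest bit, so it
    # selects the odd hosts of a /24. Valid in IOS, but rarely what you want.
    odd = matching_hosts("192.168.1.1", "0.0.0.254",
                         [f"192.168.1.{i}" for i in range(1, 9)])
    print(odd, is_contiguous("0.0.0.254"))
```

Two things worth noticing from running it: a three-subnet range does not need three entries when two of the /24s align into a /23, and a wildcard with a zero in a low bit position matches scattered hosts, which is why reviewers should check is_contiguous on any wildcard they have not seen before.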

7. ACL Placement and Direction

ACL Type      | Ideal Placement          | Direction                                                  | Why
--------------|--------------------------|------------------------------------------------------------|---------------------------------------------------------------
Standard ACL  | Close to the destination | Typically outbound on the interface facing the destination network (as in the section 8 example) | Filters only on source IP; placing it near the source would block traffic to all destinations, not just the one you want to restrict
Extended ACL  | Close to the source      | Inbound on the interface facing the source network         | Can filter precisely, so it stops unwanted traffic at the entry point and saves bandwidth across the rest of the network

Each interface can have one inbound and one outbound ACL per protocol (one inbound and one outbound IPv4 ACL, for example). Inbound ACLs are evaluated before the routing decision; outbound ACLs are evaluated after it. Outbound ACLs do not filter traffic the router itself originates, so they cannot be used to restrict the router's own management or routing-protocol traffic. See Applying ACLs for full placement guidance.

8. ACL Configuration Examples

Standard ACL — Block a Single Host

! Block host 192.168.1.100, permit everything else
Router(config)# access-list 10 deny host 192.168.1.100
Router(config)# access-list 10 permit any
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip access-group 10 out

Extended ACL — Allow HTTP Only from a Subnet

! Allow HTTP (port 80) from 192.168.1.0/24 to anywhere; block everything else
Router(config)# access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 80
Router(config)# access-list 110 deny ip any any
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip access-group 110 in

Named Extended ACL — Block Telnet Network-Wide

Router(config)# ip access-list extended BLOCK_TELNET
Router(config-ext-nacl)# deny tcp any any eq 23
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip access-group BLOCK_TELNET in

Allow SSH from Management Subnet to a Server Only

Router(config)# access-list 120 permit tcp 10.0.0.0 0.0.0.255 host 192.168.2.100 eq 22
Router(config)# access-list 120 deny ip any any
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip access-group 120 in

9. Protocols and Ports in Extended ACLs

Protocol Keyword | Common Ports / Use                                          | Example
-----------------|-------------------------------------------------------------|---------------------------
tcp              | HTTP (80), HTTPS (443), SSH (22), Telnet (23), FTP (20/21)  | permit tcp any any eq 443
udp              | DNS (53), DHCP (67/68), SNMP (161/162), TFTP (69)           | permit udp any any eq 53
icmp             | Ping (echo/echo-reply), traceroute (time-exceeded)          | permit icmp any any echo
ip               | All IP traffic (any protocol)                               | permit ip any any

Port operators: eq (equals), gt (greater than), lt (less than), neq (not equal), range (port range)

! Permit only HTTPS
access-list 130 permit tcp any any eq 443

! Permit a range of destination ports (e.g., a passive FTP data range).
! 1024-65535 is very broad; use the server's configured passive range where it is known.
access-list 130 permit tcp any any range 1024 65535

10. Verifying ACLs

Router# show access-lists           ! All ACLs with match counters
Router# show access-lists 10        ! Specific ACL by number
Router# show ip interface Gi0/0     ! Shows which ACL is applied to interface and direction
Router# show running-config | include access  ! ACL lines in running config

The show access-lists command shows match counters — how many packets have matched each rule. These are invaluable for verifying that rules are working correctly and for identifying which rules are being hit in production. To confirm which ACL is applied to an interface and in which direction, use show ip interface <int> or show running-config; note that show ip interface brief only lists interface addresses and status and does not show ACLs.

11. ACL Best Practices

  • Order rules carefully: Specific rules before broad rules — once a broad rule matches, specific rules below it are never reached
  • Always end with explicit permit or deny: Rely on the implicit deny only deliberately; add deny ip any any log to log dropped packets for troubleshooting
  • Use named ACLs for all complex or frequently edited lists — allows adding/removing entries by sequence number
  • Document each entry with remarks: access-list 110 remark Allow HTTP from Sales VLAN
  • Test in a lab before deploying to production — an incorrect ACL can lock you out of a device
  • Review regularly as network requirements change — obsolete rules are a source of security risk and troubleshooting confusion
  • Remove unused ACLs, and never apply a list that consists only of deny entries: combined with the implicit deny it blocks everything
  • Log denied traffic with deny ip any any log and review it via syslog or show logging; IOS throttles ACL log messages by default, so treat the counters from show access-lists as the authoritative hit counts
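Regular review of match counters (sections 10 and 11) is easier when it is scripted. The following Python parser is an added example, not code from the original page or from Cisco: it reads show access-lists output in the format IOS prints (list header, then sequence-numbered entries with an optional "(N matches)" suffix) and flags entries that have never been hit, lists that end in a blanket permit, and lists whose last entry is not an explicit deny (so the unlogged implicit deny is doing the work). The sample output, ACL names and counters in SAMPLE are constructed.

```python
import re

# Added example (not code from the original page): audit helper for
# "show access-lists" output. SAMPLE is constructed in the IOS output format;
# the names, entries and counters in it are invented for illustration.

SAMPLE = """\
Standard IP access list 10
    10 deny   192.168.1.100
    20 permit any (17 matches)
Extended IP access list 110
    10 permit tcp 192.168.1.0 0.0.0.255 any eq www (1523 matches)
    20 deny ip any any (42 matches)
Extended IP access list BLOCK_TELNET
    10 deny tcp any any eq telnet
    20 permit ip any any (98034 matches)
"""

HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)$")
ENTRY = re.compile(
    r"^\s+(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?$")


def parse_show_access_lists(text: str) -> dict:
    """Return {acl_name: {"type": ..., "entries": [...]}} from the CLI output."""
    acls, current = {}, None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            current = acls.setdefault(
                h.group(2), {"type": h.group(1).lower(), "entries": []})
            continue
        e = ENTRY.match(line)
        if e and current is not None:
            seq, action, criteria, hits = e.groups()
            current["entries"].append({
                "seq": int(seq),
                "action": action,
                "criteria": " ".join(criteria.split()),   # collapse IOS padding
                "matches": int(hits or 0),                # no suffix => 0 hits
            })
    return acls


def _is_any(criteria: str) -> bool:
    """True for 'any' (standard) or 'ip any any' (extended), ignoring log flags."""
    toks = [t for t in criteria.split() if t not in ("log", "log-input")]
    return toks in (["any"], ["ip", "any", "any"])


def audit(acls: dict) -> list:
    """Findings as (acl_name, finding, sequence_number) tuples."""
    findings = []
    for name, acl in acls.items():
        entries = acl["entries"]
        if not entries:
            findings.append((name, "empty", None))
            continue
        for e in entries:
            if e["matches"] == 0:          # never hit: obsolete, or shadowed
                findings.append((name, "zero-hits", e["seq"]))
        last = entries[-1]
        if last["action"] == "permit" and _is_any(last["criteria"]):
            findings.append((name, "ends-with-permit-any", last["seq"]))
        elif not (last["action"] == "deny" and _is_any(last["criteria"])):
            findings.append((name, "no-explicit-final-deny", last["seq"]))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_access_lists(SAMPLE)):
        print(finding)
```

A zero-hit deny is not automatically wrong (nobody may have tried Telnet yet), but it is exactly the symptom of a shadowed entry, so every zero-hits finding deserves a look at the entries above it. The ends-with-permit-any finding is informational: it identifies the deny-list style ACLs whose security depends entirely on the specific deny entries above the permit being correct.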

12. Advanced ACL Types

Type                        | What It Does                                                                                                  | Use Case
----------------------------|---------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------
Reflexive ACL               | Automatically creates temporary inbound permit entries matching return traffic for sessions initiated from inside | Stateful-like filtering when a stateful firewall is not available
Time-Based ACL              | Enforces permit/deny rules only during specified time ranges                                                  | Block social media during business hours; restrict maintenance windows. See NTP for accurate time
Dynamic ACL (Lock and Key)  | Grants temporary access after a user authenticates (Telnet + auth)                                            | Remote access without a VPN for legacy environments

13. Summary Table

Aspect            | Standard ACL                                    | Extended ACL                                    | Named ACL
------------------|-------------------------------------------------|-------------------------------------------------|--------------------------------------------
Filter Criteria   | Source IP only                                  | Src/Dst IP, protocol, port                      | Either type (same criteria)
Number Range      | 1–99, 1300–1999                                 | 100–199, 2000–2699                              | N/A (uses name)
Placement         | Close to destination                            | Close to source                                 | Depends on logic
Common Use        | Block a subnet or host broadly                  | Precise per-service control                     | Large/frequently edited lists
Edit Flexibility  | Delete and recreate (classic numbered syntax)   | Delete and recreate (classic numbered syntax)   | Edit individual entries by sequence number
Implicit Deny     | All types: unmatched traffic is blocked without a log entry; the implicit deny is always present
Verification      | All types: show access-lists, show ip interface <int>

Standard and Extended ACLs Quiz

1. What is the primary purpose of an Access Control List (ACL)?

Correct answer is C. ACLs are ordered rule sets applied to router interfaces (or VTY lines, NAT, etc.) that control whether packets are permitted or denied. They are a fundamental security and traffic management tool, used for everything from management access restriction to network segmentation.

2. What does a standard ACL filter on?

Correct answer is D. Standard ACLs filter traffic solely based on the source IP address. They cannot filter by destination IP, protocol type, or port number. This limitation is why they should be placed close to the destination — to avoid accidentally blocking traffic to unintended destinations.

3. What is the key functional difference between standard and extended ACLs?

Correct answer is A. Extended ACLs match on source IP, destination IP, IP protocol (TCP/UDP/ICMP/IP), source port, and destination port — enabling precise per-service control. Standard ACLs match only on source IP. Both types can be numbered or named. Both support logging with the log keyword.

4. Which number ranges are used for standard ACLs?

Correct answer is B. Standard ACLs use the number ranges 1–99 and 1300–1999. Extended ACLs use 100–199 and 2000–2699. Cisco IOS determines the ACL type from the number — so using 10 automatically creates a standard ACL, while using 110 creates an extended ACL.

5. What does a wildcard mask of 0.0.0.255 mean when used in an ACL?

Correct answer is D. In wildcard masks, 0 = must match, 1 = don't care. The mask 0.0.0.255 means: match the first three octets exactly (0.0.0 = check these bits), and ignore the last octet (255 = don't care). So 192.168.1.0 0.0.0.255 matches all hosts in 192.168.1.0/24.

6. Where should standard ACLs ideally be placed in the network?

Correct answer is C. Standard ACLs filter only on source IP. If placed near the source, they would block the source from reaching all destinations, not just the intended one. Placing them near the destination ensures only the specific destination is protected while the source can still reach other network resources.

7. Which command shows all configured ACLs and their packet match counters?

Correct answer is A. show access-lists displays all ACLs with the number of packets that have matched each rule (hit counts). This is essential for verifying that ACLs are working correctly. Use show ip interface <int> to see which ACL is applied to a specific interface and in which direction.

8. Which ACL type can filter by both source/destination IP AND protocol and port numbers?

Correct answer is B. Extended ACLs provide granular control matching on source IP, destination IP, IP protocol (TCP/UDP/ICMP/IP), source port, and destination port. This allows policies like "permit TCP from 10.0.0.0/24 to host 192.168.1.100 port 443 only" — precise enough for real enterprise security policies.

9. What happens to a packet that does not match any rule in an ACL?

Correct answer is D. Every ACL in Cisco IOS ends with an invisible, implicit deny (deny any for standard lists, deny ip any any for extended lists). Any packet that does not match an explicit rule is dropped without a log entry; by default the router does send the source an ICMP destination-unreachable (administratively prohibited) unless no ip unreachables is configured on the interface. This is why forgetting to add permit any or permit ip any any at the end of an ACL can accidentally block all traffic.

10. What is the best practice for ordering ACL statements?

Correct answer is C. ACLs use first-match processing. If a broad rule (e.g., permit ip any any) appears before a specific deny rule, the broad rule will match first and the specific deny will never be reached. Specific rules must precede the general rules they are exceptions to. For example: deny a specific host first, then permit the subnet.
