Learning hub

Access Control Lists (ACLs)

Access control lists (ACLs) are the ordered permit/deny rules Cisco IOS uses to filter IPv4 traffic and to identify traffic for other features. This hub ties together the standard, extended, named, and VTY access-class guides, the ACL command cheat sheet, and the hands-on graded labs so you can move from concept to a working, verified filter.

An ACL is an ordered list of permit and deny statements that the router evaluates top-down, stopping at the first match. Every ACL ends with an invisible implicit "deny any," so a list that permits nothing drops everything. ACLs earn their place on the CCNA because they are the foundation of IOS traffic filtering and because the same syntax reappears well beyond security: identifying "interesting traffic" for NAT, classifying packets for QoS, and locking down device management. Master the matching and placement logic here and you carry it into several other exam topics.

The central distinction is standard versus extended. A standard ACL matches the source IPv4 address only (numbered 1-99, with 1300-1999 as the expanded range), so it belongs as close to the destination as possible to avoid unintentionally blocking traffic the source should still reach. An extended ACL matches source and destination address plus protocol and port, giving surgical control, so it belongs as close to the source as possible to drop unwanted packets before they cross the network. The standard-ACL and extended-ACL guides walk each type end to end with worked examples; internalize the rule "standard near the destination, extended near the source" and a large share of exam questions answer themselves.

Two supporting ideas make ACLs practical. Wildcard masks control which address bits are checked: a 0 bit means "must match," a 1 bit means "ignore," and the shortcuts host (wildcard 0.0.0.0) and any (0.0.0.0 255.255.255.255) save typing and prevent mistakes. Named ACLs, covered in the named-ACL guide, replace bare numbers with descriptive names and, more importantly, let you edit by sequence number, inserting or removing a single line without deleting and retyping the whole list. That editing workflow is exactly what real maintenance looks like, and it is a common source of exam and lab errors when learners forget the list is still processed in sequence order.

An ACL does nothing until it is applied. On an interface you attach it with ip access-group in a chosen direction (in or out), and you can bind only one ACL per interface, per direction, per protocol. To protect the device itself rather than transit traffic, you apply an ACL to the VTY lines with access-class, which filters who may open a Telnet or SSH session to the router; the VTY access-class guide covers this management use case, where a short standard ACL of trusted source addresses is the usual pattern. Keeping the two application points separate in your mind, interface filtering versus VTY management filtering, prevents a lot of confusion.

Verification closes the loop. Commands like show access-lists and show ip access-lists display the rules with their per-line hit counters, which tell you whether traffic is actually landing on the statement you expect, and show ip interface confirms which ACL is applied in which direction. The cheat sheet keeps these commands, the number ranges, and the wildcard shortcuts in one place so you are not re-deriving syntax mid-task.

To master ACLs, work the three layers in order: first understand the concepts on this page and in the linked guides until the placement and matching logic feels obvious; then keep the ACL cheat sheet open as a quick reference while you configure; then build and grade the hands-on labs and the ACL bundle so an engine, not your own optimism, confirms the filter behaves. Reading about first-match order and implicit deny is not the same as watching a hit counter prove your rule fired, and that feedback is what makes the knowledge stick.

Step-by-step guides

Follow these to configure it yourself, command by command.

Command cheat sheet

Practice on real Cisco IOS

Build and grade hands-on Cisco Modeling Labs — the only way it sticks.

Frequently asked questions

What is the difference between a standard and an extended ACL?

A standard ACL filters on the source IP address only and uses the number ranges 1-99 or 1300-1999. An extended ACL filters on source and destination address plus protocol and port number, using the ranges 100-199 or 2000-2699, so it is far more specific. Because a standard ACL cannot tell one destination from another, you place it close to the destination; because an extended ACL can pinpoint exact traffic, you place it close to the source to drop unwanted packets early.

Where should I place a standard versus an extended ACL, and why?

Place a standard ACL as close to the destination as possible. Since it matches source only, placing it near the source would block that source's traffic to every destination, not just the one you meant to filter. Place an extended ACL as close to the source as possible, because it can match the exact source, destination, protocol, and port, so filtering early stops unwanted traffic before it consumes network resources. This placement rule is one of the most tested ACL concepts on the CCNA.

In what order should I study these ACL topics?

Start with standard ACLs to learn wildcard masks, first-match order, and the implicit deny. Move to extended ACLs to add destination, protocol, and port matching. Then learn named ACLs, which introduce sequence-number editing you will use for maintenance. Finish with the VTY access-class use case for securing management access. Keep the cheat sheet handy throughout, and reinforce each stage with the graded labs before moving on rather than reading all four topics first.

Study every CCNA topic this way

The CCNA Complete Path sequences all 17 lab bundles into one graded progression you own forever.