
CCNA Cisco Access Lists: ACL Study Guide


Access Control Lists (ACLs) are the backbone of Cisco network security. They filter and control traffic flow by defining rules that permit or deny packets based on specific criteria like source IP, destination IP, protocols, and ports.

ACLs are essential for the CCNA certification exam. You need to understand both the concepts and how to implement them in real networks. This guide covers standard ACLs, extended ACLs, wildcard masks, and practical placement strategies.

Whether you're studying for CCNA or managing network infrastructure, mastering ACLs will sharpen your ability to secure and control network traffic effectively.


Understanding Access Control Lists and Their Purpose

Access Control Lists are ordered sets of permit or deny rules that filter network traffic. Statements are evaluated from top to bottom. The first matching statement determines whether the packet passes or gets blocked, and processing stops there; later statements are never consulted for that packet.

This sequential matching is critical. Put rules in the wrong order, and your ACL fails to work as intended.

Why ACLs Matter

ACLs serve multiple key functions:

  • Implement security policies and restrict network access
  • Control traffic flow between network segments
  • Optimize bandwidth usage by blocking unnecessary traffic

Standard vs. Extended ACLs

Standard ACLs filter traffic based only on source IP address. They're simple but lack granularity. Extended ACLs filter on source IP, destination IP, protocol type (TCP, UDP, ICMP), and port numbers. This gives you precise control.

Numbering and Naming

Each ACL needs an identifier. Numbered ACLs use ranges: standard ACLs use 1-99, extended ACLs use 100-199 (or 2000-2699 and 2700-2799 for newer ranges). Named ACLs use descriptive text like "BLOCK-TELNET" instead of numbers. Named ACLs are much easier to read and maintain in large networks.

Standard ACLs: Configuration and Application

Standard ACLs filter only on source IP address. The syntax is simple: [permit | deny] [host | source-ip] [wildcard-mask].

Example: permit 192.168.1.0 0.0.0.255 permits all traffic from the 192.168.1.0/24 network. Every ACL ends with an implicit deny statement. If no permit rule matches, traffic automatically gets blocked.

Understanding Wildcard Masks

Wildcard masks use 0 bits for exact matches and 1 bits for "any value." A mask of 0.0.0.255 means the first three octets must match exactly. The last octet can be anything. The keyword any equals 0.0.0.0 255.255.255.255 and matches all addresses.

Placement Strategy for Standard ACLs

Place standard ACLs close to the destination. Why? Because they only filter source IP. If you place them near the source, you block traffic for all destinations, not just your intended target. This wastes filtering resources.

Configuration Example

On a Cisco router, you'd configure: access-list 1 permit 192.168.1.0 0.0.0.255. Then apply it with: ip access-group 1 in or ip access-group 1 out on the appropriate interface.

Extended ACLs: Advanced Traffic Control

Extended ACLs give you granular control over network traffic. They filter on source IP, destination IP, protocol type, and port numbers. The syntax is more complex: [permit | deny] [protocol] [source-ip] [wildcard] [destination-ip] [wildcard] [options].

Example: permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq 80 permits TCP traffic from 192.168.1.0/24 to 10.0.0.0/24 with destination port 80 (HTTP). A port operator placed after the destination address applies to the destination port; placed after the source address, it applies to the source port.

Protocol and Port Operators

Specify protocols by name (TCP, UDP, ICMP) or number. Port operators control which ports match:

  • eq matches one port exactly
  • lt matches ports below a value
  • gt matches ports above a value
  • range matches ports between two values (inclusive)
  • neq matches any port except the given one
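To make the top-down, first-match evaluation and the port operators concrete, the following evaluator is added to this guide; it is not Cisco code and not from the original page. It accepts the extended-ACL syntax shown above (any, host, address plus wildcard, and the five port operators), applies the implicit deny when nothing matches, and ships with a constructed three-entry ACL (ACL_101, a made-up example) so the effect of entry order can be observed.

```python
import ipaddress

def _ip(s):  # dotted quad -> 32-bit integer
    return int(ipaddress.IPv4Address(s))
# Port operators from the guide; 'range' takes two operands, the others one.
PORT_OPS = {"eq": lambda p, a, b: p == a, "neq": lambda p, a, b: p != a,
            "lt": lambda p, a, b: p < a, "gt": lambda p, a, b: p > a,
            "range": lambda p, a, b: a <= p <= b}
def _addr(t, i):  # 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' -> (addr, wildcard, next index)
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    return _ip(t[i]), _ip(t[i + 1]), i + 2

def _port(t, i):  # optional 'eq 80', 'range 20 21', ... -> (predicate or None, next index)
    if i < len(t) and t[i] in PORT_OPS:
        op, a = t[i], int(t[i + 1])
        b = int(t[i + 2]) if op == "range" else a
        return (lambda p: p is not None and PORT_OPS[op](p, a, b)), i + (3 if op == "range" else 2)
    return None, i

def parse_ace(line):
    """Parse one entry such as 'permit tcp 192.168.1.0 0.0.0.255 any eq 80'."""
    t = line.split()
    src, src_wc, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, dst_wc, i = _addr(t, i)
    dport, _ = _port(t, i)
    return {"action": t[0], "proto": t[1], "src": (src, src_wc), "sport": sport,
            "dst": (dst, dst_wc), "dport": dport}

def wildcard_match(ip, addr_wc):
    """Wildcard bit 0 = must match exactly, bit 1 = any value."""
    addr, wc = addr_wc
    return (_ip(ip) ^ addr) & ~wc & 0xFFFFFFFF == 0

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """Walk the ACL top-down; the first matching entry decides, else the implicit deny applies."""
    for line in acl:
        a = parse_ace(line)
        if (a["proto"] in ("ip", proto) and wildcard_match(src, a["src"])
                and wildcard_match(dst, a["dst"]) and (a["sport"] is None or a["sport"](sport))
                and (a["dport"] is None or a["dport"](dport))):
            return a["action"], line
    return "deny", "implicit deny"

# Constructed ACL: the guide's HTTP entry, then an FTP block, then a broad permit.
ACL_101 = ["permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq 80",
           "deny tcp any any range 20 21",
           "permit ip 192.168.1.0 0.0.0.255 any"]
```

Evaluating the same FTP packet against ACL_101 and against ACL_101 reversed shows why order matters: the broad permit, if listed first, hides the deny beneath it.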

Extended ACL Numbering and Naming

Numbered extended ACLs use ranges 100-199 or 2100-2199. Create named extended ACLs with ip access-list extended [name], which enters a configuration mode where you add the permit and deny statements one per line. Named ACLs are much more readable than numbered ones.

Placement Strategy for Extended ACLs

Place extended ACLs close to the traffic source. They provide specific filtering, so stopping bad traffic early prevents it from wasting network resources. This is the opposite of standard ACL placement.

Wildcard Masks and CIDR Notation Conversion

Wildcard masks are essential for ACL configuration. Unlike subnet masks where 1 bits represent the network, wildcard masks use 0 bits for exact matches and 1 bits for "any value."

To calculate a wildcard mask, subtract the subnet mask from 255.255.255.255. A subnet mask of 255.255.255.0 becomes wildcard mask 0.0.0.255.

Common Wildcard Masks

  • 0.0.0.0 matches one specific host
  • 0.0.0.255 matches a /24 network (256 addresses)
  • 0.0.255.255 matches a /16 network
  • 255.255.255.255 matches any address

Converting CIDR to Wildcard

CIDR notation expresses networks as IP/prefix-length (example: 192.168.1.0/24). The prefix-length shows how many bits are the network portion.

A /24 network has 24 network bits and 8 host bits. The wildcard is 0.0.0.255.

A /25 network has 25 network bits and 7 host bits. The wildcard is 0.0.0.127.

A /16 network has 16 network bits and 16 host bits. The wildcard is 0.0.255.255.
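The conversions in this section, carried out in code as an added example (not from the original page and not a Cisco tool): prefix length to wildcard, the guide's subtraction method from a subnet mask, the reverse conversion with a check for wildcards that have no CIDR equivalent, and rendering a standard ACL entry from a CIDR block. The function names and the CIDR values used are constructed for illustration.

```python
import ipaddress

def prefix_to_wildcard(prefix):
    """/prefix -> wildcard: the 32 - prefix host bits become 1s, the network bits stay 0."""
    host_bits = 32 - prefix
    return str(ipaddress.IPv4Address((1 << host_bits) - 1))

def subnet_mask_to_wildcard(mask):
    """The guide's method: subtract the subnet mask from 255.255.255.255, octet by octet."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))

def wildcard_to_prefix(wildcard):
    """Reverse conversion. Returns None when the wildcard is not a contiguous run of
    trailing 1 bits: Cisco accepts such masks (e.g. 0.0.1.0), but they have no /prefix form."""
    w = int(ipaddress.IPv4Address(wildcard))
    host_bits = w.bit_length()
    if w != (1 << host_bits) - 1:
        return None
    return 32 - host_bits

def cidr_to_ace(action, cidr):
    """Render a standard ACL entry for a CIDR block: 'host' for a /32, 'any' for 0.0.0.0/0.
    strict=False lets a host address such as 192.168.1.37/24 stand in for its network."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    wildcard = prefix_to_wildcard(net.prefixlen)
    assert str(net.hostmask) == wildcard  # the stdlib calls the same value the hostmask
    if net.prefixlen == 32:
        return f"{action} host {net.network_address}"
    if net.prefixlen == 0:
        return f"{action} any"
    return f"{action} {net.network_address} {wildcard}"
```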

Why This Matters for CCNA

Test questions require rapid conversion between CIDR and wildcard formats. Practice these conversions until they become automatic. Create flashcards with CIDR on one side and wildcard masks on the other. This builds the quick recognition you need for exam success.

ACL Placement Strategy and Best Practices

Proper ACL placement is critical for both security and network performance. The placement rule is straightforward but easy to forget.

Standard ACLs go close to the destination. Extended ACLs go close to the source.

Why? Standard ACLs only filter source address. If placed near the source, they block traffic to all destinations. Extended ACLs identify exact destinations and ports. Placing them at the source stops bad traffic before it consumes resources.

Inbound vs. Outbound

Use ip access-group [number/name] in for inbound traffic (filters packets as they arrive). Use ip access-group [number/name] out for outbound traffic (filters after routing decisions). Choose inbound or outbound based on your network's traffic flow and security goals.

Best Practices

  • End numbered ACLs with an explicit deny statement before the implicit deny, so that denied traffic shows up in the ACL's match counters and can be logged
  • Use descriptive names for named ACLs to improve documentation
  • Regularly review and test ACLs to ensure they work as intended
  • Maintain clear documentation of ACL purpose and rules
  • Avoid overly permissive ACLs that defeat security objectives

Modification Considerations

Numbered ACLs are difficult to modify. You cannot delete individual statements, so you must recreate the entire ACL. Named ACLs allow you to modify individual statements using ip access-list extended [name] followed by deletion or insertion of specific lines. This flexibility makes named ACLs preferable in large networks.

Master Cisco ACLs with Flashcard Study

Ace the CCNA exam by creating custom flashcards for Access Lists. Our platform helps you memorize wildcard masks, ACL syntax, port numbers, and configuration best practices through active recall and spaced repetition. Study smarter, not harder.


Frequently Asked Questions

What is the difference between Standard and Extended ACLs?

Standard ACLs filter only on source IP address using numbered ranges 1-99. They're simpler but lack granularity. Extended ACLs filter on source IP, destination IP, protocol type (TCP, UDP, ICMP), and port numbers using ranges 100-199 or 2100-2199.

Standard ACLs suit basic traffic control. Extended ACLs provide precise control for complex security requirements. Place standard ACLs near the destination since they can't distinguish between different destination networks. Place extended ACLs near the source to prevent unwanted traffic early.

Named ACLs work for both types and offer significant advantages. They're more readable, easier to modify, and less prone to errors than numbered ACLs.

How do wildcard masks work and how are they calculated?

Wildcard masks use 0 bits to indicate positions that must match exactly and 1 bits to indicate positions that can be any value. This is opposite to subnet masks.

Calculate a wildcard mask by subtracting the subnet mask from 255.255.255.255. For example, subnet mask 255.255.255.0 becomes wildcard mask 0.0.0.255.

The any keyword represents 0.0.0.0 255.255.255.255 and matches all addresses. The host keyword represents a single IP with wildcard 0.0.0.0. Understanding wildcard masks is essential for CCNA because they determine which IP addresses ACL rules apply to, directly affecting network security and traffic control.

Why is ACL order and placement important for network security?

ACL statements process sequentially from top to bottom. The first matching statement determines the action, then processing stops. This makes order critically important for functionality.

Standard ACLs go near the destination because they only filter source IP. Extended ACLs go near the source to prevent unwanted traffic from consuming resources. The implicit deny at the end of every ACL means traffic not explicitly permitted gets automatically denied. This creates a default-deny security posture.

Poor placement results in either inadequate security or unnecessary traffic filtering that harms network performance.

What does the 'established' keyword do in Extended ACLs?

The established keyword permits return traffic from established TCP connections without needing separate permit statements for every return packet.

Example: permit tcp any any eq 80 established permits return traffic on port 80 from connections that originated from your network. The keyword works by checking whether the ACK or RST flag is set in the TCP header; a segment carrying either flag belongs to a connection that was already established, whereas a bare SYN opening a new connection carries neither and does not match.

Using established reduces the number of ACL statements needed while maintaining security. It ensures only legitimate return traffic from previously initiated connections gets permitted.

How should I study ACLs effectively using flashcards?

Create flashcards focusing on wildcard mask conversions, protocol numbers, and port numbers commonly tested on CCNA.

Use one side for CIDR notation and the other for wildcard masks. Test rapid conversion ability. Create scenario flashcards showing situations like "Block specific hosts" or "Permit HTTP but deny HTTPS" with configuration examples on the reverse.

Include troubleshooting flashcards showing packet flow direction and asking whether traffic would be permitted or denied. Practice identifying correct ACL placement given network topology diagrams.

Combine flashcard study with hands-on Cisco Packet Tracer simulations. This reinforces concepts through practical application.