Access Control Lists Explained: Standard vs Extended

An ACL (Access Control List) is an ordered set of permit/deny rules a router uses to filter traffic. Standard ACLs match source IP only; extended ACLs match source, destination, protocol and ports. Every ACL ends with an invisible implicit deny any.

Standard vs extended, and where to place them

  • Standard (1–99): filter by source IP only. Because they're imprecise, place them close to the destination to avoid blocking too much.
  • Extended (100–199): filter by source, destination, protocol and port. Being precise, place them close to the source to drop unwanted traffic early.

Wildcard masks and implicit deny

ACLs use wildcard masks (the inverse of a subnet mask): 0.0.0.255 means "match the first three octets, any last octet". Remember the implicit deny any at the end: if no line matches, the packet is dropped. Forgetting this is the number-one ACL mistake.
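The following is an added example, not part of the original tutorial. It models in Python how an ACL is evaluated: wildcard-mask matching, first-match-wins ordering, and the implicit deny. The rule dictionaries, ACL names and addresses are constructed for illustration and are not IOS syntax.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # wildcard of all 1s: every bit ignored

def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit where the wildcard bit is 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF  # invert: 1 now marks a bit that must match
    return (a & care) == (b & care)

def evaluate(acl, src, dst=None, proto=None, dport=None):
    """Return (action, reason). First matching line wins, top to bottom."""
    for n, rule in enumerate(acl, 1):
        if not wildcard_match(src, *rule["src"]):
            continue
        # Fields below exist only on extended rules; standard rules omit them.
        if "dst" in rule and not (dst and wildcard_match(dst, *rule["dst"])):
            continue
        if rule.get("proto") not in (None, "ip", proto):
            continue
        if rule.get("dport") not in (None, dport):
            continue
        return rule["action"], f"line {n}"
    return "deny", "implicit deny"  # nothing matched: packet is dropped

# Constructed sample ACLs (hypothetical addresses, this example's own rule model).
# Standard ACL meant to block one subnet, written without a closing permit.
STANDARD_BROKEN = [{"action": "deny", "src": ("192.168.10.0", "0.0.0.255")}]
STANDARD_FIXED = STANDARD_BROKEN + [{"action": "permit", "src": ANY}]

# Extended ACL: allow HTTPS to one server, block the rest of that server subnet.
EXTENDED = [
    {"action": "permit", "proto": "tcp", "src": ("192.168.10.0", "0.0.0.255"),
     "dst": ("10.0.0.5", "0.0.0.0"), "dport": 443},
    {"action": "deny", "proto": "ip", "src": ("192.168.10.0", "0.0.0.255"),
     "dst": ("10.0.0.0", "0.0.0.255")},
    {"action": "permit", "proto": "ip", "src": ANY, "dst": ANY},
]

if __name__ == "__main__":
    for name, acl in (("broken", STANDARD_BROKEN), ("fixed", STANDARD_FIXED)):
        print(name, evaluate(acl, "172.16.1.1"))
    print(evaluate(EXTENDED, "192.168.10.7", "10.0.0.5", "tcp", 443))
    print(evaluate(EXTENDED, "192.168.10.7", "10.0.0.5", "tcp", 22))
```

With the broken standard ACL, a host outside the denied subnet is still dropped by the implicit deny; adding the closing permit line is what lets it through.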

Frequently asked questions

What is the difference between standard and extended ACLs?

Standard ACLs (1–99) filter by source IP only; extended ACLs (100–199) filter by source, destination, protocol and port for precise control.

Where should you place a standard ACL?

Close to the destination — because it only matches source IP, placing it near the source could unintentionally block legitimate traffic.

What is the implicit deny in an ACL?

An invisible 'deny any' at the end of every ACL — any traffic not explicitly permitted is dropped.

Vipul Sir, Lead Instructor, Attila Technologies
20+ years in Cisco networking. Teaching CCNA, CCNP, CCIE & CyberOps in Ahmedabad since 2004.
