How ACLs Work: Access Control Lists Explained
An Access Control List (ACL) is an ordered list of permit/deny rules a router or switch checks against each packet. It reads top to bottom, stops at the first match, and applies that rule — and anything not explicitly permitted is dropped by an invisible implicit deny at the end.
The two rules that govern every ACL
- Top-down, first match wins. Order matters enormously — a broad permit above a specific deny makes the deny unreachable.
- Implicit deny all. Every ACL ends with an invisible
deny any. If nothing matches, the packet is dropped — so an ACL with only deny statements blocks everything.
Standard vs extended
Standard ACLs (numbered 1–99) filter on source IP only — blunt, so place them close to the destination to avoid over-blocking. Extended ACLs (100–199) filter on source, destination, protocol and port — precise, so place them close to the source to drop unwanted traffic early. Compare hands-on in the standard and extended ACL labs.
Standard: access-list 10 permit 192.168.1.0 0.0.0.255 Extended: access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 443
Wildcard masks — the ACL's way of matching ranges
ACLs match address ranges with a wildcard mask, the inverse of a subnet mask: 0 = must match, 1 = don't care. So 0.0.0.255 matches a whole /24. Getting this wrong is the #1 ACL error — a mask of 0.0.0.0 matches one host, 255.255.255.255 matches everything.
Inbound vs outbound, and where to apply
An ACL does nothing until applied to an interface in a direction. Inbound filters as packets enter (before routing — more efficient); outbound filters as they leave (after routing). Choosing wrong is a classic mistake — full breakdown in inbound vs outbound ACLs. The old rule of thumb: standard close to destination, extended close to source.
Reading an ACL like the router does
Trace a packet through the list line by line until a match, apply permit or deny, done. If you reach the end with no match, the implicit deny drops it. This exact mental model is what configuring ACLs and troubleshooting them depends on — and a favourite CCNA/CCNP exam and interview scenario.
Frequently asked questions
What is the implicit deny in an ACL?
An invisible deny any statement at the end of every ACL. Any packet that matches none of the permit rules is dropped — which is why an ACL containing only deny statements blocks all traffic.
What is the difference between standard and extended ACLs?
Standard ACLs (1–99) filter on source IP only and are placed near the destination. Extended ACLs (100–199) filter on source, destination, protocol and port, and are placed near the source to drop traffic early.
Why does ACL order matter?
ACLs are read top to bottom and stop at the first match. A broad permit placed above a specific deny makes the deny unreachable, so more specific rules must come first.
What is a wildcard mask in an ACL?
The inverse of a subnet mask, where 0 means the bit must match and 1 means don't care. 0.0.0.255 matches a whole /24 network; 0.0.0.0 matches a single host.
What is the difference between inbound and outbound ACLs?
Inbound ACLs filter packets as they enter an interface, before routing. Outbound ACLs filter after routing, as packets leave. Inbound is more efficient because denied traffic is dropped before being processed.
Related articles
Want hands-on training?
Learn this on real Cisco lab devices with placement support at Attila Technologies, Ahmedabad.