
Cisco ACL Cheat Sheet

Standard vs. extended, wildcard masks, implicit deny, the in-vs-out trap, and the "read it like a router" mental model — everything you need to read or write any CCNA®-level ACL in under a minute.

Updated 2026-05-25 · ~7 min read · Free

The four rules that solve 80% of ACL bugs

Rule 1

First match wins.

The router reads top to bottom. The moment a line matches, it permits or denies, and stops.

Rule 2

Implicit deny ip any any at the end.

You never type it. The router adds it. If nothing matches, the packet is dropped silently.

Rule 3

Wildcard = inverse of subnet mask.

A 0 bit means "must match." A 1 bit means "don't care."

Rule 4

Extended → close to source. Standard → close to destination.

Otherwise you waste bandwidth carrying packets you'll drop, or block traffic too late.

Standard vs Extended

Aspect            | Standard ACL                                        | Extended ACL
Filters on        | Source IP only                                      | Source + destination + protocol + port
Numbered range    | 1–99 or 1300–1999                                   | 100–199 or 2000–2699
Apply where       | Close to destination                                | Close to source
When to use       | Block an entire subnet from reaching another subnet | Block a specific port or protocol between hosts
Modern preference | Named is preferred over numbered                    | Named is preferred — much easier to edit

Standard — example

! Block 10.1.1.0/24 from reaching anything beyond R1
ip access-list standard BLOCK-FINANCE
 deny   10.1.1.0 0.0.0.255
 permit any
!
interface GigabitEthernet0/1
 ip access-group BLOCK-FINANCE out

Extended — example

! Permit only HTTP + HTTPS from 10.0.0.0/24 to anywhere
ip access-list extended WEB-ONLY
 permit tcp 10.0.0.0 0.0.0.255 any eq 80
 permit tcp 10.0.0.0 0.0.0.255 any eq 443
 deny   ip  any any log
!
interface GigabitEthernet0/0
 ip access-group WEB-ONLY in

Wildcard masks — the 30-second version

Subnet masks say "these bits are network." Wildcard masks say "these bits I care about — the rest I don't." A 0 in the wildcard means "must match exactly." A 1 means "don't care, anything works."

Fastest conversion: subtract the subnet mask from 255.255.255.255.

CIDR | Subnet mask     | Wildcard mask   | Hosts matched
/8   | 255.0.0.0       | 0.255.255.255   | 16,777,214
/16  | 255.255.0.0     | 0.0.255.255     | 65,534
/24  | 255.255.255.0   | 0.0.0.255       | 254
/25  | 255.255.255.128 | 0.0.0.127       | 126
/26  | 255.255.255.192 | 0.0.0.63        | 62
/27  | 255.255.255.224 | 0.0.0.31        | 30
/28  | 255.255.255.240 | 0.0.0.15        | 14
/29  | 255.255.255.248 | 0.0.0.7         | 6
/30  | 255.255.255.252 | 0.0.0.3         | 2
/32  | 255.255.255.255 | 0.0.0.0         | 1 (exact host)

Three special wildcards everyone should memorize

  • host 192.168.1.5 = 192.168.1.5 0.0.0.0 · exact single host
  • any = 0.0.0.0 255.255.255.255 · match anything
  • 0.0.0.255 = match a /24 subnet. Memorize this one — it covers ~70% of CCNA ACL questions.
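A small Python helper, added here as an illustration and not part of the PacketMentor page, that implements the subtraction shortcut, the host counts from the table, and ACL wildcard matching. The SAMPLE addresses are constructed; the last call shows what the "wildcard written backwards" mistake actually matches.

```python
import ipaddress

def cidr_to_wildcard(prefix: int) -> str:
    """Fastest conversion from the page: wildcard = 255.255.255.255 minus the subnet mask."""
    mask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)
    return str(ipaddress.IPv4Address(0xFFFFFFFF - mask))

def hosts_matched(prefix: int) -> int:
    """Host count as in the table above: block size minus network and broadcast; /32 is one host."""
    return 1 if prefix == 32 else 2 ** (32 - prefix) - 2

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """ACL semantics: a 0 bit in the wildcard must match exactly, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w            # the bits the router actually compares
    return a & care == b & care

def matched_by(base: str, wildcard: str, candidates: list) -> list:
    """Which of the candidate addresses an ACE written as 'base wildcard' would match."""
    return [c for c in candidates if wildcard_match(c, base, wildcard)]

# Constructed sample addresses: three hosts inside 10.1.1.0/24 and two outside it.
SAMPLE = ["10.1.1.1", "10.1.1.77", "10.1.1.254", "10.1.2.1", "192.168.9.0"]

if __name__ == "__main__":
    for p in (8, 24, 25, 30, 32):
        print(f"/{p:<2} wildcard {cidr_to_wildcard(p):<15} hosts {hosts_matched(p)}")
    # Correct: "10.1.1.0 0.0.0.255" matches exactly the /24.
    print(matched_by("10.1.1.0", "0.0.0.255", SAMPLE))
    # Trap: the subnet mask typed where the wildcard belongs. 255.255.255.0 says
    # "first three octets don't care, last octet must be 0", so it matches
    # 192.168.9.0 and none of the 10.1.1.x hosts you meant.
    print(matched_by("10.1.1.0", "255.255.255.0", SAMPLE))
```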

How a router reads an ACL

Top to bottom. First match wins. No more processing. That's it.

access-list 100 permit tcp any any eq 80     ← line 10
access-list 100 permit tcp any any eq 443    ← line 20
access-list 100 deny   ip  any any           ← line 30 (explicit deny)
                                              ← implicit deny lives here, invisibly

A packet to port 80 → matches line 10 → permit, done. No line 20 lookup, no line 30. A packet to port 22 → no match on 10, no match on 20, matches 30 → deny, done. The third line is technically redundant (the implicit deny would catch it anyway), but writing it explicitly makes intent obvious six months later.

The "read it like a router" trick

Train yourself to read any ACL in three passes:

  1. What's explicitly permitted? Skim the permit lines. That's the only traffic this ACL will allow through.
  2. What's explicitly denied? The deny lines name traffic important enough to call out (often with log).
  3. Everything else is implicitly denied. If a packet doesn't match anything above, it's silently dropped.

Shortcut for understanding what an ACL actually does in production: read it bottom-up. The last line is usually the most general. Work upwards finding the more specific exceptions. That's the policy intent in human terms.

In vs out — the single biggest trap

ip access-group X in

Filter packets arriving on this interface — before the routing decision is made.

ip access-group X out

Filter packets leaving this interface — after the routing decision, on the way out.

Half the real-world "ACL doesn't work" tickets are direction bugs, not rule bugs. If the rule looks right but traffic still fails, swap in for out (or vice versa) and re-test before changing the rules.

Common mistakes (in order of frequency)

  1. Forgetting the implicit deny. Your three permits don't help if every other packet is silently dropped. Test what you didn't intend to block.
  2. Wrong direction (in vs out). See the trap above. Always re-verify after editing.
  3. Wildcard mask backwards. Using 255.255.255.0 instead of 0.0.0.255 — a frequent CCNA exam trap.
  4. Too-general line above a too-specific line. First match wins. Put more-specific rules earlier.
  5. Applied to the wrong interface. Extended ACL belongs close to source. Standard close to destination. Reversed = wasted bandwidth or unintended filtering.
  6. Numbered ACL with no way to edit a single line. Use named ACLs in production — they support sequence numbers and line-level edits.
  7. Blocking return traffic. If you permit outbound TCP but block inbound TCP, return packets die. Use established or move to reflexive/zone-based for stateful filtering.
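A minimal first-match simulator, added here as an illustration and not code from PacketMentor or Cisco, for the "How a router reads an ACL" walk-through and for mistake 4 above. It parses only the subset of IOS syntax used on this page (permit/deny, ip/tcp/udp, any / host X / X WILDCARD, an optional "eq PORT" on the destination); ACL_100 is the page's three-line list and SHADOWED is a constructed ordering mistake.

```python
import ipaddress

def _addr_match(addr, base, wildcard):
    # ACL semantics: a 0 bit in the wildcard must match, a 1 bit is "don't care".
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w
    return a & care == b & care

def _take_addr(tokens):
    # Consume "any", "host X" or "X WILDCARD" from the token list -> (base, wildcard).
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)

def parse_ace(line):
    tokens = line.split()
    if tokens[0] == "access-list":           # numbered form: "access-list 100 permit ..."
        tokens = tokens[2:]
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, dst = _take_addr(rest), _take_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None   # a trailing "log" is ignored
    return action, proto, src, dst, dport

def evaluate(acl_lines, proto, src, dst, dport=None):
    """Walk the ACL top to bottom; return (action, line), with line=None for the implicit deny."""
    for line in acl_lines:
        action, ace_proto, ace_src, ace_dst, ace_port = parse_ace(line)
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if not (_addr_match(src, *ace_src) and _addr_match(dst, *ace_dst)):
            continue
        if ace_port is not None and ace_port != dport:
            continue
        return action, line                  # first match wins: no further lines are read
    return "deny", None                      # nothing matched: implicit deny ip any any

ACL_100 = [                                  # the three-line ACL from "How a router reads an ACL"
    "access-list 100 permit tcp any any eq 80",
    "access-list 100 permit tcp any any eq 443",
    "access-list 100 deny ip any any",
]
# Ordering trap (constructed): the host-specific deny sits below a permit for its whole /24,
# so SSH from 10.1.1.5 is still permitted by line 1 and the deny can never fire.
SHADOWED = [
    "permit tcp 10.1.1.0 0.0.0.255 any",
    "deny tcp host 10.1.1.5 any eq 22",
]
```

Calling `evaluate(ACL_100, "tcp", "10.0.0.9", "203.0.113.7", 22)` returns the explicit deny line, while dropping that line and sending ICMP returns `("deny", None)`, the invisible deny.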

The one-page summary

Save / screenshot / print this block — it's everything above, condensed.

Cisco ACL · One-Page Cheat Sheet packetmentor.com

Reading order

  1. Top to bottom, first match wins
  2. Then the invisible deny ip any any
  3. permit lines = the only traffic allowed
  4. deny lines = explicit call-outs (often logged)

Wildcard masks

  • /24 → 0.0.0.255
  • /25 → 0.0.0.127
  • /30 → 0.0.0.3
  • host = 0.0.0.0 · any = 255.255.255.255

Where to apply

  • Standard → close to destination, out direction
  • Extended → close to source, in direction

Top 3 traps

  • Forgot implicit deny
  • Wrong direction (in vs out)
  • Wildcard mask written backwards
