Back
Lesson 1 of 5

ACL Fundamentals

Lab Objectives

  • Understand what an Access Control List (ACL) is and how ACLs filter traffic.
  • Learn the difference between numbered and named standard ACLs.
  • Observe the implicit deny behavior and how to correctly permit needed traffic.

Lab Tasks (Try It Yourself First!)

Complete these tasks WITHOUT looking at the solution below. Use ? and show commands to figure it out.

Task 1: Create a numbered standard ACL

Create a numbered standard ACL (ACL 1) on R2 that denies any traffic originating from the Sales VLAN (192.168.1.0/24) and permits all other traffic.

Task 2: Observe the implicit deny

After creating the ACL in Task 1, explain what will happen to traffic sourced from 192.168.1.0/24 if you apply the ACL inbound on R2's interface toward the switches. Do not change the ACL; reason what the outcome will be.

Task 3: Create an equivalent named ACL

Create a named standard ACL called SALES_BLOCK on R2 with the same match logic as ACL 1 (deny 192.168.1.0/24, permit any). Verify the named ACL is present and equivalent.

Think About It: If you create an ACL that denies a subnet but forget to add an explicit permit for other traffic, why would hosts that should be allowed suddenly lose connectivity? How does the router treat traffic not matched by any ACL entry?

Topology (BASE LAB TOPOLOGY — exact router interface IPs shown)

                    [Internet]
                   203.0.113.1
                        |
                   R1 (Gateway)
                  Gi0/0: 10.10.10.1
                  Gi0/1: 10.10.20.1
                  Gi0/2: 10.10.30.1
                  /     |     \
               R2      R3      R4
   Gi0/0: 10.10.10.2   |   Gi0/0: 10.10.30.2
   Gi0/1: 10.10.40.1   |
              /  \      |
           S1    S2    S3
          /  \    |   /  \
        PC1  PC2 PC3 PC4  PC5

IP SCHEME:
- 10.10.10.0/24 — R1-R2 link
- 10.10.20.0/24 — R1-R3 link
- 10.10.30.0/24 — R1-R4 link
- 10.10.40.0/24 — R2-S1 link
- 192.168.1.0/24 — VLAN 10 (Sales)
- 192.168.2.0/24 — VLAN 20 (Engineering)
- 192.168.3.0/24 — VLAN 30 (Management)
- 203.0.113.0/24 — Public/Internet simulation

Tip: Think of an ACL like a bouncer at a club door — each line is a rule the bouncer checks in order. If no rule matches, the bouncer refuses entry (implicit deny).

Lab Solution

Task 1 Solution: Create a numbered standard ACL

What we are doing: We will create a numbered standard ACL (number 1) that explicitly denies traffic from the Sales subnet (192.168.1.0/24) and then permits all other traffic. This demonstrates how to write a minimal standard ACL and sets the stage to show the implicit deny behavior.

R2(config)# access-list 1 deny 192.168.1.0 0.0.0.255
R2(config)# access-list 1 permit any

What each command does and why it matters:

  • access-list 1 deny 192.168.1.0 0.0.0.255
    • What it does: Creates an entry in the numbered standard ACL 1 that denies packets whose source IP matches 192.168.1.0/24.
    • Why it matters: Standard ACLs evaluate only the source IP. This single line will block any packets from that Sales subnet when the ACL is applied.
  • access-list 1 permit any
    • What it does: Adds a permit entry that allows all other source IPs.
    • Why it matters: Without this permit, any traffic not matched by the deny would be dropped by the implicit deny at the end of the ACL. This explicit permit ensures non-Sales traffic is allowed.

Verify:

R2# show access-lists
Standard IP access list 1
    10 deny 192.168.1.0 0.0.0.255
    20 permit any


<div class="topology-diagram">
<img src="data:image/svg+xml;base64,PD9wbGFudHVtbCAxLjIwMjYuMT8+PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiBjb250ZW50U3R5bGVUeXBlPSJ0ZXh0L2NzcyIgZGF0YS1kaWFncmFtLXR5cGU9Ik5XRElBRyIgaGVpZ2h0PSIyNThweCIgcHJlc2VydmVBc3BlY3RSYXRpbz0ibm9uZSIgc3R5bGU9IndpZHRoOjM3MHB4O2hlaWdodDoyNThweDtiYWNrZ3JvdW5kOiNGRkZGRkY7IiB2ZXJzaW9uPSIxLjEiIHZpZXdCb3g9IjAgMCAzNzAgMjU4IiB3aWR0aD0iMzcwcHgiIHpvb21BbmRQYW49Im1hZ25pZnkiPjxkZWZzLz48Zz48dGV4dCBmaWxsPSIjMDAwMDAwIiBmb250LWZhbWlseT0ic2Fucy1zZXJpZiIgZm9udC1zaXplPSIxMiIgbGVuZ3RoQWRqdXN0PSJzcGFjaW5nIiB0ZXh0TGVuZ3RoPSI3OS4wNDg4IiB4PSIxNy43ODUyIiB5PSIxNi4xMzg3Ij5NYW5hZ2VtZW50PC90ZXh0Pjx0ZXh0IGZpbGw9IiMwMDAwMDAiIGZvbnQtZmFtaWx5PSJzYW5zLXNlcmlmIiBmb250LXNpemU9IjEyIiBsZW5ndGhBZGp1c3Q9InNwYWNpbmciIHRleHRMZW5ndGg9IjkxLjgzNCIgeD0iNSIgeT0iMzAuMTA3NCI+MTkyLjE2OC4xLjAvMjQ8L3RleHQ+PHRleHQgZmlsbD0iIzAwMDAwMCIgZm9udC1mYW1pbHk9InNhbnMtc2VyaWYiIGZvbnQtc2l6ZT0iMTIiIGxlbmd0aEFkanVzdD0ic3BhY2luZyIgdGV4dExlbmd0aD0iNzcuNzU5OCIgeD0iMTkuMDc0MiIgeT0iMTMyLjkxMjEiPkxhYl9OZXR3b3JrPC90ZXh0Pjx0ZXh0IGZpbGw9IiMwMDAwMDAiIGZvbnQtZmFtaWx5PSJzYW5zLXNlcmlmIiBmb250LXNpemU9IjEyIiBsZW5ndGhBZGp1c3Q9InNwYWNpbmciIHRleHRMZW5ndGg9IjY4LjkyOTciIHg9IjI3LjkwNDMiIHk9IjE0Ni44ODA5Ij4xMC4wLjAuMC8yNDwvdGV4dD48cmVjdCBmaWxsPSIjRTJFMkYwIiBoZWlnaHQ9IjUiIHN0eWxlPSJzdHJva2U6IzE4MTgxODtzdHJva2Utd2lkdGg6MTsiIHdpZHRoPSIxMTAuMDcwMyIgeD0iMTAxLjgzNCIgeT0iMTYuNDY4OCIvPjxyZWN0IGZpbGw9IiNFMkUyRjAiIGhlaWdodD0iNSIgc3R5bGU9InN0cm9rZTojMTgxODE4O3N0cm9rZS13aWR0aDoxOyIgd2lkdGg9IjI2MC40Mzc1IiB4PSIxMDEuODM0IiB5PSIxMzMuMjQyMiIvPjxwYXRoIGQ9Ik0xNTguODY5MSwyMS40Njg4IEwxNTguODY5MSw1Ny44NzExIiBmaWxsPSJub25lIiBzdHlsZT0ic3Ryb2tlOiMxODE4MTg7c3Ryb2tlLXdpZHRoOjE7Ii8+PHRleHQgZmlsbD0iIzAwMDAwMCIgZm9udC1mYW1pbHk9InNhbnMtc2VyaWYiIGZvbnQtc2l6ZT0iMTEiIGxlbmd0aEFkanVzdD0ic3BhY2luZyIgdGV4dExlbmd0aD0iNzMuNDc2NiIgeD0iMTIyLjEzMDkiIHk9IjQwLjk3OCI+MTkyLjE2OC4xLjEwPC90ZXh0PjxwYXRoIGQ9Ik0xNTQuODY5MSwxMzguMjQyMiBMMTU0Ljg2OTEsMTc0LjY0NDUiIGZpbGw9Im5vbmUiIHN0eWxlPSJzdHJva2U6IzE4MTgxODtzdHJva2Utd2lkdGg6MTsiLz48dGV4dCBmaWxsPSIjMDAwMDAwIiBmb250LWZhbWlseT0ic2Fucy1zZXJpZiIgZm9udC1zaXplPSIxMSIgbGVuZ3RoQWRqdXN0PSJzcGFjaW5nIiB0ZXh0TGVuZ3RoPSI0NS40ODI0IiB4PSIxMzIuMTI3OSIgeT0iMTU3Ljc1MTUiPjEwLjAuMC4xPC90ZXh0PjxwYXRoIGQ9Ik0yNDguNDYyOSwxMzguMjQyMiBMMjQ4LjQ2MjksMTc0LjY0NDUiIGZpbGw9Im5vbmUiIHN0eWxlPSJzdHJva2U6IzE4MTgxODtzdHJva2Utd2lkdGg6MTsiLz48dGV4dCBmaWxsPSIjMDAwMDAwIiBmb250LWZhbWlseT0ic2Fucy1zZXJpZiIgZm9udC1zaXplPSIxMSIgbGVuZ3RoQWRqdXN0PSJzcGFjaW5nIiB0ZXh0TGVuZ3RoPSI0NS40ODI0IiB4PSIyMjUuNzIxNyIgeT0iMTU3Ljc1MTUiPjEwLjAuMC4yPC90ZXh0PjxwYXRoIGQ9Ik0zMjMuNjQ2NSwxMzguMjQyMiBMMzIzLjY0NjUsMTc0LjY0NDUiIGZpbGw9Im5vbmUiIHN0eWxlPSJzdHJva2U6IzE4MTgxODtzdHJva2Utd2lkdGg6MTsiLz48dGV4dCBmaWxsPSIjMDAwMDAwIiBmb250LWZhbWlseT0ic2Fucy1zZXJpZiIgZm9udC1zaXplPSIxMSIgbGVuZ3RoQWRqdXN0PSJzcGFjaW5nIiB0ZXh0TGVuZ3RoPSI1Mi40ODEiIHg9IjI5Ny40MDYiIHk9IjE1Ny43NTE1Ij4xMC4wLjAuMTA8L3RleHQ+PHJlY3QgZmlsbD0iI0YxRjFGMSIgaGVpZ2h0PSIzMy45Njg4IiBzdHlsZT0ic3Ryb2tlOiMxODE4MTg7c3Ryb2tlLXdpZHRoOjAuNTsiIHdpZHRoPSI4MC4wNzAzIiB4PSIxMTYuODM0IiB5PSI1Ny44NzExIi8+PHRleHQgZmlsbD0iIzAwMDAwMCIgZm9udC1mYW1pbHk9InNhbnMtc2VyaWYiIGZvbnQtc2l6ZT0iMTIiIGxlbmd0aEFkanVzdD0ic3BhY2luZyIgdGV4dExlbmd0aD0iNjAuMDcwMyIgeD0iMTI2LjgzNCIgeT0iNzkuMDA5OCI+QWRtaW5fUEM8L3RleHQ+PHJlY3QgZmlsbD0iI0YxRjFGMSIgaGVpZ2h0PSIzMy45Njg4IiBzdHlsZT0ic3Ryb2tlOiMxODE4MTg7c3Ryb2tlLXdpZHRoOjAuNTsiIHdpZHRoPSIzNS45NzI3IiB4PSIxMzguODgyOCIgeT0iMTc0LjY0NDUiLz48dGV4dCBmaWxsPSIjMDAwMDAwIiBmb250LWZhbWlseT0ic2Fucy1zZXJpZiIgZm9udC1zaXplPSIxMiIgbGVuZ3RoQWRqdXN0PSJzcGFjaW5nIiB0ZXh0TGVuZ3RoPSIxNS45NzI3IiB4PSIxNDguODgyOCIgeT0iMTk1Ljc4MzIiPlIxPC90ZXh0PjxyZWN0IGZpbGw9IiNGMUYxRjEiIGhlaWdodD0iMzMuOTY4OCIgc3R5bGU9InN0cm9rZTojMTgxODE4O3N0cm9rZS13aWR0aDowLjU7IiB3aWR0aD0iNDcuMTE3MiIgeD0iMjI2LjkwNDMiIHk9IjE3NC42NDQ1Ii8+PHRleHQgZmlsbD0iIzAwMDAwMCIgZm9udC1mYW1pbHk9InNhbnMtc2VyaWYiIGZvbnQtc2l6ZT0iMTIiIGxlbmd0aEFkanVzdD0ic3BhY2luZyIgdGV4dExlbmd0aD0iMjcuMTE3MiIgeD0iMjM2LjkwNDMiIHk9IjE5NS43ODMyIj5TVzE8L3RleHQ+PHJlY3QgZmlsbD0iI0YxRjFGMSIgaGVpZ2h0PSIzMy45Njg4IiBzdHlsZT0ic3Ryb2tlOiMxODE4MTg7c3Ryb2tlLXdpZHRoOjAuNTsiIHdpZHRoPSI0My4yNSIgeD0iMzA0LjAyMTUiIHk9IjE3NC42NDQ1Ii8+PHRleHQgZmlsbD0iIzAwMDAwMCIgZm9udC1mYW1pbHk9InNhbnMtc2VyaWYiIGZvbnQtc2l6ZT0iMTIiIGxlbmd0aEFkanVzdD0ic3BhY2luZyIgdGV4dExlbmd0aD0iMjMuMjUiIHg9IjMxNC4wMjE1IiB5PSIxOTUuNzgzMiI+UEMxPC90ZXh0Pjw/cGxhbnR1bWwtc3JjIG9vakZvS25DTHdaY0tiMzhJb3FmcG9fQUxsMURwNGpDSnlyRHBJaTEyb2llOUFRYTVBS001b2xPQVlXUE1YaGY2UGZQdzFkZzZVV1JjSVkxZkhySlNaRnB1V0VTNVFBbkFaR3FLOGdyMVlnaUhSQjI5cDRmdFdfQW5oSjNHMHlDdUhPNDZROFEzUDR0WDFZaGUxMFNaYk5VMjJPVnU4blRGem5UakcwMD8+PC9nPjwvc3ZnPg==" alt="Network Topology Diagram" style="max-width:100%;height:auto;background:#fff;padding:16px;border:1px solid #e5e7eb;border-radius:8px;" />
</div>

cisco
R2(config)# no access-list 1
R2(config)# access-list 1 deny 192.168.1.0 0.0.0.255

What just happened:

  • We recreated ACL 1 with a single deny entry. There is now no explicit permit line.

Why this matters — the implicit deny:

  • Every ACL on Cisco IOS has an implicit "deny all" at the end. If a packet doesn't match any explicit permit line, it is dropped. With only the deny line present, all traffic that is not explicitly matched (which is everything except sources in 192.168.1.0/24) will be denied by the implicit deny — effectively blocking all traffic through the interface where this ACL is applied.

Verify (what you'll see if you list the ACL):

R2# show access-lists
Standard IP access list 1
    10 deny 192.168.1.0 0.0.0.255


<div class="topology-diagram">
<img src="data:image/svg+xml;base64,PD9wbGFudHVtbCAxLjIwMjYuMT8+PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiBjb250ZW50U3R5bGVUeXBlPSJ0ZXh0L2NzcyIgZGF0YS1kaWFncmFtLXR5cGU9Ik5XRElBRyIgaGVpZ2h0PSIyNThweCIgcHJlc2VydmVBc3BlY3RSYXRpbz0ibm9uZSIgc3R5bGU9IndpZHRoOjM3MHB4O2hlaWdodDoyNThweDtiYWNrZ3JvdW5kOiNGRkZGRkY7IiB2ZXJzaW9uPSIxLjEiIHZpZXdCb3g9IjAgMCAzNzAgMjU4IiB3aWR0aD0iMzcwcHgiIHpvb21BbmRQYW49Im1hZ25pZnkiPjxkZWZzLz48Zz48dGV4dCBmaWxsPSIjMDAwMDAwIiBmb250LWZhbWlseT0ic2Fucy1zZXJpZiIgZm9udC1zaXplPSIxMiIgbGVuZ3RoQWRqdXN0PSJzcGFjaW5nIiB0ZXh0TGVuZ3RoPSI3OS4wNDg4IiB4PSIxNy43ODUyIiB5PSIxNi4xMzg3Ij5NYW5hZ2VtZW50PC90ZXh0Pjx0ZXh0IGZpbGw9IiMwMDAwMDAiIGZvbnQtZmFtaWx5PSJzYW5zLXNlcmlmIiBmb250LXNpemU9IjEyIiBsZW5ndGhBZGp1c3Q9InNwYWNpbmciIHRleHRMZW5ndGg9IjkxLjgzNCIgeD0iNSIgeT0iMzAuMTA3NCI+MTkyLjE2OC4xLjAvMjQ8L3RleHQ+PHRleHQgZmlsbD0iIzAwMDAwMCIgZm9udC1mYW1pbHk9InNhbnMtc2VyaWYiIGZvbnQtc2l6ZT0iMTIiIGxlbmd0aEFkanVzdD0ic3BhY2luZyIgdGV4dExlbmd0aD0iNzcuNzU5OCIgeD0iMTkuMDc0MiIgeT0iMTMyLjkxMjEiPkxhYl9OZXR3b3JrPC90ZXh0Pjx0ZXh0IGZpbGw9IiMwMDAwMDAiIGZvbnQtZmFtaWx5PSJzYW5zLXNlcmlmIiBmb250LXNpemU9IjEyIiBsZW5ndGhBZGp1c3Q9InNwYWNpbmciIHRleHRMZW5ndGg9IjY4LjkyOTciIHg9IjI3LjkwNDMiIHk9IjE0Ni44ODA5Ij4xMC4wLjAuMC8yNDwvdGV4dD48cmVjdCBmaWxsPSIjRTJFMkYwIiBoZWlnaHQ9IjUiIHN0eWxlPSJzdHJva2U6IzE4MTgxODtzdHJva2Utd2lkdGg6MTsiIHdpZHRoPSIxMTAuMDcwMyIgeD0iMTAxLjgzNCIgeT0iMTYuNDY4OCIvPjxyZWN0IGZpbGw9IiNFMkUyRjAiIGhlaWdodD0iNSIgc3R5bGU9InN0cm9rZTojMTgxODE4O3N0cm9rZS13aWR0aDoxOyIgd2lkdGg9IjI2MC40Mzc1IiB4PSIxMDEuODM0IiB5PSIxMzMuMjQyMiIvPjxwYXRoIGQ9Ik0xNTguODY5MSwyMS40Njg4IEwxNTguODY5MSw1Ny44NzExIiBmaWxsPSJub25lIiBzdHlsZT0ic3Ryb2tlOiMxODE4MTg7c3Ryb2tlLXdpZHRoOjE7Ii8+PHRleHQgZmlsbD0iIzAwMDAwMCIgZm9udC1mYW1pbHk9InNhbnMtc2VyaWYiIGZvbnQtc2l6ZT0iMTEiIGxlbmd0aEFkanVzdD0ic3BhY2luZyIgdGV4dExlbmd0aD0iNzMuNDc2NiIgeD0iMTIyLjEzMDkiIHk9IjQwLjk3OCI+MTkyLjE2OC4xLjEwPC90ZXh0PjxwYXRoIGQ9Ik0xNTQuODY5MSwxMzguMjQyMiBMMTU0Ljg2OTEsMTc0LjY0NDUiIGZpbGw9Im5vbmUiIHN0eWxlPSJzdHJva2U6IzE4MTgxODtzdHJva2Utd2lkdGg6MTsiLz48dGV4dCBmaWxsPSIjMDAwMDAwIiBmb250LWZhbWlseT0ic2Fucy1zZXJpZiIgZm9udC1zaXplPSIxMSIgbGVuZ3RoQWRqdXN0PSJzcGFjaW5nIiB0ZXh0TGVuZ3RoPSI0NS40ODI0IiB4PSIxMzIuMTI3OSIgeT0iMTU3Ljc1MTUiPjEwLjAuMC4xPC90ZXh0PjxwYXRoIGQ9Ik0yNDguNDYyOSwxMzguMjQyMiBMMjQ4LjQ2MjksMTc0LjY0NDUiIGZpbGw9Im5vbmUiIHN0eWxlPSJzdHJva2U6IzE4MTgxODtzdHJva2Utd2lkdGg6MTsiLz48dGV4dCBmaWxsPSIjMDAwMDAwIiBmb250LWZhbWlseT0ic2Fucy1zZXJpZiIgZm9udC1zaXplPSIxMSIgbGVuZ3RoQWRqdXN0PSJzcGFjaW5nIiB0ZXh0TGVuZ3RoPSI0NS40ODI0IiB4PSIyMjUuNzIxNyIgeT0iMTU3Ljc1MTUiPjEwLjAuMC4yPC90ZXh0PjxwYXRoIGQ9Ik0zMjMuNjQ2NSwxMzguMjQyMiBMMzIzLjY0NjUsMTc0LjY0NDUiIGZpbGw9Im5vbmUiIHN0eWxlPSJzdHJva2U6IzE4MTgxODtzdHJva2Utd2lkdGg6MTsiLz48dGV4dCBmaWxsPSIjMDAwMDAwIiBmb250LWZhbWlseT0ic2Fucy1zZXJpZiIgZm9udC1zaXplPSIxMSIgbGVuZ3RoQWRqdXN0PSJzcGFjaW5nIiB0ZXh0TGVuZ3RoPSI1Mi40ODEiIHg9IjI5Ny40MDYiIHk9IjE1Ny43NTE1Ij4xMC4wLjAuMTA8L3RleHQ+PHJlY3QgZmlsbD0iI0YxRjFGMSIgaGVpZ2h0PSIzMy45Njg4IiBzdHlsZT0ic3Ryb2tlOiMxODE4MTg7c3Ryb2tlLXdpZHRoOjAuNTsiIHdpZHRoPSI4MC4wNzAzIiB4PSIxMTYuODM0IiB5PSI1Ny44NzExIi8+PHRleHQgZmlsbD0iIzAwMDAwMCIgZm9udC1mYW1pbHk9InNhbnMtc2VyaWYiIGZvbnQtc2l6ZT0iMTIiIGxlbmd0aEFkanVzdD0ic3BhY2luZyIgdGV4dExlbmd0aD0iNjAuMDcwMyIgeD0iMTI2LjgzNCIgeT0iNzkuMDA5OCI+QWRtaW5fUEM8L3RleHQ+PHJlY3QgZmlsbD0iI0YxRjFGMSIgaGVpZ2h0PSIzMy45Njg4IiBzdHlsZT0ic3Ryb2tlOiMxODE4MTg7c3Ryb2tlLXdpZHRoOjAuNTsiIHdpZHRoPSIzNS45NzI3IiB4PSIxMzguODgyOCIgeT0iMTc0LjY0NDUiLz48dGV4dCBmaWxsPSIjMDAwMDAwIiBmb250LWZhbWlseT0ic2Fucy1zZXJpZiIgZm9udC1zaXplPSIxMiIgbGVuZ3RoQWRqdXN0PSJzcGFjaW5nIiB0ZXh0TGVuZ3RoPSIxNS45NzI3IiB4PSIxNDguODgyOCIgeT0iMTk1Ljc4MzIiPlIxPC90ZXh0PjxyZWN0IGZpbGw9IiNGMUYxRjEiIGhlaWdodD0iMzMuOTY4OCIgc3R5bGU9InN0cm9rZTojMTgxODE4O3N0cm9rZS13aWR0aDowLjU7IiB3aWR0aD0iNDcuMTE3MiIgeD0iMjI2LjkwNDMiIHk9IjE3NC42NDQ1Ii8+PHRleHQgZmlsbD0iIzAwMDAwMCIgZm9udC1mYW1pbHk9InNhbnMtc2VyaWYiIGZvbnQtc2l6ZT0iMTIiIGxlbmd0aEFkanVzdD0ic3BhY2luZyIgdGV4dExlbmd0aD0iMjcuMTE3MiIgeD0iMjM2LjkwNDMiIHk9IjE5NS43ODMyIj5TVzE8L3RleHQ+PHJlY3QgZmlsbD0iI0YxRjFGMSIgaGVpZ2h0PSIzMy45Njg4IiBzdHlsZT0ic3Ryb2tlOiMxODE4MTg7c3Ryb2tlLXdpZHRoOjAuNTsiIHdpZHRoPSI0My4yNSIgeD0iMzA0LjAyMTUiIHk9IjE3NC42NDQ1Ii8+PHRleHQgZmlsbD0iIzAwMDAwMCIgZm9udC1mYW1pbHk9InNhbnMtc2VyaWYiIGZvbnQtc2l6ZT0iMTIiIGxlbmd0aEFkanVzdD0ic3BhY2luZyIgdGV4dExlbmd0aD0iMjMuMjUiIHg9IjMxNC4wMjE1IiB5PSIxOTUuNzgzMiI+UEMxPC90ZXh0Pjw/cGxhbnR1bWwtc3JjIG9vakZvS25DTHdaY0tiMzhJb3FmcG9fQUxsMURwNGpDSnlyRHBJaTEyb2llOUFRYTVBS001b2xPQVlXUE1YaGY2UGZQdzFkZzZVV1JjSVkxZkhySlNaRnB1V0VTNVFBbkFaR3FLOGdyMVlnaUhSQjI5cDRmdFdfQW5oSjNHMHlDdUhPNDZROFEzUDR0WDFZaGUxMFNaYk5VMjJPVnU4blRGem5UakcwMD8+PC9nPjwvc3ZnPg==" alt="Network Topology Diagram" style="max-width:100%;height:auto;background:#fff;padding:16px;border:1px solid #e5e7eb;border-radius:8px;" />
</div>

cisco
R2(config)# ip access-list standard SALES_BLOCK
R2(config-std-nacl)# deny 192.168.1.0 0.0.0.255
R2(config-std-nacl)# permit any
R2(config-std-nacl)# exit

What each command does and why it matters:

  • ip access-list standard SALES_BLOCK
    • What it does: Enters the named standard ACL configuration mode and creates (or edits) an ACL named SALES_BLOCK.
    • Why it matters: Named ACLs allow descriptive names instead of numbers, which reduces operator errors and aids documentation.
  • deny 192.168.1.0 0.0.0.255
    • What it does: Adds a deny entry for the Sales subnet inside the named ACL.
    • Why it matters: Same match logic as numbered ACL 1.
  • permit any
    • What it does: Adds an explicit permit for all other sources.
    • Why it matters: Prevents the implicit deny from blocking legitimate traffic.

Verify:

R2# show ip access-lists
Standard IP access list SALES_BLOCK
    10 deny 192.168.1.0 0.0.0.255
    20 permit any

Standard IP access list 1
    10 deny 192.168.1.0 0.0.0.255
    20 permit any


<div class="topology-diagram">
<img src="data:image/svg+xml;base64,PD9wbGFudHVtbCAxLjIwMjYuMT8+PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiBjb250ZW50U3R5bGVUeXBlPSJ0ZXh0L2NzcyIgZGF0YS1kaWFncmFtLXR5cGU9Ik5XRElBRyIgaGVpZ2h0PSIyNThweCIgcHJlc2VydmVBc3BlY3RSYXRpbz0ibm9uZSIgc3R5bGU9IndpZHRoOjM3MHB4O2hlaWdodDoyNThweDtiYWNrZ3JvdW5kOiNGRkZGRkY7IiB2ZXJzaW9uPSIxLjEiIHZpZXdCb3g9IjAgMCAzNzAgMjU4IiB3aWR0aD0iMzcwcHgiIHpvb21BbmRQYW49Im1hZ25pZnkiPjxkZWZzLz48Zz48dGV4dCBmaWxsPSIjMDAwMDAwIiBmb250LWZhbWlseT0ic2Fucy1zZXJpZiIgZm9udC1zaXplPSIxMiIgbGVuZ3RoQWRqdXN0PSJzcGFjaW5nIiB0ZXh0TGVuZ3RoPSI3OS4wNDg4IiB4PSIxNy43ODUyIiB5PSIxNi4xMzg3Ij5NYW5hZ2VtZW50PC90ZXh0Pjx0ZXh0IGZpbGw9IiMwMDAwMDAiIGZvbnQtZmFtaWx5PSJzYW5zLXNlcmlmIiBmb250LXNpemU9IjEyIiBsZW5ndGhBZGp1c3Q9InNwYWNpbmciIHRleHRMZW5ndGg9IjkxLjgzNCIgeD0iNSIgeT0iMzAuMTA3NCI+MTkyLjE2OC4xLjAvMjQ8L3RleHQ+PHRleHQgZmlsbD0iIzAwMDAwMCIgZm9udC1mYW1pbHk9InNhbnMtc2VyaWYiIGZvbnQtc2l6ZT0iMTIiIGxlbmd0aEFkanVzdD0ic3BhY2luZyIgdGV4dExlbmd0aD0iNzcuNzU5OCIgeD0iMTkuMDc0MiIgeT0iMTMyLjkxMjEiPkxhYl9OZXR3b3JrPC90ZXh0Pjx0ZXh0IGZpbGw9IiMwMDAwMDAiIGZvbnQtZmFtaWx5PSJzYW5zLXNlcmlmIiBmb250LXNpemU9IjEyIiBsZW5ndGhBZGp1c3Q9InNwYWNpbmciIHRleHRMZW5ndGg9IjY4LjkyOTciIHg9IjI3LjkwNDMiIHk9IjE0Ni44ODA5Ij4xMC4wLjAuMC8yNDwvdGV4dD48cmVjdCBmaWxsPSIjRTJFMkYwIiBoZWlnaHQ9IjUiIHN0eWxlPSJzdHJva2U6IzE4MTgxODtzdHJva2Utd2lkdGg6MTsiIHdpZHRoPSIxMTAuMDcwMyIgeD0iMTAxLjgzNCIgeT0iMTYuNDY4OCIvPjxyZWN0IGZpbGw9IiNFMkUyRjAiIGhlaWdodD0iNSIgc3R5bGU9InN0cm9rZTojMTgxODE4O3N0cm9rZS13aWR0aDoxOyIgd2lkdGg9IjI2MC40Mzc1IiB4PSIxMDEuODM0IiB5PSIxMzMuMjQyMiIvPjxwYXRoIGQ9Ik0xNTguODY5MSwyMS40Njg4IEwxNTguODY5MSw1Ny44NzExIiBmaWxsPSJub25lIiBzdHlsZT0ic3Ryb2tlOiMxODE4MTg7c3Ryb2tlLXdpZHRoOjE7Ii8+PHRleHQgZmlsbD0iIzAwMDAwMCIgZm9udC1mYW1pbHk9InNhbnMtc2VyaWYiIGZvbnQtc2l6ZT0iMTEiIGxlbmd0aEFkanVzdD0ic3BhY2luZyIgdGV4dExlbmd0aD0iNzMuNDc2NiIgeD0iMTIyLjEzMDkiIHk9IjQwLjk3OCI+MTkyLjE2OC4xLjEwPC90ZXh0PjxwYXRoIGQ9Ik0xNTQuODY5MSwxMzguMjQyMiBMMTU0Ljg2OTEsMTc0LjY0NDUiIGZpbGw9Im5vbmUiIHN0eWxlPSJzdHJva2U6IzE4MTgxODtzdHJva2Utd2lkdGg6MTsiLz48dGV4dCBmaWxsPSIjMDAwMDAwIiBmb250LWZhbWlseT0ic2Fucy1zZXJpZiIgZm9udC1zaXplPSIxMSIgbGVuZ3RoQWRqdXN0PSJzcGFjaW5nIiB0ZXh0TGVuZ3RoPSI0NS40ODI0IiB4PSIxMzIuMTI3OSIgeT0iMTU3Ljc1MTUiPjEwLjAuMC4xPC90ZXh0PjxwYXRoIGQ9Ik0yNDguNDYyOSwxMzguMjQyMiBMMjQ4LjQ2MjksMTc0LjY0NDUiIGZpbGw9Im5vbmUiIHN0eWxlPSJzdHJva2U6IzE4MTgxODtzdHJva2Utd2lkdGg6MTsiLz48dGV4dCBmaWxsPSIjMDAwMDAwIiBmb250LWZhbWlseT0ic2Fucy1zZXJpZiIgZm9udC1zaXplPSIxMSIgbGVuZ3RoQWRqdXN0PSJzcGFjaW5nIiB0ZXh0TGVuZ3RoPSI0NS40ODI0IiB4PSIyMjUuNzIxNyIgeT0iMTU3Ljc1MTUiPjEwLjAuMC4yPC90ZXh0PjxwYXRoIGQ9Ik0zMjMuNjQ2NSwxMzguMjQyMiBMMzIzLjY0NjUsMTc0LjY0NDUiIGZpbGw9Im5vbmUiIHN0eWxlPSJzdHJva2U6IzE4MTgxODtzdHJva2Utd2lkdGg6MTsiLz48dGV4dCBmaWxsPSIjMDAwMDAwIiBmb250LWZhbWlseT0ic2Fucy1zZXJpZiIgZm9udC1zaXplPSIxMSIgbGVuZ3RoQWRqdXN0PSJzcGFjaW5nIiB0ZXh0TGVuZ3RoPSI1Mi40ODEiIHg9IjI5Ny40MDYiIHk9IjE1Ny43NTE1Ij4xMC4wLjAuMTA8L3RleHQ+PHJlY3QgZmlsbD0iI0YxRjFGMSIgaGVpZ2h0PSIzMy45Njg4IiBzdHlsZT0ic3Ryb2tlOiMxODE4MTg7c3Ryb2tlLXdpZHRoOjAuNTsiIHdpZHRoPSI4MC4wNzAzIiB4PSIxMTYuODM0IiB5PSI1Ny44NzExIi8+PHRleHQgZmlsbD0iIzAwMDAwMCIgZm9udC1mYW1pbHk9InNhbnMtc2VyaWYiIGZvbnQtc2l6ZT0iMTIiIGxlbmd0aEFkanVzdD0ic3BhY2luZyIgdGV4dExlbmd0aD0iNjAuMDcwMyIgeD0iMTI2LjgzNCIgeT0iNzkuMDA5OCI+QWRtaW5fUEM8L3RleHQ+PHJlY3QgZmlsbD0iI0YxRjFGMSIgaGVpZ2h0PSIzMy45Njg4IiBzdHlsZT0ic3Ryb2tlOiMxODE4MTg7c3Ryb2tlLXdpZHRoOjAuNTsiIHdpZHRoPSIzNS45NzI3IiB4PSIxMzguODgyOCIgeT0iMTc0LjY0NDUiLz48dGV4dCBmaWxsPSIjMDAwMDAwIiBmb250LWZhbWlseT0ic2Fucy1zZXJpZiIgZm9udC1zaXplPSIxMiIgbGVuZ3RoQWRqdXN0PSJzcGFjaW5nIiB0ZXh0TGVuZ3RoPSIxNS45NzI3IiB4PSIxNDguODgyOCIgeT0iMTk1Ljc4MzIiPlIxPC90ZXh0PjxyZWN0IGZpbGw9IiNGMUYxRjEiIGhlaWdodD0iMzMuOTY4OCIgc3R5bGU9InN0cm9rZTojMTgxODE4O3N0cm9rZS13aWR0aDowLjU7IiB3aWR0aD0iNDcuMTE3MiIgeD0iMjI2LjkwNDMiIHk9IjE3NC42NDQ1Ii8+PHRleHQgZmlsbD0iIzAwMDAwMCIgZm9udC1mYW1pbHk9InNhbnMtc2VyaWYiIGZvbnQtc2l6ZT0iMTIiIGxlbmd0aEFkanVzdD0ic3BhY2luZyIgdGV4dExlbmd0aD0iMjcuMTE3MiIgeD0iMjM2LjkwNDMiIHk9IjE5NS43ODMyIj5TVzE8L3RleHQ+PHJlY3QgZmlsbD0iI0YxRjFGMSIgaGVpZ2h0PSIzMy45Njg4IiBzdHlsZT0ic3Ryb2tlOiMxODE4MTg7c3Ryb2tlLXdpZHRoOjAuNTsiIHdpZHRoPSI0My4yNSIgeD0iMzA0LjAyMTUiIHk9IjE3NC42NDQ1Ii8+PHRleHQgZmlsbD0iIzAwMDAwMCIgZm9udC1mYW1pbHk9InNhbnMtc2VyaWYiIGZvbnQtc2l6ZT0iMTIiIGxlbmd0aEFkanVzdD0ic3BhY2luZyIgdGV4dExlbmd0aD0iMjMuMjUiIHg9IjMxNC4wMjE1IiB5PSIxOTUuNzgzMiI+UEMxPC90ZXh0Pjw/cGxhbnR1bWwtc3JjIG9vakZvS25DTHdaY0tiMzhJb3FmcG9fQUxsMURwNGpDSnlyRHBJaTEyb2llOUFRYTVBS001b2xPQVlXUE1YaGY2UGZQdzFkZzZVV1JjSVkxZkhySlNaRnB1V0VTNVFBbkFaR3FLOGdyMVlnaUhSQjI5cDRmdFdfQW5oSjNHMHlDdUhPNDZROFEzUDR0WDFZaGUxMFNaYk5VMjJPVnU4blRGem5UakcwMD8+PC9nPjwvc3ZnPg==" alt="Network Topology Diagram" style="max-width:100%;height:auto;background:#fff;padding:16px;border:1px solid #e5e7eb;border-radius:8px;" />
</div>

cisco
R2# show access-lists
Standard IP access list 1
    10 deny 192.168.1.0 0.0.0.255
  • Problem: Missing permit any line — implicit deny is blocking all other traffic.
  • Fix: Add a permit any to the ACL (or replace ACL with one that includes permit any):
R2(config)# access-list 1 permit any
  • Verify:
R2# show access-lists
Standard IP access list 1
    10 deny 192.168.1.0 0.0.0.255
    20 permit any
  • Explanation: Adding the explicit permit allows non-Sales traffic to pass; only Sales remains denied.

Verification Checklist

  • ACL 1 exists with a deny for 192.168.1.0/24 and a permit any.
  • Named ACL SALES_BLOCK exists and mirrors ACL 1.
  • You can explain the implicit deny and show how it would block traffic if permit any were missing.

Common Mistakes

SymptomCauseFix
Entire LAN loses access after applying ACLACL has only deny entries; no permit any (implicit deny blocks rest)Add permit any as last explicit entry or reorder ACL properly
ACL seems to do nothingACL created but not applied to interface or applied in wrong directionApply with `ip access-group in
Hard to understand ACL intentUse of numbered ACL onlyUse named ACLs (ip access-list standard NAME) for clarity

Challenge Task

On R1, create a named standard ACL that blocks Sales (192.168.1.0/24) from reaching the Internet (203.0.113.0/24) but allows all other subnets. Apply it in the correct direction and test reachability. Do not use any configuration lines shown explicitly in this lesson — plan, apply, and verify on your own.

Real-world insight: ACLs are a basic but powerful control point in networks. In production, standard ACLs are typically applied close to the destination because they filter only on source addresses; extended ACLs (which match source and destination and protocols) are used when more granular control is required. Always document ACLs and test in a maintenance window when possible.

Practice with Hands-On Labs

30 step-by-step labs for CCNA, CCNP Enterprise & Security