When managing a network, one of your key responsibilities is deciding what traffic should be allowed and what should be blocked. That’s exactly what Access Control Lists (ACLs) are designed for.
An ACL is a set of rules that filters traffic based on specific conditions. These rules are applied on Cisco routers or Layer 3 switches to permit or deny packets, helping you control how devices communicate across different parts of your network.
ACLs and OSI Layers
There are two main types of ACLs, each operating at different layers of the OSI model, as shown in Figure 1.
Figure 1 – ACLs and OSI Layers
Standard ACLs operate at Layer 3 (Network Layer) and filter traffic based only on the source IP address.
Extended ACLs operate at both Layer 3 and Layer 4 (Network and Transport Layers), allowing filtering based on source and destination IP, protocols, and even port numbers.
Real-World Example — Inside a Company Network
Imagine you’re the network administrator of a mid-size company. Each department has its own VLAN connected to a core router:
VLAN 10 — Legal Department: 192.168.1.0/24
VLAN 20 — HR Department: 192.168.2.0/24
VLAN 30 — Server VLAN: 192.168.3.0/24
The Legal department needs access to the Legal Server in VLAN 30, but HR must not reach it for confidentiality reasons. ACLs are the perfect solution to enforce this rule directly on the router.
Figure 2 – Standard ACL Example
As shown in Figure 2, the router sits between departments and the server VLAN, making it the ideal point to control traffic flow.
Configuration Example
Here’s how a basic Standard ACL would look:
R1(config)# ip access-list standard 10
R1(config-std-nacl)# permit 192.168.1.0 0.0.0.255
R1(config-std-nacl)# deny 192.168.2.0 0.0.0.255
What’s Happening Here?
10 is the ACL ID number.
The Legal network (192.168.1.0/24) is allowed to access the server VLAN.
The HR network (192.168.2.0/24) is explicitly denied.
This configuration enforces department-based access control, a common best practice in enterprise environments to ensure network segmentation and data protection.
Key Takeaway
ACLs give you the power to define who can talk to whom on the network.
They act as gatekeepers, ensuring that each department or service communicates only where it should.
Now that you’ve seen how ACLs are used in a real company network, let’s look at how these rules are structured, starting with the Access Control Entries (ACEs) that make up every ACL.
Each rule in an ACL is called an Access Control Entry (ACE).
You can think of an ACL as a list, and each ACE is one line in that list, an individual rule that tells the router whether to permit or deny specific traffic.
Example Breakdown
Let’s take the same example from earlier to understand how ACEs work.
Figure 3 – Access Control Entries (ACEs)
In this access list, we have two ACEs that define our filtering rules:
ACE 10: Permits traffic from the 192.168.1.0/24 network.
ACE 20: Denies traffic from the 192.168.2.0/24 network.
When the router processes packets, it evaluates them line by line against each ACE in order.
What About That Mask?
You might have noticed something unusual in the syntax:
the mask used in an ACE doesn’t look like a typical subnet mask.
That’s because ACLs use wildcard masks, not subnet masks.
Wildcard masks define which bits of an IP address must match and which bits can vary, giving you more flexibility when matching traffic.
What Is a Wildcard Mask?
A wildcard mask is the inverse of a subnet mask.
Where a subnet mask uses 1s to mark network bits, a wildcard mask uses 0s to mark the bits that must match exactly.

Subnet Mask        Wildcard Mask    Matches
255.255.255.0      0.0.0.255        All IPs in 192.168.1.0/24
255.255.255.255    0.0.0.0          One specific IP address
Table 1 – Subnet Mask vs Wildcard Mask
Applying It to Our Example
Let’s look at our earlier ACL line:
permit 192.168.1.0 0.0.0.255
This means:
Allow traffic from any device within the 192.168.1.0/24 network.
If you wanted to allow just one specific IP address, such as 192.168.1.10, you would write:
permit 192.168.1.10 0.0.0.0
This matches only that address and no other.
Reading Order and Logic
ACLs are read from top to bottom.
As soon as a packet matches an ACE, the router stops evaluating the rest of the list.
This makes the order of the rules critical: one misplaced line can completely change the outcome.
Figure 4 – ACL Reading Order
For example:
If a packet with source IP 192.168.1.1 matches ACE 10, it’s permitted immediately.
The router won’t even check ACE 20 or any rule below it.
Now that you understand how ACLs evaluate traffic line by line, you might wonder what happens if a packet doesn’t match any of the rules.
This is where the concept of Implicit Deny comes in.
The Hidden Rule
At the end of every ACL, there’s an invisible rule that denies all traffic not explicitly permitted.
You won’t see it in the configuration, but it’s always there by default.
Figure 5 – Implicit Deny Behavior
If a packet doesn’t match any of the permit or deny conditions in the list, the router automatically blocks it. This mechanism acts as a safety feature, ensuring that only clearly authorized traffic is allowed through the network.
Example Scenario
Let’s take our previous example to illustrate this concept.
Suppose a packet comes from the 192.168.5.0/24 network, which isn’t mentioned in any ACE.
Figure 6 – Packet Dropped by Implicit Deny
Here’s how the ACL processes it:
ACE 10: Permits traffic from 192.168.1.0/24 → no match.
ACE 20: Denies traffic from 192.168.2.0/24 → no match either.
Since no match is found, the router automatically blocks the packet.
The packet is silently dropped; the router doesn’t send any notification or warning.
Why Implicit Deny Is Important
This “implicit deny everything else” rule is essential for maintaining security.
It ensures that only the traffic you explicitly allow is permitted on your network.
Anything not mentioned in the ACL is considered untrusted and therefore blocked.
In practice, this means you must be precise and deliberate when creating ACLs.
Forgetting to add a permit for valid traffic can unintentionally block users or applications.
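To make the three ideas above concrete (wildcard masks, top-to-bottom first-match reading, and the implicit deny), here is an added Python model of how a standard ACL evaluates a packet's source address. It is example code written for this page, not Cisco IOS output or the lesson's own material; ACL_10 reproduces the lesson's list, while ACL_SHADOWED is a constructed misordered list used only to show why rule order matters.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ACE:
    """One Access Control Entry of a standard ACL (source-address match only)."""
    seq: int          # sequence number, e.g. 10, 20
    action: str       # "permit" or "deny"
    address: str      # dotted-quad base address
    wildcard: str     # wildcard mask: 0 bits must match, 1 bits may vary


def subnet_to_wildcard(subnet_mask: str) -> str:
    """Invert a subnet mask bit-for-bit to obtain the wildcard mask (Table 1)."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(~mask & 0xFFFFFFFF))


def ace_matches(ace: ACE, src_ip: str) -> bool:
    """True when src_ip agrees with ace.address on every bit the wildcard sets to 0."""
    fixed = ~int(ipaddress.IPv4Address(ace.wildcard)) & 0xFFFFFFFF
    base = int(ipaddress.IPv4Address(ace.address))
    ip = int(ipaddress.IPv4Address(src_ip))
    return (base & fixed) == (ip & fixed)


def evaluate(acl: List[ACE], src_ip: str) -> Tuple[str, Optional[int]]:
    """Walk the ACL top to bottom; the first matching ACE wins.
    Returns (action, seq); seq is None when the implicit deny applied."""
    for ace in acl:
        if ace_matches(ace, src_ip):
            return ace.action, ace.seq
    return "deny", None  # the hidden rule at the end of every ACL


# The lesson's ACL 10: Legal permitted, HR denied, everything else implicitly denied.
ACL_10 = [
    ACE(10, "permit", "192.168.1.0", "0.0.0.255"),
    ACE(20, "deny", "192.168.2.0", "0.0.0.255"),
]

# Constructed misordering: the host-specific permit sits below a broader deny,
# so 192.168.1.10 matches ACE 10 first and is never allowed through.
ACL_SHADOWED = [
    ACE(10, "deny", "192.168.1.0", "0.0.0.255"),
    ACE(20, "permit", "192.168.1.10", "0.0.0.0"),
]

if __name__ == "__main__":
    for ip in ("192.168.1.1", "192.168.2.50", "192.168.5.7"):
        print(ip, evaluate(ACL_10, ip))
    print("192.168.1.10", evaluate(ACL_SHADOWED, "192.168.1.10"))
```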
Now that you understand how ACLs decide what traffic to allow or deny, let’s look at where these rules are actually applied on a router.
When you configure an ACL, you must specify a direction — inbound or outbound — depending on when you want the router to check the packets.
Understanding ACL Directions
Think of a router interface like a doorway:
Inbound ACLs check packets as they enter the doorway.
Outbound ACLs check packets as they leave the doorway.
This simple distinction has a big impact on how your ACL behaves and where you should apply it.
Inbound ACLs
If an ACL is applied inbound, the router inspects the traffic as soon as it arrives on the interface.
That means packets are checked before any routing decision is made.
Figure 7 – Inbound ACL
In other words, the router decides whether to allow or block the packet right at the point of entry.
If it’s denied, the packet is immediately discarded; it never even reaches the routing table.
Outbound ACLs
If an ACL is applied outbound, the router first makes its routing decision to determine the best path for the packet.
Only after this decision does it check the ACL.
Figure 8 – Outbound ACL
This means outbound ACLs act as the final filter before traffic leaves the interface.
If the packet fails the check, it is dropped right before being transmitted out.
Choosing Between Inbound and Outbound
The direction you choose depends on your goal:
Use inbound ACLs to stop unwanted traffic as early as possible.
Use outbound ACLs to control traffic leaving your network or moving toward a specific destination.
Let’s recap everything you’ve learned about how ACLs work.
An Access Control List (ACL) is a set of rules that controls which traffic is allowed or denied in a network.
Each rule inside the list is an Access Control Entry (ACE), and together they define how packets are filtered on a router or a Layer 3 switch.
Key Points to Remember
ACLs are read from top to bottom, and the router stops as soon as a match is found.
At the end of every ACL, there’s an implicit deny rule: packets that don’t match any condition are automatically blocked.
ACLs can be applied inbound (when traffic enters an interface) or outbound (when it leaves).
Standard ACLs operate at Layer 3, filtering traffic based only on the source IP address.
Extended ACLs operate at Layers 3 and 4, filtering by source and destination IPs, protocols, and ports.
Why ACLs Matter
ACLs are one of the foundations of network security.
They help you:
Prevent unauthorized access to sensitive systems,
Limit unnecessary communication between departments, and
Reduce unwanted traffic that could affect performance.
Mastering ACLs gives you the control needed to secure and optimize any network environment.
What’s Next
Now that you understand how ACLs work, it’s time to configure them.
In the next lessons, you’ll learn how to:
You’ll see step by step how to apply these configurations on real Cisco devices and verify that they work as intended.