    You built every ACL type in the ACLs module of the CCNA path: standard and extended, numbered or named.
    Here you rebuild both, apply them, and prove they work.

    First, how your router reads that list.

    Top-Down, First Match Wins

    An ACL is an ordered list of Access Control Entries (ACEs).
    IOS numbers each ACE automatically in steps of 10 (10, 20, 30, ...); you can also give an ACE an explicit sequence number to insert it between existing entries.

    Your router reads them top to bottom and stops the moment one matches: the first match wins.

    Figure 1 – An ACL is read top to bottom, one ACE at a time (ACE 10 permit, then ACE 20 deny)

    A deny placed above a permit that covers the same addresses blocks traffic you meant to allow, so order ACEs from most specific to most general.

    Now follow a packet through that list.

    Figure 2 – A packet from 192.168.1.1 matches ACE 10, so the router never checks ACE 20

    If source 192.168.1.1 matches the permit on ACE 10, the packet is forwarded at once.
    ACE 20 and everything below it are never evaluated for that packet.

    True or false: once an ACE matches, the router keeps checking the lines below.

    The Implicit Deny

    Every ACL ends with an invisible deny any (deny ip any any in an extended ACL).
    You never see it in the running config, and show access-lists shows no match counter for it, but it is always there once the list holds at least one ACE.
    The one exception is an ACL with no entries at all: applied to an interface, it permits everything, because there is nothing to match and no implicit deny yet.

    A packet that matches no ACE is dropped.

    Figure 3 – A packet that matches no ACE is dropped by the implicit deny

    So you must permit valid traffic explicitly.
    Forget one permit and you lock out users by accident.
    A common safeguard is an explicit deny any log as the last ACE: it drops the same traffic the implicit deny would, but counts and logs what it drops so you can see what you missed.

    What happens to a packet that matches no ACE?

    Wildcard Masks

    ACLs match addresses with wildcard masks.
    A wildcard is the inverse of a subnet mask: a 0 bit must match exactly, a 1 bit is ignored.

    Subnet mask        Wildcard mask      Matches
    255.255.255.0      0.0.0.255          Every host in a /24
    255.255.255.255    0.0.0.0            One exact host

    Table 1 – Subnet mask compared to wildcard mask

    The same logic works for any subnet, not just a /24: subtract each octet of the subnet mask from 255, so a /26 (mask 255.255.255.192) becomes wildcard 0.0.0.63.
    IOS also accepts two shorthands: host 192.168.1.1 means 192.168.1.1 0.0.0.0, and any means 0.0.0.0 255.255.255.255.
    Nothing requires the 1 bits to be contiguous: 10.1.0.0 0.0.255.254 matches every even-numbered host in 10.1.0.0/16, because only the lowest bit of the last octet is compared.

    What mask type does an ACL use?
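The following Python model ties together the three rules above (top-down first match, the implicit deny, and wildcard matching) so you can trace packets against an ACL before typing it into a router. It is an added example written for this page, not Cisco code or IOS output; the ACL names, the ACE values and the packet addresses are constructed for illustration. It also goes slightly beyond the text by modelling two IOS behaviours mentioned in the sections above: the per-ACE match counter and the fact that an ACL with no entries permits everything.

```python
"""Model of how IOS walks a standard ACL: top down, first match wins, implicit
deny at the end, source addresses compared through a wildcard mask.

Added example, not Cisco code or output. ACE and packet values are constructed;
the ACL names and sequence numbers are assumptions for illustration only."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional


def to_int(addr: str) -> int:
    return int(IPv4Address(addr))


def wildcard_from_mask(subnet_mask: str) -> str:
    """Wildcard = bitwise inverse of the subnet mask: 255.255.255.192 -> 0.0.0.63."""
    return str(IPv4Address(0xFFFFFFFF ^ to_int(subnet_mask)))


def wildcard_from_prefix(prefix_len: int) -> str:
    """/24 -> 0.0.0.255, /32 -> 0.0.0.0 (one host), /0 -> 255.255.255.255 (any)."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(IPv4Address(0xFFFFFFFF ^ mask))


def wildcard_match(packet_ip: str, ace_ip: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match exactly, a 1 bit is ignored.
    Nothing requires the 1 bits to be contiguous: 10.1.0.0 0.0.255.254
    matches every even-numbered host in 10.1.0.0/16."""
    care = 0xFFFFFFFF ^ to_int(wildcard)            # bits the router compares
    return (to_int(packet_ip) & care) == (to_int(ace_ip) & care)


@dataclass
class ACE:
    seq: int
    action: str          # "permit" or "deny"
    ip: str
    wildcard: str
    matches: int = 0     # like the "(N matches)" counter in show access-lists


@dataclass
class StandardACL:
    name: str
    aces: list = field(default_factory=list)

    def add(self, action: str, ip: str, wildcard: str = "0.0.0.0",
            seq: Optional[int] = None) -> ACE:
        """Append with the next multiple of 10, or insert at an explicit sequence."""
        if seq is None:
            seq = (self.aces[-1].seq // 10 + 1) * 10 if self.aces else 10
        ace = ACE(seq, action, ip, wildcard)
        self.aces.append(ace)
        self.aces.sort(key=lambda a: a.seq)        # IOS keeps ACEs in sequence order
        return ace

    def evaluate(self, src_ip: str) -> tuple:
        """Return (action, seq); seq is None when the implicit deny fired.
        Modelled IOS caveat: an ACL with no ACEs applied to an interface permits
        everything, because the implicit deny only exists once an ACE is configured."""
        if not self.aces:
            return ("permit", None)
        for ace in self.aces:                      # top down
            if wildcard_match(src_ip, ace.ip, ace.wildcard):
                ace.matches += 1
                return (ace.action, ace.seq)       # first match wins; stop here
        return ("deny", None)                      # the invisible deny any


def build_lab_acl() -> StandardACL:
    """Constructed ACL mirroring the figures: ACE 10 permits one host,
    ACE 20 denies its whole /24; everything else hits the implicit deny."""
    acl = StandardACL("LAB")
    acl.add("permit", "192.168.1.1")                                      # seq 10, host
    acl.add("deny", "192.168.1.0", wildcard_from_prefix(24))              # seq 20
    acl.add("permit", "10.0.0.0", wildcard_from_mask("255.255.255.192"))  # seq 30, a /26
    return acl


def build_misordered_acl() -> StandardACL:
    """Same entries with the deny above the permit: the host is now blocked."""
    acl = StandardACL("MISORDERED")
    acl.add("deny", "192.168.1.0", "0.0.0.255")    # seq 10 catches 192.168.1.1 first
    acl.add("permit", "192.168.1.1")               # seq 20 is never reached for it
    return acl


if __name__ == "__main__":
    for name, acl in (("LAB", build_lab_acl()), ("MISORDERED", build_misordered_acl())):
        for src in ("192.168.1.1", "192.168.1.7", "10.0.0.63", "10.0.0.64"):
            print(name, src, acl.evaluate(src))
```

Trace 192.168.1.1 through both lists: the LAB list returns the permit on ACE 10 and never reaches ACE 20, while MISORDERED returns the deny on ACE 10 because the broader entry sits above the host entry. 10.0.0.64 falls outside the /26 and matches nothing, so the evaluator returns the implicit deny with no sequence number, exactly as the router does.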