Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
6.6.1. ACL Types
The choice between standard and extended ACLs comes down to what you need to filter on:
Standard ACLs only see source IP addresses. They're simple but limited—you can't distinguish between web traffic and SSH from the same host. Because they can only filter on source, you should place them close to the destination; placed near the source, a deny would block that source from reaching anything beyond the ACL, not just the destination you meant to protect.
Extended ACLs see the full picture: source IP, destination IP, protocol, and port numbers. You can say "permit HTTP to the web server but deny SSH." Place these close to the source to stop unwanted traffic early.
| Type | Number Range | What It Can Filter | Placement Rule |
|---|---|---|---|
| Standard | 1-99, 1300-1999 | Source IP only | Close to destination |
| Extended | 100-199, 2000-2699 | Source, dest, protocol, port | Close to source |
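
The two placement rules side by side, as an added Cisco IOS example that is not part of the original course text. The routers (R1 next to the users, R2 next to the servers), the interface names, and the addresses 192.168.10.10 (user host) and 192.168.30.5 (web server) are all constructed for illustration.

```cisco
! --- R2: router nearest the server LAN (close to destination) ---
! Standard ACL (number in 1-99): matches on source IP only.
! Denying the host here removes ALL of its traffic to the server LAN,
! web and SSH alike, but leaves its access to other networks intact.
access-list 10 deny host 192.168.10.10
access-list 10 permit any
!
interface GigabitEthernet0/1
 description Link to server LAN (constructed name)
 ip access-group 10 out

! --- R1: router nearest the user LAN (close to source) ---
! Extended ACL (number in 100-199): matches source, destination,
! protocol and port, so HTTP can be permitted while SSH is denied.
access-list 110 permit tcp host 192.168.10.10 host 192.168.30.5 eq 80
access-list 110 deny tcp host 192.168.10.10 host 192.168.30.5 eq 22
! Every ACL ends with an implicit deny; this line lets unrelated traffic through.
access-list 110 permit ip any any
!
interface GigabitEthernet0/0
 description Link to user LAN (constructed name)
 ip access-group 110 in
```

After applying either list, `show access-lists` displays per-entry match counters, which confirms that traffic is hitting the entry you expect rather than falling through to a later line.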