6.6.2. ACL Configuration
Understanding Wildcard Masks: ACLs use wildcard masks, which are the bit-wise inverse of subnet masks. The mask is applied bit by bit: a 0 bit means "this bit must match," a 1 bit means "don't care." In whole octets, 0 means the octet must match exactly and 255 means the octet is ignored.

| Wildcard | Meaning | Example |
|---|---|---|
| 0.0.0.0 | Match this exact IP | Single host |
| 0.0.0.255 | Match the first 3 octets | /24 network |
| 0.0.255.255 | Match the first 2 octets | /16 network |
Scenario 1: Block a subnet from reaching a server

The finance VLAN (10.10.10.0/24) shouldn't reach the guest wireless segment. Use a standard ACL applied outbound on the interface facing guests (IOS only accepts `!` comments on their own line, so the annotations below are written that way):

```
Router(config)# access-list 10 deny 10.10.10.0 0.0.0.255
Router(config)# ! Don't forget this line!
Router(config)# access-list 10 permit any
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip access-group 10 out
```
What happens if you forget permit any? The implicit deny blocks everyone, not just finance. Always end with an explicit permit for traffic you want to allow.
Scenario 2: Allow only web traffic from users

Users on 192.168.1.0/24 should only reach the internet via HTTP (80) and HTTPS (443). Everything else gets blocked and logged:

```
Router(config)# access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 80
Router(config)# access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 443
Router(config)# ! Log blocked attempts
Router(config)# access-list 110 deny ip any any log
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip access-group 110 in
```

Note that this list also blocks DNS (UDP 53), so users can only reach web servers by IP address unless a DNS permit like the one in Scenario 3 is added above the deny line.
Scenario 3: Named ACL for readability

Named ACLs are easier to read, and you can insert or delete individual lines without recreating the whole ACL:

```
Router(config)# ip access-list extended GUEST-INTERNET
Router(config-ext-nacl)# permit tcp any any eq 80
Router(config-ext-nacl)# permit tcp any any eq 443
Router(config-ext-nacl)# ! Allow DNS
Router(config-ext-nacl)# permit udp any any eq 53
Router(config-ext-nacl)# deny ip any any log
Router(config-ext-nacl)# exit
Router(config)# interface GigabitEthernet0/2
Router(config-if)# ip access-group GUEST-INTERNET in
```

Verification:

```
Router# show access-lists
Router# show ip interface GigabitEthernet0/0
```

The first command lists every ACL with its lines and per-line hit counters. The second confirms the ACL is applied to the interface: look for "Inbound access list is 110" (or "not set") and the matching "Outgoing access list" line to check the direction.
Troubleshooting tip: The hit counters in show access-lists tell you which rules are matching traffic. If your "permit" line has zero hits, traffic isn't reaching that rule—check the rules above it.
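To make the matching rules concrete, here is an added Python model (not from the page or from Cisco) of how IOS evaluates a numbered ACL: bit-wise wildcard matching, top-down first match, per-line hit counters, and the implicit deny. The rule lines are the page's own Scenario 1 and Scenario 2 syntax, the packets are constructed samples, and the matcher goes slightly beyond the table above by handling non-contiguous wildcard bits, which is what IOS actually does.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 0 bit must match the network, a 1 bit is 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def take_addr(tok, i):
    """Consume one address spec: 'any', 'X WILDCARD', or a bare 'X' (single host)."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if i + 1 < len(tok) and tok[i + 1].count(".") == 3:
        return tok[i], tok[i + 1], i + 2
    return tok[i], "0.0.0.0", i + 1

def parse_rule(line):
    """Parse one 'access-list N permit|deny ...' line in the syntax used on this page."""
    tok = line.split()
    number, action, i = int(tok[1]), tok[2], 3
    rule = {"text": line, "action": action, "proto": "ip", "dport": None, "hits": 0}
    if number >= 100:                   # extended (100-199): protocol, source, destination, port
        rule["proto"], i = tok[i], i + 1
    rule["src"], rule["src_wc"], i = take_addr(tok, i)
    if number >= 100:
        rule["dst"], rule["dst_wc"], i = take_addr(tok, i)
        if i + 1 < len(tok) and tok[i] == "eq":
            rule["dport"] = int(tok[i + 1])
    else:                               # standard (1-99): source only, any destination
        rule["dst"], rule["dst_wc"] = "0.0.0.0", "255.255.255.255"
    return rule

def evaluate(acl, pkt):
    """Top-down first match, incrementing that line's hit counter; falling off the
    end is the implicit 'deny ip any any', which no line counts."""
    for rule in acl:
        if (rule["proto"] in ("ip", pkt["proto"])
                and wildcard_match(pkt["src"], rule["src"], rule["src_wc"])
                and wildcard_match(pkt["dst"], rule["dst"], rule["dst_wc"])
                and rule["dport"] in (None, pkt["dport"])):
            rule["hits"] += 1
            return rule["action"]
    return "deny"

# Constructed samples: Scenario 2 from the page, and Scenario 1 with 'permit any' forgotten.
SCENARIO_2 = [parse_rule(l) for l in (
    "access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 80",
    "access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 443",
    "access-list 110 deny ip any any log")]
SCENARIO_1_BROKEN = [parse_rule("access-list 10 deny 10.10.10.0 0.0.0.255")]
```

A packet is a dict with `src`, `dst`, `proto` and `dport`; after a few calls to `evaluate`, the `hits` field of each rule reproduces what `show access-lists` would report.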
⚠️ Exam Trap: ACL placement is heavily tested. Standard ACLs go close to the destination, extended ACLs close to the source. The reasoning: a standard ACL matches on source address only, so placed near the source it would block that source from reaching anything; placing it near the destination limits the effect to that one destination. An extended ACL can match the exact source, destination and port, so it is placed near the source to drop unwanted traffic before it crosses the network.