Cisco ACLs Explained — Implicit Deny, Wildcards, and the 10-Second ACL Read (CCNA)

Free CCNA-level tutorial on Cisco ACLs for US networking learners. Implicit deny, wildcard masks, in vs out direction, and how to read any ACL in 10 seconds.

If you’ve ever written an ACL that “should work” but blocks everything — you’ve met implicit deny. Let’s make it stop happening.

The one rule

Every ACL has an invisible deny ip any any at the bottom. You don’t type it. The router adds it.

That single sentence resolves about 80% of “my ACL isn’t doing what I expect” cases.

How a router reads an ACL

Top to bottom. First match wins. No more processing.

access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 443
access-list 100 deny ip any any

A packet hits line 1. Match? Permit, done. No? Line 2. Match? Permit, done. No? Line 3. Match? Deny, done.

The third line is technically redundant — the implicit deny would catch it anyway — but writing it explicitly makes the intent obvious to whoever reads the config six months later.

The 10-second ACL read

Train yourself to read an ACL in three passes:

  1. What’s permitted explicitly? Skim the permit lines. That’s the only traffic this ACL will allow.
  2. What’s denied explicitly? The deny lines name traffic important enough to call out.
  3. Everything else is implicitly denied. If a packet doesn’t match any line above, the invisible last line drops it.

Try it on this:

access-list 110 permit tcp 10.0.0.0 0.0.0.255 any eq 22
access-list 110 permit tcp 10.0.0.0 0.0.0.255 any eq 80
access-list 110 deny ip any 10.0.0.0 0.0.0.255 log

  • Permitted: SSH and HTTP from the 10.0.0.0/24 subnet, to anywhere.
  • Denied (loud): anything trying to reach 10.0.0.0/24 (logged so you know who’s knocking).
  • Everything else: silently dropped by the implicit deny.

The single biggest CCNA-level trap

Apply direction matters more than the rule itself.

interface GigabitEthernet0/0
 ip access-group 100 in

in = filter packets arriving on this interface.
out = filter packets leaving this interface.

If you apply an ACL that permits return traffic in on the wrong interface, you’ve effectively blocked the return path of your own conversation. Half the “ACL doesn’t work” tickets in the real world are direction bugs, not rule bugs.

Rule of thumb: apply extended ACLs as close to the source as possible. Apply standard ACLs (which only check source IP) as close to the destination as possible.

Wildcard masks — the 30-second version

Subnet masks say “these bits are network.” Wildcard masks say “these bits I care about; the rest I don’t.”

A wildcard of 0.0.0.255 on 10.0.0.0 means: match anything where the first three octets are 10.0.0 and the last octet is anything.

Quick conversion: subtract the subnet mask from 255.255.255.255.

Subnet mask        Wildcard
255.255.255.0      0.0.0.255
255.255.255.128    0.0.0.127
255.255.255.192    0.0.0.63
255.255.0.0        0.0.255.255

If math isn’t your favorite thing, just remember: /24 = 0.0.0.255. That covers most CCNA questions.
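To make the three-pass read and the wildcard rule concrete, here is an added Python example (not part of the original post) that parses ACL 110 from above, matches addresses with wildcard masks, and walks the list top to bottom with the invisible deny ip any any at the end. The packet addresses are constructed sample values.

```python
import ipaddress

# Constructed copy of the post's ACL 110 (sample input, not a real device config).
ACL_110 = [
    "access-list 110 permit tcp 10.0.0.0 0.0.0.255 any eq 22",
    "access-list 110 permit tcp 10.0.0.0 0.0.0.255 any eq 80",
    "access-list 110 deny ip any 10.0.0.0 0.0.0.255 log",
]

def subnet_to_wildcard(mask):
    """Wildcard = 255.255.255.255 minus the subnet mask."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF - int(ipaddress.IPv4Address(mask))))

def wildcard_match(addr, base, wildcard):
    """A wildcard bit of 1 means 'don't care'; only the 0 bits are compared."""
    w = int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & ~w) == (int(ipaddress.IPv4Address(base)) & ~w)

def _addr_spec(toks, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return ((base, wildcard), next index)."""
    if toks[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if toks[i] == "host":
        return (toks[i + 1], "0.0.0.0"), i + 2
    return (toks[i], toks[i + 1]), i + 2

def parse_ace(line):
    """Parse one extended ACL entry in the form used in this post."""
    toks = line.split()
    action, proto = toks[2], toks[3]
    src, i = _addr_spec(toks, 4)
    dst, i = _addr_spec(toks, i)
    dport = None
    if i < len(toks) and toks[i] == "eq":
        dport, i = int(toks[i + 1]), i + 2
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "log": "log" in toks[i:]}

def evaluate(acl, proto, src, dst, dport=None):
    """Top to bottom, first match wins; no match hits the invisible 'deny ip any any'.
    Returns (action, matching line number or None for the implicit deny, logged?)."""
    for n, line in enumerate(acl, 1):
        ace = parse_ace(line)
        if (ace["proto"] in ("ip", proto)
                and wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])
                and (ace["dport"] is None or ace["dport"] == dport)):
            return ace["action"], n, ace["log"]
    return "deny", None, False  # implicit deny: silent, and no line to point at
```

Running evaluate(ACL_110, "tcp", "10.0.0.5", "203.0.113.9", 443) returns ('deny', None, False): HTTPS from the subnet matches no line, so the implicit deny drops it without a log entry.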

What to lab tonight

  1. Two subnets, a router, an HTTP server on one side, a client on the other.
  2. Confirm the client can reach the server (no ACL yet).
  3. Write a standard ACL on the router that denies the client. Apply it in on the client-side interface. Test. Should fail.
  4. Remove it. Write an extended ACL that permits only HTTP (port 80) from the client subnet. Apply it in on the client-side interface. Test HTTP — works. Test ping — fails. That’s implicit deny working as designed.
  5. Move the ACL to out on the server-side interface. Notice the behavior change.

If step 5 surprises you, you’ve just discovered why in vs out deserves its own evening.


Coming next: Subnetting at the speed of conversation — the way pros do it on whiteboards. Grab the roadmap below to get every post by email.
