Standard vs Extended ACL — which one to use when
A practical breakdown of Cisco IOS ACL types. When a one-line standard ACL is the right tool, when you need extended for protocol + port filtering, where to place them, and the mistakes that make ACLs silently do nothing.
ACLs (Access Control Lists) are the network engineer’s Swiss army knife. Filtering traffic is the obvious use, but the same syntax also drives NAT source selection, route-map matching, VTY line locking, PBR, QoS classification, and match statements for tunneled routing protocols. If you understand ACLs, half of Cisco IOS opens up.
The single most common question is “standard or extended?” The answer is fast:
- Standard ACL — filters based on source IP only.
- Extended ACL — filters based on source IP, destination IP, protocol, and port.
Simple in principle. But the placement rules, the direction question, and a couple of tricky edge cases keep this a top exam topic. Here’s the working knowledge.
Standard ACL — source-only, one-line filters
Numbered ranges: 1–99 and 1300–1999. Or use a named ACL (usually cleaner).
Router(config)# access-list 10 permit 10.0.10.0 0.0.0.255
Router(config)# access-list 10 deny any
This ACL permits anything from 10.0.10.0/24 and drops everything else. Note the wildcard mask 0.0.0.255 — that’s the inverse of 255.255.255.0, which is CCNA-required knowledge.
Where you apply a standard ACL matters a lot. Because standard ACLs match on source IP only, they can’t distinguish “traffic from 10.0.10.5 to Server-A” from “traffic from 10.0.10.5 to Server-B.” Whichever way the source is going, it’s a match.
Rule of thumb: standard ACLs go as close to the destination as possible. If you drop them too early (near the source), you block the source from reaching everything, not just the one thing you meant to block.
Named standard ACL is often cleaner:
Router(config)# ip access-list standard MGMT-ONLY
Router(config-std-nacl)# permit 10.0.99.0 0.0.0.255
Router(config-std-nacl)# deny any log
Router(config)# line vty 0 15
Router(config-line)# access-class MGMT-ONLY in
That drops SSH from anywhere except the management subnet. A perfect standard-ACL use case: source-based, one condition.
Extended ACL — source + destination + protocol + port
Numbered ranges: 100–199 and 2000–2699. Or (again, cleaner) named.
Router(config)# ip access-list extended WEB-ONLY
Router(config-ext-nacl)# permit tcp 10.0.10.0 0.0.0.255 host 172.16.5.50 eq 443
Router(config-ext-nacl)# permit tcp 10.0.10.0 0.0.0.255 host 172.16.5.50 eq 80
Router(config-ext-nacl)# deny ip any host 172.16.5.50 log
Router(config-ext-nacl)# permit ip any any
This lets VLAN 10 clients hit the web server on 80/443 only, but everything else on the network is unaffected. Extended ACLs let you be precise.
Where you apply extended ACLs: as close to the source as possible. Because you can match the specific destination, you don’t accidentally block anything else. Dropping the packet early saves bandwidth.
The rule pair is worth writing on a sticky note next to your monitor:
- Standard → near destination.
- Extended → near source.
The direction — in or out?
Every ACL is applied to an interface in a direction, either in (traffic entering the router through that interface) or out (traffic leaving through that interface).
The single mistake I see most often:
Router(config)# access-list 20 deny host 10.0.10.5
Router(config)# access-list 20 permit any
Router(config)# interface g0/0
Router(config-if)# ip access-group 20 out
That admin wanted to block host .5 from going out g0/0. But if g0/0 is the LAN-side interface facing hosts, “out” means traffic going toward the hosts — so this ACL filters return traffic based on the source (which is the return source, i.e., the server), which is not what they meant.
Draw the direction from the router’s perspective. In = coming into the router through this interface. Out = going out of the router through this interface. Now apply your standard-vs-extended placement rule.
Implicit deny — the invisible last line
Every ACL has an implicit deny any at the end. You don’t see it in the config. It’s there.
That means:
Router(config)# access-list 10 permit 10.0.10.5
…permits only that one host and drops everything else. Not what you wanted if this is applied on a routed interface for the whole subnet.
Corollary: if your ACL has permit statements and traffic still isn’t getting through, it’s the implicit deny catching the leftover.
To make debugging easier, add an explicit deny any log at the end:
Router(config-ext-nacl)# deny ip any any log
Now the log keyword generates a syslog message showing what got dropped. Golden for troubleshooting.
Wildcards — the inverse mask
Standard and extended ACLs match with a wildcard mask, not a subnet mask. The wildcard is the inverse of the subnet mask.
/24= subnet255.255.255.0= wildcard0.0.0.255/28= subnet255.255.255.240= wildcard0.0.0.15/30= subnet255.255.255.252= wildcard0.0.0.3
Cisco added the keywords host and any to save you the math:
host 10.0.10.5=10.0.10.5 0.0.0.0any=0.0.0.0 255.255.255.255
Wildcards can also be discontiguous — matching odd or even IPs, matching multiple subnets in one ACE. Almost never needed in CCNA-scope. Know they exist.
Named vs numbered — always name
Numbered ACLs are the legacy syntax. Named ACLs give you three things numbered ones can’t easily do:
- Self-documenting.
MGMT-ONLYbeatsaccess-list 10for readability. - In-place editing. You can insert or remove a specific line in a named ACL:
no 30. In a numbered ACL you have to remove the whole thing and re-enter. - Sequence numbers. Named ACLs show sequence numbers in
show access-lists, so you can add a rule at position 25 without disturbing anything.
There is essentially no reason to use numbered ACLs in new configs.
Show commands
Router# show access-lists
Router# show ip access-lists MGMT-ONLY
Router# show ip interface g0/0 | include access
show access-lists gives you hit counts per line. Hit counts are the primary troubleshooting tool: if a permit line has zero hits after 10 minutes of testing, either the traffic isn’t reaching this router, or an earlier line is matching first.
Common mistakes
-
Standard ACL near the source. Blocks the source from reaching everything, not just the intended destination. Standard = near destination.
-
Extended ACL near the destination. Wastes bandwidth carrying the packet across the network to drop it at the last hop. Extended = near source.
-
Forgetting the implicit deny. A single permit line drops everything else. Add
permit ip any anyif that’s not what you want. -
Wildcard confusion.
10.0.10.0 0.0.0.255matches10.0.10.0/24. Beginners write255.255.255.0, which means “match only 10.0.10.0 exactly” — wrong. -
Direction confusion.
inandoutare from the router’s perspective. Draw arrows before you typeip access-group. -
Applying two ACLs on the same interface in the same direction. IOS silently replaces the first with the second. Verify with
show ip interface. -
Forgetting to save. ACL edits are in running-config only.
write memory— or your work vanishes on reload.
The 30-second flowchart
Ask three questions:
- Do I need to match on destination or protocol/port? If yes → extended. If no → standard.
- Where is the source? Where is the destination? Draw the flow.
- If extended, apply near the source. If standard, apply near the destination.
That’s the whole method.
Cheat strip
| Concept | One-line meaning |
|---|---|
| Standard ACL | Source IP only. Range 1–99, 1300–1999. Near destination |
| Extended ACL | Source + dest + protocol + port. 100–199, 2000–2699. Near source |
| Named ACL | Always prefer this — readable and editable |
| Implicit deny | Every ACL ends with an invisible deny any |
| Wildcard mask | Inverse of subnet mask (0=match, 1=don’t-care) |
| host / any | Shortcuts for x.x.x.x 0.0.0.0 and 0.0.0.0 255.255.255.255 |
| in vs out | From the router’s perspective — draw arrows |
log keyword | Emit syslog on match — golden for troubleshooting |
show access-lists | Hit counts per line — the first thing to check |
Learn the flowchart. Practice the direction question. Once you can answer “standard or extended, in or out” without hesitation, ACLs stop being a mystery and start being the tool they were always meant to be.
Get posts like this by email.
One short, opinionated tutorial per week. Unsubscribe in one click.
Personal reply from a senior network engineer. No third-party tracking. Unsubscribe any time.