Access Control List Overview:





Many different protocols can use access control lists (ACLs); the CCNA Routing and Switching vendor certification exams are only concerned with IPv4 ACLs. The following table shows some of the other protocols that can use ACLs.





ACL number range          ACL type
1–99 or 1300–1999         Standard IPv4
100–199 or 2000–2699      Extended IPv4

IPv6 ACLs do not use numbers; they are configured using names only.


When an ACL is applied to IP addresses, a wildcard mask identifies which addresses are matched by the permit or deny statement in each ACL entry. A wildcard mask can identify a single host, a range of hosts, or a complete network or subnetwork.

There are two rules when working with wildcard masks:

  A 0 (zero) in a wildcard mask means to check the corresponding bit in the address for an exact match.

  A 1 (one) in a wildcard mask means to ignore the corresponding bit in the address—can be either 1 or 0. In the examples, this is shown as x.

A 0 Example:

Example 1: 172.16.0.0 0.0.255.255
IP address: 172.16.0.0
Binary Conversion: 10101100.00010000.00000000.00000000
Default Subnet Mask:  255.255.0.0
Wildcard Mask: 0.0.255.255
Binary Conversion of wildcard mask: 00000000.00000000.11111111.11111111
Result = 10101100.00010000.xxxxxxxx.xxxxxxxx (bits under a 1 in the wildcard mask are ignored)
172.16.x.x   (Anything between 172.16.0.0 and 172.16.255.255 matches the example statement.)

An octet of all zeros (0s) means that the octet has to match the address exactly.

An octet of all ones (1s) means that the octet is ignored.

A 1 Example:

Example 2: 172.16.8.0 0.0.7.255
IP address: 172.16.8.0
Binary Conversion: 10101100.00010000.00001000.00000000
Default Subnet Mask:  255.255.248.0
Wildcard Mask: 0.0.7.255
Binary Conversion of wildcard mask: 00000000.00000000.00000111.11111111
Result = 10101100.00010000.00001xxx.xxxxxxxx (bits under a 1 in the wildcard mask are ignored)
00001xxx = 00001000 to 00001111 = 8–15
xxxxxxxx = 00000000 to 11111111 = 0–255

Any address between 172.16.8.0 and 172.16.15.255 matches the example statement.
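The two examples above can be checked mechanically. The following Python script is an added example (not part of the original page): it applies the 0 = check / 1 = ignore rule bit by bit, prints the pattern in the same x notation used above, and computes the lowest and highest address an address/wildcard pair matches. The function names and the sample addresses 172.16.12.33 and 172.16.16.1 are my own choices.

```python
# Added example (not from the original page): how a router applies a wildcard
# mask to an address. Reproduces the 172.16.0.0 0.0.255.255 and
# 172.16.8.0 0.0.7.255 examples and generalises to any address/mask pair.
import ipaddress
from typing import Tuple

ALL_ONES = 0xFFFFFFFF  # keeps Python's unbounded ~ inside 32 bits


def to_int(dotted: str) -> int:
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted-quad string."""
    return str(ipaddress.IPv4Address(value))


def wildcard_matches(ace_addr: str, wildcard: str, packet_addr: str) -> bool:
    """A 0 bit in the wildcard means 'must match', a 1 bit means 'ignore'.
    XOR finds the bits that differ between the ACE address and the packet
    address; any difference under a 0 wildcard bit is a mismatch."""
    diff = to_int(ace_addr) ^ to_int(packet_addr)
    return diff & ~to_int(wildcard) & ALL_ONES == 0


def match_range(ace_addr: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address the ACE matches: the ignored bits set to
    all 0s and to all 1s respectively."""
    addr, mask = to_int(ace_addr), to_int(wildcard)
    low = addr & ~mask & ALL_ONES
    high = addr | mask
    return to_dotted(low), to_dotted(high)


def pattern(ace_addr: str, wildcard: str) -> str:
    """Binary pattern in the page's notation: checked bits shown as 0/1,
    ignored bits shown as x, octets separated by dots."""
    addr, mask = to_int(ace_addr), to_int(wildcard)
    bits = []
    for i in range(31, -1, -1):          # most significant bit first
        if (mask >> i) & 1:
            bits.append("x")             # wildcard 1: ignored
        else:
            bits.append(str((addr >> i) & 1))  # wildcard 0: must match
    octets = ["".join(bits[j:j + 8]) for j in range(0, 32, 8)]
    return ".".join(octets)


if __name__ == "__main__":
    for ace in (("172.16.0.0", "0.0.255.255"), ("172.16.8.0", "0.0.7.255")):
        print(ace, pattern(*ace), match_range(*ace))
    # Constructed packet sources: one inside and one just outside the second range.
    print(wildcard_matches("172.16.8.0", "0.0.7.255", "172.16.12.33"))  # True
    print(wildcard_matches("172.16.8.0", "0.0.7.255", "172.16.16.1"))   # False
```

One caveat worth keeping in mind: `match_range` describes the full span only when the wildcard's 1 bits are contiguous from the right, as in both examples above. A mask such as 0.0.254.255 is legal and matches only even-numbered third octets, so `wildcard_matches` is the authoritative test; the low/high pair is just a convenient summary.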


Any: the any keyword is used in place of 0.0.0.0 255.255.255.255 and matches every address it is compared against.

Host: the host keyword is used in place of a 0.0.0.0 wildcard mask and matches only one specific address.

Standard ACLs:

Standard ACLs are the oldest type of ACL. Standard ACLs control traffic by comparing only the source IP address of each packet to the addresses configured in the ACL.

Each line entered in an ACL is called an access control entry (ACE). Many ACEs grouped together form a single ACL.
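To tie the pieces together (wildcard masks, the any and host keywords, and ACEs grouped into a standard ACL), here is an added example that is not part of the original page: a small evaluator for a numbered standard IPv4 ACL written in IOS syntax. It applies the ACEs in order, stops at the first match (how Cisco routers process an ACL), and falls back to the implicit deny that ends every ACL when nothing matches. It also reports ACEs that can never be hit because an earlier ACE already covers every address they match, a common review finding when entries are in the wrong order. The ACL contents, ACL numbers 10 and 20, and the function names are constructed for this example.

```python
# Added example (not from the original page): evaluate a numbered standard
# IPv4 ACL and flag ACEs shadowed by earlier entries.
import ipaddress
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF

# Constructed sample ACL (not from the page). The host deny is placed first
# on purpose: 172.16.9.1 also falls inside 172.16.8.0 0.0.7.255.
SAMPLE_ACL = [
    "access-list 10 deny   host 172.16.9.1",
    "access-list 10 permit 172.16.8.0 0.0.7.255",
    "access-list 10 permit 10.1.1.0 0.0.0.255",
]

# Constructed misordered ACL: the second ACE can never match.
BAD_ORDER = [
    "access-list 20 permit 172.16.8.0 0.0.7.255",
    "access-list 20 deny   host 172.16.9.1",
]


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_ace(line: str) -> Tuple[str, str, str]:
    """Return (action, address, wildcard) from one standard ACE,
    expanding the 'any' and 'host' keywords to their wildcard form."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not a standard ACE: {line!r}")
    action = tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in ACE: {line!r}")
    rest = tokens[3:]
    if rest[0] == "any":                       # any == 0.0.0.0 255.255.255.255
        return action, "0.0.0.0", "255.255.255.255"
    if rest[0] == "host":                      # host X == X 0.0.0.0
        return action, rest[1], "0.0.0.0"
    if len(rest) == 1:                         # bare address: IOS treats it as a host
        return action, rest[0], "0.0.0.0"
    return action, rest[0], rest[1]


def matches(addr: str, wildcard: str, source: str) -> bool:
    """0 bit in the wildcard: must match; 1 bit: ignored."""
    return (to_int(addr) ^ to_int(source)) & ~to_int(wildcard) & ALL_ONES == 0


def evaluate(acl_lines: List[str], source_ip: str) -> Tuple[str, Optional[str]]:
    """First ACE whose address/wildcard matches the packet's source decides.
    Returns (decision, matching ACE) or ('deny', None) for the implicit deny."""
    for line in acl_lines:
        action, addr, wildcard = parse_ace(line)
        if matches(addr, wildcard, source_ip):
            return action, line
    return "deny", None


def shadowed(acl_lines: List[str]) -> List[int]:
    """Indexes of ACEs that can never be hit: an earlier ACE ignores at least
    the same bits (its wildcard covers this one's) and agrees on every bit it
    checks, so it already matches every address this ACE would match."""
    parsed = [parse_ace(line) for line in acl_lines]
    result = []
    for j, (_, addr_j, mask_j) in enumerate(parsed):
        aj, mj = to_int(addr_j), to_int(mask_j)
        for i in range(j):
            _, addr_i, mask_i = parsed[i]
            ai, mi = to_int(addr_i), to_int(mask_i)
            covers = (mj & ~mi) == 0
            agrees = ((aj ^ ai) & ~mi & ALL_ONES) == 0
            if covers and agrees:
                result.append(j)
                break
    return result


if __name__ == "__main__":
    for src in ("172.16.9.1", "172.16.12.7", "10.1.1.200", "192.0.2.5"):
        print(src, evaluate(SAMPLE_ACL, src))
    print("shadowed in SAMPLE_ACL:", shadowed(SAMPLE_ACL))
    print("shadowed in BAD_ORDER:", shadowed(BAD_ORDER))
```

The `shadowed` check is the one to run on a configuration before a change window: an ACE that is fully covered by an earlier permit is exactly the "I added a deny but the traffic still gets through" situation, and the fix is ordering, not a new mask.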

