Top 24 Access Control List Interview Questions You Must Prepare 21.Apr.2024

Traffic that is generated by the router itself, ACL is going to filter only trit traffic.

At the end of each access list, there is an implicit deny statement denying any packet for which the match has not been found in the access list.

Access Control List is a packet filtering method that filters the IP packets based on source and destination address. It is a set of rules and conditions that permit or deny IP packets to exercise control over network traffic.

  • Access-group command is used to filter traffic on the Interface (Ethernet, Serial).
  • Access-class command is used to filter traffic on Lines (Vty, Console, aux).

Access-List is going to filter incoming as well as outgoing traffic on the router interface.

We can apply access list in two directions:-

  • IN - ip access-group 10 in
  • OUT - ip access-group 10 out

@Using a wildcard mask ""

Example: - or

@Using keyword "Host"

Example: - Host

Access lists are processed in sequential, logical order, evaluating packets from the top down, one statement at a time. As soon as a match is made, the permit or deny option is applied, and the packet is not evaluated against any more access list statements. Because of this, the order of the statements within any access list is significant. There is an implicit “deny” at the end of each access list which me that if a packet does not match the condition on any of the lines in the access list, the packet will be discarded.

  1. No standard ACL in IPV6
  2. No wildcard mask in IPV6 ACL
  3. In IPV6 only Named ACL's are available, there is no numbered ACL.

  1. Numbered ACL is created by using number; Named ACL is created by using name,
  2. Removing of specific statement is not possible in Numbered ACL, It is possible in Named ACL.

  1. Simple Packet Filtering Purpose
  2. Limiting Access on VTY lines
  3. Route Filtering
  4. NAT
  5. Route- MAPs

When an access-list is applied to inbound packets on interface, those packets are first processed through ACL and then routed. Any packets that are denied won’t be routed. When an access-list is applied to outbound packets on interface, those packets are first routed to outbound interface and than processed through ACL.

Default Wild Card Mask for Access-List is

  1. Complex Packet Filtering Purpose
  2. Route Filtering
  3. VPN
  4. TCP Intercept
  5. IOS Firewall

  • 1 per Interface
  • 1 per Direction
  • 1 per Protocol

Wildcard mask is used with ACL to specify an individual hosts, a network, or a range of network. Whenever a zero is present, it indicates that octet in the address must match the corresponding reference exactly. Whenever a 255 is present, it indicates those octets need not to be evaluated.

Wildcard Mask is completely opposite to subnet mask.

Example:- For /24

  • Subnet Mask -
  • Wildcard Mask -

There are two main types of Access lists:-

  1. Standard Access List.
  2. Extended Access List.

  • #sh access-list shows number of Hit Counts.
  • #sh run access-list does not show number of Hit Counts.

Extended Access List filters the network traffic based on the Source IP address, Destination IP address, Protocol Field in the Network layer, Port number field at the Trport layer. Extended Access List ranges from 100 to 199, In expanded range 2000-269@Extended Access List should be placed as close to source as possible. Since extended access list filters the traffic based on specific addresses (Source IP, Destination IP) and protocols we don’t want our traffic to traverse the entire network just to be denied wasting the bandwidth.


  • R1 (config) # access-list 110 deny tcp any host eq 23
  • R1 (config) # int fa0/0
  • R1 (config-if) # ip access-group 110 in

It is just another way of creating Standard and Extended ACL. In Named ACL names are given to identify access-list.

It has following advantage over Number ACL - In Name ACL we can give sequence number which me we can insert a new statement in middle of ACL.


  • R1 (config) # ip access-list extended CCNA
  • R1 (config) # 15 permit tcp host host eq 23
  • R1 (config) # exit
  • This will insert above statement at Line @
  • R1 (config) # int fa0/0
  • R1 (config-if) # ip access-group ccna in

Standard Access List examines only the source IP address in an IP packet to permit or deny that packet. It cannot match other field in the IP packet. Standard Access List can be created using the access-list numbers 1-99 or in the expanded range of 1300-199@Standard Access List must be applied close to destination. As we are filtering based only on source address, if we put the standard access-list close to the source host or network than nothing would be forwarded from source.


  • R1 (config) # access-list 10 deny host
  • R1 (config) # int fa0/0
  • R1 (config-if) # ip access-group 10 in

We can assign only one access list per interface per protocol per direction which me that when creating an IP access lists, we can have only one inbound access list and one outbound access list per interface. Multiple access lists are permitted per interface, but they must be for a different protocol.

  1. Standard ACL only checks Source IP address, Extended ACL checks Source IP, Destination IP and Protocol also for filtering traffic.
  2. Standard ACL can be created using number (1-99, 1300-1399) and Extended ACL can be created using number (100-199, 2000-2699).
  3. Two way communication is blocked in Standard ACL, One way communication is stopped in Extended ACL.
  4. Standard ACL implemented near to destination, Extended ACL implemented near to Source.