access-list
Declares a sequential rule within a numbered Access Control List (ACL). ACLs match traffic patterns by examining layer 3 packet headers, enabling administrators to either block threats at the border or permit specific blocks for operations like Network Address Translation (NAT).
Quick Reference
Router(config)#Standard Syntax Breakdown
A Standard ACL is limited to looking only at the source IPv4 address of an incoming packet. It cannot inspect ports, protocols, or destination boundaries.
Like OSPF network statements, ACL statements rely entirely on wildcard masks (inverse masks) to define address block boundaries. The keywords host (wildcard 0.0.0.0) and any (wildcard 255.255.255.255) are available as shorthand options to clean up code strings.
CLI Deployment Scenarios
Scenario 1: Standard Host Filtering
You need to create a list that permits a single administrative workstation to pass while dropping everyone else from a management network segment.
CCNA Exam Gotchas
The Invisible "Implicit Deny" Trap
Every access list built inside Cisco IOS terminates with an invisible, permanent rule: deny any. If you write a list containing only a single entry like access-list 10 deny host 192.168.1.5, applying this list to an interface will **instantly drop 100% of all traffic** trying to traverse that port. You must have at least one permit statement.
Standard vs. Extended Placement Rules
Memorize this placement rule for the design portion of the exam:
• **Standard ACLs:** Place as **close to the destination** as possible. Because they lack destination parsing, putting them too early will break access to valid downstream routes.
• **Extended ACLs:** Place as **close to the source** as possible to drop blocked packets immediately and preserve network core bandwidth.