ACL MATCHING DRILL_
Top-down evaluation. Implicit deny. First match wins. Randomized ACL + packet pairs — predict which line catches the packet before it reaches the implicit deny. The single most exam-tested ACL concept, drilled to muscle memory.[ ▶ QUICK SUMMARY ]
This interactive Cisco ACL simulator tests packet-filtering comprehension using sequential, top-down evaluation. A router checks each access-list line in order, acts on the first match, and applies an implicitdeny any at the end of every ACL. Standard ACLs match source IP only and belong close to the destination; extended ACLs match source, destination, protocol, and port and belong close to the source. This drill randomizes ACL + packet pairs so you practice predicting exactly which line catches each packet.
★ HOW IT WORKS
Each question shows a randomized ACL plus an incoming packet. Your job: name the FIRST line that matches the packet, with its verdict (permit/deny). If no line matches, the answer is implicit deny.
Three difficulty modes:
- STANDARD — Numbered 1-99. Source IP only, no protocol or port. Easier, but classic CCNA test material.
- EXTENDED — Numbered 100-199. Full match: source IP + destination IP + protocol + destination port. This is where most exam questions live.
- MIXED — Randomly serves both. Default — gives you the full range.
After every answer you'll see a field-by-field walkthrough of the winning line. If you picked a line that would also match but isn't the first one — that's the most common ACL exam trap — you'll get a callout explaining what was higher in the list and why ACLs are evaluated top-down.
★ KEEP GOING
[ ★ THE HANDS-ON LAB ]
Predicting matches builds the instinct — but you still need to write and apply ACLs on real interfaces. The companion Packet Tracer lab walks you through standard, extended, and named ACLs end to end._
[ ★ COMMAND REFERENCE ]
Forget the exact
access-list or ip access-group syntax? The CLI cheat sheet has copy-paste ACL config templates plus the show commands to verify them._
[ ★ WHERE THIS FITS ]
ACLs live in Domain 5.0 — Security Fundamentals of the CCNA 200-301 blueprint. See every exam topic mapped, with a recommended study order, in the CCNA Study Hub._
v1 — currently supports standard and extended IPv4 ACLs, protocols tcp/udp/ip, and the eq port operator. Wildcards, named ACLs, source ports, established, TCP flags, and ICMP are out of scope for this version.