Access Control Lists (ACLs) Demystified for the CCNP 350-401 ENCOR: Deep-Dive, War Stories, and Proven Tactics

Brandon Eskew -

Introduction to ACLs

If you’re preparing for the CCNP 350-401 ENCOR exam, Access Control Lists (ACLs) must not be an afterthought. ACLs are fundamental to Cisco security, segmentation, and network control—mastering them is both an exam and a real-world requirement. Honestly, I like to think of ACLs as the club bouncers of your network—they check everyone’s credentials and decide who gets in and who gets turned away, all based on the guest list you create.

An Access Control List (ACL) is a sequential set of rules that tells Cisco routers and switches what traffic to permit or deny. You get to be super specific with ACLs—filtering traffic based on things like where it’s coming from, where it’s going, what protocol it’s using, which port, and a bunch of other details. You’ll find ACLs all over the place—locking down your network edges, carving up VLANs, putting limits on who can manage what device, shaping or prioritizing traffic, and even ticking off those annoying compliance checkboxes for audits. Screw up an ACL, and you could accidentally block mission-critical traffic—or, worse, leave a gaping security hole for attackers. Trust me, you want a solid handle on ACLs so you don’t get burned.

  • Standard vs. Extended: Standard ACLs filter by source IP only. But with extended ACLs, you get the fancy toolkit: you can filter by both where the traffic’s coming from and where it’s headed, what protocol it’s using, even ports—so you can really fine-tune what your network allows or blocks.
  • Numbered vs. Named: Numbered ACLs (e.g., 1–99 for standard, 100–199 for extended) use numbers for identification. Now, named ACLs are way more admin-friendly—you can call them something meaningful (like ‘BLOCK_GUEST_NET’) so it’s much easier to manage and update later on.
  • IPv4 vs. IPv6: IPv4 and IPv6 ACLs differ in syntax and behavior. One thing I absolutely love about IPv6 ACLs: you can forget about those tricky wildcard masks. Seriously, just pop in your prefix length (like /64), and you’re done. It’s so much less hassle. Plus, some stuff, like Neighbor Discovery, is always allowed by default, so keep an eye on those automatic exceptions.

ACLs are essential for device management security—if you don’t secure VTY lines, anyone can attempt to access your routers. They’re also critical for controlling traffic between VRFs, integrating with NAT, and even shaping control plane security via CoPP (Control Plane Policing). Engineers who master ACLs are the ones trusted during network incidents, audits, or cyberattack events.

ACL Fundamentals

ACLs are processed top-down: the device checks each rule in order, and the first match determines the fate of the packet. This is called the first match wins principle. If a packet doesn’t match any rule, it’s denied by the implicit deny at the end of every ACL. Pro tip: Adding an explicit deny any log at the end of an ACL is a best practice for auditing and troubleshooting.

Wildcard masks are used in IPv4 ACLs to specify address ranges—think of them as “inverse subnet masks”: 0 bits must match, 1 bits are “don’t care”. Let me show you what I’m talking about:

  • Match a single host: 0.0.0.0 (e.g., permit 192.168.1.5 0.0.0.0)
  • Match a /24 subnet: 0.0.0.255 (e.g., permit 192.168.10.0 0.0.0.255 (lets in the local subnet))

ACLs can be applied inbound (as packets enter an interface) or outbound (as packets exit). And placement is huge—putting an ACL inbound is like having a bouncer who won’t even let you into the club if you’re not on the list, while outbound ACLs let you wander around inside, then stop you right before you leave. So, think carefully about whether you want to block stuff at the entrance or as it’s heading out. Each interface supports one ACL per direction. Applying an ACL in the wrong direction or to the wrong interface is a classic source of errors.

ACLs operate primarily at OSI Layer 3 (IP) and Layer 4 (TCP/UDP), especially extended ACLs. They interact with NAT and routing. Key point: Inbound ACLs process packets before NAT, outbound ACLs after NAT. This order is critical for troubleshooting.

Real-World Example: At a client site, an outbound ACL blocked OSPF hellos while aiming to block Telnet traffic, breaking dynamic routing. Always check all traffic types traversing an interface before applying ACLs—and understand the impact of direction.

ACLs and NAT – Detailed Interactions

Let me tell you, knowing how ACLs and NAT play together will save your bacon—on both the exam and in the real world when you’re chasing weird traffic issues. So, here’s the deal on how Cisco IOS handles things, step by step:

  1. Inbound ACL (applied to incoming interface)
  2. NAT translation
  3. Routing
  4. Outbound ACL (applied to outgoing interface)

Basically, these steps all work together to decide how your router sorts, filters, and translates packets as they cruise through. Let’s say a user PC sends some traffic. First stop: the inbound ACL on your inside interface checks it out. If it passes, NAT might swap out the address, then the router figures out where it’s going, and finally, an outbound ACL on the way out to the Internet gives it a last once-over.

If you stick your ACL inbound on the inside interface, it’s filtering based on the IP address before NAT does its magic. On the outside interface (outbound), the source IP may already have been translated by NAT. This matters when filtering users or subnets that are NATed—apply your ACLs in the correct place relative to NAT!

Exam scenario: If users are still able to access the Internet despite an ACL that should block them, check whether NAT is translating their address after the ACL is applied. Adjust your ACL placement accordingly.

ACL Configuration Examples (IPv4 and IPv6)

Classic IPv4 Standard Numbered ACL (ranges 1–99):

access-list 10 permit 192.168.10.0 0.0.0.255 (lets in the local subnet) (lets in the whole 192.168.10.0/24 subnet)
Apply to an interface: interface GigabitEthernet0/1 ip access-group 10 in

What this really does is let in just the 192.168.10.0/24 subnet on Gi0/1—everyone else gets the cold shoulder and is denied. All other traffic is denied by the implicit deny—no need for an explicit deny any unless you want to log.

Here’s a look at a standard named IPv4 ACL with handy sequence numbers:

ip access-list standard BLOCK_OTHER_SUBNETS ! I like giving my ACLs names that tell me exactly what they’re doing 10 permit 192.168.10.0 0.0.0.255 (lets in the local subnet) 20 deny any log

Named ACLs with sequence numbers make editing easier. Use sequence numbers for granular rule management (e.g., no 20 removes rule 20).

Want more control? Check out an extended numbered ACL (100–199):

access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq 80 (lets only HTTP through from your subnet) access-list 101 deny ip any any log (log and drop everything else)

This permits HTTP from the subnet to anywhere and logs denied traffic.

IPv4 Extended Named ACL and Object Groups

Object groups (supported on IOS XE, IOS 15.0(1)M+, Catalyst 9000, and newer ISR platforms):

object-group network WEB_SERVERS host 10.1.1.10 ! that’s our first individual server host 10.1.1.11 ! and here’s our second server object-group service WEB_PORTS tcp eq 80 eq 443 ip access-list extended OBJG_EXAMPLE 10 permit tcp any object-group WEB_SERVERS object-group WEB_PORTS 20 deny ip any any log

This allows HTTP/HTTPS to a set of web servers. Use show object-group to verify group content.

IPv6 ACLs – Syntax, Implicit Rules, and Logging

IPv6 ACLs are always named and support sequence numbers. Wildcard masks are not used—prefix lengths are specified with /.

ipv6 access-list BLOCK_WEBSURF 10 deny tcp any any eq 80 log 20 permit icmp any any 30 permit ipv6 any any
Apply to interface: interface GigabitEthernet0/1 ipv6 traffic-filter BLOCK_WEBSURF in

Implicit Rules: ND (Neighbor Discovery) is always permitted; routing protocols are NOT always implicitly allowed. If you’re using OSPFv3, EIGRPv6, or RIPng, make sure you add an explicit ‘permit’ for those protocols in your IPv6 ACL, or else things are gonna break. Oh, and whatever you do—don’t block critical ICMPv6 types that your network needs, like router advertisements or MTU discovery. Otherwise, IPv6 stops working and troubleshooting that is a pain.

Logging: The log keyword is supported for IPv6 ACLs on most modern IOS/IOS XE, but may not be available on older versions.

Verifying and Clearing ACL Hit Counters

  • show access-lists – IPv4 ACLs and some platforms show both IPv4 and IPv6
  • show ipv6 access-list – For IPv6 ACLs
  • clear access-list counters – Resets counters for troubleshooting

Platform-Specific ACL Limitations

Not all Cisco hardware supports every ACL feature. Here’s a summary:

Platform / IOS Version Object Groups Outbound ACLs on SVIs Now let’s talk time-based ACLs—because sometimes, you only want rules to kick in during certain hours. IPv6 ACLs ACL Logging
ISR 4000 routers running IOS XE 16.x or newer Yes Yes Yes Yes Yes
Catalyst 9000 switches (running IOS XE 16.x or above) Yes Yes Yes Yes Yes
Catalyst 2960, 3560, or 3750 gear running on IOS 12.x to 15.x No No (SVI: inbound only) Partial Yes (limited) Partial
Classic IOS pre-15.0(1)M No Yes Partial No/Partial Partial
NX-OS (Nexus) Yes Yes No Yes Yes

Note: Time-based and object-group ACLs require accurate device clocks. Use NTP (show ntp status) to prevent unexpected behavior.

Advanced ACL Types and Features

Reflexive (Session-Aware) ACLs

Reflexive ACLs dynamically create temporary inbound rules for return traffic when a permitted outbound session is established. They are useful for securing branch offices or DMZs.

  1. Create an outbound ACL with reflect keyword:ip access-list extended OUTBOUND permit tcp any any reflect MYSESS
  2. Apply an inbound ACL that evaluates the session:ip access-list extended INBOUND evaluate MYSESS
  3. Apply OUTBOUND on outgoing interface, INBOUND on inbound interface.

Verification: Use show access-lists to see dynamic rules.

Limitations: Not supported on all platforms; replaced by zone-based firewalls in modern deployments.

Dynamic (Lock-and-Key) ACLs

Dynamic ACLs allow temporary access after user authentication via Telnet/SSH. This is rarely used today due to security best practices, and not all platforms support it.

  1. Define access list:access-list 110 permit tcp any any eq 22 (lets anyone SSH in—be careful!)
  2. Enable on VTY lines with auto-command:line vty 0 4 access-class 110 in autocommand access-enable host timeout 10

Best practice: Use multi-factor or AAA instead; dynamic ACLs are included for exam completeness.

Now let’s talk time-based ACLs—because sometimes, you only want rules to kick in during certain hours.

These guys let your network allow or block certain traffic depending on the time of day—think ‘open for business’ hours only. Just don’t forget—if your device’s clock isn’t in sync (hint: always run NTP!), those time-based rules can really mess with you.

time-range OFFICE_HOURS periodic weekdays 8:00 to 17:00 ip access-list extended LIMIT_WEB permit tcp any any eq 80 time-range OFFICE_HOURS deny ip any any

Check device time with show clock, ensure NTP sync with show ntp status.

Object Groups – Practical Scenario and Caveats

Use object groups for easier management of repeated IPs or service sets.

object-group network MGMT_HOSTS host 10.1.1.10 ! that’s our first individual server0 host 10.1.1.10 ! that’s our first individual server1 object-group service MGMT_PORTS tcp eq 22 eq 443 ip access-list extended MGMT_ACCESS permit tcp object-group MGMT_HOSTS any object-group MGMT_PORTS (lets only your management hosts hit the right ports) deny ip any any log

Platform support: Only on IOS XE, late IOS, NX-OS. Just a heads up—some older Catalyst switches don’t support object groups at all, so check your gear first.

Alright, let’s dive into applying ACLs in networks that use VRFs—Virtual Routing and Forwarding. This is where things start to get interesting and a bit more advanced.

So, if you’ve got VRFs in play, you can stick ACLs directly inside a particular VRF. That way, you’re filtering traffic only for that chunk of the network—each VRF gets its own security 'bubble,' so to speak. Always verify which VRF an interface belongs to with show ip interface brief vrf. Now, the way you apply ACLs doesn’t really change with VRFs, but just keep in mind—you’re only filtering the traffic that’s actually going through that specific VRF’s routing table. So, if you’re expecting it to catch everything and it doesn’t, check your routing.

Example:ip vrf FINANCE interface GigabitEthernet0/2 vrf forwarding FINANCE ip access-group 110 in

ICMPv6 needs special attention when you’re using ACLs—there’s some gotchas here that can break IPv6 if you’re not careful.

Here’s a mistake I still see way too often: block all ICMPv6 and suddenly IPv6 connectivity dies. Why? Because core IPv6 stuff—think automatic addressing, figuring out the best MTU size, and sending error messages—just flat-out won’t work unless certain types of ICMPv6 packets can get through. Block those, and you’re basically breaking IPv6. So, make sure you’re letting through the specific ICMPv6 packet types your network relies on—don’t just throw up a giant block and cross your fingers. It’s a recipe for headaches.

ipv6 access-list IPV6_FILTER permit icmp any any nd-na permit icmp any any nd-ns permit icmp any any router-advertisement permit icmp any any router-solicitation permit ipv6 any any

Keeping an eye on what your ACLs are up to—especially what traffic they’re blocking—is super important for troubleshooting, but you’ve got to find that sweet spot. If you go overboard with logging, you’ll just end up slowing your device to a crawl.

Absolutely, you want to log denied packets so you have an audit trail and can troubleshoot issues—but try not to go overboard with it. If you start logging every single denied packet, your device’s CPU is gonna be gasping for air and your poor syslog server might just give up and start weeping. Use log only on critical denies, and consider using log-input for source interface details.

deny ip any any log

Monitor logs with show logging and forward to a Security Information and Event Management (SIEM) system for centralized analysis. If you’ve got a ton of traffic flying around your network, think about rate-limiting your logging or even just logging samples—otherwise, you risk overwhelming your hardware and drowning in logs.

Sample syslog output:

You’ll see syslog lines like: %SEC-6-IPACCESSLOGP: list 110 denied tcp 192.168.10.5(34567) -> 10.1.1.10(22), 1 packet.

Let’s switch gears to Control Plane Policing (CoPP)—think of this as bodyguards for your router’s own brain, protecting it from floods of bogus or attack traffic.

Basically, CoPP shields your router’s control plane from nasty traffic storms—like a DDoS that’s targeting SNMP or your routing protocols, for example. One thing I can’t stress enough: only test or tweak CoPP during a maintenance window, and absolutely, positively make sure you’ve got an out-of-band way back in if you lock yourself out.

  1. Create a named ACL for control plane traffic:ip access-list extended MGMT_COPP permit ospf any any permit udp any any eq 161
  2. Class-map and policy-map:class-map match-any MGMT_TRAFFIC match access-group name MGMT_COPP policy-map CONTROL_PLANE_POLICY class MGMT_TRAFFIC police 64000 conform-action transmit exceed-action drop
  3. Apply under the control plane:control-plane service-policy input CONTROL_PLANE_POLICY

Verify with show policy-map control-plane. If too restrictive, you may break routing or monitoring.

ACL Best Practices, Security, and Optimization

  • Put most-specific rules first—first match wins.
  • Summarize where possible; use subnets or object groups.
  • Extended ACLs close to source, standard close to destination.
  • Keep ACLs concise—long lists can overburden hardware/software.
  • Log only on critical denies; monitor CPU (show processes cpu sorted) if logging heavily.
  • Always use least privilege—avoid broad “permit any”.
  • Document rules and intent for audit and troubleshooting.

Security Considerations and Common Attack Vectors

  • Deny spoofed private/reserved IPs at the perimeter.
  • Avoid permitting all management traffic from untrusted sources.
  • Regularly audit ACLs for “shadowed” or unused rules (rules never hit).
  • Watch out for overlapping or duplicated ACL rules—they’ll make troubleshooting a nightmare and could even create sneaky gaps in your defenses.

Quick compliance note: for things like PCI or HIPAA, you’re required to log all denies to sensitive areas and only let approved management stations touch your gear.

That means, for PCI, HIPAA, and friends, make sure you log every deny hitting your sensitive network bits, and lock down management access (like VTY and SNMP) to known-good hosts or subnets. No exceptions!

Now, on the performance side, newer Cisco boxes chew through ACLs in hardware (in the TCAM), so big lists don’t hurt as much—just something to keep in mind.

If you’re running recent Cisco gear, ACLs get handled by specialized hardware, so you basically get line-rate filtering no matter how long your list is. On older gear, complex or long ACLs can be CPU-intensive.

  • Shorten ACLs and summarize addresses when possible.
  • For very large ACLs, test processing time with show platform hardware qfp active statistics drop (ISR/ASR).
  • Oh, and here’s a common trap on Catalyst: you can’t do outbound ACLs on SVIs with models like the 2960, 3560, or 3750—only inbound’s supported there.

Let’s talk about troubleshooting ACLs—because when stuff breaks, ACLs are a usual suspect. Knowing how to diagnose and untangle ACL issues will save you a world of pain.

Common Issues

  • No traffic matching: ACL is not applied, or applied to wrong interface/direction.
  • Unintended blocking: Rule order problem or missing explicit permit for required traffic (e.g., routing protocols, ICMPv6).
  • NAT masking: ACL applied pre- or post-NAT, causing source/destination mismatch.
  • Platform limitation: Feature not supported (see platform matrix above).
  • No access-class on VTY: All sources can attempt remote access—a security risk.

Verification Commands

  • show access-lists / show ipv6 access-list
  • show run interface ...
  • show ip interface / show ipv6 interface
  • debug ip packet ... (lab only)
  • clear access-list counters
  • show processes cpu sorted (for performance impact)

Structured Troubleshooting Flowchart

  1. Check ACL is applied to correct interface/direction.
  2. Check counters—are packets matching? (clear access-list counters then test traffic)
  3. Check NAT order—does the ACL match original or translated IP?
  4. Check for platform features/limitations (see matrix above).
  5. Check for required explicit permits (routing protocols, ICMPv6).
  6. Test with debug and show logging if safe.

Some troubleshooting situations take a little more digging. Let me run you through a couple of classic head-scratchers.

Scenario 1: User can’t access a server after ACL change. First thing I do? Check the rule order. If someone snuck in a ‘permit ip any any’ before the critical deny statement, well, that deny is basically invisible and never triggers.

Scenario 2: After enabling IPv6 ACL, OSPFv3 adjacencies drop. Add explicit permit ospf any any to the ACL.

Scenario 3: ACL applied for guest VLAN, but outbound SVI ACL not supported (on 3560). Workaround: Apply inbound ACL on user-facing interfaces.

Integration Scenarios and Automation

ACLs integrate with firewalls (ASA, zone-based firewalls), VPNs (site-to-site, remote access), and are automatable via tools like Ansible or Cisco Prime.

  • Use the Ansible ansible.netcommon.cli_config module for ACL deployment at scale.
  • In hybrid environments, coordinate ACLs and firewall rules to avoid overlaps or gaps.
  • For rollback, always save “before” configs and test changes in the lab.

Case Studies and Practical Scenarios

Example 1: Inter-VLAN Filtering

Scenario: Only allow finance VLAN (10) to reach the database on VLAN 20 TCP/3306; block all other traffic.

This scenario involves a finance PC on VLAN 10 connected to a switch, which is then connected to a router that provides access to VLAN 20 where the database server resides. The ACL is applied to control access between the VLANs.

ip access-list extended DB_FILTER 10 permit tcp 10.10.10.0 0.0.0.255 host 10.20.20.10 eq 3306 20 deny ip any host 10.20.20.10 log 30 permit ip any any interface Vlan20 ip access-group DB_FILTER in

Verify with show access-lists DB_FILTER. Check logs for any denied access attempts.

Example 2: Securing Device Management (Block Telnet, Permit SSH)

ip access-list extended MGMT_FILTER 10 permit tcp 10.10.10.0 0.0.0.255 any eq 22 20 deny tcp any any eq 23 log 30 permit icmp any any 40 deny ip any any log line vty 0 4 access-class MGMT_FILTER in

Expected output (show access-lists MGMT_FILTER):

Extended IP access list MGMT_FILTER permit tcp 10.10.10.0 0.0.0.255 any eq 22 (5 matches) deny tcp any any eq 23 log (0 matches) permit icmp any any (3 matches) deny ip any any log (0 matches)

Security note: If no access-class is applied to VTY lines, all sources can attempt remote access—a major security risk.

Example 3: Dual-Stack IPv4/IPv6 Guest Filtering

access-list 120 permit tcp 172.16.50.0 0.0.0.255 any eq 80 access-list 120 deny ip any any log ipv6 access-list GUEST_IPV6 10 permit tcp 2001:db8:50::/64 any eq 80 20 deny ipv6 any any log interface Vlan50 ip access-group 120 in ipv6 traffic-filter GUEST_IPV6 in

Hands-On Lab: ACL Placement and NAT

Lab topology:

This lab involves a user LAN connected to GigabitEthernet0/1 (192.168.1.1) on a router, which is then connected via GigabitEthernet0/2 (203.0.113.1) to the Internet. The configuration demonstrates NAT and ACL placement.

  1. Configure inside NAT:interface Gi0/1 ip nat inside interface Gi0/2 ip nat outside ip nat pool OUTSIDE_POOL 203.0.113.100 203.0.113.100 netmask 255.255.255.0 ip nat inside source list 10 pool OUTSIDE_POOL overload access-list 10 permit 192.168.1.0 0.0.0.255
  2. Apply inbound ACL to block host 192.168.1.50:access-list 110 deny ip host 192.168.1.50 any access-list 110 permit ip any any interface Gi0/1 ip access-group 110 in
  3. Test with show access-lists 110 and show ip nat translations.
  4. Clear counters and retest to verify matching.

Exam Preparation Tips and Strategies

Objective Cross-Reference

SectionCCNP ENCOR Objective
ACL Fundamentals, Config, Placement 2.5: Configure and verify ACLs to filter traffic
IPv6 ACLs, ICMPv6 2.6: Configure and verify IPv6 traffic filtering
Advanced ACLs, CoPP 2.7: Configure and verify device security using CoPP

Common Exam Pitfalls

  • Forgetting implicit deny at the end of all ACLs.
  • Not permitting ICMPv6 ND—breaking IPv6.
  • Placing “permit any” at the top of the ACL—shadowing all denies.
  • Object groups not supported on all platforms—read the exam scenario carefully.
  • Applying ACLs to wrong interface or direction.
  • Not restricting VTY access—creates management vulnerability.
  • Misunderstanding NAT/ACL order—user traffic not matched as expected.

Exam-Style Question Bank

  1. Which statement about IPv6 ACLs is true?
    (A) Wildcard masks are required
    (B) ND is always permitted implicitly
    (C) All routing protocols are implicitly permitted
    (D) Logging is not supported
    Answer: B
  2. What happens if you apply a standard ACL outbound on a Catalyst 2960 SVI?
    (A) Traffic is filtered as expected
    (B) Only inbound is supported
    (C) Both directions are supported
    (D) Not supported at all
    Answer: B
  3. How do you permit OSPFv3 in an IPv6 ACL?
    permit ospf any any
  4. If “show access-lists” shows no counter increments, your first troubleshooting step is?
    Check if ACL is applied to the correct interface and direction.
  5. Which keyword allows you to monitor source interface in ACL logs?
    log-input

Quick Reference Cheat Sheet

ACL TypeRange / Syntax
Standard Numbered1–99, 1300–1999
Extended Numbered100–199, 2000–2699
Named ACLsip access-list [standard|extended] NAME
IPv6 ACLsipv6 access-list NAME

Lab Challenge

Design and implement a dual-stack ACL policy to:

  • Permit HTTP/HTTPS from user subnets to Internet
  • Deny Telnet/SSH except from management hosts
  • Permit OSPF and ICMPv6 ND traffic
  • Log all denies
  • Test placement pre-/post-NAT
  • Apply CoPP for SNMP and OSPF

Document your troubleshooting steps and verify with show and log commands.

Summary

Mastering ACLs is more than just passing the CCNP ENCOR—it’s about safeguarding your network and demonstrating true engineering expertise. Understand the differences between standard/extended, numbered/named, and IPv4/IPv6 ACLs; learn the platform-specific caveats; and always test before deploying to production. Use logging judiciously, optimize for performance, and always follow least privilege and compliance principles.

Pro tip: Lab every scenario—hands-on practice is the fastest path to ACL mastery. Simulate common exam “gotchas” and break/fix in a safe environment. Understand not only the syntax, but the why behind each rule and placement. This is what separates “book smart” from “field ready.”

References

  • Cisco IOS Security Command Reference: Access Control Lists – This resource provides comprehensive command syntax and configuration options for ACLs on Cisco IOS devices.
  • Cisco IPv6 Access Control Lists Configuration Guide – This guide offers detailed instructions and best practices for configuring IPv6 ACLs on Cisco platforms.
  • Cisco Let’s switch gears to Control Plane Policing (CoPP)—think of this as bodyguards for your router’s own brain, protecting it from floods of bogus or attack traffic. Configuration Guide – This documentation explains how to implement and verify CoPP for protecting the control plane on Cisco devices.
  • RFC 4861: Neighbor Discovery for IPv6 – This RFC describes the Neighbor Discovery protocol, which is essential for IPv6 network operation and must be considered when configuring ACLs.

Try these techniques in your own lab, and share your experiences or exam tips—real-world experience benefits everyone. Wishing you success and confidence as you master ACLs for your CCNP and beyond.

— Maya Rodriguez, CCIE #58321