ACL Simulator
Paste a Cisco ACL, craft a test packet and watch it travel through every rule.
Simulating Cisco ACL matching
A Cisco access control list is processed top-down: the first rule that matches a packet determines the verdict immediately, and the rest of the list is never evaluated. That single behaviour is responsible for most ACL-related outages. An administrator adds a new permit entry, but it silently never fires because a broader deny earlier in the list already intercepts the matching traffic. The only way to know for certain is to trace every packet through every rule in order, which is exactly what this Cisco ACL simulator does.
Extended ACLs introduce several concepts that catch engineers off guard. Cisco wildcard masks are the inverse of a subnet mask: 0 bits must match and 1 bits are ignored, so a 0.0.0.255 wildcard accepts any value in the last octet while the first three octets must match exactly. Port operators add another layer: eq 443 matches exactly port 443, gt 1023 matches any port above 1023, range 8080 8090 matches an inclusive range. The established keyword matches only TCP segments with the ACK or RST flag set, allowing return traffic for sessions initiated from the inside without opening a full bidirectional hole. The simulator evaluates all of these semantics correctly.
Every ACL also ends with an invisible deny ip any any. Traffic that reaches the bottom of the list without matching any explicit rule is silently dropped. The simulator makes this implicit deny visible so that engineers understand why a packet is blocked even when no deny statement appears in the config.
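The rules described above (first match wins, wildcard masks, port operators, established, and the implicit deny) can be reproduced in a few lines. This is an added example, not the simulator's own code; it assumes entries written as they appear inside an extended ACL without sequence numbers or trailing options such as log, and the sample ACL and function names are constructed for illustration.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def take_addr(t):  # 'any' | 'host A' | 'A WILDCARD' -> (base, wildcard) as ints
    w = t.pop(0)
    if w == "any":
        return 0, 0xFFFFFFFF
    return (ip(t.pop(0)), 0) if w == "host" else (ip(w), ip(t.pop(0)))

def take_port(t):  # optional eq/gt/lt/range -> inclusive (lo, hi), else None
    if not t or t[0] not in ("eq", "gt", "lt", "range"):
        return None
    op, n = t.pop(0), int(t.pop(0))
    if op == "range":
        return n, int(t.pop(0))
    return {"eq": (n, n), "gt": (n + 1, 65535), "lt": (0, n - 1)}[op]

def parse(line):
    t = line.split()
    r = {"action": t.pop(0), "proto": t.pop(0), "established": "established" in t}
    r["src"], r["sport"] = take_addr(t), take_port(t)
    r["dst"], r["dport"] = take_addr(t), take_port(t)
    return r

def addr_ok(spec, addr):
    care = ~spec[1] & 0xFFFFFFFF  # wildcard 0-bits must match, 1-bits are ignored
    return (spec[0] & care) == (ip(addr) & care)

def port_ok(spec, port):
    return spec is None or (port is not None and spec[0] <= port <= spec[1])

def simulate(acl_lines, pkt):
    """First match wins. Returns (verdict, matching line)."""
    for line in acl_lines:
        r = parse(line)
        if (r["proto"] in ("ip", pkt["proto"])
                and addr_ok(r["src"], pkt["src"]) and addr_ok(r["dst"], pkt["dst"])
                and port_ok(r["sport"], pkt.get("sport"))
                and port_ok(r["dport"], pkt.get("dport"))
                and (not r["established"] or {"ACK", "RST"} & set(pkt.get("flags", ())))):
            return r["action"], line
    return "deny", "deny ip any any (implicit)"

# Constructed sample ACL: the third entry is shadowed by the broader deny above it.
ACL = ["permit tcp any host 192.0.2.10 established",
       "deny tcp 10.1.1.0 0.0.0.255 any range 8080 8090",
       "permit tcp 10.1.1.0 0.0.0.255 any eq 8080",
       "permit tcp 10.1.0.0 0.0.255.255 any eq 443"]
```

A TCP packet from 10.1.1.5 to port 8080 is denied by the second entry, so the permit on the third line never fires; a UDP packet matches nothing and falls through to the implicit deny.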
If you want to examine the full ACL configuration already deployed on a device, paste the running-config into the Config Analyzer — it extracts every access-list and shows where each one is applied.
Common use cases
- Validate a new ACL entry before applying it in production — no change window required.
- Identify shadowed rules that can never be reached and should be removed.
- Explain to a colleague exactly why a specific flow is being blocked or permitted.
- Prepare evidence for a change request or audit by capturing the trace as a screenshot.
- Practice ACL logic during CCNA/CCNP exam preparation with realistic scenarios.
100% in-browser. No config uploaded. Zero tracking.