Which type of IP ACL can only match based on source IP address?

Standard IP Access Control Lists (ACLs) are designed specifically to filter traffic based solely on the source IP address. This means that when using a standard ACL, you can permit or deny packets by evaluating only the source IP of the incoming packets. This limitation makes standard ACLs straightforward but also less flexible compared to other types of ACLs.

In contrast, Extended IP ACLs allow filtering not only based on source IP addresses but also on destination IP addresses, protocols (such as TCP or UDP), and even specific port numbers. This provides a wider range of filtering capabilities. Dynamic and Static IP ACLs refer to different concepts, such as creating temporary rules or having manually configured rules, but they still fall under the categories of either standard or extended based on their functionality.

Thus, the defining characteristic of standard IP ACLs—matching solely on the source IP—is what makes them the correct answer to the question.