How to Configure standard ACLs

Standard ACLs permit or deny traffic based on the source address only. They match packets on the source IPv4 address; the destination address and the port numbers of the packet are not evaluated. A standard ACL therefore contains only a list of addresses or address ranges and, for each, a statement of whether traffic from that address is permitted or denied.

The number range of standard ACLs is 1 to 99. Cisco IOS Release 12.0.1 extended this range by also allowing 1300 to 1999. This means that we can configure a maximum of 798 possible standard ACLs.

To configure and use a numbered standard ACL on a Cisco router, we must first create the ACL and then activate it on a specific interface. The access-list global configuration command defines a standard ACL. The full syntax of the command is as follows:

Router(config)# access-list access-list-number { deny | permit | remark } source [ source-wildcard ] [ log ]

The parameters of the standard ACL command are explained below:

access-list-number – A decimal number from 1 to 99 or from 1300 to 1999 that identifies a standard ACL.

deny – Denies the traffic if the condition is matched.

permit – Permits the traffic if the condition is matched.

remark – Adds a remark about entries in an IP access list to make it easier to understand and scan.

source – There are two ways to specify the source of the packet:

  1. A 32-bit IP address in dotted-decimal format
  2. The keyword “any” as an abbreviation for a source and source wildcard of

source-wildcard – An optional 32-bit value that is applied to the source address. A bit set to 1 in the wildcard means that the corresponding bit of the source address is ignored; a 0 bit must match exactly.

log – An optional keyword. It causes an informational logging message about each packet that matches the entry to be sent to the console. The level of messages sent to the console can be controlled with the logging console command.

The log message includes the ACL number, the source address, and the number of packets. It is generated for the first packet that matches, and then at 5-minute intervals, including the packets permitted in the previous 5 minutes.

An Access Control Entry (ACE) denies or permits an individual host or a range of host addresses. To create a host statement in numbered ACL 1 that permits a specific host IP address, you would enter:

Router(config)# access-list 1 permit host

To create a statement in a numbered ACL that permits a range of IPv4 addresses, that is, all IPv4 addresses in a network, the command would be like this:

Router(config)# access-list 2 permit

We can remove the ACL using the no access-list <access-list-number> command in global configuration mode. We can verify the access list using the show access-list command.

Before creating an ACL, it is necessary to understand the purpose of each statement. Remarks should be included so that the purpose of the ACL can be recalled and understood later. The remark keyword is used to document ACLs; each remark is limited to 100 characters.

The logic of Standard ACLs

Packets that enter the router through any interface are checked for their source address against the access control entries, in order. For example:

access-list 1 deny

access-list 1 permit

access-list 1 deny

access-list 1 permit

If packets are permitted, they are routed through the router to an output interface. If packets are denied, they are dropped at the incoming interface.

Cisco IOS processes standard Access Control Entries (ACEs) sequentially, so the order in which ACEs are entered is very important. For example, in the figure below ACL 2 contains two ACEs. The first ACE uses a wildcard mask to deny a range of addresses: all hosts in the network. The second ACE is for a specific host.

The second statement names a specific host, but that host is also within the range of the first entry; in other words, it is a host in the network. The internal logic for standard access lists therefore rejects the second statement and returns an error message, because it is a subset of the previous statement. This is a conflicting ACL statement.


The figure below shows the same two statements in reverse order. This is a valid sequence because the first statement refers to a specific host, not a range of hosts. The host can therefore reach the network beyond the interface where access-list 2 is applied.


The next figure shows an ACL configured with a host statement that is not in the range of the previous statement. The host address is not a member of the network, so the statement is valid: there is no conflict between the two addresses.
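To make the sequential-evaluation and subset-conflict rules above concrete, here is an added Python model (written for this page; it is not code from the original article or from Cisco IOS) of how a numbered standard ACL is evaluated: the first matching ACE wins, no match falls through to the implicit deny, and an ACE whose range lies entirely within an earlier ACE is rejected as described above. Entry strings follow the access-list syntax given earlier; every address used is a constructed sample.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def parse_ace(line):
    """Parse 'access-list N permit|deny <source> [log]' into a tuple
    (number, action, address, wildcard) of ints; return None for remark lines.
    <source> is 'host A', 'A W' (address + wildcard), 'A' (wildcard 0) or 'any'."""
    parts = line.split()
    if len(parts) < 3 or parts[0] != "access-list":
        raise ValueError("not an access-list command: %r" % line)
    number, action = int(parts[1]), parts[2]
    if not (1 <= number <= 99 or 1300 <= number <= 1999):
        raise ValueError("standard ACL numbers are 1-99 or 1300-1999")
    if action == "remark":
        return None
    src = [p for p in parts[3:] if p != "log"]   # 'log' only affects logging
    if action not in ("permit", "deny") or not src:
        raise ValueError("malformed entry: %r" % line)
    if src[0] == "any":
        return number, action, 0, ALL_ONES
    if src[0] == "host":
        return number, action, int(ipaddress.IPv4Address(src[1])), 0
    wildcard = int(ipaddress.IPv4Address(src[1])) if len(src) > 1 else 0
    return number, action, int(ipaddress.IPv4Address(src[0])), wildcard

def matches(ace, source_ip):
    """Wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    _, _, addr, wildcard = ace
    return (int(ipaddress.IPv4Address(source_ip)) ^ addr) & ~wildcard & ALL_ONES == 0

def evaluate(acl_lines, source_ip):
    """Walk the ACEs in order (remarks are skipped); the first match decides;
    no match is the implicit deny at the end of every ACL."""
    for ace in filter(None, map(parse_ace, acl_lines)):
        if matches(ace, source_ip):
            return ace[1]
    return "deny"

def rejected_as_subset(acl_lines):
    """Index (among permit/deny entries) of the first ACE that would be refused
    because an earlier ACE already covers every address it describes, else None."""
    aces = list(filter(None, map(parse_ace, acl_lines)))
    for i, (_, _, addr, wc) in enumerate(aces):
        for _, _, prev_addr, prev_wc in aces[:i]:
            no_wider = (wc & ~prev_wc & ALL_ONES) == 0           # ignores no extra bits
            agree = ((addr ^ prev_addr) & ~prev_wc & ALL_ONES) == 0  # fixed bits equal
            if no_wider and agree:
                return i
    return None
```

With constructed entries such as `access-list 2 deny 192.0.2.0 0.0.0.255` followed by `access-list 2 permit host 192.0.2.10`, `rejected_as_subset` reports the second entry, while the reversed order is accepted and permits that host.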


Applying Standard ACLs to Interfaces

Once a standard ACL is configured, it is linked to an interface with the ip access-group command in interface configuration mode. The command syntax is:

Router(config-if)# ip access-group { access-list-number | access-list-name } { in | out }

To remove an ACL, enter the “no ip access-group” command on the interface, and then enter the “no access-list” command to remove the entire ACL.

Example 1 of Standard ACL

The figure below lists the steps and syntax to configure and apply a numbered standard ACL on a router. This ACL allows only traffic from the source network to be forwarded out of interface FastEthernet 0/0; traffic from all other networks is blocked.


The first line identifies the ACL as access-list 2 and permits traffic that matches its parameters; in this case, the source network is allowed to access the destination network. The end of the list is an implicit deny all statement, equivalent to adding an access-list 2 deny line covering every source or access-list 2 deny any. The ip access-group 2 out interface configuration command ties ACL 2 to the FastEthernet 0/0 interface as an outbound filter.

So ACL 2 permits only hosts from the permitted network to exit router R2. It denies any other network, including the network.

Example 2 of Standard ACL

The figure below illustrates an example of an ACL that permits a specific subnet except for a specific host on that subnet.


This ACL blocks traffic from all other subnets, and also from one specific address in the subnet that is allowed to access the network. The first ACE denies that host access to the network.

The second ACE permits all other hosts on the network to access the network. Again, the implicit deny statement matches every other network. The ACL is applied to interface FastEthernet 0/0 in the outbound direction.

Example 3 of Standard ACL

The figure below is an example of an ACL that denies a specific host. This ACL replaces the previous example. This example still blocks traffic from host PC1 but permits all other traffic.


The first command denies the host access to the network. The next line permits all other hosts. This means that all hosts from the, and network are permitted except the host that was denied in the first statement.

We have applied this ACL to interface FastEthernet 0/0 in the outbound direction. Because this ACL only affects one network, we could instead place it inbound on interface FastEthernet 0/1 on Router3. I think this is the best place for this type of ACL.

Creating Named Standard ACLs

Naming an ACL is a best practice because a name makes the ACL easier to understand. For example, an ACL configured to deny could be called NO_Telnet. The named ACL configuration mode and command syntax are slightly different from those of a numbered ACL.

Use the ip access-list command in global configuration mode to create a named ACL. ACL names are alphanumeric, case sensitive, and must be unique. The ip access-list standard <name> command creates a standard named ACL, whereas ip access-list extended <name> creates an extended access list.

After entering the command, the router is in named standard ACL configuration mode, as indicated by the prompt. The difference between numbered and named ACLs is that numbered ACLs use the access-list global configuration command, whereas named IPv4 ACLs use the ip access-list command.

In named ACL configuration mode, use permit or deny statements to specify one or more conditions that determine whether a packet is forwarded or dropped. Then apply the ACL to an interface using the ip access-group <name> <in | out> command.

Example of Named Standard ACL

The figure below illustrates the commands used to configure a standard named ACL on router R3, interface FE0/0, that denies a host access to the network. The ACL is named NO_ACCESS_Net4. Recall that the name is case sensitive.


Commenting ACLs

We can comment on an ACE in any IP standard or extended ACL using the remark keyword. Remarks make the ACL easier to understand. Each remark line is restricted to 100 characters, and a comment can be entered before or after a permit or deny statement. The command syntax for a remark, in global configuration mode, is:

Router(config)# access-list <access-list-number> remark <remark>

We can remove a remark with the no access-list <access-list-number> remark <remark> command in global configuration mode.

Example 4 Using Remarks with Numbered ACL

Numbered ACL 5 denies the PC from accessing the network but permits all other devices. Remarks are used to document the ACL.


Example 5 Using Remarks with Named ACL

This example shows a standard named ACL configuration. The remark statements indicate that PC1 is not authorized to access PC0, but devices from all other networks are permitted.


Verifying ACLs

Using the show ip interface command, we can verify the ACL on an interface. The output displays the number or name of the access list and the direction in which the ACL was applied.

We can also verify the ACL by issuing the show access-lists command on the router; its output displays all ACLs configured on the router. To view an individual access list, use the show access-lists command followed by the access list number or name. We can also verify the ACL in the startup-config file.

Finally, the video below is the answer to the Cisco Routing and Switching “Packet Tracer – Configuring Standard ACLs” activity. The video is very useful for CCNA students as well as for anyone who wants to learn standard ACLs.