Configuring standard ACLs

Standard ACLs permit or deny traffic based on the source address only: the router distinguishes packets by their source IP address, and neither the destination address nor the port of the packet is evaluated. A standard ACL is simply a list of addresses or address ranges, each with a statement of whether traffic from that address is permitted or denied. The number range for standard ACLs is 1 to 99. Cisco IOS Release 12.0.1 extended the range by adding 1300 to 1999. This means that we can configure a maximum of 798 possible standard ACLs.

To configure and use a numbered standard ACL on a Cisco router, we must first create the ACL and then activate it on a specific interface. The access-list global configuration command defines a standard ACL. The full syntax of the command is as follows:

Router(config)# access-list access-list-number { deny | permit | remark } source [ source-wildcard ] [ log ]

The elements of the standard ACL syntax are explained below:

access-list-number – A decimal number from 1 to 99 or 1300 to 1999 for a standard ACL.

deny – Denies the traffic if the condition is matched.

permit – Permits the traffic if the condition is matched.

remark – Adds a comment to the entries of an IP access list to make it easier to understand and scan.

source – The source of the packet can be specified in two ways:

  1. A 32-bit IP address in dotted-decimal format.
  2. The keyword “any” as an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255.

source-wildcard – An optional 32-bit value applied to the source address. A bit set to 1 marks a bit position in the source address that is ignored; a bit set to 0 marks a position that must match.

log – An optional keyword that causes an informational logging message about the packet matching the entry to be sent to the console. The level of the messages logged to the console can be controlled with the logging console command.

The log message includes the ACL number, the source address and the number of packets. It is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted in the previous 5 minutes.

An access control entry (ACE) permits or denies an individual host or a range of host addresses. To create a host statement in numbered ACL 1 that permits the specific host with IP address 192.168.1.10, you would enter:

Router(config)# access-list 1 permit host 192.168.1.10

To create a statement in numbered ACL 1 that permits the range of IPv4 addresses in the network 192.168.1.0/24, the command is:

Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255

We can remove an ACL with the no access-list <access-list-number> command in global configuration mode, and verify the access lists with the show access-lists command.

Before creating an ACL, it is necessary to understand the purpose of each statement. Remarks should be included so that the purpose of the ACL can be recalled and understood later. The remark keyword is used for this documentation; each remark is limited to 100 characters.

The logic of Standard ACLs

Packets that enter the router through any interface are checked against the access control entries, in order, using their source addresses. For example:

access-list 1 deny 192.168.10.10

access-list 1 permit 192.168.10.0 0.0.0.255

access-list 1 deny 192.168.0.0 0.0.255.255

access-list 1 permit 192.0.0.0 0.255.255.255

If packets are permitted, they are routed through the router to an output interface. If packets are denied, they are dropped at the incoming interface.

Cisco IOS processes standard access control entries sequentially, so the order in which ACEs are entered is very important. For example, in the figure below ACL 2 contains two ACEs. The first ACE uses a wildcard mask to deny a range of addresses: all hosts in the 192.168.11.0/24 network. The second ACE is for a specific host.

The second statement examines a specific host, 192.168.11.10, which also falls within the range of the first entry: 192.168.11.10 is a host in the 192.168.11.0/24 network. The internal logic for standard access lists therefore rejects the second statement and returns an error message, because it is a subset of the previous statement. This is a conflicting ACL statement.

[Figure: Configuring standard ACLs 10]

Now look at the figure below: the configuration contains the same two statements but in reverse order. This is a valid sequence of statements because the first statement refers to a specific host, not a range of hosts. Now host 192.168.11.10 can reach the network beyond the interface where access-list 2 is applied.

[Figure: Configuring standard ACLs 11]

Now look at an ACL configured with a host statement that is not in the range of a previous statement. The host address 192.168.30.10 is not a member of the 192.168.11.0/24 network, so this is a valid statement because there is no conflict between the two addresses.

[Figure: Configuring standard ACLs 12]

Applying Standard ACLs to Interfaces

Once a standard ACL is configured, it is linked to an interface with the “ip access-group” command in interface configuration mode. The command syntax is:

Router(config-if)# ip access-group { access-list-number | access-list-name } { in | out }

To remove an ACL, enter the “no ip access-group” command on the interface, and then enter the “no access-list” command to remove the entire ACL.

Example 1 of Standard ACL

The figure below lists the steps and syntax to configure and apply a numbered standard ACL on a router. This ACL allows only traffic from the source network 192.168.2.0 to be forwarded out of interface FastEthernet 0/0. Traffic from other networks is blocked.

[Figure: Configuring standard ACLs 13]

The first line identifies the ACL as access-list 2 and permits traffic that matches the selected parameters; in this case, 192.168.2.0 0.0.0.255 is allowed to reach the 192.168.4.0/24 network. The ACL ends with an implicit deny-all statement, equivalent to adding the line access-list 2 deny 0.0.0.0 255.255.255.255 or access-list 2 deny any. The “ip access-group 2 out” interface configuration command links ACL 2 to the FastEthernet 0/0 interface as an outbound filter.

So, ACL 2 only permits hosts from the 192.168.2.0/24 network to exit router R2; traffic from any other network is denied.

Example 2 of Standard ACL

The figure below illustrates an example of an ACL that permits a specific subnet except for a specific host on that subnet.

[Figure: Configuring standard ACLs 14]

This ACL permits one subnet while blocking a specific address within that subnet, and blocks traffic from all other subnets. The first ACE denies host 192.168.2.2 access to the 192.168.3.0 network. The second ACE permits all other hosts on the 192.168.2.0/24 network to access the 192.168.3.0/24 network. Again, the implicit deny statement matches every other network. The ACL is applied to interface FastEthernet 0/0 in the outbound direction.

Example 3 of Standard ACL

The figure below is an example of an ACL that denies a specific host. This ACL replaces the previous example; it still blocks traffic from host PC1 but permits all other traffic.

[Figure: Configuring standard ACLs 15]

The first command denies host 192.168.2.2 access to the 192.168.3.0/24 network. The next line permits all other hosts. This means that all hosts from the 192.168.1.0/24, 192.168.2.0/24 and 192.168.4.0/24 networks are permitted except host 192.168.2.2, which was denied in the first statement. We have applied this ACL to interface FastEthernet 0/0 in the outbound direction. Because this ACL only affects the 192.168.2.0/24 network, we could instead place it inbound on interface FastEthernet 0/1 of Router3. I think this is the best place for this type of ACL.
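The matching rules described in “The logic of Standard ACLs” and used by Examples 1 to 3 (wildcard-mask comparison, sequential first match, the implicit deny at the end, and the rejection of an ACE that is a subset of an earlier one) can be checked offline with the small simulator below. It is an added illustration written for this page, not Cisco IOS code; the parser only understands the numbered-ACL forms shown on the page, and the sample ACLs and source addresses are constructed from the examples above.

```python
import ipaddress


def _as_int(dotted):
    """Dotted-decimal IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def matches(source, address, wildcard):
    """A source matches an ACE when it agrees with the ACE address in every
    bit position where the wildcard mask is 0; wildcard bits set to 1 are ignored."""
    care = ~_as_int(wildcard) & 0xFFFFFFFF
    return (_as_int(source) & care) == (_as_int(address) & care)


def parse_ace(line):
    """Parse the numbered-ACL forms used on this page (constructed parser):
    access-list N {permit|deny} host A | A [W] | any"""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list":
        raise ValueError(f"not a standard ACE: {line!r}")
    number, action, rest = int(parts[1]), parts[2], parts[3:]
    if not (1 <= number <= 99 or 1300 <= number <= 1999):
        raise ValueError(f"{number} is outside the standard ACL number ranges")
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    if rest == ["any"]:
        address, wildcard = "0.0.0.0", "255.255.255.255"
    elif rest[0] == "host":
        address, wildcard = rest[1], "0.0.0.0"
    else:
        address = rest[0]
        wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"  # bare address = one host
    return number, action, address, wildcard


def is_subset(new, existing):
    """True when every source matched by `new` is also matched by `existing`:
    `existing` fixes no bit that `new` leaves free, and the fixed bits agree."""
    _, new_addr, new_wc = new
    _, old_addr, old_wc = existing
    new_care = ~_as_int(new_wc) & 0xFFFFFFFF
    old_care = ~_as_int(old_wc) & 0xFFFFFFFF
    if old_care & ~new_care & 0xFFFFFFFF:
        return False
    return (_as_int(new_addr) & old_care) == (_as_int(old_addr) & old_care)


def build_acl(lines):
    """Append ACEs in the order given. An ACE already covered by an earlier ACE
    is rejected, mirroring the IOS error for a host statement entered after a
    range that contains it (ACL 2 in the figures above)."""
    acl = []
    for line in lines:
        _, action, address, wildcard = parse_ace(line)
        ace = (action, address, wildcard)
        for earlier in acl:
            if is_subset(ace, earlier):
                raise ValueError(f"{line!r} conflicts: subset of an earlier entry")
        acl.append(ace)
    return acl


def conflicts(lines):
    """True when build_acl rejects the sequence."""
    try:
        build_acl(lines)
    except ValueError:
        return True
    return False


def evaluate(acl, source):
    """Sequential first match. Returns (action, 1-based ACE index), or
    ('deny', None) when the packet falls through to the implicit deny any."""
    for index, (action, address, wildcard) in enumerate(acl, start=1):
        if matches(source, address, wildcard):
            return action, index
    return "deny", None


# Sample ACL 1 from the logic section and the Example 3 ACL (constructed inputs)
ACL1_LINES = [
    "access-list 1 deny 192.168.10.10",
    "access-list 1 permit 192.168.10.0 0.0.0.255",
    "access-list 1 deny 192.168.0.0 0.0.255.255",
    "access-list 1 permit 192.0.0.0 0.255.255.255",
]
ACL3_LINES = ["access-list 3 deny host 192.168.2.2", "access-list 3 permit any"]

if __name__ == "__main__":
    acl1 = build_acl(ACL1_LINES)
    for src in ("192.168.10.10", "192.168.10.50", "192.168.20.5", "192.1.1.1", "10.0.0.1"):
        print(src, evaluate(acl1, src))
    print("host after range rejected:",
          conflicts(["access-list 2 deny 192.168.11.0 0.0.0.255",
                     "access-list 2 permit host 192.168.11.10"]))
```

Running the block prints the ACE that each sample source hits (or the implicit deny for 10.0.0.1) and confirms that entering the host statement after the range it belongs to is rejected, while the reverse order and an unrelated host (192.168.30.10) are accepted.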

Creating Named Standard ACLs

Naming an ACL is a best practice because a name makes the ACL's purpose easier to understand. For example, an ACL configured to deny Telnet could be called NO_Telnet. The named ACL configuration mode and command syntax are slightly different from those of numbered ACLs.

Use the ip access-list command in global configuration mode to create a named ACL. ACL names are alphanumeric, case sensitive and must be unique. The command ip access-list standard <name> creates a standard named ACL, whereas ip access-list extended <name> creates an extended access list. After entering the command, the router is in named standard ACL configuration mode, as indicated by the prompt. The difference between numbered and named ACLs is that numbered ACLs use the global configuration command access-list, whereas named IPv4 ACLs use the ip access-list command.

After entering named ACL configuration mode, use permit or deny statements to specify one or more conditions for determining whether a packet is forwarded or dropped. Apply the ACL to an interface using the ip access-group <name> {in | out} command.

Example of Named Standard ACL

The figure below illustrates the commands used to configure a standard named ACL on router R3, interface FE0/0, that denies host 192.168.2.2 access to the 192.168.4.0/24 network. The ACL is named NO_ACCESS_Net4. Recall that the name is case sensitive.

[Figure: Configuring standard ACLs 16]

Commenting ACLs

We can comment an ACL using the remark keyword to describe the ACEs in any IP standard or extended ACL. Remarks make the ACL easier to understand. Each remark line is limited to 100 characters. The comment can be entered before or after a permit or deny statement. The command syntax for a remark is:

access-list <access-list_number> remark <remark> in global configuration mode. We can remove a remark using the no access-list <access-list_number> remark <remark> command, also in global configuration mode.

Example 4 Using Remarks with Numbered ACL

The numbered ACL 5 denies the PC 192.168.2.2 access to the 192.168.4.0/24 network but permits all other devices. Remarks are used to document the ACL.

[Figure: Configuring standard ACLs 17]

Example 5 Using Remarks with Named ACL

In this example, you can see a standard named ACL configuration. The remark statements indicate that PC1 is not authorized to access PC0, but devices from all other networks are permitted.

[Figure: Configuring standard ACLs 18]
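To make the numbered-versus-named syntax difference and the remark rules from the sections above concrete, the following added helper renders the same ACL (deny 192.168.2.2, permit everything else, with remarks, as in Examples 4 and 5) both as global access-list commands and as ip access-list standard sub-commands, enforcing the 100-character remark limit, the standard number ranges and the name rules stated on this page. This is illustration code written for this article, not a Cisco tool; the remark texts and the ACL name NO_ACCESS_Net4 used in the sample are taken or constructed from the examples above.

```python
MAX_REMARK_LEN = 100  # per-remark limit stated above


def remark_ok(text):
    """A remark may be at most 100 characters."""
    return len(text) <= MAX_REMARK_LEN


def _check_remark(text):
    if not remark_ok(text):
        raise ValueError(f"remark longer than {MAX_REMARK_LEN} characters")
    return text


def _check_direction(direction):
    if direction not in ("in", "out"):
        raise ValueError(f"direction must be 'in' or 'out', not {direction!r}")
    return direction


def _target(source, wildcard=None):
    """Render the address part of an ACE: any | host A | A W."""
    if source == "any":
        return "any"
    if wildcard in (None, "0.0.0.0"):
        return f"host {source}"
    return f"{source} {wildcard}"


def render_numbered(number, entries, interface, direction):
    """Global-configuration commands for a numbered standard ACL plus the
    interface binding. entries: ('remark', text) or (action, source[, wildcard])."""
    if not (1 <= number <= 99 or 1300 <= number <= 1999):
        raise ValueError(f"{number} is not a standard ACL number")
    lines = []
    for entry in entries:
        if entry[0] == "remark":
            lines.append(f"access-list {number} remark {_check_remark(entry[1])}")
        else:
            action, source, *rest = entry
            lines.append(f"access-list {number} {action} {_target(source, *rest)}")
    lines += [f"interface {interface}",
              f" ip access-group {number} {_check_direction(direction)}"]
    return lines


def render_named(name, entries, interface, direction):
    """The same ACL as sub-commands of ip access-list standard <name>.
    Names are alphanumeric (underscore allowed, as in NO_ACCESS_Net4) and case sensitive."""
    if not name or not name.replace("_", "").isalnum():
        raise ValueError(f"invalid ACL name {name!r}")
    lines = [f"ip access-list standard {name}"]
    for entry in entries:
        if entry[0] == "remark":
            lines.append(f" remark {_check_remark(entry[1])}")
        else:
            action, source, *rest = entry
            lines.append(f" {action} {_target(source, *rest)}")
    lines += [f"interface {interface}",
              f" ip access-group {name} {_check_direction(direction)}"]
    return lines


# Constructed entries modelled on Examples 4 and 5: deny PC1, permit all others
EXAMPLE_ENTRIES = [
    ("remark", "PC1 is not allowed to reach the 192.168.4.0/24 network"),
    ("deny", "192.168.2.2"),
    ("remark", "All other hosts are permitted"),
    ("permit", "any"),
]

if __name__ == "__main__":
    print("\n".join(render_numbered(5, EXAMPLE_ENTRIES, "FastEthernet 0/0", "out")))
    print()
    print("\n".join(render_named("NO_ACCESS_Net4", EXAMPLE_ENTRIES, "FastEthernet 0/0", "out")))
```

The two rendered listings show the only structural difference the text describes: the numbered form repeats access-list N on every line, while the named form enters ip access-list standard <name> once and indents the permit, deny and remark statements beneath it.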

Verifying ACLs

Using the show ip interface command, we can verify which ACL is applied to an interface. The output displays the number or name of the access list and the direction in which it was applied.

We can also verify ACLs by issuing the show access-lists command on the router; the output displays all configured ACLs. An individual access list can be viewed with show access-lists followed by the access list number or name. We can also check the ACL statements in the configuration file with the show running-config command.

Finally, the video below is the answer to the Cisco Routing and Switching lab “9.2.1.10 Packet Tracer - Configuring Standard ACLs”. The video is very important for CCNA students as well as for anyone who wants to learn standard ACLs.