How to Configure standard ACLs

Standard ACLs permit or deny traffic based on source addresses. They differentiate routes on a network using the IP address. The port and destination of the packet are not evaluated. Standard ACLs only contain a list of addresses or address ranges and a statement as to whether access to or from that address is permitted or denied.

The range of the standard ACLs is from 1 to 99. Cisco IOS Release 12.0.1 extended the range of standard ACLs by allowing 1300 to 1999. This means that we can configure a maximum of 798 standard ACLs.

To Configure and use numbered standard ACLs on a Cisco router. We must first create the standard ACL and then activate the ACL on a specific interface. The “access-list” global configuration command defines a standard ACL. The full syntax of the standard ACL command is as follows:

Router(config)# access-list access-list-number deny permit remark }source source-wildcard ][ log ]

The detailed explanation of the syntax for a standard ACL.is follows:-

access-list-number – This is a decimal number from 1 to 99 or 1300 to 1999 for standard ACL.

deny – This should deny the traffic if the condition is matched.

Permit – This should permit traffic if the condition matches.

remark – Add a remark about entries in an IP access list to make it easier to understand and scan.

source – There are two ways to specify the source of the packet

  1. Use of 32-bit IP address in dotted-decimal format
  2. Use of keyword “any” as an abbreviation for source and source wildcard of 0.0.0.0 255.255.255.255.

Wildcard –Wildcard is an optional 32-bit value. It is applied to the source. It should be “one” in the bit position, which we want to ignore.

log-log is an optional value. It presents the information logging message about the packet that matches the entry to be sent to the console. The level of the message can be controlled using the logging console command.

The log message includes the number of ACLs, the source address, and the number of the packet. It is generated for the first packet that matches and then it is guaranteed after the interval of each 5 minutes included the packets permitted in the previous 5 minutes.

The Access Control Entry (ACE) is responsible for denying or permitting an individual host or a range of host addresses. To create a host statement in numbered ACL 1 that permits a specific host with the IP address 192.168.1.10, you would enter:

Router(config)# access-list 1 permit host 192.168.1.10

To create a statement that will permit a range of IPv4 addresses in a numbered ACL 1 that permits all IPv4 addresses in the network 192.168.1.0/24, the command would be like this:

Router(config)# access-list 2 permit 192.168.10.0 0.0.0.255

We can remove the ACL using the no access-list <access-list-number> command in global configuration mode. We can verify the access list using the show access-list command.

Before entering and creating an ACL, it is necessary to understand the purpose of each statement. However, the statement and remarks should be included to recall and understand the purpose of the ACL. The remark keyword is also used to document ACLs. Each remark is limited to 100 characters

The logic of Standard ACLs

Packets that enter the router through interface any interface are checked for their source addresses based on the entries of access control entries, for example:

access-list 1 deny 192.168.10.10

access-list 1 permit 192.168.10.0 0.0.0.255

access-list 1 deny 192.168.0.0 0.0.255.255

access-list 1 permit 192.0.0.0 0.255.255.255

If packets are permitted, they are routed through the router to an output interface. If packets are denied, they are dropped at the incoming interface.

Cisco IOS processed standard Access Control Entries sequentially. Therefore, the order in which Access Control Entries (ACEs) are entered is significant. For example, in Figure below ACL 2 contains two ACEs. The first ACE denies a range of addresses with the help of wildcard mask, The ACE denies hosts in the 192.168.11.0/24 network. The second ACE is for a specific host.

The statement examines a specific host: 192.168.11.10. The host is also in the range of the first entry. In other words, 192.168.11.10 is a host in the 192.168.11.0/24 network. So, the internal logic for standard access lists rejects the second statement and returns an error message because it is a subset of the previous statement. This is a conflict of the ACL statement.

Now look at the figure below. The configuration contains the same two statements but in reverse order. This is a valid sequence of statements because the first statement refers to a specific host, not a range of hosts. So, now the host 192.168.11.10 can access the network outside where the access-list 2 has applied.

Now look to ACL Configured with a host statement that is not in the range of a previous statement. The 192.168.30.10 host address is not a member of the 192.168.11.0/24 network, so this is a valid statement because there is no conflict between these two statement addresses.

Applying Standard ACLs to Interfaces

When standard ACL is configured, it is linked to an interface using the “ip access-group” command in interface configuration mode. The command syntax is the following:

Router(config-if)# ip access-group <access-list-number access-list-name> <in out>

To remove an ACL, enter the “no ip access-group” command on the interface, and then enter the “no access-list” command to remove the entire ACL.

Example 1 of Standard ACL

The figure below lists the steps and syntax to configure and apply a numbered standard ACL on a router.  This ACL allows only traffic from source network 192.168.2.0 to be forwarded out of interface FastEthernet 0/0. Traffic from other networks is blocked.

standard acls

The first line identifies the ACL as access-list 2. It permits traffic that matches the selected parameters. In this case, the 192.168.2.0 0.0.0.255 is allowed to access the network 192.168.4.0/24. The entry is an implicit deny all statement that is equivalent to adding the line access-list 2 deny 0.0.0.0 255.255.255.255 or access-list 2 deny any. The “ip access-group 2 out” interface configuration command links and ties ACL 2 to the FastEthernet 0/0 interface as an outbound filter.

So, ACL 2 only permits hosts from the 192.168.2.0/24 network to exit router R2. It denies any other network including the 192.168.2.0 network.

Example 2 of Standard ACL

The figure below illustrates an example of an ACL that permits a specific subnet except for a specific host on that subnet.

This ACL blocks traffic from all subnets, including specific addresses in the subnet that allow accessing the network. The first ACE denies the host 192.168.2.2 from accessing the network 192.168.3.0.

The second ACE permits all other hosts on the network 192.168.2.0/24 to access the network 192.168.3.0/24. Again, the implicit deny statement matches every other network. The ACL is applied and linked to the Fast Ethernet interface 0/0 in an outbound direction.

Example 3 of Standard ACL

The figure below is an example of an ACL that denies a specific host. This ACL replaces the previous example. This example still blocks traffic from host PC1 but permits all other traffic.

The first commands deny the host 192.168.2.2 from accessing the network 192.168.3.0/24. All other hosts are permitted to follow the following line. This means that all hosts from the 192.168.1.0/24, 192.168.2.0/24, and 192.168.4.0/24 networks will be allowed except host 192.168.2.2, which was denied in the first statement.

We have applied this ACL to interface FastEthernet 0/0 in the outbound direction. This ACL only affects network 192.168.2.0/24, So we can place this ACL inbound on interface FastEthernet 0/1 on Router3. I think this is the best place for this type of ACL.

Creating Named Standard ACLs

Naming an ACL is the best practice because naming makes ACL easier to understand. For example, an ACL configured to deny could be called NO_Telnet. The named ACL configuration mode and command syntax are slightly different then numbered ACL.

Use the ip access-list command in global configuration mode to create a named ACL. ACL names are alphanumeric, case-sensitive, and must be unique. The ip access-list standard <name> is used to create a standard named ACL, whereas the command ip access-list extended <name> is for an extended access list.

After entering the command, the router is in the named standard ACL configuration mode as indicated by the prompt. The difference between numbered and named ACLs is that the Numbered ACLs use the global configuration command access-list, whereas named IPv4 ACLs use the ip access-list command.

After entering the named ACL configuration mode, use permit or deny statements to specify one or more conditions for determining whether a packet is forwarded or dropped.  Apply the ACL to an interface using the ip access-group <in | out> command.

Example of Named Standard ACL

The figure below illustrates the commands configuring a standard ACL on router R3, interface FE0/0, that denies host 192.168.2.2 access to the 192.168.4.0/24 network. The ACL is named NO_ACCESS_Net4. Recall that the name is case-sensitive.

Commenting ACLs

We can comment on the ACL using the remark keyword about the ACE in any IP standard or extended ACL. The remarks make the ACL easier to understand. Each remark line is restricted to 100 characters. We can enter the comment before or after a permit or deny statement. The command syntax for remarks is as:

access-list <access-list_number> remark <remark> in global configuration mode. We can remove the remark using the no access-list <access-list_number> remark <remark> command in global configuration mode.

Example 4 Using Remarks with Numbered ACL

The numbered ACL 5 denies the 192.168.2.2  PC from accessing the network 192.168.4.0/24 but permits all other devices. The remarks are used in the ACL.

Example 5 Using Remarks with Named ACL

In this example, you can see a standard named ACL configuration. The remarks indicate that PC1 is not authorized to access PC0, but devices from all other networks are permitted.

Verifying ACLs

Using the show ip interface command, we can verify the ACL on the interface. The output of this command displays the number or name of the access list and the direction in which the ACL was applied.

We can also verify the ACL by issuing the show access-lists command on the router. The output of the command displays all ACL output. We can also view an individual access list using the show access-lists command followed by the access list number or name. We can also verify the ACL from a starting-config file.

Finally, the video below is the answer to Cisco Routing Switching “9.2.1.10 Packet Tracer Configuring Standard ACLs.” The video is essential for the students of CCNA as well as for those who want to learn standard ACLs

https://youtu.be/tqEAn5R9owY