Standard Access Control Lists

April 8, 2025 - Reading time: 4 minutes

Access Control Lists (ACLs) on Cisco devices are ordered lists of permit and deny statements used to identify, permit, or deny traffic based on various criteria. They are most commonly applied to interfaces to filter the packets passing through the router, but the same lists are also used to select traffic for features such as NAT and route maps. When applied as a filter, an ACL ensures only traffic that matches a permit entry is forwarded.

In this lesson we focus on standard ACLs. A standard ACL on a Cisco device matches on the source IP address only; it cannot look at the destination address, the protocol or the port. Numbered standard ACLs use the range 1–99 (plus the expanded range 1300–1999). Entries are checked top to bottom, the first match wins, and every list ends with an invisible deny any. Because they match only the source, standard ACLs are normally placed as close to the destination as possible: placed near the source, a deny entry would cut that host off from every destination reachable through the router, not just the one you meant to protect. With fewer matching criteria than extended ACLs, standard ACLs offer a simple way to filter traffic by source address.

Step-by-Step Lab

1. Basic Device Setup

  • Topology Assumption:

    • R1 with two interfaces:
      • FastEthernet0/0 → 192.168.1.1/24
      • FastEthernet0/1 → 10.0.12.1/30

  • Goal: Deny traffic sourced from one host (192.168.1.50) that passes through R1 toward any network beyond FastEthernet0/1, and permit all other traffic.

  • Approach: Configure a standard ACL (numbered 10) and apply it to FastEthernet0/1 in the outbound direction. FastEthernet0/1 is the interface on the destination side of R1, so the filter touches only packets leaving toward the 10.0.12.0/30 link; traffic from 192.168.1.50 to R1 itself (for example a ping to 192.168.1.1) is not affected.

R1(config)# interface FastEthernet0/0
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit

R1(config)# interface FastEthernet0/1
R1(config-if)# ip address 10.0.12.1 255.255.255.252
R1(config-if)# no shutdown
R1(config-if)# exit

Expected Outcome: Both interfaces have their IP addresses configured and are active (up/up).


2. Create the Standard Access List

  • ACL Number: 10 (range 1–99 for standard ACLs).
  • Statement: Deny any traffic originating from host 192.168.1.50, and then permit all other traffic.
R1(config)# access-list 10 deny 192.168.1.50
R1(config)# access-list 10 permit any

Expected Outcome: ACL 10 is created with two entries. Omitting the wildcard mask makes 192.168.1.50 a single-host entry (the same as host 192.168.1.50 or 192.168.1.50 0.0.0.0). The first line denies traffic from 192.168.1.50; the second permits every other source. Order matters: the list is evaluated top to bottom and the first matching entry wins, so a permit any placed first would make the deny unreachable. Be aware that no access-list 10 removes the entire list, not one line; on recent IOS versions you can edit a single entry of a numbered list with ip access-list standard 10, which exposes per-line sequence numbers, and access-list 10 remark can be used to document the intent of the list.


3. Apply the ACL to the Interface

  • Apply ACL 10 to FastEthernet0/1 in the outbound direction:
R1(config)# interface FastEthernet0/1
R1(config-if)# ip access-group 10 out
R1(config-if)# exit

Expected Outcome: Packets leaving R1 through F0/1 are now checked against ACL 10. Packets sourced from 192.168.1.50 are dropped; every other source is forwarded. Two caveats: packets that R1 itself originates (its own pings, routing updates) are not subject to an outbound ACL, and only one IP ACL can be applied per direction on an interface, so a second ip access-group 
 out on F0/1 would replace ACL 10 rather than add to it.


4. Verification Commands

Use the following commands to confirm proper ACL operation and view traffic matches.

  1. Show Access-Lists

    R1# show access-lists 10
    Standard IP access list 10
        deny   192.168.1.50
        permit any
    
    • Explanation: Displays the configured standard ACL entries in the order they are evaluated, which is the order you entered them. The implicit deny any at the end of the list is never shown.

  2. Show IP Interface

    R1# show ip interface FastEthernet0/1
    FastEthernet0/1 is up, line protocol is up
      Internet address is 10.0.12.1/30
      Broadcast address is 255.255.255.255
      Address determined by configuration file
      MTU is 1500 bytes
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is 10
      Inbound  access list is not set
      <...output truncated...>
    • Explanation: Confirms that ACL 10 is applied outbound on the F0/1 interface.

  3. Test the ACL

    • From 192.168.1.50: Attempt to reach any external IP. This traffic should be denied.
    • From 192.168.1.60 (or another IP in the subnet): Traffic should be permitted.

    After sending traffic, check matches:

    R1# show access-lists 10
    Standard IP access list 10
        deny   192.168.1.50 (1 match)
        permit any (3 matches)
    
    • Explanation: Shows incrementing match counters, indicating one packet from 192.168.1.50 was denied while 3 packets from other sources were permitted. Counters count packets, not flows (a single ping with the default five echo requests produces five matches), and packets dropped by the implicit deny are not counted on any visible line. Use clear access-list counters 10 to reset the counters between tests.

Common Mistakes

  1. Incorrect ACL Number Range

    • Symptom: The router rejects the command, or the list you intended is never created.
    • Solution: Use 1–99 (or the expanded range 1300–1999) for numbered standard ACLs.
  2. Applying ACL in the Wrong Direction

    • Symptom: The ACL never triggers (match counters stay at zero) or filters traffic you did not intend.
    • Solution: Think from the router's point of view: in filters packets arriving on the interface, out filters packets leaving it. Trace the packet's path before choosing.
  3. Forgetting the Permit Statement

    • Symptom: All traffic passing through that interface in that direction is dropped, because every list ends with an implicit deny any.
    • Solution: Always include a permit any (or the specific permit statements you need) after your deny lines.
  4. Misplacing Standard ACL

    • Symptom: Unintended traffic denial, because the filter blocks the source from every destination beyond that point.
    • Solution: Standard ACLs match only the source address, so place them as close to the destination as possible; a standard ACL near the source cuts that host off from every network the router reaches.
  5. Wrong Entry Order

    • Symptom: A deny line whose match counter never increments.
    • Solution: Entries are checked top to bottom and the first match wins, so a permit any placed above a deny makes the deny unreachable. Check the order with show access-lists.
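To make the evaluation rules concrete (top-to-bottom matching, first match wins, implicit deny, host versus wildcard entries), here is an added Python model of how IOS processes a numbered standard ACL. It is example code written for this page, not Cisco code or part of the PocketCLI lab. The ACL lines fed to it are the ones from step 2, plus a list with no permit entry (mistake 3 above) and a wildcard-mask list covering a whole /24; the packet source addresses are constructed test input, and the show() output only approximates what show access-lists prints.

```python
# Added example (not Cisco IOS code): a Python model of how IOS evaluates a
# numbered standard ACL, so the rules behind the lab can be exercised offline.
# ACL lines are from this lesson; packet sources are constructed test input.
from dataclasses import dataclass, field
from ipaddress import IPv4Address

STANDARD_RANGES = ((1, 99), (1300, 1999))  # numbered standard ACL ranges in IOS


@dataclass
class Ace:
    """One entry of a standard ACL: an action plus a source address/wildcard."""
    action: str            # "permit" or "deny"
    address: IPv4Address
    wildcard: IPv4Address  # wildcard bit 0 = must match, bit 1 = don't care
    matches: int = 0

    def matches_source(self, src: IPv4Address) -> bool:
        care = ~int(self.wildcard) & 0xFFFFFFFF
        return (int(src) & care) == (int(self.address) & care)

    def text(self) -> str:
        """Render the entry roughly the way 'show access-lists' prints it."""
        if int(self.wildcard) == 0xFFFFFFFF:
            target = "any"
        elif int(self.wildcard) == 0:
            target = str(self.address)  # a host entry is shown bare
        else:
            target = f"{self.address}, wildcard bits {self.wildcard}"
        plural = "es" if self.matches != 1 else ""
        suffix = f" ({self.matches} match{plural})" if self.matches else ""
        return f"    {self.action:<6} {target}{suffix}"


@dataclass
class StandardAcl:
    number: int
    entries: list = field(default_factory=list)
    implicit_denies: int = 0  # hits on the invisible "deny any" at the end

    def __post_init__(self):
        if not any(lo <= self.number <= hi for lo, hi in STANDARD_RANGES):
            raise ValueError(f"{self.number} is not a standard ACL number")

    def add(self, line: str) -> None:
        """Parse one 'access-list N permit|deny ...' line as typed in config mode."""
        tok = line.split()
        if len(tok) < 4 or tok[:2] != ["access-list", str(self.number)] \
                or tok[2] not in ("permit", "deny"):
            raise ValueError(f"bad entry: {line}")
        rest = tok[3:]
        if rest == ["any"]:
            addr, wc = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":
            addr, wc = rest[1], "0.0.0.0"
        else:  # "A.B.C.D [wildcard]"; IOS treats a missing wildcard as one host
            addr, wc = rest[0], (rest[1] if len(rest) > 1 else "0.0.0.0")
        self.entries.append(Ace(tok[2], IPv4Address(addr), IPv4Address(wc)))

    def evaluate(self, src: str) -> str:
        """Action applied to a packet from src: top to bottom, first match wins."""
        source = IPv4Address(src)
        for ace in self.entries:
            if ace.matches_source(source):
                ace.matches += 1
                return ace.action
        self.implicit_denies += 1  # nothing matched: the implicit deny drops it
        return "deny"

    def show(self) -> str:
        """Roughly 'show access-lists N'; the implicit deny has no line."""
        header = f"Standard IP access list {self.number}"
        return "\n".join([header] + [e.text() for e in self.entries])


def lesson_acl() -> StandardAcl:
    """ACL 10 exactly as configured in step 2 of the lab."""
    acl = StandardAcl(10)
    acl.add("access-list 10 deny 192.168.1.50")
    acl.add("access-list 10 permit any")
    return acl


if __name__ == "__main__":
    acl = lesson_acl()
    for src in ["192.168.1.50", "192.168.1.60", "192.168.1.60", "192.168.1.60"]:
        print(f"{src:>14} -> {acl.evaluate(src)}")
    print(acl.show())

    deny_only = StandardAcl(25)  # mistake 3: no permit after the deny
    deny_only.add("access-list 25 deny 192.168.1.50")
    print("ACL 25 on .60:", deny_only.evaluate("192.168.1.60"), "(implicit deny)")

    subnet_acl = StandardAcl(30)  # wildcard mask covering a whole /24
    subnet_acl.add("access-list 30 deny 192.168.2.0 0.0.0.255")
    subnet_acl.add("access-list 30 permit any")
    print("ACL 30 on 192.168.2.77:", subnet_acl.evaluate("192.168.2.77"))
```

Running the block reproduces the counters from step 4 (one match on the deny line, three on permit any) and shows that a list with only a deny entry drops the hosts you never mentioned, which is the symptom described in mistake 3.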

User Challenge

The lab is available from the Download link at the bottom of this page. Try recreating the sample lab above using the provided IP addressing scheme to reinforce your understanding.

  1. Add Another Deny Rule: Block a second host in your LAN (e.g., 192.168.1.51) and verify match counts with show access-lists.

  2. Block an Entire Subnet: Create a new standard ACL (e.g., ACL 30) that denies traffic from the subnet 192.168.2.0/24 (a wildcard mask of 0.0.0.255 covers the whole subnet) while permitting everything else. Apply it inbound on the FastEthernet0/1 interface, since traffic from 192.168.2.0/24 enters R1 there, and then test connectivity from a host in 192.168.2.0/24 to confirm it is correctly blocked. Use show access-lists to verify the match counters increment when the traffic is denied.

  3. Download the ACL1 and ACL2 troubleshooting scenarios and apply what you've learned.
    (requires version 2.7)

These challenges will help you build confidence with standard ACL configurations and prepare you for extended ACLs in the next lesson.

Standard Access Control Lists | PocketCLI

Download

