Configure Standard IPv4 ACLs

Summary

This topic configures standard IPv4 ACLs to filter traffic to meet networking requirements.

Note: This topic is part of Module 5 of the Cisco CCNA 3 course. To follow the course in order, see the CCNA 3 section.

Create an ACL

In a previous module, you learned about what an ACL does and why it is important. In this topic, you will learn about creating ACLs.

All access control lists (ACLs) must be planned. However, this is especially true for ACLs requiring multiple access control entries (ACEs).

When configuring a complex ACL, it is suggested that you:

  • Use a text editor and write out the specifics of the policy to be implemented.
  • Add the IOS configuration commands to accomplish those tasks.
  • Include remarks to document the ACL.
  • Copy and paste the commands onto the device.
  • Always thoroughly test an ACL to ensure that it correctly applies the desired policy.

These recommendations enable you to create the ACL thoughtfully without impacting the traffic on the network.

Numbered Standard IPv4 ACL Syntax

To create a numbered standard ACL, use the following global configuration command:

Router(config)# access-list access-list-number {deny | permit | remark text} source [source-wildcard] [log]

Use the no access-list access-list-number global configuration command to remove a numbered standard ACL.

The table provides a detailed explanation of the syntax for a standard ACL.

Parameter: access-list-number
  • This is the decimal number of the ACL.
  • Standard ACL number range is 1 to 99 or 1300 to 1999.

Parameter: deny
  • This denies access if the condition is matched.

Parameter: permit
  • This permits access if the condition is matched.

Parameter: remark text
  • (Optional) This adds a text entry for documentation purposes.
  • Each remark is limited to 100 characters.

Parameter: source
  • This identifies the source network or host address to filter.
  • Use the any keyword to specify all networks.
  • Use the host ip-address keyword or simply enter an ip-address (without the host keyword) to identify a specific IP address.

Parameter: source-wildcard
  • (Optional) This is a 32-bit wildcard mask that is applied to the source. If omitted, a default 0.0.0.0 mask is assumed.

Parameter: log
  • (Optional) This keyword generates and sends an informational message whenever the ACE is matched.
  • The message includes the ACL number, the matched condition (i.e., permitted or denied), the source address, and the number of packets.
  • This message is generated for the first matched packet.
  • This keyword should only be implemented for troubleshooting or security reasons.

Named Standard IPv4 ACL Syntax

Naming an ACL makes it easier to understand its function. To create a named standard ACL, use the following global configuration command:

Router(config)# ip access-list standard access-list-name

This command enters the named standard configuration mode where you configure the ACL ACEs.

ACL names are alphanumeric, case sensitive, and must be unique. Capitalizing ACL names is not required but makes them stand out when viewing the running-config output. It also makes it less likely that you will accidentally create two different ACLs with the same name but with different uses of capitalization.

Note: Use the no ip access-list standard access-list-name global configuration command to remove a named standard IPv4 ACL.

In the example, a named standard IPv4 ACL called NO-ACCESS is created. Notice that the prompt changes to named standard ACL configuration mode. ACE statements are entered in the named standard ACL sub configuration mode. Use the help facility to view all the named standard ACL ACE options.

The three highlighted options are configured similar to the numbered standard ACL. Unlike the numbered ACL method, there is no need to repeat the initial ip access-list command for each ACE.

R1(config)# ip access-list standard NO-ACCESS
R1(config-std-nacl)# ?
Standard Access List configuration commands:
  <1-2147483647>  Sequence Number
  default         Set a command to its defaults
  deny            Specify packets to reject
  exit            Exit from access-list configuration mode
  no              Negate a command or set its defaults
  permit          Specify packets to forward
  remark          Access list entry comment
R1(config-std-nacl)#

Apply a Standard IPv4 ACL

After a standard IPv4 ACL is configured, it must be linked to an interface or feature. The following command can be used to bind a numbered or named standard IPv4 ACL to an interface:

Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}

To remove an ACL from an interface, first enter the no ip access-group interface configuration command. However, the ACL will still be configured on the router. To remove the ACL from the router, use the no access-list global configuration command.

Numbered Standard IPv4 ACL Example

The topology in the figure will be used to demonstrate configuring and applying numbered and named standard IPv4 ACLs to an interface. This first example shows a numbered standard IPv4 ACL implementation.

[Figure: Numbered Standard IPv4 ACL topology]

Assume only PC1 is allowed out to the internet. To enable this policy, a standard ACL ACE could be applied outbound on S0/1/0, as shown in the figure.

R1(config)# access-list 10 remark ACE permits ONLY host 192.168.10.10 to the internet
R1(config)# access-list 10 permit host 192.168.10.10
R1(config)# do show access-lists
Standard IP access list 10
   10 permit 192.168.10.10
R1(config)#

Notice that the output of the show access-lists command does not display the remark statements. ACL remarks are displayed in the running configuration file. Although the remark command is not required to enable the ACL, it is strongly suggested for documentation purposes.

Now assume that a new network policy states that hosts in LAN 2 should also be permitted to the internet. To enable this policy, a second standard ACL ACE could be added to ACL 10, as shown in the output.

R1(config)# access-list 10 remark ACE permits all host in LAN 2
R1(config)# access-list 10 permit 192.168.20.0 0.0.0.255
R1(config)# do show access-lists
Standard IP access list 10
    10 permit 192.168.10.10
    20 permit 192.168.20.0, wildcard bits 0.0.0.255
R1(config)#

Apply ACL 10 outbound on the Serial 0/1/0 interface.

R1(config)# interface Serial 0/1/0
R1(config-if)# ip access-group 10 out
R1(config-if)# end
R1#

The resulting policy of ACL 10 only permits host 192.168.10.10 and all hosts from LAN 2 to exit the Serial 0/1/0 interface. All other hosts in the 192.168.10.0 network are not permitted to the internet, because any source that matches neither ACE falls through to the implicit deny at the end of the ACL.

Use the show running-config command to review the ACL in the configuration, as shown in the output.

R1# show run | section access-list
access-list 10 remark ACE permits host 192.168.10.10
access-list 10 permit 192.168.10.10
access-list 10 remark ACE permits all host in LAN 2
access-list 10 permit 192.168.20.0 0.0.0.255
R1#

Notice how the remarks statements are also displayed.

Finally, use the show ip interface command to verify whether an interface has an ACL applied to it. In the example, the output for the Serial 0/1/0 interface is filtered to show only the lines that include the text “access list”.

R1# show ip int Serial 0/1/0 | include access list
  Outgoing Common access list is not set
  Outgoing access list is 10
  Inbound Common access list is not set
  Inbound  access list is not set
R1#

Named Standard IPv4 ACL Example

This second example shows a named standard IPv4 ACL implementation. The topology is repeated in the figure for your convenience.

[Figure: Standard IPv4 ACL topology]

Assume only PC1 is allowed out to the internet. To enable this policy, a named standard ACL called PERMIT-ACCESS could be applied outbound on S0/1/0.

Remove the previously configured numbered ACL 10 and create a named standard ACL called PERMIT-ACCESS, as shown here.

R1(config)# no access-list 10
R1(config)# ip access-list standard PERMIT-ACCESS
R1(config-std-nacl)# remark ACE permits host 192.168.10.10
R1(config-std-nacl)# permit host 192.168.10.10
R1(config-std-nacl)#

Now add an ACE permitting only host 192.168.10.10 and another ACE permitting all LAN 2 hosts to the internet.

R1(config-std-nacl)# remark ACE permits host 192.168.10.10
R1(config-std-nacl)# permit host 192.168.10.10
R1(config-std-nacl)# remark ACE permits all hosts in LAN 2
R1(config-std-nacl)# permit 192.168.20.0 0.0.0.255
R1(config-std-nacl)# exit
R1(config)#

Apply the new named ACL outbound to the Serial 0/1/0 interface.

R1(config)# interface Serial 0/1/0
R1(config-if)# ip access-group PERMIT-ACCESS out
R1(config-if)# end
R1#

Use the show access-lists and show running-config commands to review the ACL in the configuration, as shown in the output.

R1# show access-lists
Standard IP access list PERMIT-ACCESS
    10 permit 192.168.10.10
    20 permit 192.168.20.0, wildcard bits 0.0.0.255
R1# show run | section ip access-list
ip access-list standard PERMIT-ACCESS
 remark ACE permits host 192.168.10.10
 permit 192.168.10.10
 remark ACE permits all hosts in LAN 2
 permit 192.168.20.0 0.0.0.255
R1#

Finally, use the show ip interface command to verify whether an interface has an ACL applied to it. In the example, the output for the Serial 0/1/0 interface is filtered to show only the lines that include the text “access list”.

R1# show ip int Serial 0/1/0 | include access list
  Outgoing Common access list is not set
  Outgoing access list is PERMIT-ACCESS
  Inbound Common access list is not set
  Inbound  access list is not set
R1#

Syntax Check – Configure Standard IPv4 ACLs

Configure numbered and named standard ACLs on R1.

[Figure: Topology Standard IPv4 ACLs]

You will create a numbered ACL that denies host 192.168.10.10 but permits all other hosts in LAN 1. Start by configuring the ACL 20 ACE that denies the 192.168.10.10 host using the host keyword.

R1(config)#access-list 20 deny host 192.168.10.10

Create a second numbered ACL 20 ACE that permits all other hosts in LAN 1 on network 192.168.10.0/24.

R1(config)#access-list 20 permit 192.168.10.0 0.0.0.255

Because the ACL 20 policies only apply to traffic from LAN 1, the ACL is best applied inbound on the R1 G0/0/0 interface. Enter interface g0/0/0 mode, apply ACL 20 inbound, and return to global configuration mode. Be sure to use g0/0/0 as the interface designation.

R1(config)#interface g0/0/0
R1(config-if)#ip access-group 20 in
R1(config-if)#exit

You will now create a named standard ACL that permits host 192.168.10.10 but denies all other hosts access to LAN 2. Start by configuring a named standard ACL called LAN2-FILTER.

R1(config)#ip access-list standard LAN2-FILTER

Create an ACE that permits host 192.168.10.10 using the host keyword.

R1(config-std-nacl)#permit host 192.168.10.10

Deny all other hosts using the any keyword and return to global configuration mode.

R1(config-std-nacl)#deny any
R1(config-std-nacl)#exit

LAN2-FILTER is best applied outbound toward LAN 2. Enter interface g0/0/1 mode, apply ACL LAN2-FILTER outbound, and return to global configuration mode. Be sure to use g0/0/1 as the interface designation.

R1(config)#interface g0/0/1
R1(config-if)#ip access-group LAN2-FILTER out
R1(config-if)#exit

You have successfully configured IPv4 numbered and named standard ACLs on R1.
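The examples above rely on three rules the CLI output does not make visible: a wildcard mask bit of 0 must match and a bit of 1 is ignored, ACEs are evaluated top-down with the first match winning, and anything unmatched hits the implicit deny. The following added example (not part of the course material, and not IOS code) is a small Python model of standard ACL evaluation; it builds ACL 10 and ACL 20 and LAN2-FILTER from the ACE lines on this page and shows why the order of the two ACL 20 entries matters. Remark lines are skipped, mirroring how show access-lists omits them.

```python
import ipaddress

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits the ACE actually compares
    return (a & care) == (n & care)

def parse_ace(line: str):
    """Parse one standard ACE body ('permit host A.B.C.D', 'deny any',
    'permit A.B.C.D [wildcard]'); returns (action, network, wildcard)."""
    tokens = line.split()
    action, src = tokens[0], tokens[1:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")
    if src[0] == "any":                       # any == 0.0.0.0 255.255.255.255
        return (action, "0.0.0.0", "255.255.255.255")
    if src[0] == "host":                      # host == wildcard 0.0.0.0
        return (action, src[1], "0.0.0.0")
    wildcard = src[1] if len(src) > 1 else "0.0.0.0"   # omitted mask defaults to 0.0.0.0
    return (action, src[0], wildcard)

def build_acl(lines):
    """Build an ACL from ACE lines in entry order, dropping remarks."""
    return [parse_ace(l) for l in lines if not l.startswith("remark")]

def evaluate(acl, source: str) -> str:
    """Top-down, first match wins; an unmatched source hits the implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(source, network, wildcard):
            return action
    return "deny"

# The ACLs configured on this page, as entered (remarks included for realism)
ACL_10 = build_acl(["remark ACE permits host 192.168.10.10",
                    "permit host 192.168.10.10",
                    "permit 192.168.20.0 0.0.0.255"])
ACL_20 = build_acl(["deny host 192.168.10.10",
                    "permit 192.168.10.0 0.0.0.255"])
LAN2_FILTER = build_acl(["permit host 192.168.10.10", "deny any"])

if __name__ == "__main__":
    # Constructed sample sources: PC1, another LAN 1 host, a LAN 2 host, an outsider
    for src in ("192.168.10.10", "192.168.10.11", "192.168.20.5", "10.0.0.1"):
        print(src, evaluate(ACL_10, src), evaluate(ACL_20, src), evaluate(LAN2_FILTER, src))
    # Reversing ACL 20 lets PC1 through: the broader permit now matches first
    print("ACL 20 reversed, PC1:", evaluate(list(reversed(ACL_20)), "192.168.10.10"))
```

Swapping the two ACL 20 entries silently breaks the policy, which is why the syntax check configures the host deny before the network permit.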

Packet Tracer – Configure Numbered Standard IPv4 ACLs

Standard access control lists (ACLs) are router configuration scripts that control whether a router permits or denies packets based on the source address. This activity focuses on defining filtering criteria, configuring standard ACLs, applying ACLs to router interfaces, and verifying and testing the ACL implementation. The routers are already configured, including IPv4 addresses and EIGRP routing.

Packet Tracer – Configure Named Standard IPv4 ACLs

The senior network administrator has asked you to create a named standard ACL to prevent access to a file server. All clients from one network and one specific workstation from a different network should be denied access.
