Configure Standard IPv4 ACLs
Summary
This topic explains how to configure standard IPv4 ACLs that filter traffic to meet networking requirements, as covered in the CCNA 200-301 curriculum.
Create an ACL
In a previous module, you learned about what an ACL does and why it is important. In this topic, you will learn about creating ACLs.
All access control lists (ACLs) must be planned, and this is especially true for ACLs requiring multiple access control entries (ACEs).
When configuring a complex ACL, it is suggested that you:
- Use a text editor and write out the specifics of the policy to be implemented.
- Add the IOS configuration commands to accomplish those tasks.
- Include remarks to document the ACL.
- Copy and paste the commands onto the device.
- Always thoroughly test an ACL to ensure that it correctly applies the desired policy.
These recommendations enable you to create the ACL thoughtfully without impacting the traffic on the network.
Numbered Standard IPv4 ACL Syntax
To create a numbered standard ACL, use the following global configuration command:
```
Router(config)# access-list access-list-number {deny | permit | remark text} source [source-wildcard] [log]
```
Use the no access-list access-list-number global configuration command to remove a numbered standard ACL.
The table provides a detailed explanation of the syntax for a standard ACL.
| Parameter | Description |
|---|---|
| access-list-number | This is the decimal number of the ACL. Standard IPv4 ACLs use the ranges 1 to 99 and 1300 to 1999. |
| deny | This denies access if the condition is matched. |
| permit | This permits access if the condition is matched. |
| remark text | (Optional) This adds a text entry for documentation purposes. Remarks are stored in the running configuration but are never evaluated against packets. |
| source | This identifies the source network or host address of the packet. Use the keyword any to match every source address, or host ip-address to match a single host (equivalent to ip-address 0.0.0.0). |
| source-wildcard | (Optional) This is a 32-bit wildcard mask that is applied to the source. A 1 bit in the mask means that bit of the source address is ignored. If omitted, a default 0.0.0.0 mask is assumed, that is, an exact host match. |
| log | (Optional) This keyword generates an informational logging message whenever the ACE is matched, including the ACL number, the action (permit or deny), and the source address. Logged matches are rate-limited and add CPU load, so use the keyword selectively rather than on every ACE. |
Named Standard IPv4 ACL Syntax
Naming an ACL makes it easier to understand its function. To create a named standard ACL, use the following global configuration command:
```
Router(config)# ip access-list standard access-list-name
```
This command enters the named standard configuration mode where you configure the ACL ACEs.
ACL names are alphanumeric, case sensitive, and must be unique. Capitalizing ACL names is not required but makes them stand out when viewing the running-config output. It also makes it less likely that you will accidentally create two different ACLs with the same name but with different uses of capitalization.
In the example, a named standard IPv4 ACL called NO-ACCESS is created. Notice that the prompt changes to named standard ACL configuration mode. ACE statements are entered in the named standard ACL subconfiguration mode. Use the help facility to view all the named standard ACL ACE options.
The deny, permit, and remark options are configured similarly to the numbered standard ACL. Unlike the numbered ACL method, there is no need to repeat the initial ip access-list command for each ACE.
```
R1(config)# ip access-list standard NO-ACCESS
R1(config-std-nacl)# ?
Standard Access List configuration commands:
  <1-2147483647>  Sequence Number
  default         Set a command to its defaults
  deny            Specify packets to reject
  exit            Exit from access-list configuration mode
  no              Negate a command or set its defaults
  permit          Specify packets to forward
  remark          Access list entry comment

R1(config-std-nacl)#
```
Apply a Standard IPv4 ACL
After a standard IPv4 ACL is configured, it must be linked to an interface or feature. The following command can be used to bind a numbered or named standard IPv4 ACL to an interface:
```
Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}
```
To remove an ACL from an interface, enter the no ip access-group interface configuration command. The ACL itself will still be configured on the router; to delete it, use the no access-list global configuration command (or no ip access-list standard for a named ACL). Perform the two steps in that order. If an ACL is deleted while an interface still references it, the ip access-group line remains in the configuration, and IOS treats a reference to an ACL that does not exist as if no ACL were applied, so the interface passes all traffic until the reference is removed or the ACL is recreated. An interface also accepts only one ACL per direction, so applying a different ACL in the same direction replaces the existing binding.
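As an added example that is not part of the original lesson, the following Python script audits a running configuration for exactly the failure mode described above: an ip access-group binding that references an ACL which is no longer defined. The configuration text it parses is constructed for the example (it is not captured from a real device) and models R1 after no access-list 10 was issued while ACL 10 was still bound outbound on Serial0/1/0; the regular expressions and function names are the example's own.

```python
import re
from typing import List, Set, Tuple

# Constructed sample running-config (not captured from a real device). It models
# the state R1 would be left in if 'no access-list 10' were issued while
# 'ip access-group 10 out' was still bound to Serial0/1/0.
SAMPLE_RUNNING_CONFIG = """\
!
ip access-list standard PERMIT-ACCESS
 remark ACE permits host 192.168.10.10
 permit 192.168.10.10
 permit 192.168.20.0 0.0.0.255
!
interface GigabitEthernet0/0/0
 ip address 192.168.10.1 255.255.255.0
 ip access-group 20 in
!
interface Serial0/1/0
 ip address 10.1.1.1 255.255.255.252
 ip access-group 10 out
!
access-list 20 deny   192.168.10.10
access-list 20 permit 192.168.10.0 0.0.0.255
!
"""

# 'access-list <number> ...' defines a numbered ACL; 'ip access-list standard|extended <name>'
# opens a named one. Either form counts as a definition of that ACL.
ACL_DEFINITION = re.compile(r"^(?:access-list (\S+)\s|ip access-list (?:standard|extended) (\S+))")
ACL_BINDING = re.compile(r"^\s+ip access-group (\S+) (in|out)\b")
INTERFACE = re.compile(r"^interface (\S+)")


def defined_acls(config: str) -> Set[str]:
    """Names and numbers of every ACL the configuration actually defines."""
    found: Set[str] = set()
    for line in config.splitlines():
        m = ACL_DEFINITION.match(line)
        if m:
            found.add(m.group(1) or m.group(2))
    return found


def acl_bindings(config: str) -> List[Tuple[str, str, str]]:
    """(interface, direction, acl) for every 'ip access-group' inside an interface stanza."""
    bindings: List[Tuple[str, str, str]] = []
    interface = None
    for line in config.splitlines():
        m = INTERFACE.match(line)
        if m:
            interface = m.group(1)
            continue
        if line.startswith("!"):          # '!' closes the current stanza in IOS output
            interface = None
            continue
        m = ACL_BINDING.match(line)
        if m and interface is not None:
            bindings.append((interface, m.group(2), m.group(1)))
    return bindings


def dangling_bindings(config: str) -> List[Tuple[str, str, str]]:
    """Bindings whose ACL is not defined anywhere in the config. IOS treats such a
    binding as if no ACL were applied, so the interface passes all traffic."""
    defined = defined_acls(config)
    return [b for b in acl_bindings(config) if b[2] not in defined]


if __name__ == "__main__":
    for interface, direction, acl in dangling_bindings(SAMPLE_RUNNING_CONFIG):
        print(f"{interface} {direction}: ACL {acl} is applied but not defined (permits all)")
```

Feed it the output of show running-config from a real router and every reported binding is an interface that currently filters nothing in that direction.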
Numbered Standard IPv4 ACL Example
The topology in the figure will be used to demonstrate configuring and applying numbered and named standard IPv4 ACLs to an interface. This first example shows a numbered standard IPv4 ACL implementation.
Assume only PC1 is allowed out to the internet. To enable this policy, a standard ACL ACE could be applied outbound on S0/1/0, as shown in the figure.
```
R1(config)# access-list 10 remark ACE permits host 192.168.10.10
R1(config)# access-list 10 permit host 192.168.10.10
R1(config)# do show access-lists
Standard IP access list 10
    10 permit 192.168.10.10
R1(config)#
```
Notice that the output of the show access-lists command does not display the remark statements. ACL remarks are displayed in the running configuration file. Although the remark command is not required to enable the ACL, it is strongly suggested for documentation purposes.
Now assume that a new network policy states that hosts in LAN 2 should also be permitted to the internet. To enable this policy, a second standard ACL ACE could be added to ACL 10, as shown in the output.
```
R1(config)# access-list 10 remark ACE permits all hosts in LAN 2
R1(config)# access-list 10 permit 192.168.20.0 0.0.0.255
R1(config)# do show access-lists
Standard IP access list 10
    10 permit 192.168.10.10
    20 permit 192.168.20.0, wildcard bits 0.0.0.255
R1(config)#
```
Apply ACL 10 outbound on the Serial 0/1/0 interface.
```
R1(config)# interface Serial 0/1/0
R1(config-if)# ip access-group 10 out
R1(config-if)# end
R1#
```
The resulting policy of ACL 10 permits only host 192.168.10.10 and all hosts from LAN 2 to exit the Serial 0/1/0 interface. Every other source address, including all other hosts in the 192.168.10.0 network, matches the implicit deny any at the end of the ACL and is not permitted to the internet.
Use the show running-config command to review the ACL in the configuration, as shown in the output.
```
R1# show run | section access-list
access-list 10 remark ACE permits host 192.168.10.10
access-list 10 permit 192.168.10.10
access-list 10 remark ACE permits all hosts in LAN 2
access-list 10 permit 192.168.20.0 0.0.0.255
R1#
```
Notice how the remarks statements are also displayed.
Finally, use the show ip interface command to verify whether an interface has an ACL applied to it. The example filters the output for the Serial 0/1/0 interface to the lines that include the text "access list".
```
R1# show ip int Serial 0/1/0 | include access list
  Outgoing Common access list is not set
  Outgoing access list is 10
  Inbound Common access list is not set
  Inbound access list is not set
R1#
```
Named Standard IPv4 ACL Example
This second example shows a named standard IPv4 ACL implementation. The topology is repeated in the figure for your convenience.
Assume only PC1 is allowed out to the internet. To enable this policy, a named standard ACL called PERMIT-ACCESS could be applied outbound on S0/1/0.
Remove the previously configured numbered ACL 10 and create a named standard ACL called PERMIT-ACCESS, as shown here. ACL 10 is still bound to S0/1/0 at this point; that binding is replaced when PERMIT-ACCESS is applied to the interface below.
```
R1(config)# no access-list 10
R1(config)# ip access-list standard PERMIT-ACCESS
R1(config-std-nacl)#
```
Now add an ACE permitting only host 192.168.10.10 and another ACE permitting all LAN 2 hosts to the internet.
```
R1(config-std-nacl)# remark ACE permits host 192.168.10.10
R1(config-std-nacl)# permit host 192.168.10.10
R1(config-std-nacl)# remark ACE permits all hosts in LAN 2
R1(config-std-nacl)# permit 192.168.20.0 0.0.0.255
R1(config-std-nacl)# exit
R1(config)#
```
Apply the new named ACL outbound to the Serial 0/1/0 interface.
```
R1(config)# interface Serial 0/1/0
R1(config-if)# ip access-group PERMIT-ACCESS out
R1(config-if)# end
R1#
```
Use the show access-lists and show running-config commands to review the ACL in the configuration, as shown in the output.
```
R1# show access-lists
Standard IP access list PERMIT-ACCESS
    10 permit 192.168.10.10
    20 permit 192.168.20.0, wildcard bits 0.0.0.255
R1# show run | section ip access-list
ip access-list standard PERMIT-ACCESS
 remark ACE permits host 192.168.10.10
 permit 192.168.10.10
 remark ACE permits all hosts in LAN 2
 permit 192.168.20.0 0.0.0.255
R1#
```
Finally, use the show ip interface command to verify whether an interface has an ACL applied to it. The example again filters the output for the Serial 0/1/0 interface to the lines that include the text "access list".
```
R1# show ip int Serial 0/1/0 | include access list
  Outgoing Common access list is not set
  Outgoing access list is PERMIT-ACCESS
  Inbound Common access list is not set
  Inbound access list is not set
R1#
```
Syntax Check – Configure Standard IPv4 ACLs
Configure numbered and named ACLs on R1.
You will create a numbered ACL that denies host 192.168.10.10 but permits all other hosts in LAN 1. Start by configuring the ACL 20 ACE that denies the 192.168.10.10 host using the host keyword.
```
R1(config)# access-list 20 deny host 192.168.10.10
```
Create a second numbered ACL 20 ACE that permits all other hosts in LAN 1 on network 192.168.10.0/24.
```
R1(config)# access-list 20 permit 192.168.10.0 0.0.0.255
```
Because the ACL 20 policy applies only to traffic from LAN 1, the ACL is best applied inbound on the R1 G0/0/0 interface. Enter interface g0/0/0 mode, apply ACL 20 inbound, and return to global configuration mode. Be sure to use g0/0/0 as the interface designation.
```
R1(config)# interface g0/0/0
R1(config-if)# ip access-group 20 in
R1(config-if)# exit
```
You will now create a named standard ACL that permits host 192.168.10.10 but denies all other hosts access to LAN 2. Start by configuring a named standard ACL called LAN2-FILTER.
```
R1(config)# ip access-list standard LAN2-FILTER
```
Create an ACE that permits host 192.168.10.10 using the host keyword.
```
R1(config-std-nacl)# permit host 192.168.10.10
```
Deny all other hosts using the any keyword and return to global configuration mode.
```
R1(config-std-nacl)# deny any
R1(config-std-nacl)# exit
```
The LAN2-FILTER ACL is best applied outbound on the interface facing LAN 2. Enter interface g0/0/1 mode, apply ACL LAN2-FILTER outbound, and return to global configuration mode. Be sure to use g0/0/1 as the interface designation.
```
R1(config)# interface g0/0/1
R1(config-if)# ip access-group LAN2-FILTER out
R1(config-if)# exit
```
You have successfully configured IPv4 numbered and named standard ACLs on R1.
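The following Python script is an added example written for this page; it is not Cisco IOS code and not part of the original lesson. It models how a standard ACL is evaluated: the wildcard-mask comparison, first-match ordering, and the implicit deny any at the end. It then runs the ACLs from both the Numbered and Named Standard IPv4 ACL Examples (ACL 10 / PERMIT-ACCESS) and the Syntax Check above (ACL 20 and LAN2-FILTER) against a handful of source addresses, and reproduces the ACE lines that show access-lists prints. Sequence numbering, the render format and all function names are the example's own approximations of IOS behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access control entry of a standard ACL: it matches on source address only."""
    seq: int
    action: str     # "permit" or "deny"
    address: int    # source address as a 32-bit integer
    wildcard: int   # wildcard mask: a 1 bit means "ignore this bit of the source"

    def matches(self, src: int) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF          # bits the ACE actually compares
        return (src & care) == (self.address & care)


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_for(prefix: str) -> str:
    """Wildcard mask for a CIDR prefix, e.g. 192.168.20.0/24 -> 0.0.0.255."""
    return str(ipaddress.IPv4Network(prefix, strict=False).hostmask)


def parse_standard_acl(lines: List[str]) -> List[Ace]:
    """Parse ACE lines in IOS syntax. Remarks are skipped because IOS does not
    evaluate them; sequence numbers 10, 20, 30 ... follow the order given."""
    aces: List[Ace] = []
    for raw in lines:
        tokens = raw.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, rest = tokens[0], tokens[1:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported ACE: {raw!r}")
        if rest[0] == "any":
            address, wildcard = 0, 0xFFFFFFFF
        elif rest[0] == "host":
            address, wildcard = _to_int(rest[1]), 0
        else:
            address = _to_int(rest[0])
            wildcard = _to_int(rest[1]) if len(rest) > 1 else 0   # omitted mask = 0.0.0.0
        aces.append(Ace(10 * (len(aces) + 1), action, address, wildcard))
    return aces


def evaluate(acl: List[Ace], src: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation. A source that matches no ACE hits the implicit
    'deny any' at the end of every ACL, reported here with sequence None."""
    value = _to_int(src)
    for ace in acl:
        if ace.matches(value):
            return ace.action, ace.seq
    return "deny", None


def render(acl: List[Ace]) -> List[str]:
    """Approximate the ACE lines printed by 'show access-lists'."""
    lines = []
    for ace in acl:
        if ace.wildcard == 0:
            lines.append(f"{ace.seq} {ace.action} {_to_dotted(ace.address)}")
        elif ace.wildcard == 0xFFFFFFFF:
            lines.append(f"{ace.seq} {ace.action} any")
        else:
            lines.append(f"{ace.seq} {ace.action} {_to_dotted(ace.address)}, "
                         f"wildcard bits {_to_dotted(ace.wildcard)}")
    return lines


# The ACEs exactly as entered on the page, in entry order.
ACL_10 = parse_standard_acl([
    "remark ACE permits host 192.168.10.10",
    "permit host 192.168.10.10",
    "remark ACE permits all hosts in LAN 2",
    "permit 192.168.20.0 0.0.0.255",
])
ACL_20 = parse_standard_acl(["deny host 192.168.10.10",
                             "permit 192.168.10.0 0.0.0.255"])
LAN2_FILTER = parse_standard_acl(["permit host 192.168.10.10", "deny any"])

if __name__ == "__main__":
    for name, acl in (("10", ACL_10), ("20", ACL_20), ("LAN2-FILTER", LAN2_FILTER)):
        print(f"Standard IP access list {name}")
        for line in render(acl):
            print("    " + line)
        for src in ("192.168.10.10", "192.168.10.11", "192.168.20.77", "10.0.0.1"):
            print(f"  {src:>14} -> {evaluate(acl, src)}")
```

Swapping the two ACEs of ACL 20 makes the script permit 192.168.10.10 at sequence 10, because the /24 permit is reached first; that is the same ordering mistake the planning advice at the top of this page is meant to prevent, and the reason the more specific host entry must come before the network entry.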
Packet Tracer – Configure Numbered Standard IPv4 ACLs
Standard access control lists (ACLs) are router configuration scripts that control whether a router permits or denies packets based on the source address. This activity focuses on defining filtering criteria, configuring standard ACLs, applying ACLs to router interfaces, and verifying and testing the ACL implementation. The routers are already configured, including IPv4 addresses and EIGRP routing.
Packet Tracer – Configure Named Standard IPv4 ACLs
The senior network administrator has asked you to create a named standard ACL to prevent access to a file server. All clients from one network and one specific workstation from a different network should be denied access.