Standard ACL

1. Configuration of Standard ACL

Let’s start by understanding the scenario and topology:

[Image: Create your first ACL 1 (topology diagram)]

In this setup, our goal is to allow the Legal network (192.168.1.0/24) to access the Legal server while blocking the HR network (192.168.2.0/24) from accessing it. This demonstrates how we can use Standard ACLs to control traffic based on source IP addresses.

🔹 Enter Global Configuration Mode

To begin, access the global configuration mode on the router:

R1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#

🔹 Start Creating the ACL

To create a standard ACL, use the ip access-list command. Check the available options:

R1(config)# ip access-list ?
  extended    Extended Access List
  helper      Access List acts on helper-address
  log-update  Control access list log updates
  logging     Control access list logging
  resequence  Resequence Access List
  standard    Standard Access List

Choose standard to create a standard ACL.

R1(config)# ip access-list standard ?
  <1-99>       Standard IP access-list number
  <1300-1999>  Standard IP access-list number (expanded range)
  WORD         Access-list name

Standard ACLs are numbered 1-99, or 1300-1999 in the expanded range. For this example, we will choose 10:

R1(config)# ip access-list standard 10 
R1(config-std-nacl)# permit ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address

Specify the traffic to permit using the permit command. The options are:

  • any: matches every source address
  • host: matches a single host address (the same as giving that address with a wildcard mask of 0.0.0.0)
  • A.B.C.D: a network address, which must be followed by a wildcard mask saying which bits of it have to match

We need to allow traffic from the 192.168.1.0/24 network. First, specify the network:

R1(config-std-nacl)# permit 192.168.1.0 ?      
  A.B.C.D  Wildcard bits
  log      Log matches against this entry
  

Then we provide the wildcard mask (inverse of the subnet mask).

🔍 Explanation of Wildcard Masks

The wildcard mask is the bitwise inverse of the subnet mask, and the router applies it bit by bit, not octet by octet:

  • a 0 bit means the corresponding bit of the packet's source address must equal the bit in the configured address.
  • a 1 bit means that bit is ignored.

So an octet of 0 has to match exactly and an octet of 255 matches anything, but masks need not stop at octet boundaries: /26 gives 0.0.0.63, and a single host (/32) gives 0.0.0.0, which is what the host keyword writes for you.

For 192.168.1.0/24 the subnet mask is 255.255.255.0, so the wildcard mask is 0.0.0.255.

R1(config-std-nacl)# permit 192.168.1.0 0.0.0.255

🔹 Define the Deny Rule

Similarly, create a rule to deny traffic from the 192.168.2.0/24 network:

R1(config-std-nacl)# deny 192.168.2.0 0.0.0.255

The ACL is evaluated top-down and the first matching entry wins. Every IOS ACL also ends with an implicit deny any, so a source that matches no entry is dropped: HR would be blocked even without line 20, and so is every other network that reaches this interface (management stations, other departments). The explicit deny is still worth keeping, because it gives HR its own match counter in show access-lists and can take the log keyword.

Now the router has the access list in its configuration, but nothing is filtered yet: the router doesn't know on which interface, and in which direction, the packets need to be checked.

2. Where to Apply Standard ACL

🔍 Placement Strategy

Closest to the destination.
A standard ACL matches only the source IP address; it cannot tell the server apart from any other destination. Placed close to the source (for example inbound on the HR-facing interface) it would block HR from everything reachable through the router, not just from the server. Apply it on the interface nearest the destination so that only the traffic you mean to stop is affected.

Example Scenario:
In this case, the server is the destination.

  • Apply the ACL to Interface G0/2, which is the interface closest to the server.
[Image: Standard Placement]

🔹 Applying the ACL to Interface

First, access the interface configuration mode:

R1(config)# int g0/2

Then, use the ip access-group command to apply the ACL. The ? shows which identifiers the command accepts:

R1(config-if)# ip access-group ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name

Give the ACL number (10 here) and the direction. Traffic for the server enters the router on another interface and leaves through G0/2, so it is filtered outbound on G0/2. Note that an outbound ACL does not inspect packets the router generates itself.

R1(config-if)# ip access-group 10 ?
  in   inbound packets
  out  outbound packets
R1(config-if)# ip access-group 10 out
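The following is an added example, not part of the original tutorial, that models in Python what the router does with the configuration above: it derives wildcard masks from prefix lengths and applies them bit by bit (the wildcard explanation in section 1), evaluates ACL 10 top-down with the implicit deny any (the note at the end of section 1), and compares the two placements discussed in this section. The topology is an assumption: R1 with Legal users on g0/0, HR users on g0/1 and the server LAN 192.168.3.0/24 on g0/2 (the tutorial only names G0/2), plus an unrelated source 10.9.9.9 to show the implicit deny.

```python
import ipaddress


def wildcard_for_prefix(prefix_len):
    """Wildcard mask for a prefix length: the bitwise inverse of the subnet mask.

    /24 -> 0.0.0.255, /26 -> 0.0.0.63, /32 (a single host) -> 0.0.0.0
    """
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))


def matches(addr, network, wildcard):
    """Compare bit by bit: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care_bits = ~w & 0xFFFFFFFF
    return ((a ^ n) & care_bits) == 0


# ACL 10 as built in the tutorial: (sequence, action, network, wildcard).
ACL_10 = [
    (10, "permit", "192.168.1.0", "0.0.0.255"),  # Legal network
    (20, "deny",   "192.168.2.0", "0.0.0.255"),  # HR network
]


def evaluate(acl, src):
    """Top-down, first match wins. No match hits the implicit deny (sequence None)."""
    for seq, action, net, wc in acl:
        if matches(src, net, wc):
            return action, seq
    return "deny", None


# Placement model. Assumed topology (not from the tutorial): R1 with three
# LAN interfaces; the server LAN addressing 192.168.3.0/24 is made up.
LANS = {
    "g0/0": "192.168.1.0/24",  # Legal users
    "g0/1": "192.168.2.0/24",  # HR users
    "g0/2": "192.168.3.0/24",  # Legal server
}


def lan_interface(addr):
    """Which R1 interface a host address sits behind."""
    for ifname, cidr in LANS.items():
        if ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(cidr):
            return ifname
    raise ValueError("no interface for " + addr)


def forward(src, dst, bindings):
    """Route src -> dst through R1. bindings maps (interface, direction) -> ACL.

    An inbound ACL is checked on the interface the packet enters, an outbound
    ACL on the interface it leaves; a standard ACL only ever looks at src.
    """
    checks = ((lan_interface(src), "in"), (lan_interface(dst), "out"))
    for iface, direction in checks:
        acl = bindings.get((iface, direction))
        if acl is not None and evaluate(acl, src)[0] == "deny":
            return "deny"
    return "permit"


CLOSE_TO_DESTINATION = {("g0/2", "out"): ACL_10}  # what the tutorial does
CLOSE_TO_SOURCE = {("g0/1", "in"): ACL_10}        # same ACL, HR-facing interface


if __name__ == "__main__":
    print("/24 ->", wildcard_for_prefix(24), " /26 ->", wildcard_for_prefix(26))
    for src in ("192.168.1.10", "192.168.2.10", "10.9.9.9"):
        print(src, "->", evaluate(ACL_10, src))
    hr_host = "192.168.2.10"
    for dst in ("192.168.3.10", "192.168.1.20"):  # the server, then a Legal PC
        print(hr_host, "->", dst,
              "| out on g0/2:", forward(hr_host, dst, CLOSE_TO_DESTINATION),
              "| in on g0/1:", forward(hr_host, dst, CLOSE_TO_SOURCE))
```

Running it shows the HR host denied from the server under both placements, but only the close-to-source placement also cuts HR off from the Legal workstation, which is the reason for the "closest to the destination" rule. It also shows that 10.9.9.9 is denied with no sequence number, that is, by the implicit deny rather than by line 20.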

3. Verifying Standard ACLs

🔍 Checking ACL Configuration

After applying the ACL, verify its contents using the following command:

🔹 Command to display access lists:

R1# show access-lists 10
Standard IP access list 10
    10 permit 192.168.1.0, wildcard bits 0.0.0.255
    20 deny   192.168.2.0, wildcard bits 0.0.0.255

This lists the entries in the order they are evaluated, with sequence numbers assigned by IOS in steps of 10; once traffic flows, each line also shows a match counter in parentheses. The command shows contents only, not where the list is bound. To confirm that it is applied, use show ip interface g0/2, which reports Outgoing access list is 10.

4. Named Standard ACLs

🔍 Understanding Named Standard ACLs

Standard ACLs can be identified by either a number or a name.

In this section, we will create a Named Standard ACL called ALLOW_LEGAL_DENY_HR. It permits traffic from the Legal network (192.168.1.0/24) and denies traffic from the HR network (192.168.2.0/24), exactly like ACL 10, but with a name that tells the next administrator what it is for.

[Image: Create your first ACL 2]

🔹 Create the Named Standard ACL

Enter global configuration mode and define the ACL with a descriptive name:

R1(config)# ip access-list standard ALLOW_LEGAL_DENY_HR
R1(config-std-nacl)# permit 192.168.1.0 0.0.0.255
R1(config-std-nacl)# deny 192.168.2.0 0.0.0.255

This configuration creates two entries:

  • Permit Rule: Allows traffic from the 192.168.1.0/24 network.
  • Deny Rule: Blocks traffic from the 192.168.2.0/24 network.

5. Applying Named Standard ACLs to Interfaces

🔍 After creating the named ACL, it must be applied to an interface.

For this example, apply the ALLOW_LEGAL_DENY_HR ACL to outgoing traffic on interface G0/2:

🔹 Configuration Command:

R1(config)# interface G0/2
R1(config-if)# ip access-group ALLOW_LEGAL_DENY_HR out

✅ This binds the ACL to G0/2 so that packets leaving the interface are checked against it; the implicit deny any at the end of the list applies here too.

6. Verifying Named Standard ACLs

🔍 To confirm that the named ACL is configured correctly, use the following command:

🔹 Verification Command:

R1# show access-lists ALLOW_LEGAL_DENY_HR
Standard IP access list ALLOW_LEGAL_DENY_HR
    10 permit 192.168.1.0, wildcard bits 0.0.0.255
    20 deny 192.168.2.0, wildcard bits 0.0.0.255

✅ This output confirms the ACL contents:

  • Traffic from 192.168.1.0/24 is permitted.
  • Traffic from 192.168.2.0/24 is denied.
  • Any other source is denied by the implicit deny any, which is not shown.

7. Troubleshooting Standard ACLs

If the ACL is not functioning as expected, follow these steps to troubleshoot:

🔹 Verify Application

Check that the ACL is bound to the intended interface and direction with show ip interface (replace X with the interface, for example g0/2):

R1# show ip interface X

The output contains the lines Outgoing access list is 10 and Inbound  access list is not set (with the name instead of the number for a named ACL). Make sure the identifier and direction match what you intended, and that the referenced list actually exists: an interface that references an ACL which is not defined is not protected, because IOS passes all traffic when the referenced list is missing.

🔹 Check Configuration

🛠️ Review the ACL rules with:

R1# show access-lists

✅ This displays every access list with its entries and match counters. A counter that never increments on a line you expect to match means the ACL is bound in the wrong place or direction, or that an earlier entry matched first. Use clear access-list counters before retesting so the numbers reflect only the new test.
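As an added example (not from the original tutorial), the script below parses the two show commands used in this section and cross-checks them: which ACL is bound in each direction, the entries and match counters of every defined list, and the dangerous case where an interface references a list that is not defined, which on IOS means the interface filters nothing. The sample output is constructed to look like the tutorial's router; the interface address and the match counters are made up, and the audit function and its finding strings are this example's own.

```python
import re

# Constructed sample output, shaped like IOS output for the tutorial's router.
# Interface address and match counters are invented for illustration.
SHOW_IP_INTERFACE = """\
GigabitEthernet0/2 is up, line protocol is up
  Internet address is 192.168.3.1/24
  Broadcast address is 255.255.255.255
  MTU is 1500 bytes
  Outgoing access list is 10
  Inbound  access list is not set
"""

SHOW_ACCESS_LISTS = """\
Standard IP access list 10
    10 permit 192.168.1.0, wildcard bits 0.0.0.255 (25 matches)
    20 deny   192.168.2.0, wildcard bits 0.0.0.255 (12 matches)
Standard IP access list ALLOW_LEGAL_DENY_HR
    10 permit 192.168.1.0, wildcard bits 0.0.0.255
    20 deny   192.168.2.0, wildcard bits 0.0.0.255
"""

ACL_BINDING = re.compile(r"\s*(Outgoing|Inbound)\s+access list is (.+?)\s*$")
ACL_HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)")
ACL_ENTRY = re.compile(
    r"^\s+(\d+)\s+(permit|deny)\s+(\S+?)"       # sequence, action, source
    r"(?:,\s+wildcard bits\s+(\S+))?"           # optional wildcard mask
    r"(?:\s+\((\d+) match(?:es)?\))?\s*$"       # optional "(N matches)"
)


def parse_interface_acls(text):
    """From 'show ip interface': {'in': ACL or None, 'out': ACL or None}."""
    bound = {"in": None, "out": None}
    for line in text.splitlines():
        m = ACL_BINDING.match(line)
        if m:
            direction = "out" if m.group(1) == "Outgoing" else "in"
            bound[direction] = None if m.group(2) == "not set" else m.group(2)
    return bound


def parse_access_lists(text):
    """From 'show access-lists': {name: [(seq, action, source, wildcard, matches)]}.

    A host entry is printed without wildcard bits; it is stored as 0.0.0.0.
    """
    acls, current = {}, None
    for line in text.splitlines():
        h = ACL_HEADER.match(line)
        if h:
            current = h.group(2)
            acls[current] = []
            continue
        e = ACL_ENTRY.match(line)
        if e and current is not None:
            seq, action, src, wc, hits = e.groups()
            acls[current].append((int(seq), action, src, wc or "0.0.0.0", int(hits or 0)))
    return acls


def audit(interface_text, acl_text):
    """Cross-check the interface bindings against the defined lists.

    Returns (bindings, findings). The finding that matters most is a bound
    list that is not defined: IOS then filters nothing on that interface.
    """
    bound = parse_interface_acls(interface_text)
    acls = parse_access_lists(acl_text)
    findings = []
    for direction, name in bound.items():
        if name is None:
            continue
        if name not in acls:
            findings.append(f"{direction}: ACL {name} is bound but not defined; traffic is not filtered")
        elif sum(entry[4] for entry in acls[name]) == 0:
            findings.append(f"{direction}: ACL {name} has no matches yet; confirm traffic crosses this interface")
    return bound, findings


if __name__ == "__main__":
    bindings, findings = audit(SHOW_IP_INTERFACE, SHOW_ACCESS_LISTS)
    print("bound:", bindings)
    for name, entries in parse_access_lists(SHOW_ACCESS_LISTS).items():
        print(name, entries)
    print("findings:", findings or "none")
```

To use it against a real router, paste the two outputs into the two strings (or read them from files); the parser ignores the other lines of show ip interface, so the abbreviated sample is enough to run it.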

🔹 Modify if Needed

If an entry is wrong, prefer fixing that entry to deleting the whole list: in ip access-list standard mode you can remove a single line with no followed by its sequence number (for example no 20), and insert a line at a chosen position by typing the sequence number in front of it. If you do need to delete and recreate the list:

R1(config)# no ip access-list standard X

be aware that while the list does not exist, an interface that still references it passes all traffic. Where that matters, build the corrected list under a new number or name first, then change the ip access-group binding on the interface to point at it, and only then remove the old list.

📢 Next Steps:
Now that you've learned standard ACLs, the next course will focus on configuring an Extended ACL.