What is the access list command?

This tutorial explains the commands and configurations you need to create, implement and test a standard access list through a packet tracer example.

You can create a standard access list in two ways: by using a number or by using a name. If you use a number to create the standard access list, it is known as a numbered standard access list. If you use a name to create the standard access list, it is known as a named standard access list.

No matter which method you use to create an ACL, it works similarly. The only advantage of a named ACL over a numbered ACL is that it allows you to edit statements. You can edit a statement in a named ACL, but you can't edit a statement in a numbered ACL.

In this tutorial, we will take an example of a numbered ACL. We will take an example of a named ACL in the next part of this tutorial.

Creating and implementing a standard numbered ACL

Either create a Packet Tracer lab as shown in the following image, or download the following pre-created lab and load it in Packet Tracer.

Download Packet Tracer Lab with Initial Configuration

In this network, there are three segments.

Segment    Network       Connected to the router's interface
Students   10.0.0.0/8    GigabitEthernet0/0
Teachers   20.0.0.0/8    GigabitEthernet0/1
Server     30.0.0.0/8    GigabitEthernet0/2

Currently, this network has no ACL. All segments can reach each other.

To test connectivity between segments, you can use the ping command. The following image verifies that PC0 from the Students segment can access Server0 from the Server segment.

Now, we want to create an ACL that serves the following purposes.

  • Allow the Students segment to access the Teachers segment.
  • Block the Students segment from accessing the Server segment.
  • Allow the Teachers segment to access the Students segment and the server segment.

Creating a standard ACL

Access the CLI prompt of Router and run the following commands.

Router>enable
Router#configure terminal
Router(config)#access-list 10 deny 10.0.0.0 0.255.255.255
Router(config)#access-list 10 permit 20.0.0.0 0.255.255.255
Router(config)#

Let's discuss the above commands.

An access list can be created only in global configuration mode. The first two commands enter global configuration mode. The next two commands create a standard access list with two statements. The first statement denies all traffic sourced from the network 10.0.0.0/8 (the wildcard mask 0.255.255.255 selects the whole /8). The second statement permits all traffic sourced from the network 20.0.0.0/8. Both statements are tagged with the number 10, which is the ACL's identifier.

Implementing the ACL

An ACL works only when it is applied to an interface. To use this ACL, we have to apply it to the proper interface in the correct direction.

Can you guess the interface and the direction for this ACL?

We will apply this ACL to GigabitEthernet 0/2 in the outward direction. This is the last exit point for the traffic originating from the network 10.0.0.0. A standard ACL should be applied on the last exit point. This practice allows the source to communicate with other parts of the network.

Let’s apply this ACL to the GigabitEthernet0/2 in the outward direction.

Router(config)#interface gigabitEthernet 0/2
Router(config-if)#ip access-group 10 out

The following image shows how to execute the above commands on the router.

Once this ACL is implemented, the router takes the following steps before sending each packet out to Gigabit Ethernet 0/2.

It checks the source address of the packet. If the source belongs to the network 10.0.0.0/8, the router drops the packet. If the source belongs to the network 20.0.0.0/8, the router forwards the packet. If the source belongs to any other network, the router drops the packet, because every ACL ends with an implicit deny-all statement.

The output of the ping command in the following image verifies that the Students segment cannot access the Server segment after the ACL is applied.

The output of the ping command in the following image verifies that the Teachers segment can still access the Students segment and the Server segment even after the ACL is applied.

The show ip access-lists command

You can use the 'show ip access-lists' command to view the entries of the ACLs. This command also shows the number of packets matched with each entry. The following image shows the output of this command.
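To make the evaluation steps above and the match counters of 'show ip access-lists' concrete, here is an added Python model of standard-ACL processing (example code, not part of the tutorial or of Cisco IOS). It assumes the lab's interface names Gi0/0, Gi0/1, Gi0/2 and the constructed host addresses 10.0.0.10 and 20.0.0.10; it also lets you compare the tutorial's placement (outbound on Gi0/2) with an inbound placement on Gi0/0, which would block the Students segment from everything.

```python
# Added example, not code from the tutorial: a small model of how a Cisco-style
# standard ACL is evaluated (wildcard match, first match wins, implicit deny).
import ipaddress

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'ignore this bit'; 0 means it must match."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a ^ n) & ~w & 0xFFFFFFFF == 0

class StandardAcl:
    def __init__(self, number: int):
        self.number = number
        self.entries = []  # [action, network, wildcard, hit_count]

    def add(self, action: str, network: str, wildcard: str) -> None:
        self.entries.append([action, network, wildcard, 0])

    def evaluate(self, src: str) -> str:
        """First matching entry wins; no match hits the implicit deny at the end."""
        for entry in self.entries:
            if wildcard_match(src, entry[1], entry[2]):
                entry[3] += 1
                return entry[0]
        return "deny"

    def show(self) -> list:
        """What 'show ip access-lists' reports: each entry with its match count."""
        return [f"{a} {n} {w} ({h} matches)" for a, n, w, h in self.entries]

def forward(bindings: dict, src: str, ingress: str, egress: str) -> bool:
    """bindings maps (interface, direction) to an ACL; inbound is checked before outbound."""
    for key in ((ingress, "in"), (egress, "out")):
        acl = bindings.get(key)
        if acl is not None and acl.evaluate(src) == "deny":
            return False
    return True

def build_acl10() -> StandardAcl:
    acl = StandardAcl(10)
    acl.add("deny", "10.0.0.0", "0.255.255.255")     # access-list 10 deny ...
    acl.add("permit", "20.0.0.0", "0.255.255.255")   # access-list 10 permit ...
    return acl

def lab_flows(bindings: dict) -> dict:
    """The lab's segments: Students on Gi0/0, Teachers on Gi0/1, Server on Gi0/2 (assumed)."""
    flows = {"students->teachers": ("10.0.0.10", "Gi0/0", "Gi0/1"),
             "students->server": ("10.0.0.10", "Gi0/0", "Gi0/2"),
             "teachers->students": ("20.0.0.10", "Gi0/1", "Gi0/0"),
             "teachers->server": ("20.0.0.10", "Gi0/1", "Gi0/2")}
    return {name: forward(bindings, *flow) for name, flow in flows.items()}
```

Calling lab_flows({("Gi0/2", "out"): build_acl10()}) reproduces the tutorial's ping results, while lab_flows({("Gi0/0", "in"): build_acl10()}) shows why the last exit point is the right place for a standard ACL.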

Configured lab

The following link provides the configured packet tracer lab of this example.

Packet Tracer Lab with ACL implementation

That's all for this tutorial. In the next part of this tutorial, we will learn how to create, implement, and verify a named standard access list.

Creates a named or numbered IPv4 standard or extended access list [ACL]. In ACLs, you can define rules that permit or deny network traffic based on criteria that you specify.

ip access-list { standard | extended } { acl-num | acl-name }

no ip access-list { standard | extended } { acl-num | acl-name }

By default, no IPv4 named or numbered ACLs are defined. Numbered IPv4 ACLs can also be created with the access-list command.

standard
    Creates a standard access list. Contains rules that permit or deny traffic based on source addresses that you specify. The rules are applicable to all ports of the specified address.
extended
    Creates an extended access list. Contains rules that permit or deny traffic according to source and destination addresses, as well as other parameters. For example, you can also filter by port, protocol [TCP or UDP], and TCP flags.
acl-num
    Specifies the ACL number for a standard or extended access list. The value can be from 1 through 99 for standard IPv4 ACLs and from 100 through 199 for extended IPv4 ACLs.
acl-name
    Specifies a unique IPv4 ACL name. The name can be up to 255 characters, and must begin with an alphabetic character. If the name contains spaces, put it within quotation marks. Otherwise, no special characters are allowed, except for underscores and hyphens.

Global configuration mode

An ACL name must be unique among IPv4 and IPv6 standard and extended ACL types.

After you create an IPv4 ACL, enter one or more permit or deny commands to create filtering rules for that ACL.

An IPv4 ACL starts functioning only after it is applied to an interface using the ip access-group command.

The system supports the following IPv4 ACL resources:

  • IPv4 numbered standard ACLs—99
  • IPv4 numbered extended ACLs—100
  • IPv4 named standard ACLs—99
  • IPv4 named extended ACLs—100
  • Maximum filter-rules per IPv4 or IPv6 ACL—2000. You can change the maximum up to 8192 by using the system-max ip-filter-sys command.

The no form of this command deletes the ACL. You can delete an IPv4 ACL only after you first remove it from all interfaces to which it is applied, using the no ip access-group command.

The following example creates an extended, named IPv4 ACL, defines rules in it, and applies it to an Ethernet interface in the ingress direction.

device(config)# ip access-list extended "block Telnet"
device(config-ext-nacl-block telnet)# deny tcp host 10.157.22.26 any eq telnet
device(config-ext-nacl-block telnet)# permit ip any any
device(config-ext-nacl-block telnet)# interface ethernet 1/1/1
device(config-if-e10000-1/1/1)# ip access-group "block Telnet" in

The following example creates an extended, numbered IPv4 ACL and defines rules in it.

device# configure terminal
device(config)# ip access-list extended 101
device(config-ext-nacl)# seq 30 deny udp 19.1.2.0 0.0.0.255 eq 2023 20.1.2.0 0.0.0.255 eq 2025 dscp-mapping 23
device(config-ext-nacl)# permit 12 host 098.096.31.10 any
device(config-ext-nacl)# deny tcp host 098.092.12.10 131.21.12.0/24 syn
device(config-ext-nacl)# deny 120 host 18.192.112.110 13.2.2.0/24 log
device(config-ext-nacl)# permit ip any any mirror

The following example configures a standard access list.

device(config)# ip access-list standard acl1
device(config-std-nacl)#

The following example configures an extended access list.

device(config)# ip access-list extended 125
device(config-ext-nacl)#
