CCNA Study Guide

This tutorial explains the access-list command, the ip access-list command, how to create a numbered standard access list, and how to create a named standard access list in detail.

Standard ACLs configuration commands

A standard ACL can be created in two ways:

  1. Classical approach (numbered)
  2. Modern approach (numbered or named)

Classical approach (numbered ACL)

This tutorial is the second part of our article “Cisco IP ACL Configuration Guide”. You can read the other parts of this article here:

Access Control List Explained with Examples

This tutorial is the first part of this article. In this part I provided a brief introduction to Cisco IP ACLs, such as what an ACL is and how it works, including ACL direction and location.

Configure Standard Access Control List Step by Step Guide

This tutorial is the third part of this article. In this part I will provide a step-by-step configuration guide for the Standard Access Control List.

Extended ACL Configuration Commands Explained

This tutorial is the fourth part of this article. In this part I will explain the Extended Access Control List configuration commands and their parameters in detail with examples.

Configure Extended Access Control List Step by Step Guide

This tutorial is the last part of this article. In this part I will provide a step-by-step configuration guide for the Extended Access Control List.

To create a standard numbered ACL, the following global configuration mode command is used:

Router(config)# access-list ACL_Identifier_number permit/deny matching-parameters

Router(config)#

This prompt indicates that we are in global configuration mode.

access-list

This keyword tells the router that we are creating or accessing an access list.

ACL_Identifier_number

This parameter specifies the type of access list. There are two types of access list: standard and extended. Each type has its own range of identifier numbers. A standard ACL uses the number ranges 1 to 99 and 1300 to 1999. We can pick any number from these ranges to tell the router that we are working with a standard ACL. This number groups the conditions under a single ACL and is also the unique identifier of this ACL on the router.

permit/deny

As we know, an ACL condition has two actions: permit and deny. With the permit keyword, the ACL allows all packets from the source address specified in the next parameter. With the deny keyword, the ACL drops all packets from the source address specified in the next parameter.

matching-parameters

This parameter specifies the contents of the packet that we want to match. In a standard ACL condition this can be a single source address or a range of addresses. We have three options to specify the source address.

  1. Any
  2. host
  3. A.B.C.D

Any

The any keyword is used to match all sources. Every packet compared against this condition is matched.

Host

The host keyword is used to match a specific host. To match a particular host, type the keyword host followed by the IP address of the host.

A.B.C.D

With this option we can match a single address or a range of addresses. To match a single address, simply type the address. To match a range of addresses, we need to use a wildcard mask.

Wildcard mask

Just like a subnet mask, a wildcard mask draws a boundary in an IP address. Where a subnet mask separates the network portion from the host portion, a wildcard mask separates the portion that must match from the portion that is ignored. The wildcard mask is the inverse of the subnet mask and can be calculated from it in decimal or in binary.

Different authors use different approaches to calculate a wildcard mask. Among these, the following method is the simplest.

Subtract the subnet mask from 255.255.255.255.

255.255.255.255 – Subnet mask = Wildcard mask

Once we have the wildcard mask, the remaining logic is relatively simple.

  • Decimal 0: the router must compare this octet exactly.
  • Decimal 255: the router ignores this octet.
  • Decimal 1 to 254: the router matches the listed block size in this octet.

Calculating a wildcard mask can be confusing even with the simplest method mentioned above. To understand the concept more clearly, let's work through some examples:

What wildcard mask would you use to match the following addresses?

  • All addresses from all networks
  • Single host address 200.100.1.10/24
  • All addresses from network 10.0.0.0/8
  • All addresses from network 172.168.0.0/16
  • All addresses from network 192.168.0.0/24
  • All addresses from network range 192.168.1.5/25
  • All addresses from network range 195.160.1.20/26
  • All addresses from network range 20.30.40.50/15

All addresses from all networks

To match this requirement we need an address that represents all networks. In IPv4 the address 0.0.0.0 represents all networks. Next we need a wildcard mask that ignores every octet. We know that the decimal value 255 tells the ACL to ignore an octet entirely and match every address. So to match all addresses from all networks we use the network address 0.0.0.0 with the wildcard mask 255.255.255.255.

To match all addresses from all networks we will use 0.0.0.0 255.255.255.255.

Single host address 200.100.1.10/24

To match a single host we use the exact-match wildcard mask. As we know, a decimal value of 0 in a wildcard mask octet asks the router to match that octet of the IP address exactly. So the wildcard mask for this question is 0.0.0.0.

To match this host we will use 200.100.1.10 0.0.0.0

All addresses from network 10.0.0.0/8

In this requirement we need to match all addresses from the given network. To match an address range we use the subtract method: subtract the subnet mask from 255.255.255.255 to get the required wildcard mask.

First write down the address with subnet mask.

10.0.0.0/8 = 10.0.0.0 255.0.0.0

Now subtract subnet mask from 255.255.255.255

      255 . 255 . 255 . 255
  (-) 255 .   0 .   0 .   0
  ---------------------------
        0 . 255 . 255 . 255

To match all addresses from this network we will use 10.0.0.0 0.255.255.255

All addresses from network 172.168.0.0/16

This requirement also matches an address range. Use the same subtract method to calculate the wildcard mask.

Write down the address with subnet mask

172.168.0.0/16 = 172.168.0.0 255.255.0.0

Now subtract subnet mask from 255.255.255.255

255.255.255.255 – 255.255.0.0 = 0.0.255.255

Our answer for this question will be 172.168.0.0 0.0.255.255

All addresses from network 192.168.0.0/24

Again we are matching an address range, so the method is the same.

Write down the address with subnet mask.

192.168.0.0/24 = 192.168.0.0 255.255.255.0

Now subtract subnet mask from 255.255.255.255

255.255.255.255 – 255.255.255.0 = 0.0.0.255

Our answer for this question will be 192.168.0.0 0.0.0.255

In the remaining questions we also match an address range, but this time the range is a subnetted network. A subnetted network is a smaller network created from a default network via subnetting.

To represent all addresses from a network we have to use the network address. But in these questions we are given host addresses instead of network addresses, so there is one more step: we need to find the network address from the given host address.

For this tutorial I assume that you know subnetting and its concepts, especially finding the network ID from a given host.

I have already explained subnetting and finding the network ID and broadcast ID from a given host in detail with examples. You can read that tutorial here:

Subnetting Explained with examples

All addresses from network range 192.168.1.5/25

Write down the address with subnet mask

192.168.1.5/25 = 192.168.1.5 255.255.255.128

Find the network address from given host

192.168.1.0 255.255.255.128

Now subtract subnet mask from 255.255.255.255

255.255.255.255 – 255.255.255.128 = 0.0.0.127

Our answer for this question will be 192.168.1.0 0.0.0.127

All addresses from network range 195.160.1.20/26

Write down the address with subnet mask

195.160.1.20/26 = 195.160.1.20 255.255.255.192

Find the network address from given host

195.160.1.0 255.255.255.192

Now subtract subnet mask from 255.255.255.255

255.255.255.255 – 255.255.255.192 = 0.0.0.63

Our answer for this question will be 195.160.1.0 0.0.0.63

All addresses from network range 20.30.40.50/15

Write down the address with subnet mask

20.30.40.50/15 = 20.30.40.50 255.254.0.0

Find the network address from given host

20.30.0.0 255.254.0.0

Now subtract subnet mask from 255.255.255.255

255.255.255.255 – 255.254.0.0 = 0.1.255.255

Our answer for this question will be 20.30.0.0 0.1.255.255
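The subtract method and the extra network-ID step for subnetted networks, as an added worked example (not part of the original tutorial). It generalises the procedure above to any prefix length and reproduces the answers worked out by hand; the function names are my own.

```python
import ipaddress


def wildcard_from_mask(subnet_mask: str) -> str:
    """Subtract method from the tutorial: 255.255.255.255 - subnet mask.
    Every octet of a subnet mask is at most 255, so each octet can be
    subtracted on its own and no borrow is ever needed."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))


def prefix_to_mask(prefix: int) -> str:
    """/8 -> 255.0.0.0, /25 -> 255.255.255.128, and so on."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def network_id(address: str, prefix: int) -> str:
    """The extra step for subnetted networks: zero the host bits of the
    given host address to obtain the network address."""
    net = ipaddress.IPv4Network(f"{address}/{prefix}", strict=False)
    return str(net.network_address)


def acl_source(cidr: str) -> str:
    """Turn 'host-or-network/prefix' into the 'address wildcard' pair that a
    standard ACL condition expects. A /32 yields the exact-match wildcard."""
    address, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    wildcard = wildcard_from_mask(prefix_to_mask(prefix))
    return f"{network_id(address, prefix)} {wildcard}"


def octet_rule(wildcard_octet: int) -> str:
    """The tutorial's three rules for reading one wildcard mask octet.
    For a wildcard produced by the subtract method the ignored bits are
    contiguous, so a value v between 1 and 254 covers a block of v + 1."""
    if wildcard_octet == 0:
        return "compare this octet exactly"
    if wildcard_octet == 255:
        return "ignore this octet"
    return f"match a block of {wildcard_octet + 1} values in this octet"


if __name__ == "__main__":
    for question in ("10.0.0.0/8", "192.168.1.5/25", "20.30.40.50/15"):
        print(question, "->", acl_source(question))
```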

Wildcard mask examples

IP Address With Wildcard Mask | Matches | Network Address with Subnet Mask
0.0.0.0 255.255.255.255 | Special wildcard mask that matches every packet compared against it (equal to the any keyword) |
172.168.1.15 0.0.0.0 | Matches the exact host address (equal to the host keyword) |
172.168.1.15 | If we omit the wildcard mask, a default wildcard of 0.0.0.0 (exact match) is used |
10.0.0.0 0.255.255.255 | Matches all addresses from network 10.0.0.0/8 | 10.0.0.0 255.0.0.0
172.168.1.0 0.0.255.255 | Matches all addresses from network 172.168.0.0/16 | 172.168.0.0 255.255.0.0
192.168.1.0 0.0.0.255 | Matches all addresses from network 192.168.1.0/24 | 192.168.1.0 255.255.255.0
50.0.0.10 0.0.0.255 | Matches all addresses from network 50.0.0.0/24 | 50.0.0.0 255.255.255.0
50.0.0.10 0.0.0.127 | Matches all addresses from network 50.0.0.0/25 | 50.0.0.0 255.255.255.128
50.0.0.10 0.0.127.255 | Matches all addresses from network 50.0.0.0/17 | 50.0.0.0 255.255.128.0
50.0.0.10 0.63.255.255 | Matches all addresses from network 50.0.0.0/10 | 50.0.0.0 255.192.0.0

Okay, now that we have a basic understanding of the IP ACL command and its parameters, let's put all of this together and create a real ACL.

Building Standard IP ACL condition with classical approach (Number method)

Suppose we want to allow only one host address, 20.0.0.10 255.0.0.0, and block all others. To meet this requirement we need to create two ACL conditions.

  1. Permit 20.0.0.10 255.0.0.0
  2. Block all

Router(config)#access-list 10 permit 20.0.0.10 0.0.0.0
Router(config)#access-list 10 deny any

The order of conditions plays a big role in filtering. If we had created the deny condition first, we would have blocked all traffic from all hosts, including 20.0.0.10. For example, look at the following conditions.

Router(config)#access-list 10 deny any
Router(config)#access-list 10 permit 20.0.0.10 0.0.0.0

This ACL blocks all traffic from all hosts. Why?

Because conditions are evaluated from top to bottom, and once a match is found no further conditions are checked. The first condition in this ACL matches all packets from all hosts, including 20.0.0.10, and its action is deny, so a matching packet is dropped immediately. Every packet from every host is therefore dropped by the first condition, and no packet ever reaches the second. This is why the order of conditions plays an important role in packet filtering.

We created two conditions here only to demonstrate ordering. Otherwise we would not need a condition that blocks all traffic, because one is already created and placed at the end of every ACL. It is called the implicit deny statement.

For this requirement we only need to create one condition.

Router(config)#access-list 10 permit 20.0.0.10 0.0.0.0

Or

Router(config)#access-list 10 permit host 20.0.0.10

For a single-host entry we can use either the 0.0.0.0 wildcard mask or the host keyword.
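A simulation of the top-down, first-match evaluation described above, including the implicit deny and the empty-ACL case, as an added example (not part of the original tutorial and not Cisco code). It parses the classical access-list lines shown above, so the two orderings can be compared side by side; the parser only understands the any, host and A.B.C.D [wildcard] source forms covered on this page.

```python
import ipaddress
from typing import List, NamedTuple


class Condition(NamedTuple):
    action: str    # "permit" or "deny"
    address: str   # source address written in the condition
    wildcard: str  # 0.0.0.0 = exact host, 255.255.255.255 = any


def parse_condition(line: str) -> Condition:
    """Parse one classical 'access-list <number> permit|deny <source>' line.
    The source may be 'any', 'host A.B.C.D', or 'A.B.C.D [wildcard]'."""
    parts = line.split()
    if parts[0] == "access-list":
        parts = parts[2:]  # drop 'access-list' and the ACL identifier number
    action, source = parts[0], parts[1:]
    if source[0] == "any":
        return Condition(action, "0.0.0.0", "255.255.255.255")
    if source[0] == "host":
        return Condition(action, source[1], "0.0.0.0")
    # An omitted wildcard mask defaults to the exact match 0.0.0.0.
    wildcard = source[1] if len(source) > 1 else "0.0.0.0"
    return Condition(action, source[0], wildcard)


def condition_matches(cond: Condition, packet_source: str) -> bool:
    """Router comparison: a wildcard bit of 0 means the bit must match,
    a wildcard bit of 1 means the bit is ignored."""
    packet = int(ipaddress.IPv4Address(packet_source))
    base = int(ipaddress.IPv4Address(cond.address))
    care = ~int(ipaddress.IPv4Address(cond.wildcard)) & 0xFFFFFFFF
    return ((packet ^ base) & care) == 0


def evaluate(acl: List[Condition], packet_source: str) -> str:
    """Top-down, first match wins. An empty ACL permits everything; a
    non-empty ACL ends with the implicit deny."""
    if not acl:
        return "permit"
    for cond in acl:
        if condition_matches(cond, packet_source):
            return cond.action
    return "deny"  # implicit deny statement


def build(lines: List[str]) -> List[Condition]:
    return [parse_condition(line) for line in lines]
```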

Okay, now we know how to create a standard ACL with the classical approach. In the next section we will create the same condition with the modern approach.

Modern approach (numbered or named)

Router(config)#ip access-list standard Secure_telnet
Router(config-std-nacl)#permit 20.0.0.10 0.0.0.0
Router(config-std-nacl)#exit
Router(config)#

Or

Router(config)#ip access-list standard 10
Router(config-std-nacl)#permit 20.0.0.10 0.0.0.0
Router(config-std-nacl)#exit
Router(config)#

In the modern approach the configuration style is different from the classical approach. We start the command with ip access-list instead of access-list, which tells the router that we are creating a modern ACL.

In the next parameter we specify whether we are creating a standard ACL or an extended ACL.

In the next parameter we define a unique identifier for this ACL. We can use either a number or a name here. When using the modern approach, we should use a descriptive name rather than a number.

After entering the name or number, press Enter to enter access-list configuration mode.

From access-list configuration mode we specify what to allow and what to block.

When finished, use the exit command to return to global configuration mode.

Okay, now we know both the classical and the modern approach to creating a standard ACL. Before we move forward, let's have a quick look at the advantages the modern approach provides over the classical one.

  • In the classical method we can only append a new condition at the end of the ACL. We cannot insert a new condition in the middle. The only way to insert a line in the middle is to delete the existing ACL and recreate it with the modification. In the modern method we can insert a new condition wherever we want without recreating the entire ACL.
  • In the classical method we cannot remove a single condition from an ACL. The only way to remove a condition is to delete the entire ACL and recreate it. In the modern method we can delete any condition from the ACL.
  • The modern approach assigns sequence numbers to the conditions we create. With these sequence numbers we can modify an existing ACL without recreating it.

No matter which method we use to create a standard ACL, the process of applying it is the same.

Enabling Standard IP ACL

The following commands are used to activate an ACL on an interface.

Router(config)#interface type [slot_#]port_#
Router(config-if)#ip access-group ACL_# in|out

The first command enters interface configuration mode.

The second command enables the ACL. It accepts two parameters: ACL_# and in|out.

ACL_#: With this parameter we specify which ACL to associate with this interface. In our case we use either 10 (numbered identifier) or Secure_telnet (named identifier).

in|out: With this parameter we specify the direction of the filter. The in keyword filters inbound traffic; the out keyword filters outbound traffic.

The following commands activate standard ACL number 10 on the Serial 0/0/0 interface in the inbound direction.

Router(config)#interface serial 0/0/0
Router(config-if)#ip access-group 10 in

The following commands activate the standard ACL named Secure_telnet on the Serial 0/0/1 interface in the outbound direction.

Router(config)#interface serial 0/0/1
Router(config-if)#ip access-group Secure_telnet out

Key points

  • We can apply the same ACL to multiple interfaces.
  • We can enable the same ACL twice on the same interface, once in each direction (inbound and outbound).
  • We cannot enable the same ACL twice on the same interface in the same direction.
  • An empty ACL permits all traffic.
  • The implicit deny condition works only if the ACL has at least one user-defined condition.
  • We should place only one ACL per interface, direction and type. For example, there is no use in placing two standard ACLs on the same interface in the same direction.

That’s all for this part. In next part of this article we will practically implement what we have learned from this part.
