Configure Standard Access Control List Step by Step Guide

There are two types of access lists: standard and extended. This tutorial explains how to configure, view, edit, update, and delete a standard named access control list through a Packet Tracer example.

Lab setup

Create a Packet Tracer lab as shown in the following image.

Example network

Configure IP addresses as shown in the above image and enable the RIPv2 protocol for routing and test connectivity between sections. To test connectivity between sections, you can use the ping command. The following image shows a connectivity test between Laptop1 and Server0.

Verifying setup

If all end devices can access each other, the lab is ready for practice. If you have a connectivity-related issue or cannot replicate this lab, you can download and use the following pre-created lab.

Download Packet Tracer Lab with Initial Configuration

Objectives

Create and implement a standard access list that blocks the Students section from accessing the Server section.

Understanding the requirement

The Students section uses IP subnet 10.0.0.0/8. All packets originating from this section have IP addresses on this subnet. If you create a standard ACL with a deny statement for this subnet, the ACL will drop all packets with an IP address from this subnet as the source address.

Selecting the location and direction for the ACL

A router's interface uses the ACL to filter traffic passing through it. An incorrectly placed ACL can block all traffic passing through that interface, not just the traffic you intended to filter. Before creating and implementing an ACL, you must select the correct interface and direction. This network has seven locations where you can implement this ACL. The following image shows these locations and the direction that you can use to filter traffic.

ACL location

The following table lists the above locations and the ACLs' effect on each.

Location Interface Direction Effect
1 Router1's Gig0/0 In The Students section will not be able to access the Server and the Teachers section.
2 Router1's Gig0/2 Out The Students section will not be able to access the Server and Teachers section.
3 Router0's Gig0/2 In The Students section will not be able to access the Server and Teachers section.
4 Router0's Gig0/0 Out The Students section will not be able to access the Server section, but it will be able to access the Teachers section.
5 Router0's Gig0/1 Out The Students section will not be able to access the Teachers section, but it will be able to access the Server section.
6 Router1's Gig0/1 In The Students section will not be able to access the Teachers section, but it will be able to access the Server section.
7 Router1's Gig0/0 Out The Students section will not be able to access the Teachers section, but it will be able to access the Server section.

As the above table shows, the correct location for our ACL is Router0's Gig0/0, and the proper direction is out.

Standard ACL configuration commands

You have two commands to create a standard access list: 'access-list' and 'ip access-list'. The main difference between them is that the 'ip access-list' command lets you update or modify individual entries after creating them, whereas the 'access-list' command does not. You can use either one. This tutorial uses the 'ip access-list' command.

The 'ip access-list' command is a global configuration mode command. To create a standard access list, use the following syntax.

Router(config)# ip access-list standard ACL_#

The ACL_# is the name or number of the standard ACL. When you press Enter after entering this command, the command prompt changes, and you enter standard ACL configuration mode.

Router(config-std-nacl)#

In standard ACL configuration mode, use the following syntax to create statements.

Router(config)# ip access-list standard ACL_name
Router(config-std-nacl)# permit|deny source_IP_address [wildcard_mask]

An ACL does nothing until you apply it to an interface. To apply it, enter interface configuration mode and use the following commands.

Router(config)# interface type [slot_#]port_#
Router(config-if)# ip access-group ACL_# in|out

Once applied, the interface processes all packets through the ACL.

Creating a standard ACL

Access the command prompt of Router0 and run the following commands.

Router>
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip access-list standard BlockStudents
Router(config-std-nacl)#deny 10.0.0.0 0.255.255.255
Router(config-std-nacl)#permit any
Router(config-std-nacl)#exit
Router(config)#interface gigabitethernet 0/0
Router(config-if)#ip access-group BlockStudents out
Router(config-if)#exit
Router(config)#exit
Router#

  • The first two commands enter global configuration mode.
  • The next command creates a standard named ACL called BlockStudents and enters ACL configuration mode.
  • The next two commands, entered in ACL configuration mode, add two statements. The first statement denies all traffic whose source address is in the 10.0.0.0/8 subnet. The second statement permits all other traffic; without it, the implicit deny at the end of the ACL would drop everything.
  • The following command exits ACL configuration mode.
  • The following command enters interface configuration mode for GigabitEthernet 0/0.
  • The following command applies the BlockStudents ACL in the out direction.
  • The last two commands exit interface configuration mode and global configuration mode, respectively.

ACL implementation

Verifying

To verify the ACL, you can test connectivity between sections. The Students section should not be able to access the Server section, but it should be able to access the Teachers section. The Teachers section should be able to access both the Server and the Students sections. You can use the ping command to test connectivity.

Verifying ACL

Configured Packet Tracer Lab

The following link provides the configured Packet Tracer lab for this example.

Download Packet Tracer Lab with ACL Configuration

Modifying/updating a standard ACL entry

To modify or update a standard ACL, follow these steps.

  • Use the 'show access-lists' command to view the sequence number of the statement.
  • Enter standard ACL configuration mode.
  • Delete the existing statement with the 'no [sequence number]' command.
  • Insert the modified, updated, or new statement with the sequence number of the old statement.

Let's take an example. Instead of blocking the entire subnet, you want to block only a single host (10.0.0.10/8) from the Students section. To do this, access the CLI prompt on Router0 and run the following commands.

Router>
Router#show access-lists
Standard IP access list BlockStudents
10 deny 10.0.0.0 0.255.255.255
20 permit any
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip access-list standard BlockStudents
Router(config-std-nacl)#no 10
Router(config-std-nacl)#10 deny 10.0.0.10 0.0.0.0
Router(config-std-nacl)#exit
Router(config)#exit
Router#
Router#show access-lists
Standard IP access list BlockStudents
10 deny host 10.0.0.10
20 permit any
Router#

  • The 'show access-lists' command shows all ACLs. You can use it to check the sequence number of the entry that blocks the entire Students section. The output shows that the entry's sequence number is 10.
  • The following command enters ACL configuration mode.
  • The following command deletes the current statement.
  • The following command replaces the deleted statement with the new one, reusing sequence number 10 so it keeps its position ahead of the 'permit any' statement. Since the ACL is already active on the interface, the interface starts using the new statement as soon as you add it.
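As an added example that is not part of the tutorial, the following Python script models how a standard ACL such as BlockStudents, and its later single-host update, evaluates a packet's source address: entries are checked in sequence-number order, the first match decides, a wildcard mask marks the bits to ignore, and an implicit deny ends the list. The source addresses used in it are constructed.

```python
import ipaddress

# Added example, not from the tutorial: a model of how a Cisco IOS standard ACL
# evaluates a packet's source address. Entries are tried in sequence-number
# order, the first match decides, and an implicit "deny any" ends every ACL.

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_statement(text):
    # Accepts 'deny 10.0.0.0 0.255.255.255', 'permit any', 'deny host 10.0.0.10'
    parts = text.split()
    if parts[1] == "any":
        return parts[0], "0.0.0.0", "255.255.255.255"  # every bit is don't-care
    if parts[1] == "host":
        return parts[0], parts[2], "0.0.0.0"           # every bit must match
    return parts[0], parts[1], parts[2] if len(parts) > 2 else "0.0.0.0"

def wildcard_match(src, addr, wildcard):
    care = 0xFFFFFFFF ^ _ip(wildcard)   # a 1 bit in the wildcard means "ignore"
    return (_ip(src) & care) == (_ip(addr) & care)

class StandardACL:
    def __init__(self, name):
        self.name = name
        self.entries = {}                # sequence number -> (action, addr, wildcard)
    def add(self, seq, statement):       # same as "10 deny host 10.0.0.10"
        self.entries[seq] = parse_statement(statement)
    def remove(self, seq):               # same as "no 10"
        del self.entries[seq]
    def evaluate(self, src):
        for seq in sorted(self.entries):
            action, addr, wildcard = self.entries[seq]
            if wildcard_match(src, addr, wildcard):
                return action
        return "deny"                    # implicit deny at the end of the ACL

def block_students():
    # The BlockStudents ACL exactly as the tutorial configures it
    acl = StandardACL("BlockStudents")
    acl.add(10, "deny 10.0.0.0 0.255.255.255")
    acl.add(20, "permit any")
    return acl

def block_single_host(acl):
    # The tutorial's update: replace entry 10 so that only 10.0.0.10 is denied
    acl.remove(10)
    acl.add(10, "deny host 10.0.0.10")
    return acl
```

Swapping the sequence numbers of the two statements shows why order matters: a 'permit any' that precedes the deny makes the deny unreachable.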

To verify the change, send ping requests again from both the blocked and allowed hosts.

Testing ACLs

Updated Packet Tracer Lab

The following link provides the updated Packet Tracer lab for this example.

Download the updated Packet Tracer Lab with ACL Configuration

Deleting a standard ACL

To delete a standard ACL, use the following command in global configuration mode.

Router(config)# no ip access-list standard ACL_#

Replace ACL_# with the ACL name or number. Deleting the ACL removes all of its statements at once. The following command deletes the BlockStudents ACL.

Router(config)# no ip access-list standard BlockStudents

This tutorial is part of the tutorial "Cisco Access List Commands, Concepts, and Configurations". Other parts of this tutorial are as follows:

Chapter 01  Definition, purposes, benefits, and functions of ACL
Chapter 02  Basic concepts and fundamentals of ACLs
Chapter 03  How Access Lists work on Cisco routers
Chapter 04  Types of access control lists explained
Chapter 05  Wildcard Masks in ACLs Explained
Chapter 06  Rules and configuration guidelines for Cisco ACLs
Chapter 07  Access Control List Explained with Examples
Chapter 08  The ip access-list command options and arguments
Chapter 09  Standard ACL Configuration Commands Explained
Chapter 10  Configure Standard Access Control List Step-by-Step Guide
Chapter 11  How to secure VTY access to the Router
Chapter 12  Extended ACL Configuration Commands Explained
Chapter 13  Configure Extended Access Control List Step-by-Step Guide
Chapter 14  How to block ICMP Ping on Cisco Routers

Conclusion

ACLs allow you to control and secure network traffic based on various criteria. There are many types of ACLs. This tutorial explained how to create, implement, verify, and delete a standard named ACL using a Packet Tracer example. By following the steps outlined in this tutorial, you can effectively manage and secure your network infrastructure.
