Standard ACL Configuration Commands Explained

You can use either a name or a number to create a standard access list. If you use a number, it is called a numbered standard access list. If you use a name, it is called a named standard access list. Whichever option you choose, the ACL filters traffic the same way. The only advantage of a named ACL over a numbered ACL is that it lets you edit individual entries; you cannot edit an entry in a numbered ACL. This tutorial explains how to create, implement, and manage numbered standard ACLs.

Lab setup

Either create a Packet Tracer lab as shown in the following image, or download the pre-created lab and load it into Packet Tracer.

Download Packet Tracer Lab with Initial Configuration

Standard access list example network

This network has three segments.

Segment    Network       Connected to the router's interface
Students   10.0.0.0/8    GigabitEthernet0/0
Teachers   20.0.0.0/8    GigabitEthernet0/1
Server     30.0.0.0/8    GigabitEthernet0/2

This network has no ACL. All segments can reach each other. You can use the ping command to test connectivity between these segments. The following image verifies connectivity between PC0 of the Students segment and Server0 of the Server segment.

Testing setup

Objectives

Create and implement an ACL that serves the following purposes.

  • Allow the Students segment to access the Teachers segment.
  • Block the Students segment from accessing the Server segment.
  • Allow the Teachers segment to access the Students and Server segments.

Creating a standard ACL

Access the router's CLI prompt and run the following commands.

Router>enable
Router#configure terminal
Router(config)#access-list 10 deny 10.0.0.0 0.255.255.255
Router(config)#access-list 10 permit 20.0.0.0 0.255.255.255
Router(config)#

You can create an access list only in global configuration mode. The first two commands enter global configuration mode. The next two commands create a standard access list with two statements. The first statement denies all traffic whose source address is in the network 10.0.0.0; the second permits all traffic whose source address is in the network 20.0.0.0. The ACL uses the number 10 as its identifier.

Implementing the ACL

An ACL works only when you apply it to an interface. To use this ACL, you must apply it to the proper interface in the correct direction.

Which interface and direction are correct for this ACL?

This ACL works properly if you apply it to GigabitEthernet0/2 in the outbound direction. That interface is the last exit point for traffic originating from the network 10.0.0.0. Because a standard ACL filters only on the source address, you should apply it at the last exit point, as close to the destination as possible. This practice still allows the source to communicate with other parts of the network, such as the Teachers segment. The following commands apply this ACL to GigabitEthernet0/2 in the outbound direction.

Router(config)#interface gigabitEthernet 0/2
Router(config-if)#ip access-group 10 out

Standard numbered ACL configuration

Once this ACL is applied, the router takes the following steps before sending each packet out of GigabitEthernet0/2.

  • It will check the packet's source address.
  • If it belongs to the network 10.0.0.0, it drops the packet.
  • If it belongs to the network 20.0.0.0, it allows the packet.
  • If it belongs to another network, it drops the packet.
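The matching steps above, written out as a small Python model (added here as an illustration; it is not IOS code and not part of the original tutorial). It reproduces the wildcard-mask comparison, the top-down first-match rule, the implicit deny at the end of every ACL, and the per-entry hit counters that show ip access-lists reports. The source addresses are constructed sample hosts in each lab segment.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    action: str    # "permit" or "deny"
    network: str   # e.g. "10.0.0.0"
    wildcard: str  # e.g. "0.255.255.255": a 0 bit must match, a 1 bit is ignored

def matches(entry: Entry, src: str) -> bool:
    """Compare only the bits where the wildcard mask is 0."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(entry.wildcard))
    net = int(ipaddress.IPv4Address(entry.network))
    ip = int(ipaddress.IPv4Address(src))
    return (ip & care) == (net & care)

def evaluate(acl: list[Entry], src: str) -> tuple[str, int | None]:
    """Walk the ACL top to bottom; the first match decides.
    No match means the implicit 'deny any' drops the packet (index None)."""
    for i, entry in enumerate(acl):
        if matches(entry, src):
            return entry.action, i
    return "deny", None

# access-list 10 from this tutorial, applied outbound on GigabitEthernet0/2
ACL_10 = [
    Entry("deny", "10.0.0.0", "0.255.255.255"),
    Entry("permit", "20.0.0.0", "0.255.255.255"),
]

# Constructed sample sources: one host per lab segment plus an unlisted network
SAMPLES = {"PC0 (Students)": "10.0.0.10", "Teacher PC": "20.0.0.10",
           "Server0": "30.0.0.10", "unlisted host": "40.0.0.1"}

def check_objectives() -> dict[str, str]:
    """Verdict the router gives each sample packet before sending it out Gi0/2."""
    return {host: evaluate(ACL_10, ip)[0] for host, ip in SAMPLES.items()}

def hit_counts(acl: list[Entry], sources: list[str]) -> list[int]:
    """Per-entry match counters, like the '(N matches)' column of show ip access-lists."""
    counts = [0] * len(acl)
    for src in sources:
        _, idx = evaluate(acl, src)
        if idx is not None:
            counts[idx] += 1
    return counts

if __name__ == "__main__":
    for host, verdict in check_objectives().items():
        print(f"{host:<16} -> {verdict}")
    print("hit counts:", hit_counts(ACL_10, list(SAMPLES.values())))
```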

The following image verifies that the Students segment cannot access the Server segment after the ACL is applied.

Testing ACL implementation

The following image verifies that the Teachers segment can still access the Students and Server segments even after the ACL is applied.

Verifying ACL implementation

The show ip access-lists command

The 'show ip access-lists' command displays the entries of every configured ACL. It also shows how many packets have matched each entry, which is the quickest way to confirm that an applied ACL is actually seeing traffic. The following image shows the output of this command.

The show ip access list command

Configured lab

The following link provides the configured Packet Tracer lab for this example.

Packet Tracer Lab with ACL implementation

This tutorial is part of the tutorial "Cisco Access List Commands, Concepts, and Configurations". Other parts of this tutorial are as follows:

Chapter 01  Definition, purposes, benefits, and functions of ACL
Chapter 02  Basic concepts and fundamentals of ACLs
Chapter 03  How Access Lists work on Cisco routers
Chapter 04  Types of access control lists explained
Chapter 05  Wildcard Masks in ACLs Explained
Chapter 06  Rules and configuration guidelines for Cisco ACLs
Chapter 07  Access Control List Explained with Examples
Chapter 08  The ip access-list command options and arguments
Chapter 09  Standard ACL Configuration Commands Explained
Chapter 10  Configure Standard Access Control List Step-by-Step Guide
Chapter 11  How to secure VTY access to the Router
Chapter 12  Extended ACL Configuration Commands Explained
Chapter 13  Configure Extended Access Control List Step-by-Step Guide
Chapter 14  How to block ICMP Ping on Cisco Routers

Conclusion

Creating and implementing standard access lists is a crucial step in managing network traffic and enhancing security. This tutorial demonstrated how to create, apply, and verify a standard numbered ACL that allows specific access between network segments while blocking unauthorized traffic. Mastering this skill helps you protect network resources and control traffic flow efficiently.
