This tutorial explains the commands and configurations you need to create, implement and test a standard access list through a packet tracer example.
You can create a standard access list in two ways: by using a number or by using a name. If you use a number to create the standard access list, it is known as a numbered standard access list. If you use a name to create the standard access list, it is known as a named standard access list.
No matter which method you use to create an ACL, it works similarly. The only advantage of a named ACL over a numbered ACL is that it allows you to edit statements. You can edit a statement in a named ACL, but you can't edit a statement in a numbered ACL.
In this tutorial, we will take an example of a numbered ACL. We will take an example of a named ACL in the next part of this tutorial.
This tutorial is the ninth part of the article 'Cisco Access Lists Explained with Examples'. The other parts of this article are the following.
Definition, purposes, benefits, and functions of ACL
Basic concepts and fundamentals of ACLs
How Access Lists work on Cisco routers
Types of access control lists explained
Wildcard masks in ACLs Explained
Rules and configuration guidelines for Cisco ACLs
Access Control List Explained with Examples
The ip access-list command options and arguments
Configure Standard Access Control List Step by Step Guide
How to secure VTY access to the Router
Extended ACL Configuration Commands Explained
Configure Extended Access Control List Step by Step Guide
How to block ICMP Ping on Cisco Routers
Creating and implementing a standard numbered ACL
Either create a packet tracer lab as shown in the following image or download the following pre-created lab and load on Packet Tracer.
Download Packet Tracer Lab with Initial Configuration
In this network, there are three segments.
| Segment | Network | Connected to the router's interface |
|---|---|---|
| Students | 10.0.0.0/8 | GigabitEthernet0/0 |
| Teachers | 20.0.0.0/8 | GigabitEthernet0/1 |
| Server | 30.0.0.0/8 | GigabitEthernet0/2 |
Currently, this network has no ACL. All segments can reach each other.
To test connectivity between segments, you can use the ping command. The following image verifies that PC0 from the Students segment can access Server0 from the Server segment.
Now, we want to create an ACL that serves the following purposes.
- Allow the Students segment to access the Teachers segment.
- Block the Students segment from accessing the Server segment.
- Allow the Teachers segment to access the Students segment and the server segment.
Creating a standard ACL
Access the CLI prompt of Router and run the following commands.
```
Router>enable
Router#configure terminal
Router(config)#access-list 10 deny 10.0.0.0 0.255.255.255
Router(config)#access-list 10 permit 20.0.0.0 0.255.255.255
Router(config)#
```
Let's discuss the above commands.
We can create an access list only in global configuration mode. We used the first two commands to enter global configuration mode. We used the next two commands to create a standard access list with two statements. The first statement denies all traffic from the network 10.0.0.0. The second statement allows all traffic from the network 20.0.0.0. We assigned the number 10 to this ACL.
Implementing the ACL
An ACL works only when it is applied to an interface. To use this ACL, we have to apply it to the proper interface in the correct direction.
Can you guess the interface and the direction for this ACL?
We will apply this ACL to GigabitEthernet 0/2 in the outward direction. This is the last exit point for the traffic originating from the network 10.0.0.0. A standard ACL should be applied on the last exit point. This practice allows the source to communicate with other parts of the network.
Let’s apply this ACL to the GigabitEthernet0/2 in the outward direction.
```
Router(config)#interface gigabitEthernet 0/2
Router(config-if)#ip access-group 10 out
```
The following image shows how to execute the above commands on the router.
Once this ACL is implemented, the router takes the following steps before sending each packet out to Gigabit Ethernet 0/2.
It will check the source address of the packet. If the packet belongs to the network 10.0.0.0, it will drop the packet. If the packet belongs to the network 20.0.0.0, it will allow the packet. If the packet belongs to any other network, it will drop the packet.
The output of the ping command in the following image verifies that the Students segment cannot access the Server segment after the ACL is applied.
The output of the ping command in the following image verifies that the Teachers segment can still access the Students segment and the Server segment even after the ACL is applied.
The show ip access-lists command
You can use the 'show ip access-lists' command to view the entries of the ACLs. This command also shows the number of packets matched with each entry. The following image shows the output of this command.
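To make the evaluation order described above (top-down, first match wins, implicit deny at the end) and the per-entry match counters concrete, here is an added Python simulation of access list 10 applied outbound on GigabitEthernet0/2. It is example code written for this tutorial, not the router's own logic or any vendor library, and the packet sources it checks are constructed sample values.

```python
import ipaddress


class Entry:
    """One statement of a standard ACL: action, network and wildcard mask."""

    def __init__(self, action, network, wildcard):
        self.action = action          # "permit" or "deny"
        self.network = network        # e.g. "10.0.0.0"
        self.wildcard = wildcard      # e.g. "0.255.255.255"
        self.matches = 0              # counter, like 'show ip access-lists'

    def matches_source(self, src):
        # Wildcard bit 0 = "must match", bit 1 = "don't care", so a source
        # matches when every "must match" bit equals the network's bit.
        net = int(ipaddress.IPv4Address(self.network))
        care = ~int(ipaddress.IPv4Address(self.wildcard)) & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(src)) & care) == (net & care)


class StandardAcl:
    def __init__(self, number):
        self.number = number
        self.entries = []

    def add(self, action, network, wildcard):
        self.entries.append(Entry(action, network, wildcard))

    def check(self, src):
        # A standard ACL looks only at the source address. Entries are
        # evaluated top-down and the first matching entry decides.
        for entry in self.entries:
            if entry.matches_source(src):
                entry.matches += 1
                return entry.action
        return "deny"  # implicit deny at the end of every ACL

    def show(self):
        # Approximation of 'show ip access-lists' (not the exact IOS layout).
        lines = ["Standard IP access list %d" % self.number]
        for e in self.entries:
            lines.append("    %s %s %s (%d match(es))"
                         % (e.action, e.network, e.wildcard, e.matches))
        return "\n".join(lines)


def build_acl_10():
    acl = StandardAcl(10)
    acl.add("deny", "10.0.0.0", "0.255.255.255")     # Students segment
    acl.add("permit", "20.0.0.0", "0.255.255.255")   # Teachers segment
    return acl


if __name__ == "__main__":
    acl = build_acl_10()
    # Constructed packets leaving GigabitEthernet0/2 towards the Server segment.
    for src in ["10.0.0.5", "20.0.0.7", "10.255.255.1", "192.168.1.1"]:
        print(src, "->", acl.check(src))
    print(acl.show())
```

Running the block shows the Students hosts and the unlisted 192.168.1.1 source denied (the latter by the implicit deny, so no counter increments), while the Teachers host is permitted.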
Configured lab
The following link provides the configured packet tracer lab of this example.
Packet Tracer Lab with ACL implementation
That's all for this tutorial. In the next part of this tutorial, we will learn how to create, implement, and verify a named standard access list.