Standard ACL Configuration Commands Explained

This tutorial explains the commands and configurations you need to create, implement and test a standard access list through a packet tracer example.

You can create a standard access list in two ways: by using a number or by using a name. If you use a number to create the standard access list, it is known as a numbered standard access list. If you use a name to create the standard access list, it is known as a named standard access list.

Both types of ACL filter traffic in the same way. The only advantage of a named ACL over a numbered ACL is that it lets you edit individual statements: you can edit a statement in a named ACL, but you cannot edit a statement in a numbered ACL once it has been entered.

In this tutorial, we will take an example of a numbered ACL. We will take an example of a named ACL in the next part of this tutorial.

Creating and implementing a standard numbered ACL

Either create a Packet Tracer lab as shown in the following image, or download the following pre-created lab and load it in Packet Tracer.

Download Packet Tracer Lab with Initial Configuration

[Image: standard access list example network]

In this network, there are three segments.

Segment     Network        Connected to the router's interface
Students    10.0.0.0/8     GigabitEthernet0/0
Teachers    20.0.0.0/8     GigabitEthernet0/1
Server      30.0.0.0/8     GigabitEthernet0/2

Currently, this network has no ACL. All segments can reach each other.

To test connectivity between segments, you can use the ping command. The following image verifies that PC0 from the Students segment can access Server0 from the Server segment.

[Image: testing setup]

Now, we want to create an ACL that serves the following purposes.

  • Allow the Students segment to access the Teachers segment.
  • Block the Students segment from accessing the Server segment.
  • Allow the Teachers segment to access the Students segment and the Server segment.

Creating a standard ACL

Access the CLI prompt of Router and run the following commands.

Router>enable
Router#configure terminal
Router(config)#access-list 10 deny 10.0.0.0 0.255.255.255
Router(config)#access-list 10 permit 20.0.0.0 0.255.255.255
Router(config)#

Let's discuss the above commands.

An access list can be created only in global configuration mode. The first two commands enter global configuration mode. The next two commands create a standard access list, numbered 10, with two statements: the first denies all traffic sourced from the network 10.0.0.0, and the second permits all traffic sourced from the network 20.0.0.0. The wildcard mask 0.255.255.255 tells the router to compare only the first octet of the source address, so every host in the /8 network matches the statement.

Implementing the ACL

An ACL works only when it is applied to an interface. To use this ACL, we have to apply it to the proper interface in the correct direction.

Can you guess the interface and the direction for this ACL?

We will apply this ACL to GigabitEthernet0/2 in the outbound direction. That interface is the last exit point for traffic from the network 10.0.0.0 towards the Server segment. A standard ACL should be applied at the last exit point (as close to the destination as possible), because that placement blocks only the unwanted traffic and still allows the source to communicate with the rest of the network.

Let's apply this ACL to GigabitEthernet0/2 in the outbound direction.

Router(config)#interface gigabitEthernet 0/2
Router(config-if)#ip access-group 10 out

The following image shows how to execute the above commands on the router.

[Image: standard numbered acl configuration]

Once this ACL is applied, the router takes the following steps before sending each packet out of GigabitEthernet0/2.

It checks the source address of the packet against the statements in order, from top to bottom, and the first matching statement decides the outcome. If the packet comes from the network 10.0.0.0, the first statement drops it. If the packet comes from the network 20.0.0.0, the second statement permits it. If the packet comes from any other network, it matches neither statement and is dropped by the implicit deny that ends every ACL.
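To make the matching rules concrete, here is an added example (not part of the original tutorial) that models how a Cisco IOS standard ACL evaluates a source address: the wildcard-mask comparison, top-to-bottom first-match ordering, the implicit deny at the end, and the per-statement hit counters that 'show ip access-lists' reports. It parses the two statements configured above and also accepts the `host` and `any` keywords, which the tutorial does not use. The sample source addresses are constructed for the example.

```python
"""Model of Cisco IOS standard ACL evaluation (added example, not from the tutorial)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The two statements configured on the router in this tutorial.
CONFIG_LINES = [
    "access-list 10 deny 10.0.0.0 0.255.255.255",
    "access-list 10 permit 20.0.0.0 0.255.255.255",
]


@dataclass
class AclEntry:
    action: str       # "permit" or "deny"
    address: int      # network address as a 32-bit integer
    wildcard: int     # wildcard mask as a 32-bit integer (1 bits mean "don't care")
    text: str         # original statement, kept for display
    matches: int = 0  # hit counter, like the "(n match(es))" column of show ip access-lists


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_standard_acl_line(line: str) -> Tuple[int, AclEntry]:
    """Parse 'access-list <1-99> permit|deny (<addr> [wildcard] | host <addr> | any)'."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list":
        raise ValueError(f"not a standard access-list statement: {line!r}")
    number = int(parts[1])
    if not 1 <= number <= 99:
        raise ValueError(f"standard ACLs use numbers 1-99 (got {number})")
    action = parts[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny: {action!r}")
    if parts[3] == "any":
        address, wildcard = 0, 0xFFFFFFFF          # every bit is "don't care"
    elif parts[3] == "host":
        if len(parts) < 5:
            raise ValueError(f"'host' needs an address: {line!r}")
        address, wildcard = _ip(parts[4]), 0        # every bit must match
    else:
        address = _ip(parts[3])
        # A missing wildcard means "this exact host", i.e. wildcard 0.0.0.0.
        wildcard = _ip(parts[4]) if len(parts) > 4 else 0
    return number, AclEntry(action, address, wildcard, line)


def build_acls(lines: List[str]) -> Dict[int, List[AclEntry]]:
    """Group statements by ACL number, preserving the order they were entered."""
    acls: Dict[int, List[AclEntry]] = {}
    for line in lines:
        number, entry = parse_standard_acl_line(line)
        acls.setdefault(number, []).append(entry)
    return acls


def entry_matches(entry: AclEntry, source: str) -> bool:
    """Bits that are 0 in the wildcard must equal the address; bits that are 1 are ignored."""
    care = ~entry.wildcard & 0xFFFFFFFF
    return (_ip(source) & care) == (entry.address & care)


def evaluate(acl: List[AclEntry], source: str) -> str:
    """Walk the ACL top to bottom; the first match wins and is counted.
    A source that matches no statement falls through to the implicit deny."""
    for entry in acl:
        if entry_matches(entry, source):
            entry.matches += 1
            return entry.action
    return "deny"


def match_counts(acl: List[AclEntry]) -> List[Tuple[str, int]]:
    """Return (statement, hits) pairs, the information show ip access-lists displays."""
    return [(e.text, e.matches) for e in acl]


if __name__ == "__main__":
    acl10 = build_acls(CONFIG_LINES)[10]
    # Constructed sample sources: one host from each segment in the lab.
    for src in ("10.0.0.5", "20.0.0.7", "30.0.0.9"):
        print(f"{src:>10} -> {evaluate(acl10, src)}")
    for text, hits in match_counts(acl10):
        print(f"{hits} match(es): {text}")
```

Running the script shows the 10.0.0.0 host denied by the first statement, the 20.0.0.0 host permitted by the second, and the 30.0.0.0 host denied even though no statement names it, which is exactly the implicit deny the text describes. The hit counters increment only on the statement that made the decision, so a packet dropped by the implicit deny leaves every counter untouched.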

The output of the ping command in the following image verifies that the Students segment cannot access the Server segment after the ACL is applied.

[Image: testing acl implementation]

The output of the ping command in the following image verifies that the Teachers segment can still access the Students segment and the Server segment even after the ACL is applied.

[Image: verifying acl implementation]

The show ip access-lists command

You can use the 'show ip access-lists' command to view the entries of the configured ACLs. This command also shows the number of packets that have matched each entry, which is a quick way to confirm that the ACL is actually filtering the traffic you expect. The following image shows the output of this command.

[Image: show ip access-lists command output]

Configured lab

The following link provides the configured packet tracer lab of this example.

Packet Tracer Lab with ACL implementation

That's all for this tutorial. In the next part of this tutorial, we will learn how to create, implement, and verify a named standard access list.
