How to Configure Standard ACL on Cisco Router

An Access Control List (ACL, or simply access list) is a security feature that filters network traffic according to a set of configured statements. An ACL can filter either inbound or outbound traffic on an interface. Once you apply an access list to a router interface, the router examines every packet crossing that interface in the specified direction and takes the action (permit or deny) of the first statement the packet matches. In this post, we demonstrate the basics of ACLs and how to configure a Standard ACL on a Cisco router using Cisco Packet Tracer. The same steps apply to Standard ACLs in GNS3 or on real Cisco routers.

Types of ACL

An ACL is one of the following two types.

  1. Standard access lists

A Standard ACL can match only the source IP address of an IP packet. Standard access lists are typically used to permit or deny an entire host or network. They cannot filter individual protocols or services such as FTP and Telnet, because they never look at the destination address, the protocol or the port. Numbered standard ACLs use the ranges 1-99 and 1300-1999.

  2. Extended access lists

Extended access lists match on the source as well as the destination address, and optionally on the protocol and port numbers. An extended ACL can therefore filter a specific protocol or service. For example, you can deny a host access to Telnet while permitting its other services. Numbered extended ACLs use the ranges 100-199 and 2000-2699.

An ACL can be configured using either a number or a name. An ACL configured with a name is referred to as a Named ACL.

Configure Standard ACL

In this post, we will learn how to configure a Standard ACL on Cisco routers. Before configuring an ACL, we explain the command syntax used to configure it. As discussed earlier, you can use either the numbered ACL method or the Named ACL method.

The following figure shows the command syntax used to configure an ACL.

[Figure: Syntax to configure ACL]

We will use the following topology to demonstrate how to configure an ACL.

[Figure: Configure Standard Access list]

Once you have created the preceding topology, configure the IP addresses shown in it. We assume that you are already familiar with configuring IP addresses on Cisco devices. If you have any problem configuring IP addresses on the devices in the topology, please visit the following link for step-by-step IP configuration.

Basic router configuration

Once you have configured the IP addresses on the devices, enable a routing protocol such as RIP so that the networks can reach each other. See the following link to learn how to configure RIP routing.

Configure RIP Routing

After configuring the IP addresses and RIP routing, open the Command Prompt on PC0 and type ping 20.0.0.2. The ping should succeed.

Configure Standard ACL Step By Step

Let’s see how to configure a Standard ACL. In this demonstration, we will prevent host 10.0.0.2 from reaching Router2. To do this, we apply a standard ACL inbound on the Fa0/1 interface of Router2. Because a standard ACL matches only the source address, it will drop every packet from 10.0.0.2 that enters Fa0/1, including traffic that would only transit Router2 on its way to another network; this is why standard ACLs are normally placed as close to the destination as possible.

  1. First, execute the following command to deny host 10.0.0.2.
Router2(config)#access-list 10 deny host 10.0.0.2
  2. Every ACL ends with an implicit deny any, so an ACL that contains only the deny statement above would block every host, not just 10.0.0.2. The following command permits all other hosts to reach Router2. Order matters: the router checks the statements top-down and applies the first match, so the deny must come before the permit any.
Router2(config)#access-list 10 permit any
  3. Next, switch to the interface on which you want to apply the ACL (Fa0/1 in this case) and define the direction (in or out) of the traffic you want to filter. Here we filter the packets coming into Fa0/1 of Router2. To do so, execute the following commands.
Router2(config)#int fa0/1
Router2(config-if)#ip access-group 10 in
Router2(config-if)#exit
Router2(config)#exit
  4. Once you have applied the ACL, execute the following command to view the configured access lists and their match counters.
Router2#show ip access-lists

The following figure shows the Standard ACL configuration of Router2.

[Figure: Configure Standard ACL on Cisco Router]

  5. Next, open the Command Prompt of PC0 and try to ping 192.168.0.2. The ping should fail, as shown in the following figure.

[Figure: The show ip access-lists command]

  6. You can remove the configured ACL if you want. To remove the ACL that we configured, execute the following command on Router2.
Router2(config)#no access-list 10 deny host 10.0.0.2
Be aware that for a numbered ACL this command removes the entire access list 10, not only the deny entry, while the access-group statement stays on the interface. An access-group that refers to an access list that no longer exists permits all traffic, which is why the ping in the next step succeeds again. Before deleting an ACL that is still applied, remove the access-group from the interface first; otherwise a typo in the ACL number silently leaves the interface unfiltered.
  7. Now try to ping Router2 from PC0 again. This time the ping should succeed, because the ACL has been removed.
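The behaviour the steps above rely on (first-match evaluation, the implicit deny any, the wildcard-mask form of a source described in the Types of ACL section, and what removing a numbered ACL does to an interface that still references it) is modelled in the following Python example. This is an added example written for this tutorial, not Cisco code or output; it parses access-list lines in the IOS syntax the page uses and evaluates sample packets against them. The ACL numbers and addresses are the page's; the helper names (parse_entry, configure, apply_acl, demo) and the constructed sample packets are assumptions of the example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Example model of Cisco IOS *standard* ACL evaluation, written for this
# tutorial (not Cisco code). Helper names are our own.


@dataclass
class Entry:
    action: str     # "permit" or "deny"
    network: int    # source address as a 32-bit integer
    wildcard: int   # wildcard mask: a 1 bit means "don't care"


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_entry(line: str) -> tuple[int, Entry]:
    """Parse 'access-list N {permit|deny} {any | host A | A W}'."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list":
        raise ValueError(f"not a standard access-list line: {line!r}")
    number = int(t[1])
    if not (1 <= number <= 99 or 1300 <= number <= 1999):
        raise ValueError(f"{number} is outside the standard ACL ranges")
    action = t[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    if t[3] == "any":
        net, wc = 0, 0xFFFFFFFF
    elif t[3] == "host":
        net, wc = _ip(t[4]), 0
    else:
        # "A.B.C.D W.X.Y.Z"; IOS treats a missing wildcard as 0.0.0.0 (a host)
        net = _ip(t[3])
        wc = _ip(t[4]) if len(t) > 4 else 0
    return number, Entry(action, net, wc)


class StandardAcl:
    def __init__(self, number: int) -> None:
        self.number = number
        self.entries: list[Entry] = []

    def add(self, line: str) -> None:
        number, entry = parse_entry(line)
        if number != self.number:
            raise ValueError("line belongs to a different ACL")
        self.entries.append(entry)

    def evaluate(self, src_ip: str) -> str:
        """Top-down, first match wins; no match hits the implicit deny."""
        src = _ip(src_ip)
        for e in self.entries:
            care = ~e.wildcard & 0xFFFFFFFF      # bits that must match
            if (src & care) == (e.network & care):
                return e.action
        return "deny"   # implicit "deny any" at the end of every IOS ACL


def configure(lines: list[str]) -> dict[int, StandardAcl]:
    """Apply config lines in order. 'access-list N ...' appends to ACL N;
    'no access-list N ...' deletes the whole numbered ACL N, which is what
    IOS does for numbered ACLs regardless of what follows the number."""
    acls: dict[int, StandardAcl] = {}
    for line in lines:
        t = line.split()
        if t[0] == "no":
            acls.pop(int(t[2]), None)
        else:
            number, _ = parse_entry(line)
            acls.setdefault(number, StandardAcl(number)).add(line)
    return acls


def apply_acl(acls: dict[int, StandardAcl], access_group: int | None,
              src_ip: str) -> str:
    """Decision at an interface. With no access-group, or with an
    access-group naming an ACL that does not (or no longer) exist,
    IOS permits everything: only an existing ACL can deny."""
    if access_group is None or access_group not in acls:
        return "permit"
    return acls[access_group].evaluate(src_ip)


def demo() -> dict[str, str]:
    """Walk through the page's scenario with constructed sample packets."""
    base = ["access-list 10 deny host 10.0.0.2", "access-list 10 permit any"]
    acls = configure(base)
    return {
        "pc0 (10.0.0.2) with ACL 10 in": apply_acl(acls, 10, "10.0.0.2"),
        "other host (10.0.0.3)": apply_acl(acls, 10, "10.0.0.3"),
        # forgetting 'permit any' blocks everyone because of the implicit deny
        "10.0.0.3, deny line only": apply_acl(configure(base[:1]), 10, "10.0.0.3"),
        # wildcard form: deny the whole /24 instead of one host
        "10.0.0.77 vs deny 10.0.0.0 0.0.0.255": apply_acl(configure(
            ["access-list 20 deny 10.0.0.0 0.0.0.255", "access-list 20 permit any"]),
            20, "10.0.0.77"),
        # 'no access-list 10 deny host ...' removed all of ACL 10; the interface
        # still says 'ip access-group 10 in' but now permits everything
        "10.0.0.2 after no access-list 10": apply_acl(
            configure(base + ["no access-list 10 deny host 10.0.0.2"]), 10, "10.0.0.2"),
    }


if __name__ == "__main__":
    for step, decision in demo().items():
        print(f"{step:40} -> {decision}")
```

The last case in demo() is the one to remember: deleting a numbered ACL with any no access-list 10 form leaves ip access-group 10 in on the interface pointing at nothing, and IOS then permits all traffic. On a real router, detach the list first with no ip access-group 10 in, or delete one entry at a time by entering ip access-list standard 10 and then no deny host 10.0.0.2.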

In this post, we have discussed how to configure a Standard ACL on Cisco routers using the numbered ACL method. We hope it helped you. Please share your experience and suggestions to improve the articles.
