Standard ACLs

Standard ACLs filter traffic based only on source IP address - use when you need simple permit/deny based on where traffic comes from.

You need standard ACLs when:

  • You want to restrict which networks can access certain resources
  • You need to control remote access to the router/switch (SSH, Telnet)
  • You’re configuring NAT and need to specify which IPs to translate
  • You don’t need to filter by protocol or port (use Extended ACLs for that)

ACL Numbers: 1-99, 1300-1999

Placement Rule: Apply close to the destination. Because a standard ACL matches on source address only, placing it near the source would block that source's traffic to every destination, not just the one you intend.

Router(config)# access-list 10 permit 192.168.10.0 0.0.0.255
Router(config)# access-list 10 deny 192.168.20.10 0.0.0.0
Router(config)# access-list 10 permit any

Parameters:

  • 10 - ACL number. Can be 1-99 or 1300-1999.
  • 192.168.10.0 0.0.0.255 - Network and wildcard mask to permit. Replace with your network.
  • 192.168.20.10 0.0.0.0 - Specific host to deny. Replace with any host IP.

Note: Statements are processed top to bottom - first match wins.

Wildcard mask examples:

  • 0.0.0.0 = Exact match (single host)
  • 0.0.0.255 = Match entire /24 subnet (256 IPs)
  • 0.0.255.255 = Match entire /16 subnet (65,536 IPs)

Keyword shortcuts:

  • host 192.168.10.10 = Same as 192.168.10.10 0.0.0.0 (single host)
  • any = Same as 0.0.0.0 255.255.255.255 (all IPs)

Named standard ACL:

Router(config)# ip access-list standard BLOCK-SALES
Router(config-std-nacl)# deny 192.168.10.0 0.0.0.255
Router(config-std-nacl)# permit any
Router(config-std-nacl)# exit

Apply an ACL to an interface:

Router(config)# interface GigabitEthernet0/0/0
Router(config-if)# ip access-group 10 in

Direction:

  • in = Filter traffic entering the interface
  • out = Filter traffic leaving the interface

Document your ACLs for easier management.

Router(config)# access-list 10 remark Permit only management subnet
Router(config)# access-list 10 permit 192.168.100.0 0.0.0.255
Router(config)# access-list 10 remark Block guest network
Router(config)# access-list 10 deny 192.168.50.0 0.0.0.255
Router(config)# access-list 10 permit any

Named ACL with remarks:

Router(config)# ip access-list standard OFFICE-ACCESS
Router(config-std-nacl)# remark Allow only IT department
Router(config-std-nacl)# permit 192.168.100.0 0.0.0.255
Router(config-std-nacl)# remark Deny everyone else
Router(config-std-nacl)# deny any

Every ACL ends with an implicit deny any that never appears in the configuration. If no permit statement matches, the traffic is dropped.

Example:

Router(config)# access-list 15 permit 192.168.10.0 0.0.0.255
! Anything not 192.168.10.0/24 is automatically denied

Explicit permit any (if needed):

Router(config)# access-list 15 permit 192.168.10.0 0.0.0.255
Router(config)# access-list 15 permit any

Editing a numbered ACL by re-creating it:

Step 1: Copy ACL from config

Router# show running-config | include access-list

Step 2: Paste into text editor, make changes

Step 3: Remove old ACL, paste new one. While the ACL is deleted, an interface that still references it passes all traffic (IOS permits everything for an undefined ACL), so paste the replacement immediately afterwards.

Router(config)# no access-list 10
Router(config)# access-list 10 permit 192.168.10.0 0.0.0.255
Router(config)# access-list 10 deny 192.168.20.0 0.0.0.255
Router(config)# access-list 10 permit any

View sequence numbers:

Router# show access-lists
Standard IP access list 10
10 permit 192.168.10.0, wildcard bits 0.0.0.255
20 deny 192.168.20.0, wildcard bits 0.0.0.255
30 permit any

Edit specific line:

Router(config)# ip access-list standard 10
Router(config-std-nacl)# no 20
Router(config-std-nacl)# 20 deny 192.168.30.0 0.0.0.255
Router(config-std-nacl)# exit

Insert new line between existing entries:

Router(config)# ip access-list standard 10
Router(config-std-nacl)# 15 permit 192.168.15.0 0.0.0.255
Router(config-std-nacl)# exit

Now line 15 is processed before line 20.
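As an added example (my own code, not part of this page or of Cisco IOS): a small Python model of how a standard ACL is evaluated, covering the wildcard-mask matching and host/any shortcuts, the sequence-number ordering, and the implicit deny described above. It accepts both config-syntax lines and show access-lists output; the class and function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Entry:
    seq: int        # sequence number; IOS processes entries in this order
    action: str     # "permit" or "deny"
    network: int    # source address from the entry, as an integer
    wildcard: int   # wildcard mask as an integer; 1 bits are "don't care"

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def parse_entry(line: str, default_seq: int) -> Entry:
    """Parse a config line ('permit 192.168.10.0 0.0.0.255', 'deny host 10.1.1.1',
    'permit any') or a show line ('10 permit 192.168.10.0, wildcard bits 0.0.0.255')."""
    tokens = line.replace(",", "").split()
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else default_seq
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"unexpected action {action!r} in {line!r}")
    if tokens[0] == "any":                      # any == 0.0.0.0 255.255.255.255
        network, wildcard = 0, 0xFFFFFFFF
    elif tokens[0] == "host":                   # host X == X 0.0.0.0
        network, wildcard = _ip(tokens[1]), 0
    else:
        network = _ip(tokens[0])
        mask = [t for t in tokens[1:] if t not in ("wildcard", "bits")]
        wildcard = _ip(mask[0]) if mask else 0  # bare address = single host
    return Entry(seq, action, network, wildcard)

def build_acl(lines: list) -> list:
    """Order by sequence number, so a later-added entry numbered 15 runs before 20.
    Unnumbered entries get highest + 10, as IOS assigns them."""
    entries = []
    for line in lines:
        next_seq = max((e.seq for e in entries), default=0) + 10
        entries.append(parse_entry(line, next_seq))
    return sorted(entries, key=lambda e: e.seq)

def evaluate(acl: list, src: str) -> tuple:
    """First match wins; no match falls through to the implicit deny any,
    reported with sequence None because it never appears in the config."""
    addr = _ip(src)
    for e in acl:
        care = ~e.wildcard & 0xFFFFFFFF          # bits that must match exactly
        if addr & care == e.network & care:
            return e.action, e.seq
    return "deny", None
```

Feeding it the show output from the sequence-number section plus the inserted line 15 shows the resulting order and which entry each source address hits.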

Restrict remote access to specific IPs.

! Create ACL
Router(config)# access-list 50 permit 192.168.100.0 0.0.0.255
Router(config)# access-list 50 deny any
! Apply to VTY lines
Router(config)# line vty 0 4
Router(config-line)# access-class 50 in
Router(config-line)# exit

Now only devices from 192.168.100.0/24 can SSH/Telnet to the router.

Best practice: Use login local with SSH only.

Router(config)# username admin privilege 15 secret AdminPass123
Router(config)# line vty 0 4
Router(config-line)# transport input ssh
Router(config-line)# login local
Router(config-line)# access-class 50 in

Remove an ACL from an interface:

Router(config)# interface GigabitEthernet0/0/0
Router(config-if)# no ip access-group 10 in

⚠️ The ACL still exists in the config - this only removes it from the interface.

Router(config)# no access-list 10

Or for named ACLs:

Router(config)# no ip access-list standard BLOCK-SALES

Verification commands:

Router# show access-lists
Router# show access-lists 10
Router# show ip access-lists
Router# show ip interface GigabitEthernet0/0/0 | include access list
Router# show running-config | section access-list

Check hit counts (traffic matched by ACL):

Router# show access-lists
Standard IP access list 10
10 permit 192.168.10.0, wildcard bits 0.0.0.255 (47 matches)
20 deny 192.168.20.0, wildcard bits 0.0.0.255 (12 matches)
30 permit any (523 matches)

Scenario 1: Allow one host, block everyone else

Router(config)# access-list 5 permit host 192.168.10.50
Router(config)# access-list 5 deny any
Router(config)# interface GigabitEthernet0/0/1
Router(config-if)# ip access-group 5 out

Scenario 2: Block one subnet, allow everything else

Router(config)# access-list 15 deny 192.168.99.0 0.0.0.255
Router(config)# access-list 15 permit any
Router(config)# interface Serial0/1/0
Router(config-if)# ip access-group 15 in

Scenario 3: Named ACL for VTY access

Router(config)# ip access-list standard ADMIN-ACCESS
Router(config-std-nacl)# remark Only allow IT subnet
Router(config-std-nacl)# permit 10.100.0.0 0.0.255.255
Router(config-std-nacl)# deny any
Router(config-std-nacl)# exit
Router(config)# line vty 0 15
Router(config-line)# access-class ADMIN-ACCESS in