An Access Control List (or ACL or simply access list) is a security feature that allows you to filter the network traffic based on configured statements. An ACL can be used to filter either inbound or outbound traffic on an interface. Once you applied an access list on a router, the router examines every packet moving from one interface to another interface in the specified direction and takes the appropriate action. In this post, we will demonstrate the basics of ACL and how to configure Standard ACL on a Cisco router using Cisco Packet Tracer. The same steps can be used to configure Standard ACL in GNS3 or reach Cisco routers.
Types of ACL
An ACL can be either of the following two types.
- Standard access lists
A Standard ACL can use only the source IP address in an IP packet to filter the network traffic. Standard access lists are typically used to permit or deny an entire host or network. They cannot be used to filter individual protocol or services such as FTP and Telnet. In the technical explanation, the standard ACL supports only source address.
- Extended access lists
Extended access lists use the source as well as the destination addresses. An extended ACL can be used to filter a specific protocol or service. For example, you deny a host to access the Telnet program while permitting others services.
An ACL can be configured using either a number or a name. If you decide to use a name to configure an ACL, it is referred as Named ACL.
Configure Standard ACL
In this post, we will learn how to configure Standard ACL on Cisco routers. Before configuring an ACL, we would like to explain the command syntaxes used to configure it. As discussed earlier, you can either use the numbered ACL method or Named ACL method to configure an ACL.
The following figure shows the command syntax used to configure an ACL.
We will use the following topology to demonstrate how to configure ACL.
Once you have created the preceding topology, configure the appropriate IP addresses as mentioned in the topology. We assume that you are already familiar to configure IP addresses on Cisco devices. If you face any problem to configure IP addresses on the devices mentioned in the preceding topology, please visit the following link for step by step IP configuration.
Once you have configured appropriate IP addresses on the devices, use a routing method such as RIP. You can visit the following link to know how to configure RIP routing.
After configuring the IP addresses and RIP routing, open the Command Prompt on PC0, and type ping 126.96.36.199. You should be able to ping successfully.
Configure Standard ACL Step By Step
Let’s see how to configure a Standard ACL. In this demonstration, we will restrict host 10.0.0.2 to access Router2. For this, we need to apply a standard ACL on the Fa0/1 interface to filter the incoming traffic.
- First, execute the following command to deny host 10.0.0.2.
Router2(config)#access-list 10 deny host 10.0.0.2
- When you deny a host on a router, the router will deny all the hosts until you explicitly define the list of permitted hosts. The following command will permit all the other hosts to access Router2.
Router2(config)#access-list 10 permit any
- Next, switch to the interface on which you want to apply the ACL, in this case, Fa0/1, and define the direction (inbound or outbound) of traffic that you want to filter. In this case, we will filter the incoming packets on the Fa0/1 of Router2. To do so, execute the following commands.
Router2(config)#int fa0/1 Router2(config-if)#ip access-group 10 in Router2(config-if)#exit Router2(config)#exit
- Once you applied an ACL on a router, execute the following command to view the applied ACLs.
Router2#show ip access-lists
The following figure shows the Standard ACL configuration of Router2.
- Next, open the Command Prompt of PC0, try to ping 192.168.0.2. You should not be able to ping as shown in the following figure.
- You can remove the configured ACLs if you want. To remove the ACL that we have configured, execute the following command on Router2.
Router2(config)#no access-list 10 deny host 10.0.0.2
- Now, try to ping again from PC0 to Router2, this time, you should be able to ping successfully, because you have removed the applied ACL.
In this post, we have discussed how to configure a Standard ACL on Cisco routers using the numbered ACL method. Hope, it helped you. Please share your experience and suggestions to improve the articles.