Configure Standard IPv4 ACLs

5.1.1

Create an ACL

In a previous module, you learned about what an ACL does and why it is important. In this topic, you will learn about creating ACLs.

All access control lists (ACLs) must be planned. However, this is especially true for ACLs requiring multiple access control entries (ACEs).

When configuring a complex ACL, it is suggested that you:

  • Use a text editor and write out the specifics of the policy to be implemented.
  • Add the IOS configuration commands to accomplish those tasks.
  • Include remarks to document the ACL.
  • Copy and paste the commands onto the device.
  • Always thoroughly test an ACL to ensure that it correctly applies the desired policy.

These recommendations enable you to create the ACL thoughtfully without impacting the traffic on the network.

5.1.2

Numbered Standard IPv4 ACL Syntax

To create a numbered standard ACL, use the following global configuration command:

Router(config)# access-list access-list-number {deny | permit | remark text} source [source-wildcard] [log]

Use the no access-list access-list-number global configuration command to remove a numbered standard ACL.

The table provides a detailed explanation of the syntax for a standard ACL.

Parameter Description
access-list-number
  • This is the decimal number of the ACL.
  • Standard ACL number range is 1 to 99 or 1300 to 1999.
deny
This denies access if the condition is matched.
permit
This permits access if the condition is matched.
remark text
  • (Optional) This adds a text entry for documentation purposes.
  • Each remark is limited to 100 characters.
source
  • This identifies the source network or host address to filter.
  • Use the any keyword to specify all networks.
  • Use the host ip-address keyword or simply enter an ip-address (without the host keyword) to identify a specific IP address.
source-wildcard
(Optional) This is a 32-bit wildcard mask that is applied to the source. If omitted, a default 0.0.0.0 mask is assumed.
log
  • (Optional) This keyword generates and sends an informational message whenever the ACE is matched.
  • Message includes ACL number, matched condition (i.e., permitted or denied), source address, and number of packets.
  • This message is generated for the first matched packet.
  • This keyword should only be implemented for troubleshooting or security reasons.

5.1.3

Named Standard IPv4 ACL Syntax

Naming an ACL makes it easier to understand its function. To create a named standard ACL, use the following global configuration command:

Router(config)# ip access-list standard access-list-name

This command enters the named standard configuration mode where you configure the ACL ACEs.

ACL names are alphanumeric, case sensitive, and must be unique. Capitalizing ACL names is not required but makes them stand out when viewing the running-config output. It also makes it less likely that you will accidentally create two different ACLs with the same name but with different uses of capitalization.

Note: Use the no ip access-list standard access-list-name global configuration command to remove a named standard IPv4 ACL.

In the example, a named standard IPv4 ACL called NO-ACCESS is created. Notice that the prompt changes to named standard ACL configuration mode. ACE statements are entered in this named standard ACL subconfiguration mode. Use the help facility (?) to view all the named standard ACL ACE options.

The three highlighted options (deny, permit, and remark) are configured similarly to the numbered standard ACL. Unlike the numbered ACL method, there is no need to repeat the initial ip access-list command for each ACE.

R1(config)# ip access-list standard NO-ACCESS
R1(config-std-nacl)# ?
Standard Access List configuration commands:
  <1-2147483647>  Sequence Number
  default         Set a command to its defaults
  deny            Specify packets to reject
  exit            Exit from access-list configuration mode
  no              Negate a command or set its defaults
  permit          Specify packets to forward
  remark          Access list entry comment
R1(config-std-nacl)#

5.1.4

Apply a Standard IPv4 ACL

After a standard IPv4 ACL is configured, it must be linked to an interface or feature. The following command can be used to bind a numbered or named standard IPv4 ACL to an interface:

Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}

To remove an ACL from an interface, first enter the no ip access-group interface configuration command. However, the ACL will still be configured on the router. To remove the ACL from the router, use the no access-list global configuration command.

5.1.5

Numbered Standard IPv4 ACL Example

The topology in the figure will be used to demonstrate configuring and applying numbered and named standard IPv4 ACLs to an interface. This first example shows a numbered standard IPv4 ACL implementation.

Assume only PC1 is allowed out to the internet. To enable this policy, a standard ACL ACE could be applied outbound on S0/1/0, as shown in the figure.

R1(config)# access-list 10 remark ACE permits ONLY host 192.168.10.10 to the internet
R1(config)# access-list 10 permit host 192.168.10.10
R1(config)# do show access-lists
Standard IP access list 10
    10 permit 192.168.10.10
R1(config)#

Notice that the output of the show access-lists command does not display the remark statements. ACL remarks are displayed in the running configuration file. Although the remark command is not required to enable the ACL, it is strongly suggested for documentation purposes.

Now assume that a new network policy states that hosts in LAN 2 should also be permitted to the internet. To enable this policy, a second standard ACL ACE could be added to ACL 10, as shown in the output.

R1(config)# access-list 10 remark ACE permits all host in LAN 2
R1(config)# access-list 10 permit 192.168.20.0 0.0.0.255
R1(config)# do show access-lists
Standard IP access list 10
    10 permit 192.168.10.10
    20 permit 192.168.20.0, wildcard bits 0.0.0.255
R1(config)#

Apply ACL 10 outbound on the Serial 0/1/0 interface.

R1(config)# interface Serial 0/1/0
R1(config-if)# ip access-group 10 out
R1(config-if)# end
R1#

The resulting policy of ACL 10 will only permit host 192.168.10.10 and all hosts from LAN 2 to exit the Serial 0/1/0 interface. Because every ACL ends with an implicit deny any, all other hosts, including the rest of the 192.168.10.0 network, will not be permitted to the internet.
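To make the resulting policy concrete, here is an added Python model of how IOS evaluates a standard ACL (this is not code from the page or from Cisco): wildcard-mask matching, top-down first match by sequence number, and the implicit deny that catches everything else. The ACEs of ACL 10 are taken from the page; the source addresses checked at the bottom are constructed test values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access control entry of a standard IPv4 ACL (remarks are not ACEs)."""
    seq: int
    action: str                 # "permit" or "deny"
    source: str                 # dotted-decimal source address
    wildcard: str = "0.0.0.0"   # IOS default when source-wildcard is omitted (host match)


def wildcard_match(addr: str, source: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    s = int(ipaddress.IPv4Address(source))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (s & ~w & 0xFFFFFFFF)


def evaluate(acl, src_addr):
    """First match wins, in sequence-number order; no match means implicit deny any."""
    for ace in sorted(acl, key=lambda e: e.seq):
        if wildcard_match(src_addr, ace.source, ace.wildcard):
            return ace.action, ace.seq
    return "deny", None  # implicit deny at the end of every ACL


def prefix_to_wildcard(prefixlen: int) -> str:
    """Wildcard mask for a prefix length, e.g. /24 -> 0.0.0.255 (inverse of the subnet mask)."""
    mask = (0xFFFFFFFF >> prefixlen) if prefixlen else 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask))


# ACL 10 exactly as shown by "show access-lists" on the page.
ACL_10 = [
    Ace(10, "permit", "192.168.10.10"),              # permit host 192.168.10.10
    Ace(20, "permit", "192.168.20.0", "0.0.0.255"),  # permit 192.168.20.0 0.0.0.255 (LAN 2)
]

if __name__ == "__main__":
    # Constructed sample sources: PC1, a LAN 2 host, another LAN 1 host, an outside address.
    for src in ("192.168.10.10", "192.168.20.77", "192.168.10.11", "10.0.0.5"):
        print(src, evaluate(ACL_10, src))
```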

Use the show running-config command to review the ACL in the configuration, as shown in the output.

R1# show run | section access-list
access-list 10 remark ACE permits host 192.168.10.10
access-list 10 permit 192.168.10.10
access-list 10 remark ACE permits all host in LAN 2
access-list 10 permit 192.168.20.0 0.0.0.255
R1#

Notice how the remarks statements are also displayed.

Finally, use the show ip interface command to verify whether an interface has an ACL applied to it. In the example, the output for the Serial 0/1/0 interface is filtered to show only the lines that include the text “access list”.

R1# show ip int Serial 0/1/0 | include access list
  Outgoing Common access list is not set
  Outgoing access list is 10
  Inbound Common access list is not set
  Inbound  access list is not set
R1#

5.1.6

Named Standard IPv4 ACL Example

This second example shows a named standard IPv4 ACL implementation. The topology is repeated in the figure for your convenience.

Assume only PC1 is allowed out to the internet. To enable this policy, a named standard ACL called PERMIT-ACCESS could be applied outbound on S0/1/0.

Remove the previously configured numbered ACL 10 and create a named standard ACL called PERMIT-ACCESS, as shown here.

R1(config)# no access-list 10
R1(config)# ip access-list standard PERMIT-ACCESS
R1(config-std-nacl)#

Now add an ACE permitting only host 192.168.10.10 and another ACE permitting all LAN 2 hosts to the internet.

R1(config-std-nacl)# remark ACE permits host 192.168.10.10
R1(config-std-nacl)# permit host 192.168.10.10
R1(config-std-nacl)# remark ACE permits all hosts in LAN 2
R1(config-std-nacl)# permit 192.168.20.0 0.0.0.255
R1(config-std-nacl)# exit
R1(config)#

Apply the new named ACL outbound to the Serial 0/1/0 interface.

R1(config)# interface Serial 0/1/0
R1(config-if)# ip access-group PERMIT-ACCESS out
R1(config-if)# end
R1#

Use the show access-lists and show running-config commands to review the ACL in the configuration, as shown in the output.

R1# show access-lists
Standard IP access list PERMIT-ACCESS
    10 permit 192.168.10.10
    20 permit 192.168.20.0, wildcard bits 0.0.0.255
R1# show run | section ip access-list
ip access-list standard PERMIT-ACCESS
 remark ACE permits host 192.168.10.10
 permit 192.168.10.10
 remark ACE permits all hosts in LAN 2
 permit 192.168.20.0 0.0.0.255
R1#

Finally, use the show ip interface command to verify whether an interface has an ACL applied to it. In the example, the output for the Serial 0/1/0 interface is filtered to show only the lines that include the text “access list”.

R1# show ip int Serial 0/1/0 | include access list
  Outgoing Common access list is not set
  Outgoing access list is PERMIT-ACCESS
  Inbound Common access list is not set
  Inbound  access list is not set
R1#

Modify IPv4 ACLs