Saturday, March 19, 2011

Lesson 48 - Standard ACL Examples

Pic. 1 - Topology.
Icons designed by: Andrzej Szoblik -

Task 1
Configure an IP standard ACL that denies packets coming from going towards All other traffic should be allowed.

Task 2
Configure an IP standard ACL that denies packets coming from the host going towards Traffic from other sources should be allowed.

Let's get 'em tiger!

When it comes to configuring ACLs my work flow goes like this:
  1. Which ACL is going to accomplish my goal: Standard or Extended?
  2. Which router and interface should I apply the ACL on?
  3. Which direction should I use: in or out?
Dig this! 
Since this lesson is about standard ACLs, the answer to the first question is obvious: a standard ACL must be used. In real-life examples, the goal you are trying to accomplish dictates the choice. If you must filter out some specific TCP traffic (e.g. traffic going towards port 80), an extended ACL must be used, because a standard ACL cannot match on protocol, port, or destination: it matches on the source IP address only.

The guidelines say that a standard ACL should be placed as close to the destination as possible. Think about it. If I applied the ACL from Task 1 on R3 F1/0 outbound, packets with the source could not go anywhere out of that interface, whatever their destination. We're supposed to filter this source only when it is going towards Branch 1 (R4), not anywhere else. R4 is therefore the router I'm going to apply the ACL on.

As for the last question, the direction: I could apply the ACL on R4's S0/2 inbound or on F1/0 outbound. Since R4 has only two interfaces it makes little difference, except that with S0/2 inbound the packet is dropped on the ingress interface before R4 performs a Layer 3 lookup for it, so R4 doesn't waste its resources routing a packet it is going to drop anyway. Keep in mind that an inbound standard ACL on S0/2 filters everything from that source entering through S0/2, including packets addressed to R4 itself. If there were more interfaces, I would apply it on F1/0 outbound, since the traffic should only be kept out of that specific network (

Task 1
Configure an IP standard ACL that denies packets coming from going towards All other traffic should be allowed.

Pic. 2 - Communication Before Applying ACL.
I pinged from the subnet in question (

R4 Configuration:
! Step 1 - Create the ACL statements in global configuration mode
R4(config)#access-list 1 deny
! Without this explicit 'permit any', the implicit 'deny any' at the end of every ACL would drop all other traffic
R4(config)#access-list 1 permit any
! Step 2 - Apply the ACL to the interface in the inbound direction
R4(config)#int s0/2
R4(config-if)#ip access-group 1 in

Pic. 3 - Communication After Applying ACL.
Only packets sourced from the are being blocked on R4. The packets from are getting through.

Pic. 4 - R4's ACL counters.

I owe you an explanation here.
R4(config)#access-list 1 deny

access-list 1 - the number 1 identifies a standard ACL (standard ACLs use numbers 1-99, plus the expanded range 1300-1999)
deny - the packets meeting the criterion that follows will be denied (dropped)
The two values that follow are the source IP criterion (the subnet's network address) and the wildcard mask, which is the subnet's inverted network mask: a 0 bit in the wildcard means "this bit of the source address must match", a 1 bit means "don't care".

The subnet's network mask is: In the binary it looks like:

If we invert this network mask (flip every bit), we get:

That, converted to decimal is:

Easy right?
R4(config)#access-list 1 permit any
permit any - this permits all other source IPs. Every ACL ends with an implicit 'deny any', so without this statement the ACL would drop all traffic entering S0/2, not just the subnet we wanted to filter. The word 'any' is the alias for:
Try to write an ACL according to the Task 2 description on your own. I will show you the solution in the next post.
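As an added example that is not part of the original lesson, here is a small Python model of how IOS evaluates a standard ACL: it derives the wildcard mask by inverting the subnet mask as done above, parses statements of the form shown in the R4 configuration, walks the list top-down with first match wins, and applies the implicit deny at the end. It goes slightly beyond the lesson by also handling the 'host' keyword and non-contiguous wildcard masks, which IOS accepts as well. Because the addresses of the lesson's topology are not reproduced on this page, the addresses below (192.168.10.0/24 as the denied subnet, 192.168.20.0/24 as another source) are constructed, and all function and class names are my own.

```python
# Added example (not from the original lesson): a model of IOS standard ACL
# evaluation. Addresses used below are constructed, not the lesson's topology.
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

ALL_ONES = 0xFFFFFFFF


def subnet_mask(prefixlen: int) -> str:
    """Dotted-decimal network mask for a prefix length, e.g. 24 -> 255.255.255.0."""
    return str(IPv4Network(f"0.0.0.0/{prefixlen}").netmask)


def wildcard_mask(netmask: str) -> str:
    """Invert every bit of a network mask: 255.255.255.0 -> 0.0.0.255."""
    return str(IPv4Address(int(IPv4Address(netmask)) ^ ALL_ONES))


@dataclass(frozen=True)
class Entry:
    """One access-list statement. A 1 bit in the wildcard means 'don't care'."""
    action: str     # "permit" or "deny"
    address: str    # reference address
    wildcard: str   # wildcard mask (need not be a contiguous inverted mask)

    def matches(self, src: str) -> bool:
        # Only the bits where the wildcard is 0 have to agree.
        care = int(IPv4Address(self.wildcard)) ^ ALL_ONES
        return (int(IPv4Address(src)) & care) == (int(IPv4Address(self.address)) & care)


def parse_entry(line: str) -> tuple[int, Entry]:
    """Parse 'access-list N deny|permit <addr> [wildcard]', '... host <addr>' or '... any'."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line!r}")
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if not (1 <= number <= 99 or 1300 <= number <= 1999):
        raise ValueError(f"{number} is not a standard ACL number")
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    if rest == ["any"]:                              # 'any' is 0.0.0.0 255.255.255.255
        address, wildcard = "0.0.0.0", "255.255.255.255"
    elif rest[0] == "host" and len(rest) == 2:       # 'host A' is A 0.0.0.0
        address, wildcard = rest[1], "0.0.0.0"
    elif len(rest) == 1:                             # IOS defaults an omitted wildcard to 0.0.0.0
        address, wildcard = rest[0], "0.0.0.0"
    elif len(rest) == 2:
        address, wildcard = rest
    else:
        raise ValueError(f"cannot parse {line!r}")
    return number, Entry(action, address, wildcard)


def build_acl(lines) -> list[Entry]:
    """Collect the statements of one numbered ACL, in configuration order."""
    numbers, entries = set(), []
    for line in lines:
        number, entry = parse_entry(line)
        numbers.add(number)
        entries.append(entry)
    if len(numbers) != 1:
        raise ValueError("statements belong to different ACLs")
    return entries


def evaluate(acl: list[Entry], src: str) -> tuple[str, int | None]:
    """Top-down, first match wins. No match hits the implicit deny (index None)."""
    for index, entry in enumerate(acl):
        if entry.matches(src):
            return entry.action, index
    return "deny", None


# Constructed stand-in for Task 1: deny one /24 subnet, permit every other source.
TASK1_ACL = build_acl([
    "access-list 1 deny 192.168.10.0 " + wildcard_mask(subnet_mask(24)),
    "access-list 1 permit any",
])

if __name__ == "__main__":
    for src in ("192.168.10.7", "192.168.20.7"):
        print(src, "->", evaluate(TASK1_ACL, src))
```

The index returned by evaluate is the statement that produced the decision, which is what the per-line match counters in 'show access-lists' (Pic. 4) are counting; a None index is the implicit deny, which IOS does not show a counter for. Dropping the 'permit any' line (TASK1_ACL[:1]) makes every non-matching source fall through to that implicit deny.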

In my next post: solution to the Task 2 and extended ACLs. 

Stop by and see what magic they can do! Meanwhile, happy studying!

