Standard Access Control List (ACL)

Standard Access Control List - Introduction

A standard control list is used to control traffic with access to the network and its resources. It basically filters and classifies the traffic. Filtering of traffic means to execute a rule to permit or deny the packets that flow through the selected interface of the router, multilayer switch, or firewall.

Standard ACLs are simple but quite efficient. However, they have some limitations, as they are based only on the IP source address from transmitting packets. Correspondingly, the extended ACLs are more flexible and can use more packet header features like IP destination address, port addresses, and protocol type. We will discuss extended ACLs later in the article, here.

A standard access control list can be numbered from 1 to 99, with an extended range of 1300 to 1999. The standard access list can also be named. Numbered or named, they tend to be easily recognised and managed on the device, for example, a router.

Before we go further in the ACL topic, we need to know a few important rules when creating and installing a standard or extended ACL in the network. Therefore, a network engineer needs to know a few things.

First, determine the location on the device and its interface for the ACL statement.

Second, the packets flow in either an inbound or outbound direction.

Below is the command line structure for setting up a standard Access Control List (ACL) on a Cisco router or switch.

access-list {ACL Number} {permit | deny} {source IP address} {wildcard mask}

Let's go through each element of the access list statement for the standard ACL:

The ACL number falls within the range of 1 to 99 for standard ACLs and 1300 to 1999 for extended ACLs. For the named ACLs (statements), we are not limited by numbers but by the device resources like memory and CPU. Instead of the rules of prioritised ACL numbers, the named ACLs are prioritised in their order of entry. The ACL entries (or lines) are evaluated in the same sequential order that they are written, from top to bottom, and once a match is found, the corresponding action (permit or deny) is taken.

Permit and deny are two phases used to manage the traffic.In networking, 'permit' is used to allow traffic, while 'deny' is used to block traffic.

The fourth element of the ACL list is the IP address of the device the traffic comes from.

The fifth element of this statement is a wildcard mask that defines which bits of the source IP address must match (a wildcard mask is the inverse of a subnet mask). There is an exception to this rule when the IP source in the statement relates to a single IP address rather than a subnet. For example, a statement access-list 11 permit 172.16.10.1 does not need a wildcard mask as it refers to a single IP address. We are specifying a single IP address (172.16.10.1) as the source, and we intend to match only that exact IP address; a wildcard mask of 0.0.0.0 is implicitly assumed. This means we are matching a specific IP address exactly, with no flexibility in the address range.

Below, let's examine another example of a standard ACL general command:

access-list deny 192.168.1.0 0.0.0.255

In this case, all traffic from the 192.168.1.0 subnet is blocked. It indicates that no addresses from the designated network 192.168.1.0 will be permitted.

Now we can go further into the ACL configuration details.

The initial stage is to draft a generic statement. Next, we must assign our created statement(s) to the router's chosen interface. To accomplish this, we must type the expression directly from the interface port: ip access-group {number of ACL} {in | out}

We'll go over each component of this expression:

The 'ip access group' command assigns the created ACL group to the interface.

{number of ACL} This number confirms what ACL list is assigned to the selected interface.

The word "in" specifies inbound traffic, and the word "out" specifies the outbound traffic.

Now that we understand a typical ACL structure, let's move on to a lab example.

Example 1.

In figure 1, we see a small topology with the two subnets (192.168.100.024 and 172.16.20.024) on the left from router 1 and three servers configured on three subnets, 10.1.1.124, 10.1.2.024, and 10.1.3.024, respectively. The access control list is configured on router 1 on serial port interface s0\3\0 for the outgoing packet flow. Here is a specific example of a restricted standard ACL that focuses only on the source IP address.

Figure 1 -

Allocated IPv4 addresses

Before we go further with ACL configuration on router 1, we need to set up interfaces on both routers. I made this setting and shown results underneath two scripts for router 1 and router 2.

Router 1: Interfaces brief summary.

R1#show ip int brief

Interface IP-Address OK? Method Status Protocol

GigabitEthernet0/0 192.168.100.1 YES manual up up

GigabitEthernet0/1 172.16.20.1 YES manual up up

GigabitEthernet0/2 unassigned YES unset administratively down down

Serial0/3/0 192.50.10.1 YES manual up up

Serial0/3/1 unassigned YES unset administratively down down

Vlan1 unassigned YES unset administratively down down

Router 2: interfaces brief summary.

Interface IP-Address OK? Method Status Protocol

GigabitEthernet0/0 10.1.1.254 YES manual up up

GigabitEthernet0/1 10.1.2.254 YES manual up up

GigabitEthernet0/2 10.1.3.254 YES manual up up

Serial0/3/0 192.50.10.254 YES manual up up

Serial0/3/1 unassigned YES unset administratively down down

Vlan1 unassigned YES unset administratively down down

As we see on both routers, the interfaces are active (opened) with running protocols (up). So, we are ready to configure the static routes.

Static route configuration

The router 1 has the following static routes defined. This indicates that in order to transfer packets to subnets that are not directly connected to router 1, we must add routes. The other article, which can be found here, explains static routes.

R1#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R1(config)#ip route 10.1.1.0 255.255.255.0 192.50.10.254

R1(config)#ip route 10.1.2.0 255.255.255.0 192.50.10.254

R1(config)#ip route 10.1.3.0 255.255.255.0 192.50.10.254

R1(config)#

Similar routing of static routes we must create on the router 2. We configured static routes on both routers to guarantee that packets can move forward and backward.

R2(config)#

R2(config)#ip route 192.168.100.0 255.255.255.0 192.50.10.1

R2(config)#ip route 172.16.20.0 255.255.255.0 192.50.10.1

R2(config)#

Checking routes

A good manner is to check the routing tables after route configuration. For more details, look at the code legend from the script below. Letter S is assigned to the static router, where letter C indicates a direct connection with the router interface.

R2#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks

C 10.1.1.0/24 is directly connected, GigabitEthernet0/0

L 10.1.1.254/32 is directly connected, GigabitEthernet0/0

C 10.1.2.0/24 is directly connected, GigabitEthernet0/1

L 10.1.2.254/32 is directly connected, GigabitEthernet0/1

C 10.1.3.0/24 is directly connected, GigabitEthernet0/2

L 10.1.3.254/32 is directly connected, GigabitEthernet0/2

172.16.0.0/24 is subnetted, 1 subnets

S 172.16.20.0/24 [1/0] via 192.50.10.1

192.50.10.0/24 is variably subnetted, 2 subnets, 2 masks

C 192.50.10.0/24 is directly connected, Serial0/3/0

L 192.50.10.254/32 is directly connected, Serial0/3/0

S 192.168.100.0/24 [1/0] via 192.50.10.1

The same check we perform for router 1. The command "show ip route" is often used with the troubleshooting actions. during routing problems.

R1#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is not set

10.0.0.0/24 is subnetted, 3 subnets

S 10.1.1.0/24 [1/0] via 192.50.10.254

S 10.1.2.0/24 [1/0] via 192.50.10.254

S 10.1.3.0/24 [1/0] via 192.50.10.254

172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks

C 172.16.20.0/24 is directly connected, GigabitEthernet0/1

L 172.16.20.1/32 is directly connected, GigabitEthernet0/1

192.50.10.0/24 is variably subnetted, 2 subnets, 2 masks

C 192.50.10.0/24 is directly connected, Serial0/3/0

L 192.50.10.1/32 is directly connected, Serial0/3/0

192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks

C 192.168.100.0/24 is directly connected, GigabitEthernet0/0

L 192.168.100.1/32 is directly connected, GigabitEthernet0/0

Create access list statement

The first and second lines of the statement allow the traffic from PC-1 and PC-3 to connect with servers. The third line denies all the rest of the traffic and is only written for demonstration purposes. As we explained in the top part of this article, each statement has an "invisible" by default to discard the packets if they do not match the logic of the statements. So, it is not visible there, but it is working well! Therefore, some people like to place "deny any in the access list to minimise the confusion and count the matches.

R1#CONF T

Enter configuration commands, one per line. End with CNTL/Z.

R1(config)#ACCESS-list 1 permit 192.168.100.10

R1(config)#ACCESS-list 1 permit 192.168.100.30

R1(config)#access-list 1 deny any

R1(config)#

We need to assign the general ACL statement to the interface S/0/3/0 on the router 1, as has been done in s script line below.

R1(config-if)#ip access-group 1 out

We can check created list using "show ip access-list" command.

R1#show ip access-list

Standard IP access list 1

10 permit host 192.168.100.10

20 permit host 192.168.100.30

30 deny any

Checking connectivity

Just establish a test connection between PCs and servers to confirm ACL configuration. I completed it for every end point (PC), but only the results for PCs 1 and 2 were displayed in the lab.

PC-1 successfully established a connection to server 1. PC-2 was unable to connect to server 1 because it was blocked.

C:\>ping 10.1.1.100

Pinging 10.1.1.100 with 32 bytes of data:

Reply from 10.1.1.100: bytes=32 time=28ms TTL=126

Reply from 10.1.1.100: bytes=32 time=2ms TTL=126

Reply from 10.1.1.100: bytes=32 time=3ms TTL=126

Reply from 10.1.1.100: bytes=32 time=1ms TTL=126

Ping statistics for 10.1.1.100:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 1ms, Maximum = 28ms, Average = 8ms

C:\>ping 10.1.2.100

Pinging 10.1.2.100 with 32 bytes of data:

Reply from 10.1.2.100: bytes=32 time=27ms TTL=126

Reply from 10.1.2.100: bytes=32 time=21ms TTL=126

Reply from 10.1.2.100: bytes=32 time=1ms TTL=126

Reply from 10.1.2.100: bytes=32 time=17ms TTL=126

Ping statistics for 10.1.2.100:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 1ms, Maximum = 27ms, Average = 16ms

C:\>ping 10.1.3.100

Pinging 10.1.3.100 with 32 bytes of data:

Reply from 10.1.3.100: bytes=32 time=42ms TTL=126

Reply from 10.1.3.100: bytes=32 time=1ms TTL=126

Reply from 10.1.3.100: bytes=32 time=20ms TTL=126

Ping statistics for 10.1.3.100:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 1ms, Maximum = 42ms, Average = 16ms

As mentioned above, the packets from PC-2 are dropped from router 1, as we intended in the ACL statement.

C:\>ping 10.1.1.100

Pinging 10.1.1.100 with 32 bytes of data:

Reply from 192.168.100.1: Destination host unreachable.

Ping statistics for 10.1.1.100:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>ping 10.1.2.100

Pinging 10.1.2.100 with 32 bytes of data:

Reply from 192.168.100.1: Destination host unreachable.

Ping statistics for 10.1.2.100:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>ping 10.1.3.100

Pinging 10.1.3.100 with 32 bytes of data:

Reply from 192.168.100.1: Destination host unreachable.

Ping statistics for 10.1.3.100:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>

Setting up a standard ACL on a single interface with outgoing traffic is demonstrated in exercise 1. An interface in ACL can only have one ACL list set to it. Given that the standard ACL is based on a single source IP address parameter, it does not offer a great deal of flexibility. Extended ACL, which depends on additional criteria such as the destination IP address, protocol type, destination, and source port number, alters the scenario.

Example 2.

To practice standard ACL, let's make another exercise where the standard ACL list is set up on router 2 bonded to the ports directly connected to servers 1, 2, and 3. There we can note three subnets.

We need to raise the following condition statement as shown below:

PC-1 and PC-3 are connected to server 1.

PC-4 and PC-5 are connected to server 2.

Only PC-5 is allowed to be connected to the service 3.

As a result, we will write three brief ACL statements for the interfaces Gig0/0, Gig0/1, and Gig0/2.

Access control list general statement

We assume that static routes and device interfaces are set in place with IPv4 addresses from figure 2. We start creating the general ACL statements on router 2 and assign them to the interface g0/1.

We allow PC-1 and PC-3 to connect to server 1.

R2#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R2(config)#access-list 2 permit 192.168.100.10

R2(config)#access-list 2 permit 192.168.100.30

R2(config)#access-list 2 deny any

R2(config)#

R2(config)#int g0/0

R2(config-if)#ip access-group 2 out

R2(config-if)#end

Checking connectivity

Pinging from PC-1 to Server-1 is possible, but not from PC-2. The packets from the PC-2 are dropped.

C:\>ping 10.1.1.100

Pinging 10.1.1.100 with 32 bytes of data:

Request timed out.

Reply from 10.1.1.100: bytes=32 time=1ms TTL=126

Ping statistics for 10.1.1.100:

Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),

Approximate round trip times in milli-seconds:

Minimum = 1ms, Maximum = 1ms, Average = 1ms

Below, dropped packets from PC-2 to Server-1.

C:\>ping 10.1.1.100

Pinging 10.1.1.100 with 32 bytes of data:

Reply from 192.50.10.254: Destination host unreachable.

Ping statistics for 10.1.1.100:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Let's configure the general statement to allow PC-4 and PC-5 access to server 2.

R2#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R2(config)#access-list 3 permit 192.168.100.40

R2(config)#access-list 3 permit 172.16.20.0 0.0.0.255

R2(config)#access-list 3 deny any

R2(config)#end

Assigning general statement for access list 3 to interface g0/1 with outbound traffic.

R2(config)#int g0/1

R2(config-if)#ip access-group 3 out

Create last access list number 4 with a general statement allowing only PC-5 to access server 3. We could keep this statement simple, but intentionally we used a wildcard mask to demonstrate command line structure.

R2#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R2(config)#access-list 4 permit 172.16.20.0 0.0.0.255

R2(config)#access-list 4 deny 192.168.100.0 0.0.0.255

Access list 4 was assigned to interface g0/2 with outbound traffic.

R2(config)#int g0/2

R2(config-if)#ip access-group 4 out

Verifying interfaces

Naturally, we want to be able to ping between PCs and servers, but to keep this lab brief, I'll just check the interfaces on router 2. However, if the ACL policy is effective, kindly check the connection. I am happy that I did.

Alright, finally examining the interfaces, we can see which ACL group has been allocated to each interface. It is among the few indications that the configuration of our ACL statement is accurate.

R2#show ip interface g0/0

GigabitEthernet0/0 is up, line protocol is up (connected)

Internet address is 10.1.1.254/24

Broadcast address is 255.255.255.255

Address determined by setup command

MTU is 1500 bytes

Helper address is not set

Directed broadcast forwarding is disabled

Outgoing access list is 2

Inbound access list is not set

R2#show ip interface g0/1

GigabitEthernet0/1 is up, line protocol is up (connected)

Internet address is 10.1.2.254/24

Broadcast address is 255.255.255.255

Address determined by setup command

MTU is 1500 bytes

Helper address is not set

Directed broadcast forwarding is disabled

Outgoing access list is 3

R2#show ip interface g0/2

GigabitEthernet0/2 is up, line protocol is up (connected)

Internet address is 10.1.3.254/24

Broadcast address is 255.255.255.255

Address determined by setup command

MTU is 1500 bytes

Helper address is not set

Directed broadcast forwarding is disabled

Outgoing access list is 4

Inbound access list is not set

Conclusion

In summary, the article emphasises that standard ACLs are a fundamental tool for controlling network access based on source IP addresses. While they are straightforward to implement, their simplicity means they lack the granularity of extended ACLs, which can filter traffic based on additional parameters such as destination IP addresses, protocols, and port numbers.