Configure Standard Access List On Cisco Router

Posted in Articles, CCNA 2 years ago • Written by Shais • 5 Comments

A standard access list (ACL) on a Cisco router permits or denies the entire set of network protocols for a host; it cannot distinguish between individual protocols. Its decisions are based only on the source IP address: the router filters network traffic by examining the source IP address in each packet. We can create a standard IP access list by using the access-list command with numbers 1 to 99 or in the expanded range of 1300 to 1999.

I’m using Cisco Packet Tracer to do this task. You can create your own network topology within Cisco Packet Tracer or with the best network simulator, GNS3. If you are new to GNS3, I recommend reading the GNS3 installation article “Install GNS3 Network Simulator Step by Step in Windows” and the configuration article “Essential GNS3 Configuration for Cisco Lab”; these will help you find your way around GNS3.

Here I share the topology I created in Packet Tracer for the standard IP access list. Download and test it: Download CCNA Lab: Configure Standard Access List.

CCNA Lab – Standard Access List

Try configuring it with any routing protocol you want: static routes, RIP, or OSPF. The article “Configure Static Routing in Packet Tracer” can help you configure static routing for CCNA.

 Configure Standard Access List on Cisco Router

Let’s test the standard access list on our network by preventing access from subnet 192.168.10.0 to network 192.168.0.0, which is connected directly to router R1, and allowing only PC2 to access the network 192.168.0.0/24.

Standard Access List – Technig

On router R1, create the access list “access-list 10 permit 192.168.10.3 0.0.0.0” and then apply it to fastEthernet 0/0, which is the gateway of the network.

R1>enable
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#access-list 10 permit 192.168.10.3 0.0.0.0
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip access-group 10 out
R1(config-if)#exit

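The command “access-list 10 permit 192.168.10.3 0.0.0.0” permits only PC3. Every other host on the network 192.168.10.0 is denied, because every access list ends with an implicit deny for traffic that matches no entry. We use the wildcard 0.0.0.0 for PC3, so the entry matches only the exact host with the IP address 192.168.10.3.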

The command “ip access-group 10 out” applies access list 10 to outbound traffic on this interface, that is, to packets leaving the router toward this network.

Remember, we enter the access-list command in global configuration mode and the ip access-group command in interface configuration mode.

Now test it with a ping from PC3 to any host on the network 192.168.0.0/24. The ping must succeed, but pings from the other PCs on the network 192.168.10.0/24 must not be allowed.

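You can also write the list with an explicit deny followed by permit any. The following configuration blocks the host 192.168.10.3 and permits every other source.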

R1>enable
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#access-list 10 deny 192.168.10.3 0.0.0.0
R1(config)#access-list 10 permit any
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip access-group 10 out
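
The two configurations above can be compared by evaluating them the way the router does: entries are checked top-down, the first match decides, and a packet that matches no entry hits the implicit deny. The following Python is an added example, not part of the original article; the function names and the sample source addresses are constructed for illustration.

```python
import ipaddress

def parse_entry(line):
    """Parse 'access-list N permit|deny SOURCE [WILDCARD]' -> (action, addr, wildcard)."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL entry: {line!r}")
    action, src = tok[2], tok[3:]
    if src[0] == "any":            # any == 0.0.0.0 255.255.255.255
        addr, wild = "0.0.0.0", "255.255.255.255"
    elif src[0] == "host":         # host A.B.C.D == A.B.C.D 0.0.0.0
        if len(src) < 2:
            raise ValueError(f"'host' needs an address: {line!r}")
        addr, wild = src[1], "0.0.0.0"
    else:                          # A.B.C.D [wildcard]; no wildcard means exact host
        addr, wild = src[0], (src[1] if len(src) > 1 else "0.0.0.0")
    return action, int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))

def evaluate(acl_lines, source_ip):
    """Return 'permit' or 'deny' for source_ip: first match wins, else implicit deny."""
    ip = int(ipaddress.IPv4Address(source_ip))
    for line in acl_lines:
        action, addr, wild = parse_entry(line)
        care = ~wild & 0xFFFFFFFF  # wildcard 0-bits must match, 1-bits are ignored
        if (ip & care) == (addr & care):
            return action
    return "deny"                  # implicit deny at the end of every list

# The two lists from the article, plus constructed source addresses to test.
ACL_PERMIT_HOST = ["access-list 10 permit 192.168.10.3 0.0.0.0"]
ACL_DENY_HOST = ["access-list 10 deny 192.168.10.3 0.0.0.0",
                 "access-list 10 permit any"]
SOURCES = ["192.168.10.2", "192.168.10.3", "192.168.10.4"]  # constructed

def decisions(acl_lines, sources=SOURCES):
    """Map each source address to the action the list takes on it."""
    return {s: evaluate(acl_lines, s) for s in sources}

if __name__ == "__main__":
    for name, acl in (("permit host", ACL_PERMIT_HOST), ("deny host", ACL_DENY_HOST)):
        print(name, decisions(acl))
```

The first list lets through only 192.168.10.3; the second blocks only 192.168.10.3 and lets every other source through.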

Working with standard access lists on a Cisco router is easy and simple. Just practice some more to become an expert. If you want to explore and test more access list commands, simply type a question mark (?) after your command.

R2(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
R2(config)#access-list 10 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment
R2(config)#access-list 10 permit ?
A.B.C.D Address to match
any Any source host
host A single host address
R2(config)#access-list 10 permit any ?
<cr>

I hope this helps you understand the standard IP access list on Cisco routers.


About this Author
Shais

I'm a network and Information Security instructor. Here is my online pictorial notebook. I would like to write and share my experience through this website for computer enthusiasts and technology geeks.

5 Comments

  1. nayibzada, May 2, 2015 at 11:15 am

    Great. It works fine.

  2. amanullah, May 10, 2016 at 7:30 pm

    Of course it works properly, I tested that.

  3. Ahmad, June 29, 2016 at 8:48 pm

    Hi Shais,

    not quite get on the second option:
    R1>enable
    R1#configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    R1(config)#access-list 10 deny 192.168.10.3 0.0.0.0
    R1(config)#access-list 10 permit any
    R1(config)#interface fastEthernet 0/0
    R1(config-if)#ip access-group 10 out

    should it be :
    R1(config)#access-list 10 deny 0.0.0.0

  4. Ahmad, June 29, 2016 at 8:50 pm

    Looks like my line is missing there:

    R1(config)#access-list 10 deny CP2_IP 0.0.0.0

    • Shais, June 30, 2016 at 3:13 pm

      Hi Ahmad,

      That is exactly the problem?
