Standard Access List

Written by admin. Posted in ACLs

In the previous article we discussed Access Control Lists in general. Here we'll focus on Standard Access Lists on Cisco devices and walk through an example.

With standard ACLs you can permit or deny traffic based only on the source IP address; the destination address and the port do not matter. They can be named or numbered. Numbered standard ACLs use the ranges 1 to 99 and 1300 to 1999 (the expanded range).

Because a standard ACL cannot look at the destination, a good practice is to place it as close to the destination as possible. Placed near the source, it would cut the source off from every destination beyond that point, not just the one you intended to protect.

To understand better how they work, let's take an example.

Figure: Standard ACL

In the picture above we have R1 and R2. On R1's fa0/0 interface we'll apply an inbound ACL to filter traffic from some of R2's loopback networks. For now, we'll configure the interfaces on R1 and R2 without an ACL.

R1

interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0

ip route 192.168.0.0 255.255.255.0 FastEthernet0/0
ip route 192.168.1.0 255.255.255.0 FastEthernet0/0
ip route 192.168.2.0 255.255.255.0 FastEthernet0/0

R2

interface Loopback0
 ip address 192.168.0.1 255.255.255.0
interface Loopback1
 ip address 192.168.1.1 255.255.255.0
interface Loopback2
 ip address 192.168.2.1 255.255.255.0
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0

On R1 we've added 3 static routes to reach R2's loopback networks. Note that these routes point at an Ethernet interface rather than a next-hop address, so R1 has to ARP for every destination host and relies on R2's proxy ARP (enabled by default in IOS) to answer; pointing the routes at the next hop 10.0.0.2 is the more robust form. Next, we'll configure a numbered Access List on R1.

access-list 1 deny   192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 remark Manage Traffic From R2

The statements are entered in global configuration mode and are processed top-down: the first statement whose network matches the packet's source address decides the verdict, and nothing below it is checked. In the ACL's statements we have:

Number "1"
This is the number of the ACL; every statement that carries the same number belongs to the same list.
"deny" keyword
Packets whose source address is matched by this statement are dropped.
"permit" keyword
Packets whose source address is matched by this statement are forwarded.
"192.168.0.0"
This is the network that the statement compares the source address against.
"0.0.0.255"
This is the wildcard mask, which tells the router which bits of the address to examine:
With a wildcard mask bit of 0, the corresponding bit in the packet's source address must match the bit in the statement's address;
With a wildcard mask bit of 1, the corresponding bit is ignored.
In binary, 0.0.0.255 is 00000000.00000000.00000000.11111111, so the first 24 bits of the source address are compared and the last 8 are ignored. Taking the first statement of the ACL, every packet whose source IP address starts with 192.168.0 is matched and denied; the last 8 bits don't matter. Note that a wildcard mask is not just an inverted subnet mask: the 1 bits do not have to be contiguous, so 10.0.0.0 with wildcard 0.255.0.255 matches any address of the form 10.x.0.y.
"remark" keyword
The string after this keyword is a description that reminds you later what the ACL is for; it is never compared against packets.
At the end of every ACL there is an implicit deny, which drops every packet not matched by an earlier statement. It does not show up in the configuration, and because of it an ACL that contains only deny statements blocks all traffic.
If that is not what you want, add a final statement with the "permit any" keywords, which permits every packet not matched by the statements above it.

The next step is to bind the Standard Access List to an interface, inbound or outbound. An outbound ACL does not act on packets the router generates itself (such as R1's echo replies), and the packets we want to filter arrive at R1 from R2, so there is no reason to use it here as an outbound ACL. We'll bind it to R1's fa0/0 as an inbound Access List.

R1

interface FastEthernet0/0
 ip access-group 1 in

We get the following result:

  •  Packets with R2's Loopback 0 source IP address (192.168.0.1) will be denied by the first statement;
  •  Packets with R2's Loopback 1 source IP address (192.168.1.1) will be permitted by the second statement;
  •  Packets with R2's Loopback 2 source IP address (192.168.2.1) will be denied by the implicit deny, because no other statement matches them.
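To make the wildcard-mask and first-match rules concrete, here is a small Python simulator. It is an added example, not code from the article or from Cisco: the parser, the `Entry` and `evaluate` names, and the `r1_results` helper are this example's own. It reads the three statements configured on R1 above and evaluates each of R2's loopback sources against them, reproducing the per-source result just listed. It handles only the subset of standard-ACL syntax used on this page (permit/deny with address and wildcard, `host`, `any`, `remark`); it also goes slightly beyond the article by showing a discontiguous wildcard mask and the IOS behaviour that an applied ACL with no entries permits all traffic.

```python
import ipaddress
from dataclasses import dataclass

# The numbered ACL exactly as configured on R1 in the article.
ACL_TEXT = """
access-list 1 deny   192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 remark Manage Traffic From R2
"""

# Loopback source addresses used for the pings from R2.
R2_SOURCES = ["192.168.0.1", "192.168.1.1", "192.168.2.1"]


def _ip(text):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class Entry:
    action: str      # "permit" or "deny"
    address: int     # address from the statement, as a 32-bit integer
    wildcard: int    # wildcard mask; a 1 bit means "ignore this bit"

    def matches(self, src):
        # Only the bits where the wildcard is 0 are compared, so mask the
        # "don't care" bits out of both sides and compare what is left.
        care = ~self.wildcard & 0xFFFFFFFF
        return (src & care) == (self.address & care)


def parse_standard_acl(text):
    """Parse numbered ('access-list N ...') or named ('permit ...') statements."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "access-list":
            tokens = tokens[2:]              # drop 'access-list' and the number
        action, rest = tokens[0], tokens[1:]
        if action == "remark":
            continue                         # documentation only, never matched
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported statement: {line.strip()!r}")
        if rest[0] == "any":
            entries.append(Entry(action, 0, 0xFFFFFFFF))
        elif rest[0] == "host":
            entries.append(Entry(action, _ip(rest[1]), 0))
        elif len(rest) == 1:
            entries.append(Entry(action, _ip(rest[0]), 0))   # bare address = host
        else:
            entries.append(Entry(action, _ip(rest[0]), _ip(rest[1])))
    return entries


def evaluate(entries, src):
    """Return (verdict, statement_number); statement_number is None when the
    implicit deny decided. An ACL that is applied to an interface but has no
    entries permits all traffic on IOS, so that case is modelled explicitly."""
    if not entries:
        return "permit", None
    s = _ip(src)
    for number, entry in enumerate(entries, start=1):   # top-down, first match wins
        if entry.matches(s):
            return entry.action, number
    return "deny", None                                  # implicit deny


def r1_results():
    """Verdict for each of R2's loopback sources against access-list 1."""
    acl = parse_standard_acl(ACL_TEXT)
    return {src: evaluate(acl, src) for src in R2_SOURCES}


if __name__ == "__main__":
    for src, (verdict, number) in r1_results().items():
        where = f"statement {number}" if number else "implicit deny"
        print(f"{src:<12} {verdict:<6} ({where})")
    # A discontiguous wildcard: 10.0.0.0 0.255.0.255 means 10.x.0.y for any x, y.
    odd = parse_standard_acl("permit 10.0.0.0 0.255.0.255")
    print(evaluate(odd, "10.77.0.9"), evaluate(odd, "10.77.1.9"))
```

Running it prints deny for 192.168.0.1 (statement 1), permit for 192.168.1.1 (statement 2) and deny for 192.168.2.1 (implicit deny), which is exactly what the pings below confirm. The `care` mask in `Entry.matches` is the whole trick of wildcard matching: bits set in the wildcard are cleared from both the statement address and the packet source before the comparison.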

Let’s check this out with some pings from R2’s Loopback interfaces.

R2#ping 10.0.0.1 source loopback 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.1 
U.U.U
Success rate is 0 percent (0/5)
R2#                               
R2#ping 10.0.0.1 source loopback 1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/23/36 ms
R2#
R2#ping 10.0.0.1 source loopback 2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1 
U.U.U
Success rate is 0 percent (0/5)
R2#

From the output you can see that only the ping from Loopback 1 succeeded. The "U" characters in the failed pings mean R2 received an ICMP destination unreachable (administratively prohibited) from R1 for the dropped packet; they alternate with timeouts because IOS rate-limits unreachables (one every 500 ms by default). These messages tell a sender that a filter is in place, and you can suppress them with `no ip unreachables` on the interface. You can check the ACL's statements, together with the match counters that the pings incremented, with one of these commands

show access-lists 
show ip access-lists

To delete this Access List use the following command. Be careful: for numbered ACLs, `no access-list 1` followed by any single statement also removes the entire list, not just that statement, and if the ACL is still applied to an interface the interface then passes all traffic, because a referenced ACL with no entries permits everything. To remove a single line, use the named form below, where each statement can be removed individually with `no` in ACL configuration mode.

no access-list 1

The named version of this Access List looks like this, and it is applied the same way, with `ip access-group FIRST in` on the interface

ip access-list standard FIRST
 deny   192.168.0.0 0.0.0.255
 permit 192.168.1.0 0.0.0.255
 remark Manage Traffic From R2

See you!


Comments (2)

  • Erich


    How can I make an access-list for outgoing traffic?


    • admin


      Hi,
      Standard Access Lists can be used to manipulate packets based on source IP address. To filter based on destination or other criteria, you can use Extended Access Lists.

