How to add/modify Standard Access Control List (ACL) Cisco router

ACLs in Cisco IOS control traffic flow, and the same list syntax is reused to select traffic for other features such as NAT and route maps. Standard ACLs are the simplest and oldest type of ACL in Cisco IOS: each entry compares only the source IP address of a packet against the address (and wildcard mask) in that entry, and the first matching entry decides whether the packet is permitted or denied.

When used to filter traffic, a standard ACL should be applied on the interface closest to the destination of the traffic. Because it can only match on source address, applying it near the source would also cut that source off from destinations you did not intend to protect. (Extended ACLs, which can match on destination as well, are placed close to the source.)

Define a Standard ACL

From global configuration mode, run the access-list command as follows:

ciscorouter(config)# access-list 10 permit 10.1.1.1

ciscorouter(config)# access-list 10 permit 10.1.1.2

ciscorouter(config)# access-list 10 permit 10.1.2.0 0.0.0.255

In the above example, the access list permits the hosts 10.1.1.1 and 10.1.1.2 and the network 10.1.2.0/24; everything else is denied. Every ACL ends with an implicit "deny any" that is not shown in the configuration, so any source that matches no permit entry is dropped. This is why an ACL applied to an interface needs at least one permit statement: a list containing only deny entries blocks all traffic on that interface. The opposite failure mode also exists and is easy to miss: if the ACL number referenced by "ip access-group" has no entries (for example because the list was deleted), IOS permits all traffic on that interface.

To display the ACL:

ciscorouter# show access-lists
Standard IP access list 10
    10 permit 10.1.1.1
    20 permit 10.1.1.2
    30 permit 10.1.2.0, wildcard bits 0.0.0.255

Note that "show access-lists" may display the host entries of a standard ACL in a different order from the one in which they were typed: IOS stores host entries in a hash table for faster lookup, and because two host entries can never both match the same packet, reordering them does not change the result. That does not mean evaluation is unordered. Entries are processed top-down in sequence-number order and the first match wins, so the relative order of overlapping entries (a deny for one host and a permit for the subnet containing it) determines the outcome. Another thing worth mentioning is the "inverse mask" (wildcard mask) used in ACLs.

Let's take a look at the last statement in the ACL:

ciscorouter(config)# access-list 10 permit 10.1.2.0 0.0.0.255

Normally, when defining a network we would write it as 10.1.2.0/24 or 10.1.2.0 255.255.255.0. In an ACL the mask is inverted: a "0" bit means the corresponding bit of the address must match exactly, and a "1" bit means "don't care". So to match the whole 10.1.2.0/24 network, the first three octets of the mask are 0 (they must match) and the fourth octet is 255 (all bits are don't-care), which covers every host in that network. A bare address such as 10.1.1.1 is shorthand for 10.1.1.1 0.0.0.0 (also written "host 10.1.1.1"), and "any" is shorthand for 0.0.0.0 255.255.255.255. For a contiguous subnet mask the wildcard is simply its bitwise inverse (255.255.255.0 becomes 0.0.0.255), but wildcard bits do not have to be contiguous, which is why a wildcard is not just "a subnet mask written backwards".
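To see these rules in working code, the following is an added example (not from the original post, and not Cisco code) that models a standard ACL in plain Python: wildcard-mask matching as described above, conversion of a subnet mask to its wildcard, top-down first-match evaluation ending in the implicit deny, and a small audit that flags entries an earlier entry already shadows. The entries of ACL 10 are the ones from this post; the two deny/permit lists and the 0.0.254.255 wildcard are constructed for illustration.

```python
"""Standard ACL semantics modelled in plain Python (added example, not from the post).

A wildcard (inverse) mask bit of 0 means "this address bit must match",
1 means "don't care". Entries are evaluated top-down in sequence order;
the first match wins and an unmatched packet hits the implicit "deny any".
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


def to_int(addr: str) -> int:
    """Dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def care_bits(wildcard: str) -> int:
    """The bits an entry insists on: the inverse of its wildcard mask."""
    return ~to_int(wildcard) & MASK32


def wildcard_match(packet_src: str, acl_addr: str, wildcard: str = "0.0.0.0") -> bool:
    """True when packet_src equals acl_addr on every bit the wildcard marks as 0."""
    care = care_bits(wildcard)
    return (to_int(packet_src) & care) == (to_int(acl_addr) & care)


def subnet_mask_to_wildcard(mask: str) -> str:
    """255.255.255.0 -> 0.0.0.255: for a contiguous mask the wildcard is its bitwise inverse."""
    return str(ipaddress.IPv4Address(~to_int(mask) & MASK32))


@dataclass
class Entry:
    seq: int
    action: str                 # "permit" or "deny"
    addr: str
    wildcard: str = "0.0.0.0"   # omitted in IOS means a single host, i.e. "host <addr>"


def evaluate(acl: list[Entry], packet_src: str) -> tuple[str, int | None]:
    """First matching entry decides: returns (action, seq). No match -> implicit deny, seq None."""
    for entry in sorted(acl, key=lambda e: e.seq):
        if wildcard_match(packet_src, entry.addr, entry.wildcard):
            return entry.action, entry.seq
    return "deny", None


def shadowed_entries(acl: list[Entry]) -> list[int]:
    """Sequence numbers of entries that can never match because an earlier entry
    already covers every address they cover. Such entries are dead configuration,
    typically a deny appended after the permit it was meant to override."""
    dead = []
    ordered = sorted(acl, key=lambda e: e.seq)
    for i, later in enumerate(ordered):
        later_care = care_bits(later.wildcard)
        for earlier in ordered[:i]:
            earlier_care = care_bits(earlier.wildcard)
            # 'earlier' covers 'later' if it cares about a subset of later's bits
            # and agrees with later on all of those bits.
            if (earlier_care & ~later_care & MASK32) == 0 and \
               (to_int(earlier.addr) & earlier_care) == (to_int(later.addr) & earlier_care):
                dead.append(later.seq)
                break
    return dead


# ACL 10 exactly as defined in the post.
ACL_10 = [
    Entry(10, "permit", "10.1.1.1"),
    Entry(20, "permit", "10.1.1.2"),
    Entry(30, "permit", "10.1.2.0", "0.0.0.255"),
]

# Constructed: the same two overlapping entries in both orders. Here order matters.
ACL_DENY_FIRST = [Entry(10, "deny", "10.1.2.7"), Entry(20, "permit", "10.1.2.0", "0.0.0.255")]
ACL_DENY_LAST = [Entry(10, "permit", "10.1.2.0", "0.0.0.255"), Entry(20, "deny", "10.1.2.7")]


if __name__ == "__main__":
    for src in ("10.1.1.2", "10.1.2.200", "10.1.3.1"):
        print(src, "->", evaluate(ACL_10, src))        # the third one hits the implicit deny
    print(subnet_mask_to_wildcard("255.255.255.128"))  # 0.0.0.127
    # Non-contiguous wildcard: 0.0.254.255 keeps only bit 0 of the third octet,
    # so "10.1.0.0 0.0.254.255" matches every even third octet inside 10.1.0.0/16.
    print(wildcard_match("10.1.2.5", "10.1.0.0", "0.0.254.255"),
          wildcard_match("10.1.3.5", "10.1.0.0", "0.0.254.255"))
    print(evaluate(ACL_DENY_FIRST, "10.1.2.7"), evaluate(ACL_DENY_LAST, "10.1.2.7"))
    print("shadowed in ACL_DENY_LAST:", shadowed_entries(ACL_DENY_LAST))   # [20]
```

Running the script shows 10.1.3.1 falling through to the implicit deny, and that the deny for 10.1.2.7 only takes effect when it precedes the subnet permit; in ACL_DENY_LAST the audit reports sequence 20 as unreachable, which is exactly the situation the "append a new entry" workflow below produces if you append a deny after a broader permit.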

Apply ACL to Interface

Once the ACL is defined, apply it to an interface from interface configuration mode:

ciscorouter(config)# interface FastEthernet 0/0

ciscorouter(config-if)# ip access-group 10 in

The above command applies ACL 10 to all traffic entering the router on that interface (the "in" keyword; "out" would instead filter traffic leaving the router through it). Confirm that it is bound with "show ip interface FastEthernet 0/0", which lists the inbound and outbound access lists for the interface. The same ACL can also be referenced from a NAT configuration; that is covered in a separate post.

Modify the ACL

Take care when modifying a numbered ACL: from global configuration mode, the "no" form of a single access-list statement removes the entire ACL, not just that entry. Adding a new entry is done the same way as before; the new entry is appended to the end of the list, after the existing entries.

For example,

ciscorouter(config)# access-list 10 permit 10.1.3.0 0.0.0.255

To delete a single entry, however, enter the ACL configuration mode for the list and use the "no" form of the entry there:

ciscorouter(config)# ip access-list standard 10

ciscorouter(config-std-nacl)# no permit 10.1.3.0 0.0.0.255

This removes only the entry we just added. If instead you run "no access-list 10 permit 10.1.3.0 0.0.0.255" from global configuration mode, the whole of ACL 10 is deleted, and an interface that still references it then passes all traffic until the list is recreated. Alternatively, copy the ACL into a text editor, remove the lines you no longer want, delete the ACL on the router and paste the edited list back; be aware that the interface is unprotected between the deletion and the paste.
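The whole procedure in one place, using the sequence-numbered editing that IOS 12.3 and later provide in named-ACL mode, which avoids the delete-and-retype workaround. This is an added example, not configuration from the original post. The interface name and addresses are the ones used in the post; the host 10.1.1.3 is an assumed addition, and an explicit "deny any log" is added as the last entry so that dropped traffic shows up in syslog instead of disappearing silently into the implicit deny.

```cisco
! --- Define ACL 10 in named-ACL mode (numbered standard lists can be edited here too) ---
ip access-list standard 10
 10 permit 10.1.1.1
 20 permit 10.1.1.2
 30 permit 10.1.2.0 0.0.0.255
 40 deny any log
 exit
!
! --- Apply it inbound on the interface the traffic enters through ---
interface FastEthernet0/0
 ip access-group 10 in
 exit
!
! --- Verify the entries and that the ACL is actually bound to the interface ---
do show ip access-lists 10
do show ip interface FastEthernet0/0 | include access list
!
! --- Modify in place: insert between 10 and 20, delete one entry by its number ---
ip access-list standard 10
 15 permit 10.1.1.3
 no 20
 exit
! Renumber the remaining entries as 10, 20, 30, 40 so there is room for later inserts
ip access-list resequence 10 10 10
do show ip access-lists 10
!
! --- What NOT to do ---
! "no access-list 10 permit 10.1.1.1" typed in global configuration mode deletes
! ACL 10 entirely; FastEthernet0/0 still references the now-empty list and passes
! all traffic until the ACL is recreated.
```

The "deny any log" entry is deliberately explicit: the implicit deny keeps no counters, whereas a logged deny produces "%SEC-6-IPACCESSLOGS" messages and hit counts in "show ip access-lists", which is what you want when investigating why a host is being blocked or looking for scanning from unexpected sources.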

Extended ACLs are covered in a separate post.

Comments

7 responses to “How to add/modify Standard Access Control List (ACL) Cisco router”

  1. Eddie Ayala

    Excellent, simple and very technical information.

    Thanks,

    EA

  2. ratibhan upadhyay

    Hi sir, I want the full command for ACL configuration.

  3. ratibhan upadhyay

    How can I configure frame relay?

  4. shiva

    Very easy information taken by you ... thank you.

  5. rajmul

    You have given the info in the easiest way to understand... Thank you.

  6. bhushan

    I want to add an IP address to my IP permit list on a 2950 switch. How is it possible? Please explain briefly...
    My switch config is as follows:

    enable password 7 072C285F4D06

    username switch-una privilege 15 password 7 15011C05102923693D3D3461405547
    username cisco-una privilege 15 password 7 0307521805006C594008
    ip subnet-zero

    spanning-tree mode pvst
    no spanning-tree optimize bpdu transmission
    spanning-tree extend system-id

    interface FastEthernet0/1
     spanning-tree portfast

    interface FastEthernet0/2

    interface FastEthernet0/3
     description "connected to hub"
     ip access-group port3 in

    interface FastEthernet0/4

    interface FastEthernet0/5
     shutdown

    interface FastEthernet0/6
     shutdown

    interface FastEthernet0/7
     shutdown

    interface FastEthernet0/8
     shutdown

    interface FastEthernet0/9
     description "connected to vc camera"
     ip access-group port9 in

    interface FastEthernet0/10
     shutdown

    interface FastEthernet0/11
     shutdown

    interface FastEthernet0/12
     shutdown

    interface FastEthernet0/13
     shutdown

    interface FastEthernet0/14
     shutdown

    interface FastEthernet0/15
     shutdown

    interface FastEthernet0/16
     shutdown

    interface FastEthernet0/17
     description "connected to pc for router access"
     ip access-group port17 in
     spanning-tree portfast

    interface FastEthernet0/18
     shutdown

    interface FastEthernet0/19
     shutdown

    interface FastEthernet0/20
     shutdown

    interface FastEthernet0/21
     shutdown

    interface FastEthernet0/22
     shutdown

    interface FastEthernet0/23
     shutdown

    interface FastEthernet0/24
     shutdown

    interface GigabitEthernet0/1
     no keepalive
     duplex full
     spanning-tree portfast

    interface GigabitEthernet0/2
     no keepalive
     spanning-tree portfast

    interface Vlan1
     ip address 10.146.153.3 255.255.255.128
     no ip route-cache

    ip http server

    ip access-list standard vty
     permit 10.146.153.11
     permit 10.146.153.13
     permit 10.146.153.12
     permit 10.146.2.14
     permit 10.146.2.7
     permit 10.146.2.92
     permit 10.146.2.81

    ip access-list extended port17
     permit ip host 10.146.153.11 any
     deny ip any any
    ip access-list extended port3
     permit ip host 10.146.153.105 any
     permit ip host 10.146.153.111 any
     permit ip host 10.146.153.112 any
     permit ip host 10.146.153.85 any
     permit ip host 10.146.153.90 any
     permit ip host 10.146.153.13 any
     permit ip host 10.146.153.25 any
     permit ip host 10.146.153.61 any
     permit ip host 10.146.153.16 any
     permit ip host 10.146.153.96 any
     permit ip host 10.146.153.32 any
     permit ip host 10.146.153.18 any
     permit ip host 10.146.153.62 any
     permit ip host 10.146.153.47 any
     permit ip host 10.146.153.51 any
     permit ip host 10.146.153.115 any
     permit ip host 10.146.153.12 any
     permit ip host 10.146.153.35 any
     permit ip host 10.146.153.53 any
     permit ip host 10.146.153.44 any
     permit ip host 10.146.153.59 any
     permit ip host 10.146.153.30 any
     permit ip host 10.146.153.81 any
     permit ip host 10.146.153.10 any
     permit ip host 10.146.153.117 any
     permit ip host 10.146.153.66 any
     permit ip host 10.146.153.23 any
     permit ip host 10.146.153.29 any
     permit ip host 10.146.153.52 any
     permit ip host 10.146.153.123 any
     permit ip host 10.146.153.118 any
     permit ip host 10.146.153.50 any
     permit ip host 10.146.153.120 any
     permit ip host 10.146.153.43 any
     permit ip host 10.146.153.110 any
     permit ip host 10.146.153.36 any
     permit ip host 10.146.153.4 any
     permit ip host 10.146.153.56 any
     permit ip host 10.146.153.95 any
     permit ip host 10.146.153.99 any
     permit ip host 10.146.153.102 any
     permit ip host 10.146.153.100 any
     permit ip host 10.146.153.73 any
     permit ip host 10.146.153.107 any
     permit ip host 10.146.153.75 any
     permit ip host 10.146.153.76 any
     permit ip host 10.146.153.77 any
     permit ip host 10.146.153.78 any
     permit ip host 10.146.153.79 any
     permit ip host 10.146.153.80 any
     permit ip host 10.146.153.86 any
     permit ip host 10.146.153.87 any
     permit ip host 10.146.153.88 any
     permit ip host 10.146.153.89 any
     permit ip host 10.146.153.74 any
     permit ip host 10.146.153.97 any
     permit ip host 10.146.153.98 any
     permit ip host 10.146.153.21 any
     permit ip host 10.146.153.22 any
     permit ip host 10.146.153.24 any
     permit ip host 10.146.153.26 any
     permit ip host 10.146.153.27 any
     permit ip host 10.146.153.28 any
    --More--

  7. bryan

    Hey, I want to create a standard ACL to allow all traffic to flow from 172.16.10.0 0.0.0.255 to 172.16.20.0 0.0.0.255 and 172.16.30.0 0.0.0.255, but I don't want traffic to flow from 172.16.20.0 0.0.0.255 to 172.16.30.0 0.0.0.255 and vice versa, so I created the following ACL:

    access-list 10 permit 172.16.10.0 0.0.0.255
    access-list 10 deny any

    And I also created subinterfaces on the router for interface fa 0/0:

    subinterface fa 0/0.1 for 172.16.10.0 0.0.0.255

    subinterface fa 0/0.2 for 172.16.20.0 0.0.0.255

    subinterface fa 0/0.3 for 172.16.30.0 0.0.0.255

    And I have applied the above access list on the subinterfaces fa 0/0.2 and fa 0/0.3, but it's not working. Please help.
