Standard Access-List Example On Cisco Router
Let’s configure some access-lists so I can demonstrate to you how this is done on Cisco IOS routers. In this lesson we’ll cover the standard access-list. Here’s the topology:
Two routers and each router has a loopback interface. I will use two static routes so that the routers can reach each other’s loopback interface:
R1(config)#ip route 2.2.2.0 255.255.255.0 192.168.12.2
R2(config)#ip route 1.1.1.0 255.255.255.0 192.168.12.1
Now let’s start with a standard access-list! I’ll create something on R2 that only permits traffic from network
This single permit entry will be enough. Keep in mind at the bottom of the access-list is a “deny any”. We don’t see it but it’s there. Let’s apply this access-list inbound on R2:
Use the ip access-group command to apply it to an interface. I applied it inbound with the in keyword. You can verify that the access-list has been applied with the show ip interface command. Above you see that access-list 1 has been applied inbound.
R1#ping 192.168.12.2
R2#show access-lists
Standard IP access list 1
10 permit 192.168.12.0, wildcard bits 0.0.0.255 (27 matches)
As you can see the access-list shows the number of matches per statement. We can use this to verify our access-list. Let me show you something useful when you are playing with access-lists:
When you send a ping you can use the source keyword to select the interface. The source IP address of this IP packet is now 1.1.1.1 and you can see these pings are failing because the access-list drops them.
R2#show access-lists
Standard IP access list 1
10 permit 192.168.12.0, wildcard bits 0.0.0.255 (27 matches)
You won’t see them with the show access-lists command because the invisible “deny any” is dropping them.
What if I wanted something different? Let’s say I want to deny traffic from network 192.168.12.0 /24 but permit all other networks? I can do something like this:
I’ll create a new access-list and the first statement will deny network 192.168.12.0 /24. The second statement is a permit any. Because of this permit any nothing will ever hit the invisible “deny any” with the exception of 192.168.12.0 /24. Let’s apply the new access-list:
R2(config-if)#no ip access-group 1 in
R2(config-if)#ip access-group 2 in
R1#ping 2.2.2.2
R2#show access-lists 2
Standard IP access list 2
10 deny 192.168.12.0, wildcard bits 0.0.0.255 (11 matches)
20 permit any
These pings are hitting the first statement and are dropped…
R2#show access-lists 2
Standard IP access list 2
10 deny 192.168.12.0, wildcard bits 0.0.0.255 (11 matches)
20 permit any (15 matches)
And pings from the loopback0 interface of R1 are hitting the second statement and are allowed.
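To make the matching rules behind access-list 1 and access-list 2 concrete, here is a small Python model of a standard ACL, added as an illustration for this lesson (it is not part of the original page and not Cisco IOS code). It implements the rules the lesson relies on: entries are checked top-down, the first match wins, an invisible “deny any” sits at the bottom, and only explicit entries keep match counters, which is why loopback-sourced pings dropped by access-list 1 never show up in show access-lists. It assumes R1 sources its normal pings from 192.168.12.1 (the next hop in R2’s static route) and its loopback pings from 1.1.1.1.

```python
import ipaddress

# Constructed model of Cisco IOS standard ACL behaviour (not IOS code).
# Assumptions, taken from the lesson: first match wins, an implicit "deny any"
# ends every list, and only explicit entries count matches.


def ip_to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def matches(entry_addr, wildcard, src):
    """Standard ACL match: every bit that is 0 in the wildcard must be equal."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(entry_addr) & care) == (ip_to_int(src) & care)


class StandardAcl:
    def __init__(self, number):
        self.number = number
        self.entries = []  # each entry: seq, action, addr, wildcard, matches

    def add(self, action, addr="0.0.0.0", wildcard="255.255.255.255"):
        # "permit any" / "deny any" is 0.0.0.0 with wildcard 255.255.255.255
        seq = self.entries[-1]["seq"] + 10 if self.entries else 10
        self.entries.append({"seq": seq, "action": action, "addr": addr,
                             "wildcard": wildcard, "matches": 0})
        return self

    def evaluate(self, src):
        """Return 'permit' or 'deny' for a packet with source address src."""
        for e in self.entries:
            if matches(e["addr"], e["wildcard"], src):
                e["matches"] += 1  # explicit entries keep a counter
                return e["action"]
        return "deny"  # implicit deny any: never shown, never counted

    def show(self):
        """Render the list the way 'show access-lists' prints it."""
        lines = [f"Standard IP access list {self.number}"]
        for e in self.entries:
            if e["addr"] == "0.0.0.0" and e["wildcard"] == "255.255.255.255":
                target = "any"
            else:
                target = f"{e['addr']}, wildcard bits {e['wildcard']}"
            n = e["matches"]
            count = f" ({n} {'match' if n == 1 else 'matches'})" if n else ""
            lines.append(f"    {e['seq']} {e['action']} {target}{count}")
        return "\n".join(lines)


def parse_config(lines):
    """Build StandardAcl objects from 'access-list N permit|deny ...' lines."""
    acls = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        number, action = int(parts[1]), parts[2]
        acl = acls.setdefault(number, StandardAcl(number))
        if parts[3] == "any":
            acl.add(action)
        elif parts[3] == "host":
            acl.add(action, parts[4], "0.0.0.0")
        else:
            # IOS treats a bare address without wildcard as a single host
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
            acl.add(action, parts[3], wildcard)
    return acls


def demo():
    """Replay the lesson: ACL 1 (permit one network) and ACL 2 (deny it, permit any)."""
    acl1 = StandardAcl(1).add("permit", "192.168.12.0", "0.0.0.255")
    acl2 = StandardAcl(2).add("deny", "192.168.12.0", "0.0.0.255").add("permit")
    results = {
        "acl1_fa": acl1.evaluate("192.168.12.1"),  # R1 ping 192.168.12.2
        "acl1_lo": acl1.evaluate("1.1.1.1"),       # R1 ping ... source loopback0
        "acl2_fa": acl2.evaluate("192.168.12.1"),
        "acl2_lo": acl2.evaluate("1.1.1.1"),
    }
    return results, acl1, acl2


if __name__ == "__main__":
    results, acl1, acl2 = demo()
    print(results)
    print(acl1.show())
    print(acl2.show())
```

Running it reproduces the lesson’s observations: the loopback-sourced ping is denied by access-list 1 without any counter moving, while with access-list 2 the same two pings hit statements 10 and 20 respectively.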
If you want to remove a statement from an access-list, a nice surprise awaits you:
Let’s say I want to remove the statement above. I’ll type no access-list and this is what you’ll discover:
R2#show access-lists 2
The whole access-list is gone…ouch! You can’t use no access-list to remove a statement. Your router will just accept “no access-list 2” and remove the whole access-list. Fun to discover in a lab, not so much fun on a production network. I’ll show you how to deal with this in a bit.
Besides applying an access-list inbound or outbound you can also apply them to the VTY lines. This is useful if you want to secure telnet or SSH access to your router. Let’s configure R1 so telnet access is only allowed from network 192.168.12.0 /24:
Above you can see that I created access-list 3 but I used the access-class command on the VTY lines. On interfaces we use the “access-group” command but on VTY lines you need to use “access-class” to apply them.
R2#telnet 192.168.12.1
Trying 192.168.12.1 ... Open
It says “open” which means that it connects. The connection is closed because I didn’t configure a password for telnet but the access-list should work:
R1#show access-lists
Standard IP access list 3
10 permit 192.168.12.0, wildcard bits 0.0.0.255 (2 matches)
You can see that the packets have matched the statement in access-list 3.
Configurations: R1, R2
Want to take a look for yourself? Here you will find the final configuration of each device.
That’s all for now. You have now learned how to configure standard access-lists and how to apply them to your interfaces or VTY line. I hope you learned something from this lesson, if you have any questions please leave a comment!
Tags: ACL, Security
Forum Replies
system
interface FastEthernet0/1
ip access-group 5 in
When I ping PC2 from PC1 I get "Reply from 20.1.1.2: Destination ho
hussien.samer
!
access-list 100 permit icmp host 192.168.45.4 host 192.168.45.5
!
!
class-map match-all 1
match access-group 100
!
policy-map 1
class 1
drop
!
control-plane
service-policy output 1
!
rodriarz
Hello Scott! Thanks for answering! What do you mean about “the right image”? There are images on switches that cannot analyze the access list before the switching process?
wellerk.scott
I try to answer as many questions as I can to expand my knowledge, and to help others and maybe one day they can return the favor when I need help. Anywho there are different images that can be used on a switch for example lan lite and lan base. The differences between the two are their features. For example the lan lite can do ACLs but only for virtual interfaces not physical ones. Below is a link to a cisco article explaining ACLs on a switch and what different features the different images support.
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalys
rodriarz
Thank you so much Scott!! I really appreciate it! Now I have a better understanding about ACLs on switches