CCNA and CCENT Tutorial: Intro To Standard ACLs
In the previous installment of this ACL tutorial series, we learned how to calculate a wildcard mask in seconds. Now we’ll take a look at the two major ACL types, starting with standard ACLs.
A standard ACL is concerned only with the source IP address of the packet. That’s literally the only value that can be configured when writing a standard ACL.
You have two numeric ranges to choose from when writing standard ACLs, and I’ve bolded those for you in this IOS Help readout. Don’t concern yourself with all of these ranges, but know the standard and extended ACL ranges by heart.
R1(config)#access-list ? <1-99> IP standard access list <100-199> IP extended access list <1000-1099> IPX SAP access list <1100-1199> Extended 48-bit MAC address access list <1200-1299> IPX summary address access list <1300-1999> IP standard access list (expanded range) <200-299> Protocol type-code access list <2000-2699> IP extended access list (expanded range) <2700-2799> MPLS access list <300-399> DECnet access list <700-799> 48-bit MAC address access list <800-899> IPX standard access list <900-999> IPX extended access list
dynamic-extended Extend the dynamic ACL absolute timer rate-limit Simple rate-limit specific access list
IOS Help will make no mention of which address you’re matching on (source or destination, that is) with a standard ACL, so we need to know it’s a source IP address. If this doesn’t come up on your exam in one way or another, I’ll grow a full head of hair.
R1(config)#access-list 5 permit ? Hostname or A.B.C.D Address to match any Any source host host A single host address
Follow the source IP with the wildcard mask, and you’re gold. Let’s write a line matching the 220.127.116.11 255.255.255.0 subnet.
R1(config)#access-list 5 permit 18.104.22.168 ? /nn or A.B.C.D Wildcard bits log Log matches against this entry <cr> R1(config)#access-list 5 permit 22.214.171.124 0.0.0.255
Some IOSes give you the choice of using the traditional dotted decimal wildcard mask or entering the mask in prefix notation. We’ll use dotted decimal here and use prefix notation in a later lab.
I want to show you the challenges that await when using standard ACLs. In this demo, R1’s Serial IP is 126.96.36.199 /24 and R3’s is 188.8.131.52 /24.
The requirements for this lab:
On R1, block traffic sourced from 184.108.40.206 /24 if it’s destined for 220.127.116.11 /24.
R1 should allow packets from 18.104.22.168 /24 if intended for any other subnet, including any subnets added in the future.
If we use a standard ACL, we can block traffic sourced from 22.214.171.124 /24 destined for 126.96.36.199 /24 with no problem. That’s the good news. The bad news is that we’ll block all traffic coming from 188.8.131.52 /24, since a standard ACL doesn’t allow us to specify the destination IP address of the packets to be blocked.
Standard ACLs can be handy for identifying traffic, but for most situations involving permitting and denying traffic, you’re better off using an extended ACL. Let’s head to the next tutorial and see what extended ACLs are all about!
Next Tutorial: Introduction To Extended ACLs
Previous Tutorial: Wildcard Masking Made Easy
First Tutorial: ACL Rules and the Implicit Deny