CCNA and CCENT Tutorial: Intro To Standard ACLs

In the previous installment of this ACL tutorial series, we learned how to calculate a wildcard mask in seconds.    Now we’ll take a look at the two major ACL types, starting with standard ACLs.

A standard ACL is concerned only with the source IP address of the packet.  That’s literally the only value that can be configured when writing a standard ACL.

You have two numeric ranges to choose from when writing standard ACLs, and I’ve bolded those for you in this IOS Help readout.   Don’t concern yourself with all of these ranges, but know the standard and extended ACL ranges by heart.

R1(config)#access-list ?

  <1-99>            IP standard access list

  <100-199>         IP extended access list

  <1000-1099>       IPX SAP access list

  <1100-1199>       Extended 48-bit MAC address access list

  <1200-1299>       IPX summary address access list

  <1300-1999>       IP standard access list (expanded range)

  <200-299>         Protocol type-code access list

  <2000-2699>       IP extended access list (expanded range)

  <2700-2799>       MPLS access list

  <300-399>         DECnet access list

  <700-799>         48-bit MAC address access list

  <800-899>         IPX standard access list

  <900-999>         IPX extended access list
  dynamic-extended  Extend the dynamic ACL absolute timer

     rate-limit        Simple rate-limit specific access list

IOS Help will make no mention of which address you’re matching on (source or destination, that is) with a standard ACL, so we need to know it’s a source IP address.  If this doesn’t come up on your exam in one way or another, I’ll grow a full head of hair.

R1(config)#access-list 5 permit ?

  Hostname or A.B.C.D  Address to match

  any                  Any source host

  host                 A single host address

Follow the source IP with the wildcard mask, and you’re gold.  Let’s write a line matching the subnet.

R1(config)#access-list 5 permit ?

  /nn or A.B.C.D  Wildcard bits

  log             Log matches against this entry


R1(config)#access-list 5 permit

Some IOSes give you the choice of using the traditional dotted decimal wildcard mask or entering the mask in prefix notation.  We’ll use dotted decimal here and use prefix notation in a later lab.

I want to show you the challenges that await when using standard ACLs.    In this demo, R1’s Serial IP is /24 and R3’s is /24.

Standard ACL Lab Topology

The requirements for this lab:

On R1, block traffic sourced from /24 if it’s destined for /24. 

R1 should allow packets from /24 if intended for any other subnet, including any subnets added in the future.

If we use a standard ACL, we can block traffic sourced from /24 destined for /24 with no problem.   That’s the good news.   The bad news is that  we’ll block all traffic coming from /24, since a standard ACL doesn’t allow us to specify the destination IP address of the packets to be blocked.

Standard ACL Blocks ALL Traffic

Standard ACLs can be handy for identifying traffic, but for most situations involving permitting and denying traffic, you’re better off using an extended ACL.  Let’s head to the next tutorial and see what extended ACLs are all about!

Next Tutorial:  Introduction To Extended ACLs

Previous Tutorial:  Wildcard Masking Made Easy

First Tutorial:   ACL Rules and the Implicit Deny