Access Control Lists (ACLs) in Cisco IOS are used both to filter traffic on an interface and as a simple match list that other features, such as NAT or route-maps, refer to. Standard ACLs are the simplest and oldest type of ACL in Cisco IOS. A standard ACL compares only the source IP address of each packet against the addresses defined in the list and permits or denies the packet according to the first matching entry.
When used to filter traffic, the general recommendation is to apply a standard ACL on the interface closest to the destination, since it can only match on source addresses; applying it close to the source risks blocking traffic to destinations you did not intend to filter.
Define a Standard ACL
From global configuration mode, run the access-list command as follows:
ciscorouter(config)# access-list 10 permit 10.1.1.1
ciscorouter(config)# access-list 10 permit 10.1.1.2
ciscorouter(config)# access-list 10 permit 10.1.2.0 0.0.0.255
In the above example, the access list permits the hosts 10.1.1.1 and 10.1.1.2 and the network 10.1.2.0/24; everything else is denied. Every access list ends with an implicit "deny any" statement, which denies everything that did not match a permit entry. This is why an ACL applied to an interface should contain at least one permit statement; otherwise you run the danger of blocking all traffic on that interface.
To display the ACL
ciscorouter# show access-lists
Standard IP access list 10
10 permit 10.1.1.1
20 permit 10.1.1.2
30 permit 10.1.2.0, wildcard bits 0.0.0.255
Please note that the order in which the rules are processed is in descending order of IP address, not the sequence numbers shown. Another thing worth mentioning is the "inverse mask" (wildcard mask) used in ACLs.
Let's take a look at the last statement in the ACL:
ciscorouter(config)# access-list 10 permit 10.1.2.0 0.0.0.255
Normally, when defining a network we would write it as 10.1.2.0/255.255.255.0. In an ACL, the mask is the inverse: a "0" bit means the corresponding bit of the address must match exactly, and a "1" bit means "don't care". So, to match the network 10.1.2.0/24, the first three octets of the wildcard mask are "0" (they must match) while the fourth octet is "255" (all bits set to "1"), which matches every host in that network.
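To make the wildcard-mask rule and the implicit "deny any" concrete, here is a small evaluator for numbered standard ACLs written for this page (it is not Cisco code); it parses the article's three access-list lines, assigns sequence numbers 10, 20, 30 as IOS does, and checks a source address the way the router's first-match lookup does. Assumes the entries are evaluated in the order entered.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Entry:
    seq: int         # sequence number as shown by "show access-lists"
    action: str      # "permit" or "deny"
    addr: int        # address from the entry, as a 32-bit integer
    wildcard: int    # wildcard mask: 0 bit = must match, 1 bit = don't care

def parse_standard_acl(lines):
    """Parse 'access-list <n> permit|deny <addr> [wildcard]' lines.
    A missing wildcard means 0.0.0.0 (exact host match); 'any' is 0.0.0.0 255.255.255.255."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue  # ignore anything that is not an access-list statement
        action = parts[2]
        if parts[3] == "any":
            addr, wc = 0, 0xFFFFFFFF
        else:
            addr = int(ipaddress.IPv4Address(parts[3]))
            wc = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        entries.append(Entry(10 * (len(entries) + 1), action, addr, wc))
    return entries

def matches(entry, src):
    """True when every bit that is 0 in the wildcard mask is identical in src and entry.addr."""
    care = ~entry.wildcard & 0xFFFFFFFF
    return (src & care) == (entry.addr & care)

def evaluate(entries, src_ip):
    """Return (action, seq) of the first matching entry; no match hits the implicit deny."""
    src = int(ipaddress.IPv4Address(src_ip))
    for e in entries:
        if matches(e, src):
            return e.action, e.seq
    return "deny", None  # implicit "deny any" at the end of every ACL

# Constructed input: the three statements from the article, as typed on the router.
ACL_10 = [
    "access-list 10 permit 10.1.1.1",
    "access-list 10 permit 10.1.1.2",
    "access-list 10 permit 10.1.2.0 0.0.0.255",
]

if __name__ == "__main__":
    acl = parse_standard_acl(ACL_10)
    for ip in ("10.1.1.1", "10.1.1.3", "10.1.2.200", "10.1.3.5"):
        print(ip, evaluate(acl, ip))
```

Note how 10.1.1.3 is denied even though it sits next to two permitted hosts: a wildcard of 0.0.0.0 requires all 32 bits to match, so nothing but the listed hosts or the 10.1.2.0/24 range gets through.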
Apply ACL to Interface
Once the ACL is defined, apply it to an interface from interface configuration mode as follows:
ciscorouter(config)# interface FastEthernet0/0
ciscorouter(config-if)# ip access-group 10 in
The above command applies ACL 10 (the "10" in the command) to all incoming traffic on the interface; the "in" keyword selects the inbound direction. To see an ACL used for NAT, see the NAT article (linked from the original post).
Modify the ACL
Be careful when modifying a standard ACL: deleting a single entry the wrong way can remove the complete ACL. Adding a new entry to the list is done in the same way as before, for example:
ciscorouter(config)# access-list 10 permit 10.1.3.0 0.0.0.255
However, to delete an entry from the ACL, enter the ACL configuration mode for that list and remove the entry using the "no" form of the command:
ciscorouter(config)# ip access-list standard 10
ciscorouter(config-std-nacl)# no permit 10.1.3.0 0.0.0.255
This removes only the entry we just added. If instead you try to remove the entry from global configuration mode with "no access-list 10 ...", you risk losing the complete ACL. Alternatively, copy the ACL into a text editor, remove the lines you no longer want, delete the ACL on the router and then paste the edited ACL back in.
For Extended ACLs, click here
Excellent, simple and very technical information.
Thanks,
EA
Hi sir, I want the full command set for ACL configuration.
How can I configure Frame Relay?
Very easy information taken by you... Thank you.
You have given the info in the easiest way to understand... Thank you.
I want to add an IP address to the IP permit list on a 2950 switch. How is it possible? Please explain briefly...
My switch config is as follows:
enable password 7 072C285F4D06
username switch-una privilege 15 password 7 15011C05102923693D3D3461405547
username cisco-una privilege 15 password 7 0307521805006C594008
ip subnet-zero
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
interface FastEthernet0/1
 spanning-tree portfast
interface FastEthernet0/2
interface FastEthernet0/3
 description "connected to hub"
 ip access-group port3 in
interface FastEthernet0/4
interface FastEthernet0/5
 shutdown
interface FastEthernet0/6
 shutdown
interface FastEthernet0/7
 shutdown
interface FastEthernet0/8
 shutdown
interface FastEthernet0/9
 description "connected to vc camera"
 ip access-group port9 in
interface FastEthernet0/10
 shutdown
interface FastEthernet0/11
 shutdown
interface FastEthernet0/12
 shutdown
interface FastEthernet0/13
 shutdown
interface FastEthernet0/14
 shutdown
interface FastEthernet0/15
 shutdown
interface FastEthernet0/16
 shutdown
interface FastEthernet0/17
 description "connected to pc for router access"
 ip access-group port17 in
 spanning-tree portfast
interface FastEthernet0/18
 shutdown
interface FastEthernet0/19
 shutdown
interface FastEthernet0/20
 shutdown
interface FastEthernet0/21
 shutdown
interface FastEthernet0/22
 shutdown
interface FastEthernet0/23
 shutdown
interface FastEthernet0/24
 shutdown
interface GigabitEthernet0/1
 no keepalive
 duplex full
 spanning-tree portfast
interface GigabitEthernet0/2
 no keepalive
 spanning-tree portfast
interface Vlan1
 ip address 10.146.153.3 255.255.255.128
 no ip route-cache
ip http server
ip access-list standard vty
 permit 10.146.153.11
 permit 10.146.153.13
 permit 10.146.153.12
 permit 10.146.2.14
 permit 10.146.2.7
 permit 10.146.2.92
 permit 10.146.2.81
ip access-list extended port17
 permit ip host 10.146.153.11 any
 deny ip any any
ip access-list extended port3
Hey, I want to create a standard ACL to allow all traffic from 172.16.10.0 0.0.0.255 to 172.16.20.0 0.0.0.255 and 172.16.30.0 0.0.0.255, but I don't want traffic to flow from 172.16.20.0 0.0.0.255 to 172.16.30.0 0.0.0.255 or vice versa, so I created the following ACL:
access-list standard 10 permit 172.16.10.0 0.0.0.255
access-list standard 10 deny any.
I also created sub-interfaces on the router for interface fa 0/0:
sub-interface fa 0/0.1 for 172.16.10.0 0.0.0.255
sub-interface fa 0/0.2 for 172.16.20.0 0.0.0.255
sub-interface fa 0/0.3 for 172.16.30.0 0.0.0.255
I have applied the above access list on the sub-interfaces fa 0/0.2 and fa 0/0.3, but it's not working. Please help.