Standard ACL Configuration Procedures

After a standard ACL is configured, it is linked to an interface using the ip access-group command in interface configuration mode:

Router(config-if)# ip access-group { access-list-number | access-list-name } { in | out }

To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL.

Figure 1 lists the steps and syntax to configure and apply a numbered standard ACL on a router.

Figure 2 shows an example of an ACL to permit a single network.

This ACL allows only traffic from source network 192.168.10.0 to be forwarded out of interface S0/0/0. Traffic from networks other than 192.168.10.0 is blocked.

The first line identifies the ACL as access list 1. It permits traffic that matches the selected parameters. In this case, the IPv4 address and wildcard mask identifying the source network are 192.168.10.0 0.0.0.255. Recall that there is an implicit deny all statement at the end of the ACL that is equivalent to adding the line access-list 1 deny 0.0.0.0 255.255.255.255.

The ip access-group 1 out interface configuration command links ACL 1 to the Serial 0/0/0 interface as an outbound filter.

Therefore, ACL 1 permits only hosts from the 192.168.10.0/24 network to exit router R1. It denies any other network, including the 192.168.11.0 network.
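
The matching logic behind this example, as an added Python sketch (not Cisco's implementation and not part of the original page): each entry is compared using its wildcard mask, the first match wins, and a source that matches nothing hits the implicit deny. The function names and the sample host addresses are assumptions made for illustration.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def parse_standard_acl(lines):
    """Parse 'access-list N {permit|deny} SOURCE WILDCARD' lines into entries."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) != 5 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACL line: {line!r}")
        source = int(ipaddress.IPv4Address(tok[3]))
        wildcard = int(ipaddress.IPv4Address(tok[4]))
        entries.append((int(tok[1]), tok[2], source, wildcard))
    return entries

def evaluate(entries, acl_number, src_ip):
    """Return 'permit' or 'deny' for a source address; the first match wins."""
    src = int(ipaddress.IPv4Address(src_ip))
    for number, action, source, wildcard in entries:
        if number != acl_number:
            continue
        care = ~wildcard & MASK32  # wildcard 0-bits must match, 1-bits are ignored
        if (src & care) == (source & care):
            return action
    return "deny"  # implicit deny all at the end of every ACL

# ACL 1 as described in the text, and the same ACL with the implicit deny written out.
ACL_1 = ["access-list 1 permit 192.168.10.0 0.0.0.255"]
ACL_1_EXPLICIT = ACL_1 + ["access-list 1 deny 0.0.0.0 255.255.255.255"]

# Constructed sample source addresses (not from the original page).
SAMPLE_SOURCES = ["192.168.10.10", "192.168.10.254", "192.168.11.10", "10.1.1.1"]

def decisions(acl_lines, sources=SAMPLE_SOURCES):
    """Map each sample source address to the verdict ACL 1 gives it."""
    entries = parse_standard_acl(acl_lines)
    return {ip: evaluate(entries, 1, ip) for ip in sources}

if __name__ == "__main__":
    for ip, verdict in decisions(ACL_1).items():
        print(f"{ip:15} -> {verdict}")
```

Both forms of the ACL give identical verdicts, which is why the explicit deny line is optional.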