Standard Access Lists – ACL

Standard Access Lists Overview

Access lists are used as a form of firewall security on a router. Access lists are statements that a router checks traffic against; if there is a match, the router filters that traffic by permitting or denying the packets according to the matching statement. Cisco routers can be configured to use a variety of access lists, the most basic being the standard ACL, or access list. The standard access list number range is 1 to 99 and 2000 to 2699. The basic access lists in the Cisco CCNA curriculum are the standard access list, the extended access list and the named access list. The named access list is given a name instead of a number and is configured to be either a standard or extended access list.

Access lists are written and read line by line; each line in the access list is a statement, or rule. At the end of the access list is an implicit “deny all” or “deny any”: even though you cannot see it, there is a “deny all” at the end of the access list. This can cause a problem because many people assume that an access list is permissive by default, that you only have to write statements that deny the traffic you want to filter, and that everything else will be permitted. That assumption is false.

Two Steps

1. create the access list (standard or extended)
2. apply the access list to an interface (inbound or outbound)

1. Create the ACL

Standard ACL (1-99, and 2000-2699):
denies or permits: 1) source IP address
Extended ACL (100-199):
denies or permits: 1) source IP address, 2) destination IP address, 3) port (service) (optional)

2. Apply the ACL

Where to apply an ACL?
A standard ACL is applied inbound or outbound on the router interface that is closest to the destination of the traffic.
An extended ACL is applied inbound or outbound on the router interface that is closest to the source of the traffic.

Cisco IOS CLI Commands

Standard access list command format:  access-list <1-99> <deny | permit> <source ip address> <wildcard bits>
Standard access list command format:  access-list <1-99> <deny | permit> host <source ip address>


Deny or permit a class c network: 
router(config)#access-list 1 deny
router(config)#access-list 1 permit

Deny or permit a host:
router(config)#access-list 1 deny
router(config)#access-list 1 deny host
router(config)#access-list 1 permit
router(config)#access-list 1 permit host

Deny or permit all hosts: 
router(config)#access-list 1 deny any
router(config)#access-list 1 permit any

Apply the access list to a router interface outbound and inbound

router(config)#interface fastethernet 0/0
router(config-if)#ip access-group 1 out

router(config)#interface fastethernet 0/1
router(config-if)#ip access-group 1 in
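
The following is an added example, not part of the original tutorial and not a Cisco tool: a small Python model of the top-down, first-match evaluation and the implicit “deny any” described in the overview. The function names are hypothetical and every address in the sample lists is constructed for illustration.

```python
import ipaddress

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_statement(line):
    """Return (action, address, wildcard) for one standard ACL statement."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL statement: {line!r}")
    action, src = tok[2], tok[3:]
    if src == ["any"]:                       # any = every source address
        return action, 0, 0xFFFFFFFF
    if len(src) == 2 and src[0] == "host":   # host A = A with wildcard 0.0.0.0
        return action, _ip(src[1]), 0
    if len(src) == 2:                        # A W = address plus wildcard bits
        return action, _ip(src[0]), _ip(src[1])
    raise ValueError(f"unsupported source in: {line!r}")

def evaluate(acl, source_ip):
    """Return (action, matching line number); line number None = implicit deny."""
    src = _ip(source_ip)
    for number, line in enumerate(acl, start=1):
        action, addr, wildcard = parse_statement(line)
        care = ~wildcard & 0xFFFFFFFF        # wildcard 0-bits must match, 1-bits are ignored
        if (src & care) == (addr & care):
            return action, number            # first match wins, later lines are not read
    return "deny", None                      # the invisible "deny any" at the end

# Constructed sample lists; all addresses are made up for illustration.
DENY_ONLY = ["access-list 1 deny host 192.168.1.10"]
DENY_THEN_PERMIT = DENY_ONLY + ["access-list 1 permit any"]
GENERAL_FIRST = ["access-list 1 permit 192.168.1.0 0.0.0.255",
                 "access-list 1 deny host 192.168.1.10"]

if __name__ == "__main__":
    for name, acl in [("DENY_ONLY", DENY_ONLY),
                      ("DENY_THEN_PERMIT", DENY_THEN_PERMIT),
                      ("GENERAL_FIRST", GENERAL_FIRST)]:
        for ip in ("192.168.1.10", "192.168.1.20", "10.0.0.5"):
            print(name, ip, evaluate(acl, ip))
```

In this model, `DENY_ONLY` blocks every source because nothing is ever permitted, and `GENERAL_FIRST` lets the host through because the broader permit line matches before the host-specific deny is read.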

Video Tutorial

If you want to follow along with the tutorial click here to download the Packet Tracer start file:

In part 1, I cover the basics of writing and applying a standard ACL on a Cisco router.

In part 2, I discuss how access lists are executed line by line and how access list statements need to be written from specific to general.

In part 3, I demonstrate why standard access lists are placed closest to the destination.

Author: Dan

Dan teaches computer networking and security classes at Central Oregon Community College.

3 thoughts on “Standard Access Lists – ACL”

  1. Could you post the results from the second practice from the standard list. I can figure out what would be the answers

  2. Hi Dan,
    I am a great fan of you and danscourses’ website.
    Congratulations for the awesome work you do on it. I am learning a lot.

    I believe I found an error in the standard ACL description:
    The Standard ACL range is “1-99 and 1300-1999” and not “1-99 and 2000-2699”, so the Extended ACL range is “100-199 and 2000-2699”. Am I correct?

    I will take the CCNA exam in the next few months.
    I would like to thank you very much.

    Greetings from Brazil.
