Configuring Numbered Standard IPv4 ACLs

To configure numbered standard IPv4 ACLs on a Cisco router, you must create a standard IPv4 ACL and then activate that ACL on an interface. The access-list command creates an entry in a standard IPv4 traffic filter list. A standard ACL tests only the source IPv4 address of each packet; it cannot match on destination address, protocol, or port.

The ip access-group command links an existing ACL to an interface. Only one ACL per protocol, per direction, and per interface is allowed; applying a second ACL in the same direction replaces the first rather than adding to it.

NOTE To remove an IP ACL from an interface, first enter the no ip access-group name/number [in|out] command on the interface; then enter the global no access-list name/number command to remove the entire ACL. Keep that order: in Cisco IOS an interface that references an ACL that does not exist filters nothing, so deleting the list first leaves the interface passing all traffic until a new list is configured and applied.

The following provides an example of the steps that are required to configure and apply a numbered standard ACL on a router:

Step 1 Use the access-list global configuration command to create an entry in a standard IPv4 ACL.

RouterX(config)# access-list 1 permit 172.16.0.0 0.0.255.255

Enter the global no access-list access-list-number command to remove the entire ACL. With numbered ACLs, the no form of any single access-list statement also removes the whole list, not just that entry, so build the list in full before applying it. Each new statement is appended to the end of the list, and a packet is tested against the entries in order until the first match, so place specific deny statements before broad permits. The example statement matches any source address that starts with 172.16.x.x. You can use the remark option to add a description to your ACL.

Step 2 Use the interface configuration command to select an interface to which to apply the ACL.

RouterX(config)# interface ethernet 1

After you enter the interface command, the command-line interface (CLI) prompt changes from (config)# to (config-if)#.

Step 3 Use the ip access-group interface configuration command to activate the existing ACL on an interface.

RouterX(config-if)# ip access-group 1 out

To remove an IP ACL from an interface, enter the no ip access-group access-list-number {in | out} command on the interface.

This step activates the standard IPv4 ACL 1 on the interface as an outbound filter: the router tests each packet it forwards out ethernet 1 against the list before sending it. Outbound ACLs do not test packets that the router itself originates. To verify the result, show access-lists 1 displays the entries with a match counter for each, and show ip interface ethernet 1 reports which list is applied inbound and outbound.

Example: Numbered Standard IPv4 ACL—Permit My Network Only

For the network shown in Figure 6-13, you want to create a list to prevent traffic that is not part of the internal networks (172.16.0.0/16) from traveling out either of the Ethernet interfaces.

Figure 6-13 Standard ACL Permitting a Specific Network (networks 172.16.3.0 and 172.16.4.0 and host 172.16.4.13 are shown; the figure itself is not reproduced here)

The configuration in Example 6-2 provides a solution for this example.

Example 6-2 Access List Preventing All Non-172.16.0.0 Traffic

RouterX(config)# access-list 1 permit 172.16.0.0 0.0.255.255
(implicit deny all - not visible in the list)
(access-list 1 deny 0.0.0.0 255.255.255.255)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 1 out
RouterX(config)# interface ethernet 1
RouterX(config-if)# ip access-group 1 out

Table 6-2 describes the command syntax that is presented in Example 6-2.

Table 6-2 Numbered Standard IPv4 ACL Example Permitting a Specific Network

access-list Command Parameters   Description
1                                ACL number that indicates that this ACL is a standard list (standard numbered ACLs use 1 to 99, or 1300 to 1999 in the expanded range)
permit                           Indicates that traffic that matches the selected parameters is forwarded
172.16.0.0                       IP address that is used with the wildcard mask to identify the source network
0.0.255.255                      Wildcard mask; 0s indicate positions that must match, and 1s indicate "don't care" positions
ip access-group 1 out            Links the ACL to the interface as an outbound filter

This ACL allows only traffic from source network 172.16.0.0 to be forwarded out on E0 and E1. Traffic from networks other than 172.16.0.0 is blocked.

Example: Numbered Standard IPv4 ACL—Deny a Specific Host

For the network shown in Figure 6-14, you want to create a list to prevent traffic that originates from host 172.16.4.13 from traveling out Ethernet interface E0.

Figure 6-14 Standard ACL Denying a Specific Host (networks 172.16.3.0 and 172.16.4.0, host 172.16.4.13, and a typical routing table are shown; the figure itself is not reproduced here)

The configuration in Example 6-3 provides a solution for this example.

Example 6-3 Access List Preventing Traffic Originating from a Specific Host

RouterX(config)# access-list 1 deny 172.16.4.13 0.0.0.0
RouterX(config)# access-list 1 permit 0.0.0.0 255.255.255.255
(implicit deny all)
(access-list 1 deny 0.0.0.0 255.255.255.255)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 1 out

Table 6-3 describes the command syntax that is presented in Example 6-3.

Table 6-3 Numbered Standard IPv4 ACL Example Denying a Specific Host

access-list Command Parameters   Description
1                                ACL number that indicates that this ACL is a standard list.
deny                             Indicates that traffic that matches the selected parameters is not forwarded.
172.16.4.13                      IP address of the source host.
0.0.0.0                          A mask that requires the test to match all bits. (This is the default mask.)
permit                           Indicates that traffic that matches the selected parameters is forwarded.
0.0.0.0                          IP address of the source host; all 0s indicate a placeholder.
255.255.255.255                  Wildcard mask; 0s indicate positions that must match, and 1s indicate "don't care" positions. All 1s in the mask indicate that none of the 32 bits of the source address is checked. In other words, any address will match.

This ACL is designed to block traffic from a specific address, 172.16.4.13, and to allow all other traffic to be forwarded on interface Ethernet 0. The deny statement must come first: if the permit for any source were entered first, it would match 172.16.4.13 as well and the deny would never be reached. The 0.0.0.0 255.255.255.255 IP address and wildcard mask combination permits traffic from any source. This combination can also be written using the keyword any, and a single-host test such as 172.16.4.13 0.0.0.0 can be written as host 172.16.4.13.

Example: Numbered Standard IPv4 ACL—Deny a Specific Subnet

In Figure 6-15, the goal is to create a list to prevent traffic that originates from the subnet 172.16.4.0/24 from traveling out Ethernet interface E0.

Figure 6-15 Standard ACL Denying a Specific Subnet (network 172.16.3.0 is shown; the figure itself is not reproduced here)
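The wildcard-mask test, the first-match rule, and the implicit deny at the end of every list are easy to get wrong when read only from the tables above. The following Python script is an added example, not code from the original page or from Cisco: it parses statements in the IOS access-list syntax used in Examples 6-2 and 6-3 and evaluates sample source addresses against them. The parser and evaluator (Entry, parse_entry, evaluate, wildcard_for_prefix) are this example's own construction, the sample source addresses are constructed for the demonstration, and the list for the Figure 6-15 goal (deny 172.16.4.0/24, permit the rest) is an assumed solution since the page states only the goal. It also goes slightly beyond the page by showing what happens when the Example 6-3 statements are entered in the wrong order.

```python
"""Evaluate Cisco-style numbered standard IPv4 ACLs offline.

Added example, not code from the original page. It mirrors the IOS
'access-list <number> {permit | deny} <source> [wildcard]' syntax, but the
parser and evaluator (Entry, parse_entry, evaluate, wildcard_for_prefix) are
this example's own construction, and the sample source addresses below are
constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    """Dotted-quad IPv4 address to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


@dataclass(frozen=True)
class Entry:
    action: str     # "permit" or "deny"
    network: int    # source address the packet is compared with
    wildcard: int   # wildcard mask: 0 bits must match, 1 bits are "don't care"

    def matches(self, src: str) -> bool:
        # Only the bits the wildcard marks with 0 are compared; a 1 bit
        # masks that position out of the comparison entirely.
        care = ~self.wildcard & ALL_ONES
        return (to_int(src) ^ self.network) & care == 0


def parse_entry(line: str) -> Entry:
    """Parse one 'access-list N permit|deny SOURCE [WILDCARD]' statement.

    Handles the three source forms IOS accepts for a standard ACL:
    'any', 'host A.B.C.D', and 'A.B.C.D [W.X.Y.Z]' (wildcard defaults to 0.0.0.0).
    """
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL statement: {line!r}")
    action, source = tokens[2], tokens[3:]
    if source[0] == "any":                       # same as 0.0.0.0 255.255.255.255
        return Entry(action, 0, ALL_ONES)
    if source[0] == "host":                      # same as A.B.C.D 0.0.0.0
        return Entry(action, to_int(source[1]), 0)
    wildcard = to_int(source[1]) if len(source) > 1 else 0
    return Entry(action, to_int(source[0]), wildcard)


def evaluate(acl: list[Entry], src: str) -> str:
    """Decide 'permit' or 'deny' for a packet with source address src.

    Entries are tested in the order they were entered and the first match
    wins; a packet that matches no entry hits the implicit 'deny any' that
    IOS appends to every ACL but never displays.
    """
    for entry in acl:
        if entry.matches(src):
            return entry.action
    return "deny"


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len network, e.g. 24 -> '0.0.0.255'."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return str(ipaddress.IPv4Address(ALL_ONES >> prefix_len))


# Example 6-2: permit 172.16.0.0/16 only; everything else falls to the implicit deny.
ACL_PERMIT_MY_NETWORK = [parse_entry("access-list 1 permit 172.16.0.0 0.0.255.255")]

# Example 6-3: deny one host first, then an explicit permit for everyone else.
ACL_DENY_HOST = [
    parse_entry("access-list 1 deny 172.16.4.13 0.0.0.0"),
    parse_entry("access-list 1 permit 0.0.0.0 255.255.255.255"),
]

# The same two statements entered in the other order: the broad permit now
# matches 172.16.4.13 first, so the deny is never reached.
ACL_DENY_HOST_WRONG_ORDER = list(reversed(ACL_DENY_HOST))

# Goal of Figure 6-15: deny the subnet 172.16.4.0/24 and permit the rest. The
# page states only the goal; this list is this example's assumed solution.
ACL_DENY_SUBNET = [
    parse_entry(f"access-list 1 deny 172.16.4.0 {wildcard_for_prefix(24)}"),
    parse_entry("access-list 1 permit any"),
]

# Constructed sample sources: an inside host, the denied host, another host
# on the denied subnet, and an outside address.
SAMPLE_SOURCES = ("172.16.3.1", "172.16.4.13", "172.16.4.200", "10.1.1.1")

if __name__ == "__main__":
    lists = [
        ("6-2 permit my network", ACL_PERMIT_MY_NETWORK),
        ("6-3 deny host", ACL_DENY_HOST),
        ("6-3 wrong order", ACL_DENY_HOST_WRONG_ORDER),
        ("6-15 deny subnet", ACL_DENY_SUBNET),
    ]
    for name, acl in lists:
        for src in SAMPLE_SOURCES:
            print(f"{name:24s} {src:14s} -> {evaluate(acl, src)}")
```

Running the script prints one verdict per list and source. The "wrong order" list is the one to study: it contains exactly the same two statements as Example 6-3, yet 172.16.4.13 is permitted, which is why the text places the specific deny before the broad permit.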


Responses

  • kalle viinikainen
    Which command is used to create a standard numbered IPv4 ACL?
    1 year ago
  • walter
    How do you modify a standard IPv4 ACL using sequence numbers?
    3 months ago
