Table of Contents
1. Introduction
2. What is a Standard Access Control List (ACL)?
3. Types of Standard ACLs
Named Standard ACLs
Numbered Standard ACLs
4. Configuration Steps
Configuring Named Standard ACLs
Configuring Numbered Standard ACLs
5. Example Configurations
Named Standard ACL Example
Numbered Standard ACL Example
6. Best Practices
7. Conclusion
1. Introduction
Access Control Lists (ACLs) are crucial for network security, enabling administrators to control traffic flow and restrict unauthorized access. This blog focuses on Standard ACLs, which are the simplest form of ACLs, filtering traffic based solely on source IP addresses.
2. What is a Standard Access Control List (ACL)?
A Standard ACL evaluates only the source IP address of packets. It can use keywords like 'host' and 'any' or apply wildcard masks to specify permitted or denied IP addresses. Unlike Extended ACLs, Standard ACLs do not evaluate port numbers or protocols.
3. Types of Standard ACLs
Standard ACLs can be classified into two types:
Named Standard ACLs
Numbered Standard ACLs
Named Standard ACLs
Named Standard ACLs use a descriptive name instead of a number, making them easier to manage and understand.
Numbered Standard ACLs
Numbered Standard ACLs use numbers (1-99 and 1300-1999) to identify the ACL.
4. Configuration Steps
Configuring Named Standard ACLs
To configure a Named Standard ACL, use the ip access-list standard command followed by the ACL name.
Enter ACL Configuration Mode:
R-1(config)# ip access-list standard NAME
Deny a Specific Host and Log Matches:
R-1(config-std-nacl)# deny host 192.168.20.5 log
Permit an Entire Subnet:
R-1(config-std-nacl)# permit 192.168.20.0 0.0.0.255
Deny All Other IP Addresses:
R-1(config-std-nacl)# deny any
Configuring Numbered Standard ACLs
To configure a Numbered Standard ACL, use the access-list command followed by the list number.
Deny a Specific Host:
R-1(config)# access-list 25 deny host 192.168.20.5
Permit an Entire Subnet:
R-1(config)# access-list 25 permit 192.168.20.0 0.0.0.255
Deny All Other IP Addresses:
R-1(config)# access-list 25 deny any
5. Example Configurations
Named Standard ACL Example
Here is a complete example of configuring a Named Standard ACL on Router R-1:
R-1(config)# ip access-list standard BLOCK_HOST_20_5
R-1(config-std-nacl)# deny host 192.168.20.5 log
R-1(config-std-nacl)# permit 192.168.20.0 0.0.0.255
R-1(config-std-nacl)# deny any
Apply the ACL to an interface:
R-1(config)# interface gigabitEthernet 0/0
R-1(config-if)# ip access-group BLOCK_HOST_20_5 in
Numbered Standard ACL Example
Here is a complete example of configuring a Numbered Standard ACL on Router R-1:
R-1(config)# access-list 25 deny host 192.168.20.5
R-1(config)# access-list 25 permit 192.168.20.0 0.0.0.255
R-1(config)# access-list 25 deny any
Apply the ACL to an interface:
R-1(config)# interface gigabitEthernet 0/0
R-1(config-if)# ip access-group 25 in
6. Best Practices
- Use Descriptive Names: When using Named ACLs, choose descriptive names that clearly indicate the purpose of the ACL.
- Document ACLs: Maintain detailed documentation for each ACL, including the rationale for each rule and any changes made.
- Test ACLs: Before deploying ACLs in a production environment, test them in a lab setup to ensure they work as intended.
- Apply ACLs Properly: Apply Standard ACLs as close to the destination as possible. Because a Standard ACL matches only on source address, placing it near the source would block that source's traffic to every destination, not just the one you intend to protect.
- Monitor and Review: Regularly monitor ACL performance and review the rules to ensure they still meet security requirements.
7. Conclusion
Standard Access Control Lists are fundamental tools for network security, offering a straightforward method to control traffic based on source IP addresses. By understanding and properly configuring both Named and Numbered Standard ACLs, network administrators can effectively manage access and protect network resources.
Feel free to reach out with any questions or comments about Standard ACL configurations!