How to Configure a Standard Access Control List on Cisco Routers
Introduction
An access control list (ACL) is a traffic-filtering feature on Cisco devices that either permits or denies network traffic. Network administrators define an ordered set of rules, and the device compares each packet against them in turn. A packet that matches none of the rules is discarded by the implicit deny at the end of every ACL. There are several types of ACL; the standard access control list is the simplest and is widely used in organizations.
Standard Access Control List
A standard access control list filters traffic on the source IP address only. A match permits or denies the entire IP protocol suite; the list cannot distinguish individual protocols such as HTTP, Telnet, FTP or SMTP. A standard ACL therefore permits or denies an entire network, a range of addresses, or a single host.
Numbered standard ACLs use the ranges 1-99 and 1300-1999. Because they match only on source address, they cannot filter on destination address, protocol or port. A standard ACL is normally applied as close as possible to the destination, and it can be bound to an interface in either the inbound or the outbound direction.
Why Do Standard ACLs Use Two Number Ranges?
Cisco IOS originally supported only the range 1-99 for standard ACLs. As networks grew larger and more complex, 99 lists per device were no longer enough, so Cisco introduced an expanded range, 1300-1999, for standard ACLs in later IOS releases. This gave administrators more lists to work with and, with them, more flexibility in network design and security policy.
The expanded range adds 700 further numbers (1300 through 1999), bringing the total available for numbered standard ACLs to 799. Named standard ACLs avoid the limit altogether by identifying the list with a descriptive name instead of a number.
Rules for Standard Access Control List
1) Use Only Source IP Addresses
As we discussed in the definition, the standard ACL filters traffic based on the source IP address. It does not consider ports, protocols, or the destination IP address.
2) Number and Naming Conventions
A numbered standard ACL must use a number in the range 1-99 or 1300-1999; a named standard ACL uses a descriptive name instead, which makes its purpose easier to recognise in the configuration.
3) Implicit Deny Rule
Every ACL ends with an implicit deny all: a packet that matches none of the statements is dropped. Any traffic that should still be allowed therefore needs an explicit permit statement; a list that contains only deny statements blocks everything.
4) Wildcard Masks
Wildcard masks specify which bits of the source address must match. A 0 bit in the mask must match exactly and a 1 bit is ignored, so 0.0.0.255 matches a whole /24, 0.0.0.0 matches a single host (the host keyword) and 255.255.255.255 matches every address (the any keyword). Note that this is the inverse of a subnet mask.
5) Order of Statement
ACLs are always processed from top to bottom, and the first matching statement decides; nothing after it is evaluated. Write more specific statements before general ones, otherwise a broad permit or deny higher up will shadow them.
6) Placement of Standard ACLs
Place a standard ACL as close to the destination as possible. Because it matches only on source address, a standard ACL placed near the source would block that source from reaching every destination beyond that point, not just the one you intended to protect.
Lab Setup for Standard ACL in Packet Tracer
We will use the following lab setup for a standard ACL in Packet Tracer. In this lab, we will block traffic from R1's LAN (192.168.11.0/24) to R3's LAN, 192.168.44.0/24.
Configure RIP version 2 on all the routers in the lab so that every network is reachable before the ACL is applied.
Check the routing table of router R1 to confirm that 192.168.44.0/24 has been learned.
Ping the 192.168.44.0/24 network from R1's LAN to confirm connectivity before any filtering is in place.
Configure a standard ACL on R3 that denies traffic from R1's LAN network to R3's LAN network 192.168.44.0/24. Apply this ACL on R3's FastEthernet 1/0 in the outbound direction.
From R1's LAN hosts PC1 and PC2, ping 192.168.44.0/24 to check whether the traffic is now blocked.
Also ping 192.168.44.0/24 from R2's LAN host, PC3.
We intended to deny only R1's LAN (PC1 and PC2), not R2's LAN (PC3), yet PC3's pings fail as well. Recall the implicit deny all at the end of every ACL discussed earlier in this post.
The list so far contains only a deny statement and no permit, so R3 drops PC3's traffic too. Add a statement at the end of the ACL on R3 that permits all other traffic.
Check the access list on R3.
The show command output now lists the permit statement, so other traffic flowing toward R3's LAN (192.168.44.0/24) is permitted. The output also shows a match counter per statement, which is useful for confirming which line the traffic is actually hitting.
Now recheck connectivity from PC1, PC2 and PC3, starting with PC3.
With the permit statement in place, PC3 can ping the 192.168.44.0/24 network.
Now recheck connectivity from PC1 and PC2.
PC1 cannot ping 192.168.44.0/24, but it can still ping 192.168.33.0/24. The ACL is bound outbound on R3's FastEthernet 1/0 only, so traffic that does not leave R3 through that interface is never filtered by it.
Deny Traffic for Specific Host
The previous configuration denied the entire 192.168.11.0/24 network access to 192.168.44.0/24. To block only a specific host or IP address instead, proceed as follows.
First remove the previous standard ACL from R3. Negating a numbered access list removes all of its statements at once, which is why the list is rebuilt from scratch.
Configure the standard ACL on R3 again, this time denying only the host 192.168.11.2 access to 192.168.44.0/24 and again permitting all other traffic. Apply this ACL on R3's FastEthernet 1/0 in the outbound direction.
Check the access list on R3.
Ping R3's network 192.168.44.0/24 from PC1.
PC1 cannot ping the network because its address is explicitly denied. PC2, on the same LAN, pings 192.168.44.0/24 successfully because it matches only the final permit statement.
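The following Python model is an added example and is not code from the original post, from Cisco IOS or from Packet Tracer. It parses standard ACL statements and the ip access-group binding in the same syntax you type on the router, then evaluates packets the way IOS does: wildcard-mask matching, top-down first match, and the implicit deny at the end. It covers the rules section above and both lab procedures: the first attempt that accidentally blocks PC3, the corrected network deny, and the host-specific deny. The ACL number 10, the host addresses of PC2 (192.168.11.3) and PC3 (192.168.33.2), and the second interface name FastEthernet0/0 are assumptions; the page gives only PC1's address and the FastEthernet 1/0 binding.

```python
"""Model of a Cisco IOS standard access list: parse the numbered access-list
statements and the ip access-group binding as typed on the router, then
evaluate packets by source address as IOS does (top-down, first match wins,
implicit deny at the end). Added illustration, not IOS or Packet Tracer code."""
import ipaddress

# Constructed R3 configurations for the lab. ACL number 10 is an assumption;
# any number in 1-99 or 1300-1999 identifies a standard ACL.
FIRST_ATTEMPT = """
access-list 10 deny 192.168.11.0 0.0.0.255
interface FastEthernet1/0
 ip access-group 10 out
"""
NETWORK_DENY = """
access-list 10 deny 192.168.11.0 0.0.0.255
access-list 10 permit any
interface FastEthernet1/0
 ip access-group 10 out
"""
HOST_DENY = """
no access-list 10
access-list 10 deny host 192.168.11.2
access-list 10 permit any
interface FastEthernet1/0
 ip access-group 10 out
"""


def to_int(text):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def parse_config(config, number):
    """Return (entries, bindings): entries is [(action, addr, wildcard)] for the
    given list number; bindings maps interface name -> direction ('in'/'out')."""
    entries, bindings, iface = [], {}, None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "no" and parts[1:3] == ["access-list", str(number)]:
            entries.clear()                      # negating a numbered ACL wipes every statement
        elif parts[0] == "access-list" and parts[1] == str(number):
            action, target = parts[2], parts[3:]
            if action not in ("permit", "deny"):
                raise ValueError(f"unsupported action in {raw!r}")
            if target == ["any"]:
                addr, wild = 0, 0xFFFFFFFF       # any == 0.0.0.0 255.255.255.255
            elif target[0] == "host":
                addr, wild = to_int(target[1]), 0   # host A == A 0.0.0.0
            elif len(target) == 1:
                addr, wild = to_int(target[0]), 0   # a bare address defaults to a host match
            else:
                addr, wild = to_int(target[0]), to_int(target[1])
            entries.append((action, addr, wild))
        elif parts[0] == "interface":
            iface = parts[1]
        elif parts[:2] == ["ip", "access-group"] and parts[2] == str(number):
            bindings[iface] = parts[3]
    return entries, bindings


def matches(src, addr, wild):
    """Wildcard semantics: a 1 bit in the mask is ignored, a 0 bit must match."""
    return (((src ^ addr) & ~wild) & 0xFFFFFFFF) == 0


def evaluate(entries, src_ip):
    """Walk the list top-down; the first match decides, otherwise implicit deny."""
    src = to_int(src_ip)
    for action, addr, wild in entries:
        if matches(src, addr, wild):
            return action
    return "deny"                                # implicit deny all at the end of every ACL


def outbound_decision(config, src_ip, egress_iface, number=10):
    """Decision for a packet leaving R3 on egress_iface. A list bound outbound on
    FastEthernet1/0 only cannot touch traffic that exits another interface,
    which is why PC1 still reaches 192.168.33.0/24 in the lab."""
    entries, bindings = parse_config(config, number)
    if bindings.get(egress_iface) != "out":
        return "permit"                          # no ACL in this direction: forwarded untouched
    return evaluate(entries, src_ip)


# PC1 is 192.168.11.2 as in the lab; the PC2 and PC3 addresses are assumptions.
PCS = {"PC1": "192.168.11.2", "PC2": "192.168.11.3", "PC3": "192.168.33.2"}


def lab(config, egress_iface="FastEthernet1/0"):
    """Decision for each lab PC sending toward 192.168.44.0/24 via R3's Fa1/0."""
    return {pc: outbound_decision(config, ip, egress_iface) for pc, ip in PCS.items()}


if __name__ == "__main__":
    for name, cfg in (("first attempt", FIRST_ATTEMPT), ("network deny", NETWORK_DENY),
                      ("host deny", HOST_DENY)):
        print(f"{name:13}: {lab(cfg)}")
```

Running the script prints one line per configuration: the first attempt denies all three PCs because nothing but the implicit deny is left to match PC3, the network deny blocks PC1 and PC2 while PC3 is permitted, and the host deny blocks only PC1. The same wildcard logic is what you are reasoning about when you read the match counters in show access-lists on the real router.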