Standard Access Control Lists (ACLs): Basic Network Traffic Filtering

Learn about standard access control lists (ACLs) and their use in controlling network traffic based on source IP addresses. This guide explains how standard ACLs work, their simplicity, and their limitations compared to extended ACLs, which offer more granular control.




What is a Standard Access List?

An Access Control List (ACL) is a set of rules that controls network traffic. A standard access list is a simple type of ACL that filters traffic based *only* on the source IP address. It doesn't examine the contents of the packet or look at other factors (like destination address or protocol type). A standard ACL either permits or denies *all* traffic from a given source IP address or range of IP addresses.

Key Features of Standard Access Lists

  • Filter on the source IP address only; destination, protocol and port are never examined.
  • Apply to all protocols (IP, TCP, UDP, ICMP alike), because nothing beyond the source address is checked.
  • Identified by number (1-99, or 1300-1999 in the expanded range) or by name.
  • Entries are processed top to bottom; the first entry that matches decides, and later entries are not consulted.
  • An implicit deny ends every list: traffic that matches no entry is dropped, so a list with only deny entries blocks everything.
  • In a numbered list, removing one entry with the no form of the command deletes the whole list; named lists allow individual entries to be removed.

Example: Blocking Network Traffic with a Standard ACL

Imagine you have three departments (Sales, Finance, Marketing), each on a different subnet:

  • Sales: 172.16.40.0/24
  • Finance: 172.16.50.0/24
  • Marketing: 172.16.60.0/24

You want to block all traffic from the Sales department to the Finance department. You can do this using a standard access list:

1. Configuring the Access List:

Access List Configuration

R1(config)# access-list 10 deny 172.16.40.0 0.0.0.255
R1(config)# access-list 10 permit any

The first entry denies every source address in 172.16.40.0/24 (the Sales subnet). The second entry is required: without it, the implicit deny at the end of the list would also drop traffic from Finance and Marketing, not just from Sales.

(The wildcard mask 0.0.0.255 is the bitwise inverse of the subnet mask 255.255.255.0: 0 bits in the wildcard must match the address exactly, 1 bits are ignored.)

2. Applying the Access List:

Applying the Access List

R1(config)# interface fa0/1
R1(config-if)# ip access-group 10 out

This applies access list 10 outbound on interface fa0/1. An ACL has no effect until it is bound to an interface and a direction, and where it is bound depends on the network design: if fa0/1 is the interface facing the Finance subnet, filtering outbound there blocks Sales traffic leaving the router toward Finance while leaving Sales' traffic to Marketing untouched. Because a standard ACL cannot match on destination, it should be placed as close to the destination as possible; placed near the source, it would cut Sales off from every network reachable through that interface.
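The following Python script is an added illustration for this tutorial, not IOS code and not part of the original page. It models the three rules the text describes (source-address-only matching through a wildcard mask, sequential first-match processing, and the implicit deny) and evaluates constructed sample packets from the Sales, Finance and Marketing subnets against ACL 10 both with and without the permit any entry. The parser accepts both the numbered access-list syntax and the bare permit/deny syntax used inside a named list; the sample hosts and configuration lines are constructed for the example.

```python
"""Simulate how a Cisco-style standard ACL evaluates source addresses.

Added illustration for this tutorial, not IOS code: it models source-address
matching with a wildcard mask, sequential first-match processing, and the
implicit deny at the end of the list.
"""
import ipaddress
from dataclasses import dataclass

IPV4_ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    address: int     # source address to compare against, as a 32-bit integer
    wildcard: int    # wildcard mask: 0 bits must match exactly, 1 bits are ignored


def wildcard_to_subnet_mask(wildcard: str) -> str:
    """A wildcard mask is the bitwise inverse of a subnet mask (0.0.0.255 -> 255.255.255.0)."""
    bits = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(bits ^ IPV4_ALL_ONES))


def parse_standard_acl(config_lines):
    """Parse numbered ('access-list N permit|deny ...') or named ('permit|deny ...') entries.

    Supports the three source forms IOS accepts: 'any', 'host A.B.C.D', and
    'A.B.C.D W.X.Y.Z' (an omitted wildcard means a single host, as in IOS).
    """
    entries = []
    for raw in config_lines:
        tokens = raw.strip().split()
        if not tokens or tokens[0].startswith("!"):
            continue                       # blank line or IOS-style comment
        if tokens[0] == "access-list":
            tokens = tokens[2:]            # drop the keyword and the list number
        action = tokens[0]
        if action not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL entry: {raw!r}")
        if tokens[1] == "any":
            address, wildcard = 0, IPV4_ALL_ONES
        elif tokens[1] == "host":
            address, wildcard = int(ipaddress.IPv4Address(tokens[2])), 0
        else:
            address = int(ipaddress.IPv4Address(tokens[1]))
            wildcard = int(ipaddress.IPv4Address(tokens[2])) if len(tokens) > 2 else 0
        entries.append(AclEntry(action, address, wildcard))
    return entries


def evaluate(entries, source_ip: str) -> str:
    """Return 'permit' or 'deny' for a packet with the given source address.

    Entries are checked in order and the first match wins; a packet that matches
    no entry hits the implicit deny at the end of the list.
    """
    src = int(ipaddress.IPv4Address(source_ip))
    for entry in entries:
        care_bits = entry.wildcard ^ IPV4_ALL_ONES     # bits the entry actually compares
        if (src & care_bits) == (entry.address & care_bits):
            return entry.action
    return "deny"                                      # implicit deny


# Constructed sample configurations mirroring the tutorial's ACL 10.
ACL_10_COMPLETE = [
    "access-list 10 deny 172.16.40.0 0.0.0.255",   # Sales subnet
    "access-list 10 permit any",
]
ACL_10_MISSING_PERMIT = ACL_10_COMPLETE[:1]        # common mistake: no explicit permit

# Constructed sample packets: one source host from each department subnet.
SAMPLE_SOURCES = {
    "Sales": "172.16.40.25",
    "Finance": "172.16.50.10",
    "Marketing": "172.16.60.7",
}


def decisions(config_lines):
    """Evaluate every sample source against a configuration; returns {department: action}."""
    entries = parse_standard_acl(config_lines)
    return {dept: evaluate(entries, ip) for dept, ip in SAMPLE_SOURCES.items()}


if __name__ == "__main__":
    print("wildcard 0.0.0.255 == subnet mask", wildcard_to_subnet_mask("0.0.0.255"))
    print("ACL 10 with permit any:   ", decisions(ACL_10_COMPLETE))
    print("ACL 10 without permit any:", decisions(ACL_10_MISSING_PERMIT))
```

Running the script shows the point of the permit any entry directly: with it, only the Sales host is denied; without it, every department is denied by the implicit deny. Reordering entries (for instance a permit host entry placed before or after a deny covering its subnet) changes the result for that host, which is why entry order matters when editing a list.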

Named Standard Access Lists

Instead of numbered lists, you can use named access lists, which simplify management: individual entries can be modified or deleted without removing and re-entering the whole list. The same Sales rule as a named list:

Named Access List Configuration

R1(config)# ip access-list standard block_sales
R1(config-std-nacl)# deny 172.16.40.0 0.0.0.255
R1(config-std-nacl)# permit any

A named list is bound to an interface in the same way as a numbered one, with the name in place of the number (ip access-group block_sales out).

Controlling Telnet Access with Standard ACLs

Standard ACLs can also restrict Telnet sessions by applying them to the virtual terminal (VTY) lines. On a line, the list is bound with access-class rather than ip access-group, and it applies to every session on those lines regardless of protocol, so it affects SSH as well. Example:

Telnet Access Control

R1(config)# access-list 20 deny any
R1(config)# line vty 0 4
R1(config-line)# access-class 20 out

The direction keyword has a different meaning on VTY lines than on interfaces: out restricts sessions that a user already logged into the router opens from it to other devices, while in restricts which source addresses may open a session to the router itself; to control who can reach the router's management plane, apply the list with access-class 20 in. A list containing only deny any blocks every session; a working list would permit the management hosts that should be allowed and let the implicit deny handle everything else. The example uses list number 20 rather than 10 because entering additional access-list 10 entries on the same router would append them to the existing list 10 instead of creating a new one.

Conclusion

Standard ACLs provide a basic but useful mechanism for controlling network traffic. They are simple to configure but can only make a permit-or-deny decision per source address. Extended ACLs provide more granular control by matching on destination address, protocol and port as well.