As you already know, understanding access lists will help you not only to pass Cisco exams but also in your real-life job. So in this article, we are going to see how access lists are applied on a Cisco router. Access lists are used as a form of firewall security on a router. An access list is a set of statements that the router checks traffic against; when a packet matches a statement, the router filters that traffic by either permitting or denying it, as that statement specifies.

Cisco routers can be configured with a variety of access lists, the most basic being the standard ACL (access list). The standard access list number range is 1 to 99 and 2000 to 2699. The access lists covered in the Cisco CCNA curriculum are the standard access list, the extended access list and the named access list. A named access list is given a name instead of a number and is configured as either a standard or an extended access list.

Access lists are written and read line by line; each line in the access list is a statement (rule) for the router. At the end of every access list is an implicit “deny all” (or “deny any”): even though you cannot see it, there is a “deny all” after the last statement. This causes problems because many people assume that an access list is permissive by default, that you only have to write statements denying the traffic you want to filter, and that everything else will be permitted. That is not true.

To apply an access list on a router, you have to follow two steps:

1. Create the access list (standard or extended)

2. Apply the access list to an interface (inbound or outbound)

1. Create the ACL

Cisco IOS CLI Commands

access-list <1-99> <deny | permit> host <source ip address>                 (for an individual host)
access-list <1-99> <deny | permit> <source ip address> <wildcard bits>      (for a network)

2. Apply the ACL: before applying it, we need to know where to apply an ACL.

A Standard ACL is applied inbound or outbound on the router interface that is closest to the destination of the traffic.

An Extended ACL is applied inbound or outbound on the router interface that is closest to the source of the traffic.

Let’s explore an example of a standard ACL.

Deny or permit a class C network:

router(config)#access-list 1 deny 192.168.1.0 0.0.0.255
router(config)#access-list 1 permit 192.168.2.0 0.0.0.255

Deny or permit a single host (the two statements below are equivalent):

router(config)#access-list 1 deny 192.168.1.100 0.0.0.0
router(config)#access-list 1 deny host 192.168.1.100

Deny or permit all hosts:

router(config)#access-list 1 deny any
router(config)#access-list 1 permit any
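To make the line-by-line, first-match and implicit-deny behaviour concrete, here is an added Python example (my own code, not part of the original article and not Cisco software) that parses standard ACL statements in the form shown above into wildcard-mask rules and evaluates a source address against them the way the router does: top to bottom, first match wins, and anything that matches no statement is dropped by the implicit deny. The sample statements are constructed from this article's examples, ordered so that the `host` statement is shadowed by the network statement before it; the `shadowed_rules` helper, which flags statements that can never match, is an assumption of mine and not an IOS feature.

```python
import ipaddress
import re

# Constructed sample, built from the statements used in this article (deliberately
# ordered so that the host statement is shadowed by the network statement before it).
SAMPLE_ACL = """
access-list 1 deny 192.168.1.0 0.0.0.255
access-list 1 deny host 192.168.1.100
access-list 1 permit 192.168.2.0 0.0.0.255
"""

# Grammar of a numbered standard ACL statement as shown in the article:
#   access-list <num> <permit|deny> host A.B.C.D
#   access-list <num> <permit|deny> any
#   access-list <num> <permit|deny> A.B.C.D W.W.W.W
_RULE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+"
    r"(?:host\s+(?P<host>\S+)|(?P<any>any)|(?P<net>\S+)\s+(?P<wild>\S+))$"
)


def _to_int(dotted):
    """Dotted-quad string -> 32-bit integer (raises on malformed input)."""
    return int(ipaddress.IPv4Address(dotted))


def parse_standard_acl(text):
    """Parse IOS standard ACL lines in the order written.

    Returns {acl_number: [(action, network_int, wildcard_int), ...]}.
    'host X' is X with wildcard 0.0.0.0; 'any' is 0.0.0.0 with wildcard 255.255.255.255.
    """
    acls = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError(f"unrecognised statement: {line!r}")
        num = int(m.group("num"))
        if not 1 <= num <= 99:  # only the basic standard range is modelled here
            raise ValueError(f"{num} is outside the standard ACL range 1-99")
        if m.group("host"):
            net, wild = _to_int(m.group("host")), 0
        elif m.group("any"):
            net, wild = 0, 0xFFFFFFFF
        else:
            net, wild = _to_int(m.group("net")), _to_int(m.group("wild"))
        acls.setdefault(num, []).append((m.group("action"), net, wild))
    return acls


def matches(addr, net, wild):
    """Wildcard-mask test: a 1 bit in the wildcard means 'don't care';
    a 0 bit means that bit of addr must equal the same bit of net."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def evaluate(rules, source_ip):
    """Return (action, statement_number) for the first matching statement, or
    ('deny', None) when nothing matches: the implicit deny at the end of every ACL."""
    addr = _to_int(source_ip)
    for idx, (action, net, wild) in enumerate(rules, start=1):
        if matches(addr, net, wild):
            return action, idx
    return "deny", None


def shadowed_rules(rules):
    """Statement numbers that can never be reached because a single earlier
    statement already matches every address they would match."""
    shadowed = []
    for j, (_, net_j, wild_j) in enumerate(rules):
        for _, net_i, wild_i in rules[:j]:
            # Earlier statement is at least as broad (its don't-care bits are a
            # superset of the later one's) and the later network falls inside it.
            broader = (wild_j & ~wild_i & 0xFFFFFFFF) == 0
            if broader and matches(net_j, net_i, wild_i):
                shadowed.append(j + 1)
                break
    return shadowed


if __name__ == "__main__":
    rules = parse_standard_acl(SAMPLE_ACL)[1]
    for ip in ("192.168.1.5", "192.168.1.100", "192.168.2.77", "10.0.0.1"):
        print(ip, "->", evaluate(rules, ip))
    print("shadowed statements:", shadowed_rules(rules))
```

Running it shows 192.168.1.100 being denied by statement 1 rather than statement 2, 10.0.0.1 being denied by nothing visible (the implicit deny), and statement 2 reported as unreachable. That is exactly the kind of ordering mistake worth checking for before you apply a list with `ip access-group`.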

Apply the access list to a router interface, outbound and inbound:

router(config)#interface fastethernet 0/0
router(config-if)#ip access-group 1 out
router(config)#interface fastethernet 0/1
router(config-if)#ip access-group 1 in

I hope that the description above helped you recall all the ACL fundamentals. Now you can’t make an excuse for any mistake while implementing an access list.

Again, I have an ACL scenario for you, shown below.

(Click here for Packet Tracer files)

Scenario ACL 1

Tasks to Perform:

1. Hosts connected to the Houston router should not be able to communicate with the server 192.168.1.11 connected to the New York router.

Hint: apply a standard ACL.

2. Hosts connected to the Chicago router should not be able to telnet to the Houston router (but must still be able to ping it), while remaining able to telnet to hosts connected to New York.

Hint: apply an extended ACL.

Note: all IP addressing and OSPF routing is preconfigured; you only have to perform the ACL tasks mentioned above. The enable password is cisco.

I have attached a solution file to this article so you can compare your solution with mine. After completing the scenario above, you can apply ACLs of your own to restrict communication between other hosts and networks, e.g. a host connected to the Chicago router should not be able to telnet (but must be able to ping) to the Houston router, and should be able to telnet to hosts connected to New York but not ping them.

I hope this tutorial will help you gain a better understanding of access lists and prepare you for the exams. Again, I suggest that you do some practice, either in Packet Tracer or on a real Cisco device. If you have any questions regarding this, or any suggestions to improve your preparation for Cisco exams, please let me know. Your valuable feedback always encourages me to provide you with a better solution than the previous one. Thanks for your time and consideration; see you soon with a new tutorial.