Tutorial: Standard ACL (Access Control List) Basics
Contributed by aaronm 
Tagged: Cisco router This is a BASIC explanation of Standard ACL’s that SHOULD be fairly easy to understand and span the spectrum of most Cisco routers.
The first thing to remember about ACL’s is they read from top to bottom. When a packet comes to a router interface, it is matched against the first line in the ACL, if it doesn’t meet the criteria, then it drops to the next line and so on until it reaches a permit or deny that fits it. The second thing to remember is THERE IS A IMPLICIT DENY underneath the last (bottom) line! Don’t apply an access-list to an interface without at least one permit statement. (Especially an inside interface!) Standard access lists can be numbered 1 – 99 or 1300 – 1999
The basic makeup of a line (statement) is:
permit / deny source_ip
access-list 1 permit 192.168.1.3 0.0.0.0
Depending on the interface and direction the list is applied, will determine its relevance. For example, if this access-list is placed on the inside interface with an “ip access-group 1 in” then the only traffic permitted into that interface will come from 192.168.1.3.
Whew! If I haven’t completely confused you yet, then get ready.
Wildcard masks are an inverse of normal subnet masks, so 0.0.0.0 is equivalent to the 255.255.255.255 of route advertisement, for example.
So if I want to deny the network 10.0.1.0 255.255.255.248 then I would type
access-list 1 deny 10.0.1.0 0.0.0.7.
if I want to permit a single host, I type
access-list 1 permit 192.168.1.1 0.0.0.0
Ridiculous, I know. I’m not going to get into the functionality behind this, we would be reading for an hour.
Finally, when you apply the access-list to an interface, don’t call it a “list” call it a “group”.
i.e.
router(config)# interface fastethernet 0/0
router(config-int)# ip access-group 1 in
P.S. Oh, yeah, and only one ACL per interface, per direction, per protocol.
This is the complete tip-top of the iceberg of ACL’s, several chapters in several large books cover this topic. I keep shaking my head as I write this because I’m leaving out sooooooo much stuff, but hopefully it gives you a base for researching / understanding this topic. Good luck!
You may also like -
Serial Point-to-Point Encapsulation Explained
Increase or change Cisco router log size
Copy Folders and Files While Keeping Ownership and Permissions
Configure IGRP routing on a Cisco router
Configure Cisco router as a basic DHCP serverCisco: How to configure NAT [Network Address Translation]
Cisco HSRP (like VRRP) - Redundant gateway router configuration
How to Get Started Building a Desktop Computer System from Scratch
Atanu Ray said on January 11, 2009
Good.
VENCIO said on February 16, 2009
a litle bit funny but i understood!!
thank you!!
Erika said on May 20, 2009
that was awsome
Anonymous said on August 10, 2009
nice job buddy
Anonymous said on January 2, 2010
YEA A GOOD JOB DONE HERE I THINK IM REALLY CERTIFIED WITH EVERY THING BECAUSE ITS SIMPLE AND EASY TO UNDERSTAND
THANKS.
Anirban said on November 13, 2010
awsome….i really like ur article
mahavir said on February 2, 2011
Really funny! Off-course a useful one.
Baishakhi307 said on April 6, 2011
thnx for it..it really funny and great!!
Gitesh said on July 12, 2011
Very helpful in understanding the ACL… Good one
varshini said on August 22, 2011
Covers the basic idea of ACL.Pls suggest me some links where i can read in detail