Standard access lists filter traffic based on source IP only. Numbered standard ACLs use IDs 1-99 and 1300-1999. They are the simplest filter on a Cisco router and a great introduction to the ACL concept: a list of permits and denies, evaluated top-down, with an implicit deny at the end. This lab configures a standard ACL on R1 that denies one specific host and permits the rest of the LAN.
This is the fifth free preview lab in the library.
What you will learn
- Numbered vs named ACLs (we use numbered here; named is next lab)
- Standard vs extended (standard = source-IP only)
- How to apply an ACL inbound or outbound on an interface
- The implicit deny at the end of every ACL
- How to read `show ip access-lists` output and its line numbers
What this lab does NOT cover
- Extended ACLs (next lab, sec-03)
- Time-based ACLs
- IPv6 ACLs
Topology
Download the CCNA Base Topology .yaml
3 iol-xe routers + 1 alpine + 1 ioll2-xe managed switch + 1 unmanaged switch.
Step 1: Create a numbered standard ACL on R1
```
R1#configure terminal
R1(config)#access-list 10 deny 10.20.0.99 0.0.0.0
R1(config)#access-list 10 permit 10.20.0.0 0.0.0.255
R1(config)#access-list 10 deny any log
```
Three lines, evaluated top-down:
- Line 10: deny host 10.20.0.99 (wildcard 0.0.0.0 = exactly this host)
- Line 20: permit 10.20.0.0/24 (wildcard 0.0.0.255 = any host in the subnet)
- Line 30: explicit deny + log (matches any remaining source; `any` is the same as 0.0.0.0 255.255.255.255)
The explicit deny-log is a hardening pattern - it generates a log message when something gets blocked, useful for audit. Without it, the implicit deny at the end of every ACL silently drops traffic.
Step 2: Apply the ACL inbound on Et0/0
```
R1(config)#interface Ethernet0/0
R1(config-if)#ip access-group 10 in
```
The ACL is applied INBOUND on Ethernet0/0. R1 evaluates the ACL against every packet ENTERING that interface.
Step 3: Verify with show ip access-lists
```
R1#show ip access-lists
Standard IP access list 10
    10 deny   10.20.0.99
    20 permit 10.20.0.0, wildcard bits 0.0.0.255
    30 deny   any log
```
IOS auto-numbers lines in increments of 10 (10, 20, 30). This lets you insert lines later without renumbering everything.
Step 4: Insert a new ACE (access-control entry)
To add a permit for 10.20.0.50 before the deny line:
```
R1(config)#ip access-list standard 10
R1(config-std-nacl)#15 permit 10.20.0.50
```
Line 15 is inserted between line 10 and line 20.
```
R1#show ip access-lists 10
Standard IP access list 10
    10 deny   10.20.0.99
    15 permit 10.20.0.50
    20 permit 10.20.0.0, wildcard bits 0.0.0.255
    30 deny   any log
```
Where standard ACLs should be applied
Best practice for standard ACLs (filtering by source only): apply them CLOSE TO THE DESTINATION. The reason: a standard ACL has no idea where the packet is going. If you apply close to the source, you might block traffic that should reach some destinations.
Extended ACLs (filtering by source AND destination AND protocol) are applied close to the SOURCE - they have all the info to make the right decision.
Wildcard mask gotcha
ACL wildcard masks are INVERSE of subnet masks. The bit positions tell you what to MATCH (0 = exact, 1 = don't care):
| Subnet mask | Wildcard mask | What it matches |
|---|---|---|
| 255.255.255.255 (/32) | 0.0.0.0 | One host exactly |
| 255.255.255.0 (/24) | 0.0.0.255 | Whole /24 subnet |
| 255.255.0.0 (/16) | 0.0.255.255 | Whole /16 |
| n/a | 0.0.0.255 | Any host whose first 24 bits match the source address (same as the /24 row) |
Cisco shorthand: `host 10.20.0.99` is equivalent to `10.20.0.99 0.0.0.0`, and `any` is equivalent to `0.0.0.0 255.255.255.255`.
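The evaluation rules from Steps 1 to 4 and the wildcard table above, as an added Python model (example code written for this page, not IOS and not part of the original lab): it matches a source against (address, wildcard) pairs, walks the ACEs top-down with first match wins and the implicit deny at the end, and orders an inserted sequence 15 the way IOS does. The `Ace`/`StandardAcl` names and the `build_lab_acl` helper are this example's own.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed model of a Cisco numbered standard ACL (example, not IOS code).
# A standard ACE matches on source IP only: wildcard bit 0 = must match exactly,
# wildcard bit 1 = don't care (the inverse of a subnet mask).

@dataclass(frozen=True)
class Ace:
    seq: int            # IOS sequence number (10, 20, 30 ...)
    action: str         # "permit" or "deny"
    address: str        # dotted-quad source address
    wildcard: str       # dotted-quad wildcard mask
    log: bool = False   # the "log" keyword on the explicit deny line

def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def matches(ace: Ace, src: str) -> bool:
    """True if src falls inside the ACE's (address, wildcard) range."""
    care = ~to_int(ace.wildcard) & 0xFFFFFFFF   # 1 bits = bits we compare
    return (to_int(src) & care) == (to_int(ace.address) & care)

def wildcard_for_prefix(prefix_len: int) -> str:
    """Subnet mask -> wildcard mask, e.g. /24 -> 0.0.0.255."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(~mask & 0xFFFFFFFF))

class StandardAcl:
    def __init__(self) -> None:
        self.aces: list[Ace] = []

    def add(self, ace: Ace) -> None:
        # Like "ip access-list standard 10" + "15 permit ...": kept in sequence order
        self.aces = sorted(self.aces + [ace], key=lambda a: a.seq)

    def evaluate(self, src: str) -> tuple[str, int | None]:
        """Top-down, first match wins; the implicit deny (seq None) ends every ACL."""
        for ace in self.aces:
            if matches(ace, src):
                return ace.action, ace.seq
        return "deny", None

def build_lab_acl() -> StandardAcl:
    """The lab's ACL 10 after Step 4 (line 15 inserted out of order, as in IOS)."""
    acl = StandardAcl()
    acl.add(Ace(10, "deny", "10.20.0.99", "0.0.0.0"))
    acl.add(Ace(20, "permit", "10.20.0.0", "0.0.0.255"))
    acl.add(Ace(30, "deny", "0.0.0.0", "255.255.255.255", log=True))
    acl.add(Ace(15, "permit", "10.20.0.50", "0.0.0.0"))
    return acl
```

Dropping line 30 from `build_lab_acl` shows the implicit deny: a source outside 10.20.0.0/24 is still denied, but with no sequence number and no log, which is exactly the silent drop the text warns about.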
Verification
- `show ip access-lists` shows the ACL with line numbers and match counters
- 10.20.0.99 cannot communicate through R1; other hosts in 10.20.0.0/24 can
- The deny-log line generates syslog messages when triggered
Troubleshooting matrix
| Symptom | Likely cause | Fix |
|---|---|---|
| ACL doing the opposite of what you expect | Wildcard mask confusion (zeros match) | Re-check; remember 0.0.0.0 = exact host |
| Permit + deny + permit order wrong | ACLs are top-down with first-match | Reorder; specific permits before general denies |
| Standard ACL not blocking traffic to a specific destination | Standard ACL has no destination match | Use extended ACL (sec-03) |
| ACL applied but no counters | Wrong direction (in vs out) | Flip with `ip access-group 10 in` or `ip access-group 10 out` |
Engineer's note: production reality
Standard ACLs are rare in modern production. Extended ACLs cover everything standard ACLs do and more, with finer-grained control. The remaining use cases for standard ACLs: route-map prefix-matching, redistribution filtering, distribute-lists in RIP/OSPF. Otherwise prefer extended.
Key takeaways
- Standard ACLs match source IP only. Numbered 1-99 or 1300-1999.
- Top-down first-match. Implicit deny at the end.
- Apply standard ACLs close to the destination.
- Wildcard masks are the INVERSE of subnet masks.
- Use the `any` and `host X` shortcuts for clarity.