
CCNA Packet Tracer Activity Standard

ACLs
In this Free CCNA Lab we will use the provided Packet Tracer activity to plan, configure, and apply a
standard Access Control List (ACL) that permits or denies specific traffic flowing through the network. We will
then use ping and Cisco show commands to test the ACL and determine whether the desired results were
achieved.

Learning Objectives:
Understand the function of an ACL.
Configure a standard ACL to filter traffic.
Verify the ACL operation.
Standard Access Lists:

Standard access lists match packets by examining the source IP address field in the packet's IP header.
Any bit positions in the 32-bit source IP address can be compared to the access list statements.
However, the matching is flexible and does not consider the subnet mask in use.

Access lists use the inverse mask, sometimes called the wildcard mask or I-mask. This mask is named
because it inverts the meaning of the bits. In a normal mask, ones mean "must match," while zeroes
mean "may vary." For example, for two hosts to be on the same Class C network, the first 24 bits of their
address must match, while the last 8 may vary. Inverse masks swap the rules so that zeroes mean "must
match" and ones mean "may vary."
Planning and implementing an ACL:

The easy way to calculate the inverse mask when you already know the normal mask is to subtract from
all ones. The table that follows shows an example. The normal mask is subtracted, column by column,
from the all-ones mask to determine the inverse mask.

               Octet 1  Octet 2  Octet 3  Octet 4
All Ones           255      255      255      255
Normal Mask        255      255      240        0
Inverse Mask         0        0       15      255

The command for configuring a standard access list is as follows:
Router(config)# access-list {1-99} {permit | deny} source-addr [source-mask]

As you can see from the command syntax, the first option is to specify the access list number. The
number range for standard access lists is 1 to 99. The second value that you must specify is to permit or
deny the configured source IP address. The third value is the source IP address that you want to match.
The fourth value is the wildcard mask that you want to apply to the IP address previously configured.

Note: All access lists have an implicit deny, meaning that if a packet does not match any of the criteria
that you have specified in your access list, it will be denied. If you have deny statements in your access
lists, be sure to create permit statements to allow valid traffic.

When the access list has been created, you need to apply it to the appropriate interface. The command
to apply the access list is as follows:
Router(config-if)# ip access-group {number | name} {in | out}

The access list is applied under the interface configuration mode. You must specify only the number or
name of the list and whether it filters incoming or outgoing traffic on that interface.
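The following Python script is an added example, not part of the Packet Tracer lab, that models the pieces above: the inverse-mask calculation, the access-list command syntax, and first-match evaluation of a standard ACL against source addresses with the implicit deny at the end. The access list number 10 and the addresses in it are constructed for the example; the ACL is evaluated directly and the interface and direction are not modelled.

```python
# Added example: inverse mask calculation and standard ACL evaluation.
# Assumption: the access-list entries and addresses below are constructed
# for illustration and do not come from the lab topology.
import ipaddress

def inverse_mask(normal_mask: str) -> str:
    """Subtract each octet of the normal mask from 255 (the all-ones mask)."""
    return ".".join(str(255 - int(octet)) for octet in normal_mask.split("."))

def parse_acl_line(line: str):
    """Parse 'access-list {1-99} {permit|deny} source-addr [source-mask]'.
    An omitted wildcard mask means 0.0.0.0, i.e. an exact host match."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list":
        raise ValueError(f"not a standard access-list line: {line!r}")
    number = int(parts[1])
    if not 1 <= number <= 99:
        raise ValueError("standard access lists are numbered 1-99")
    action = parts[2]
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny")
    wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
    return number, action, parts[3], wildcard

def matches(source: str, addr: str, wildcard: str) -> bool:
    """Wildcard bit 1 = 'may vary', 0 = 'must match'; only the source address
    field of the packet is examined, exactly as a standard ACL does."""
    src = int(ipaddress.IPv4Address(source))
    ref = int(ipaddress.IPv4Address(addr))
    keep = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF  # bits that must match
    return (src & keep) == (ref & keep)

def evaluate_acl(entries, source: str) -> str:
    """Walk the entries in configured order and return the first matching
    action; a packet matching no entry hits the implicit deny."""
    for _number, action, addr, wildcard in entries:
        if matches(source, addr, wildcard):
            return action
    return "deny"  # implicit deny at the end of every access list

# Constructed configuration: deny one host, permit the rest of its /24.
ACL_10 = [parse_acl_line(l) for l in (
    "access-list 10 deny 192.168.1.10",
    "access-list 10 permit 192.168.1.0 0.0.0.255",
)]

if __name__ == "__main__":
    print("inverse mask of 255.255.240.0 is", inverse_mask("255.255.240.0"))
    for src in ("192.168.1.10", "192.168.1.77", "10.0.0.5"):
        print(src, "->", evaluate_acl(ACL_10, src))
```

Note that 10.0.0.5 is denied even though no deny statement names it, which is the implicit deny the note above warns about.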
