access-list [1-99] permit|deny [source]
Creates a standard numbered access list (1-99) to permit or deny traffic based on source IP address, used to filter packets entering or leaving a router interface.
When to Use This Command
- Restrict traffic from a specific host or subnet on a LAN segment
- Block traffic from a known malicious source IP address
- Permit only specific source networks while denying all others in a security policy
- Control management access to a router by filtering source addresses
Command Examples
Deny a specific host and permit all other traffic
access-list 10 deny host 192.168.1.100
access-list 10 permit any
The first line denies any packet with source IP 192.168.1.100. The second line permits all other traffic. Since ACLs have an implicit deny at the end, the permit any is necessary to allow other traffic.
Permit a subnet and deny all others
access-list 20 permit 10.0.0.0 0.255.255.255
This ACL permits traffic from the 10.0.0.0/8 network using a wildcard mask of 0.255.255.255. All other traffic is implicitly denied.
Understanding the Output
Standard ACLs do not produce output when configured; they are applied to interfaces with the 'ip access-group' command. To verify ACLs, use 'show access-lists' or 'show ip interface'. The 'show access-lists' output lists each ACL with its entries, showing permit/deny, source address/wildcard, and match counters. A correctly applied ACL will show increasing match counts for expected traffic; zero counts may indicate that the ACL is applied to the wrong interface or direction, or that an earlier entry is matching first. Watch for the implicit deny at the end, which drops unmatched traffic.
CCNA Exam Tips
Standard ACLs (1-99) filter only on source IP; extended ACLs (100-199) filter on source, destination, protocol, and port.
ACL entries are processed top-down; order matters. Place more specific entries before general ones.
The implicit deny any at the end of every ACL is a common exam trap; remember to include a permit statement if needed.
Standard ACLs should be placed as close to the destination as possible to avoid unintended filtering.
Common Mistakes
Forgetting the implicit deny, causing all traffic to be blocked after applying the ACL.
Using the wrong wildcard mask (e.g., 255.255.255.0 instead of 0.0.0.255).
Applying a standard ACL in the wrong direction (e.g., inbound vs outbound) on an interface.
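The following is an added illustration, not Cisco's code or anything from this page: a small Python model of how IOS walks a standard numbered ACL (top-down, first match, wildcard-mask comparison, implicit deny, per-entry match counters). It replays the two command examples above, the same ACL 10 entries in reversed order, and the wrong-wildcard mistake, so each behaviour listed under Exam Tips and Common Mistakes can be checked by hand; the parser handles only the 'host', 'any', bare-address and address-plus-wildcard source forms shown on this page.

```python
import ipaddress

# Added illustration, not Cisco's code: a model of how IOS walks a standard
# numbered ACL, so the examples above and the mistakes below can be checked.

def wildcard_match(src, base, wildcard):
    """Entry matches when every bit the wildcard mask marks 0 ('care' bit)
    equals the base address; bits marked 1 are ignored."""
    a = int(ipaddress.IPv4Address(src))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_entry(line):
    """Parse 'access-list <1-99> permit|deny <source>' into an entry.
    'host X' means X 0.0.0.0, 'any' means 0.0.0.0 255.255.255.255, and a
    bare address with no wildcard is a host entry (the IOS default)."""
    _, number, action, *source = line.split()
    if source[0] == "any":
        base, wildcard = "0.0.0.0", "255.255.255.255"
    elif source[0] == "host":
        base, wildcard = source[1], "0.0.0.0"
    elif len(source) == 1:
        base, wildcard = source[0], "0.0.0.0"
    else:
        base, wildcard = source
    return {"acl": int(number), "action": action, "base": base,
            "wildcard": wildcard, "matches": 0}

def evaluate(acl, src):
    """Top-down, first match wins and bumps that entry's counter (what
    'show access-lists' reports); no match falls to the implicit deny."""
    for entry in acl:
        if wildcard_match(src, entry["base"], entry["wildcard"]):
            entry["matches"] += 1
            return entry["action"]
    return "deny"

def build(*lines):
    return [parse_entry(l) for l in lines]

# The page's two examples, the same entries in the wrong order, and the
# wrong-mask mistake (255.255.255.0 where 0.0.0.255 was intended).
ACL10 = build("access-list 10 deny host 192.168.1.100", "access-list 10 permit any")
ACL10_REVERSED = build("access-list 10 permit any", "access-list 10 deny host 192.168.1.100")
ACL20 = build("access-list 20 permit 10.0.0.0 0.255.255.255")
ACL30 = build("access-list 30 permit 192.168.1.0 255.255.255.0")
```

With the reversed ACL 10 the 'permit any' matches first, so 192.168.1.100 is permitted; with the wrong mask in ACL 30 only the last octet is compared, so 192.168.1.5 is dropped by the implicit deny while 10.20.30.0 is permitted.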
Related Commands
access-list [100-199] permit|deny [proto] [src] [dst]
Configures an extended access list (100-199) to permit or deny traffic based on protocol, source, and destination, used for granular traffic filtering on Cisco routers.
ip access-group [acl] [in|out]
Applies an access control list (ACL) to an interface to filter inbound or outbound traffic based on the ACL rules.
show access-lists
Displays all configured access control lists (ACLs) on the device, including their entries and match counters, used to verify ACL configuration and traffic filtering.
show ip interface
Displays the status and configuration of all IP interfaces on a Cisco router, including IP address, protocol status, and interface statistics, used for verifying interface IP configuration and troubleshooting connectivity issues.