ip access-list standard [name]
Creates or enters a standard named IP access list to filter traffic based on source IP address, used to permit or deny packets in a Cisco IOS network.
When to Use This Command
- Restricting management access to a router by allowing only specific source IPs to SSH or Telnet.
- Controlling which networks can be advertised in a routing protocol like EIGRP or OSPF.
- Limiting traffic on an interface to allow only certain source subnets while blocking others.
- Filtering traffic for NAT (Network Address Translation) to define which internal addresses are eligible for translation.
Command Examples
Creating a standard ACL to permit a specific host
ip access-list standard MGMT_ACCESS
permit host 192.168.1.100
deny any
This command sequence creates a standard named ACL called MGMT_ACCESS. The first line permits traffic from host 192.168.1.100. The second line denies all other traffic. Since there is an implicit deny at the end of every ACL, the explicit 'deny any' is optional, but it clarifies the intent and gives denied packets a visible match counter in 'show access-lists', which the implicit deny does not provide.
Applying a standard ACL to a VTY line for SSH restriction
line vty 0 4
access-class MGMT_ACCESS in
This applies the MGMT_ACCESS ACL to VTY lines 0 through 4 for inbound connections. Only the host 192.168.1.100 will be allowed to SSH or Telnet into the router; all other source IPs will be denied. Check how many VTY lines the platform has ('line vty 0 15' is common) and apply the access-class to all of them, otherwise the unlisted lines remain unrestricted.
Understanding the Output
The 'ip access-list standard [name]' command does not produce output by itself; it enters ACL configuration mode. To view the ACL, use 'show access-lists [name]'. The output shows entries with sequence numbers, the permit/deny action, the source IP and wildcard mask, and packet match counts. For example, '10 permit 192.168.1.0 0.0.0.255' matches any source in the 192.168.1.0/24 network. The wildcard mask is the inverse of a subnet mask: a 0 bit must match exactly and a 1 bit is ignored, so 0.0.0.255 means the first 24 bits must match. A 'deny' entry blocks traffic. The match count increments each time a packet matches the entry. Increasing counts on permit entries are expected; a rising count on a deny entry that should not be hit indicates legitimate traffic being blocked.
CCNA Exam Tips
Standard ACLs should be placed as close to the destination as possible because they only filter on source IP.
Named ACLs are preferred over numbered ACLs in CCNA exams; remember the syntax 'ip access-list standard NAME'.
The implicit deny any at the end of every ACL is a common exam trap; always ensure you have a permit statement if needed.
Standard ACLs use numbers 1-99 and 1300-1999; named ACLs can be any name and are more flexible.
Common Mistakes
Forgetting the implicit deny any at the end of the ACL, causing all traffic to be blocked unintentionally.
Applying a standard ACL in the wrong direction (e.g., using 'out' instead of 'in' on an interface).
Using a subnet mask instead of a wildcard mask in the ACL entry (e.g., 255.255.255.0 instead of 0.0.0.255).
Placing a standard ACL too close to the source, which blocks that source's traffic to every destination rather than only the destination you meant to protect, because a standard ACL cannot match on destination.
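The matching rules described under 'Understanding the Output' and the wildcard-mask mistake listed above, as an added Python example (not code from this page or from Cisco IOS): it evaluates source addresses against a standard ACL using the IOS rules (top-down first match, wildcard 1 bits meaning "don't care", implicit deny, per-entry match counters), reproduces the MGMT_ACCESS example, and shows what a subnet mask typed in place of a wildcard mask actually permits. The StandardAcl class, the Entry dataclass and the approximate 'show' output format are assumptions made for this example.

```python
# Added example: a minimal simulator of Cisco IOS standard ACL semantics.
# Top-down first match, wildcard masks, implicit deny, and match counters.
import ipaddress
from dataclasses import dataclass


@dataclass
class Entry:
    seq: int
    action: str       # "permit" or "deny"
    addr: int         # source address as a 32-bit integer
    wildcard: int     # wildcard mask: a 1 bit means "don't care"
    matches: int = 0


def parse_entry(seq: int, line: str) -> Entry:
    """Parse 'permit any', 'permit host A.B.C.D' or 'permit A.B.C.D W.W.W.W'."""
    action, target, *rest = line.split()
    if target == "any":
        return Entry(seq, action, 0, 0xFFFFFFFF)
    if target == "host":
        return Entry(seq, action, int(ipaddress.IPv4Address(rest[0])), 0)
    addr = int(ipaddress.IPv4Address(target))
    wildcard = int(ipaddress.IPv4Address(rest[0]))
    return Entry(seq, action, addr, wildcard)


class StandardAcl:
    def __init__(self, name: str, lines: list[str]):
        self.name = name
        # IOS auto-numbers entries 10, 20, 30, ... in the order they are entered
        self.entries = [parse_entry(10 * (i + 1), l) for i, l in enumerate(lines)]

    def evaluate(self, src: str) -> str:
        """Return 'permit' or 'deny' for a source address, updating counters."""
        s = int(ipaddress.IPv4Address(src))
        for e in self.entries:
            care = ~e.wildcard & 0xFFFFFFFF      # bits that must match exactly
            if (s & care) == (e.addr & care):
                e.matches += 1
                return e.action
        return "deny"   # the implicit deny at the end of every ACL (no counter)

    def show(self) -> list[str]:
        """Approximation (constructed format) of 'show access-lists NAME' lines."""
        out = [f"Standard IP access list {self.name}"]
        for e in self.entries:
            a, w = ipaddress.IPv4Address(e.addr), ipaddress.IPv4Address(e.wildcard)
            out.append(f"    {e.seq} {e.action} {a}, wildcard bits {w} ({e.matches} matches)")
        return out


# Constructed sample ACLs: the page's MGMT_ACCESS, the wildcard mistake, and its fix.
MGMT = StandardAcl("MGMT_ACCESS", ["permit host 192.168.1.100", "deny any"])
WRONG = StandardAcl("WRONG_MASK", ["permit 192.168.1.0 255.255.255.0"])  # subnet mask by mistake
RIGHT = StandardAcl("RIGHT_MASK", ["permit 192.168.1.0 0.0.0.255"])       # correct wildcard
```

With the subnet mask typed by mistake, only the last octet is checked, so 192.168.1.100 is denied while an unrelated address ending in .0 is permitted.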
Related Commands
access-class [acl] in
Restricts incoming or outgoing Telnet/SSH access to a router line (VTY, AUX, console) by applying an ACL that filters source IP addresses.
ip access-group [acl] [in|out]
Applies an access control list (ACL) to an interface to filter inbound or outbound traffic based on the ACL rules.
ip access-list extended [name]
Creates or enters an extended named access list to filter traffic based on source/destination IP, protocol, and port numbers, used for granular traffic control.
show access-lists
Displays all configured access control lists (ACLs) on the device, including their entries and match counters, used to verify ACL configuration and traffic filtering.