How to Configure Cisco Standard Numbered Access Control List

By | April 24, 2014

Hello guys, it’s really good to see you here. So far we have done many labs on Cisco routing configurations. Have you heard about network security? How do you protect your network from hackers and snoopers? Is your network secure? As a beginner’s guide, let me explain the basic network security concepts along with configurations. When talking about Cisco network security, Access Control Lists (ACLs) come first. What is an Access Control List (ACL)? Simply put, ACLs control the traffic after the routing process. An ACL can prevent undesirable data packets from a particular source from reaching a particular endpoint. It is very important to learn Cisco access control list basics to provide better security for your enterprise network. This article explains the standard numbered access list on a Cisco router.

This Cisco access control list configuration guide progresses with many example scenarios.

Different Types of Access Control List in Cisco

  • There are 2 major types of access control list available on a Cisco router: Numbered Access List and Named Access List.
  • Each of these two is further classified into Standard and Extended.

Thus we have 4 ACL types in total:

  1. Standard Numbered Access List
  2. Extended Numbered Access List
  3. Standard Named Access List
  4. Extended Named Access List

Today we will be covering how to configure Standard Numbered Access Lists on a Cisco router.

What is Cisco Numbered Access Control List?

  • By definition, a Cisco access control list filters the traffic entering or leaving through an interface.
  • The numbered access list is the basic type of ACL; once configured, we can’t edit it to enter new conditions.
  • Understanding Cisco access control lists is easy once you know the execution order of the access control list commands.
  • Numbered access lists execute line by line. If the 1st line of the ACL matches the packet, IOS skips all other entries in the access list. If it does not match, IOS checks the 2nd line.
  • If the 2nd line matches, IOS skips all the lines that follow line 2, and so on…
  • Two common types of numbered ACLs are the Numbered Standard Access List and the Numbered Extended Access List.
  • When configuring an access list we have to enter both permit and deny commands, because there is an ‘implicit deny all’ at the end of every ACL. So an ACL that contains only deny statements will block all traffic. Hence we should also use a permit command in order to block specific IPs and allow all other IPs.

Setting up a Cisco access control list has 2 steps.

  1. Defining Access Control List
  2. Bind the ACL on an interface
  • Creating an ACL will not do anything in the network. For the access list to take effect we must apply or bind it on an interface.
  • Access lists are applied either inbound (when packets are received, just before routing) or outbound (when packets are leaving, just after routing).

What is Standard Numbered Access List in Networking?

  • This type of ACL permits or denies traffic based on the source address.
  • Valid standard ACL numbers are 1 to 99.
  • The standard numbered access list syntax is:

access-list <1-99> <permit/deny> <source address> <wildcard mask>

  • Since it filters based on the source IP, a standard numbered access list is applied close to the destination network.

  • Usually it is bound on the interface as ‘Out’.
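
The first-match order, the ‘implicit deny all’ and the <source address> <wildcard mask> syntax described above can be checked offline with a small simulator. This Python sketch is an added example, not part of the original article or of Cisco IOS; the addresses are constructed documentation addresses, and ACLs 40 and 50 are hypothetical lists added to show the deny-only and wrong-order cases.

```python
import ipaddress

# Constructed sample config: RFC 5737 documentation addresses, not the article's lab.
SAMPLE = [
    "access-list 10 deny 192.0.2.0 0.0.0.255",   # deny a network, permit the rest
    "access-list 10 permit any",
    "access-list 30 permit host 192.0.2.10",     # permit one host, deny its network
    "access-list 30 deny 192.0.2.0 0.0.0.255",
    "access-list 30 permit any",
    "access-list 40 deny host 192.0.2.10",       # hypothetical: deny-only ACL
    "access-list 50 permit any",                 # hypothetical: permit placed first
    "access-list 50 deny host 192.0.2.10",
]

def parse_entry(line):
    """Return (number, action, address, wildcard) for one standard numbered entry."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list":
        raise ValueError(f"not a numbered ACL entry: {line!r}")
    number, action, src = int(tok[1]), tok[2], tok[3:]
    if not 1 <= number <= 99 or action not in ("permit", "deny"):
        raise ValueError(f"bad ACL number or action: {line!r}")
    if src == ["any"]:
        return number, action, 0, 0xFFFFFFFF     # every bit is "don't care"
    if src[0] == "host" and len(src) == 2:
        return number, action, int(ipaddress.IPv4Address(src[1])), 0
    if len(src) > 2:
        raise ValueError(f"bad source in: {line!r}")
    addr = int(ipaddress.IPv4Address(src[0]))
    wild = int(ipaddress.IPv4Address(src[1])) if len(src) == 2 else 0
    return number, action, addr, wild

def evaluate(config, number, source_ip):
    """First-match evaluation of ACL `number`; returns (action, entry position)."""
    entries = [e for e in map(parse_entry, config) if e[0] == number]
    if not entries:
        raise ValueError(f"access-list {number} has no entries")
    src = int(ipaddress.IPv4Address(source_ip))
    for position, (_, action, addr, wild) in enumerate(entries, 1):
        care = ~wild & 0xFFFFFFFF                # bits that must equal the entry's address
        if (src & care) == (addr & care):
            return action, position              # later entries are never consulted
    return "deny", None                          # implicit deny all at the end

if __name__ == "__main__":
    for acl, ip in [(10, "192.0.2.77"), (30, "192.0.2.10"), (40, "198.51.100.5"), (50, "192.0.2.10")]:
        print(acl, ip, evaluate(SAMPLE, acl, ip))
```

ACL 40 shows the deny-only case that blocks every source, and ACL 50 shows a deny entry that is never reached because permit any matches first.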

Standard Numbered Access List Example in Packet Tracer

Now let me show you the Cisco access control list commands using a Packet Tracer network scenario, to help you understand the Standard Numbered Access List. Consider the following network topology. How do you configure an access control list on Cisco? Check out these examples.

Example 1: Deny a Complete Network

I would like to block the network N4 ( accessing the network N1 (


Step 1: Define Access List

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#access-list 10 deny
R1(config)#access-list 10 permit any

The above configuration defines an access list that denies the source network. There is nothing regarding the destination! Defining an ACL will not do anything in the network.

So how will we enforce the standard numbered access list for the destination network? This is done by attaching the ACL to an interface close to the network N1 ( [In this example it is Router 1’s FastEthernet 0/0]

Step 2: Bind Access List on an Interface

We could use FastEthernet 0/0 for binding ACL since it is closer to the destination network N1 (

R1(config)#interface fastEthernet 0/0
R1(config-if)#ip access-group 10 out

Example 2 – Deny a Specific Host and Permit All other Host

In example 1 we blocked a complete network; how do we block a specific host in a network? Here let me block the host PC (Laptop) accessing the network N1 (

For this we could use the standard numbered access list deny host command, as below.


Step 1: Define Access List

R1(config)#access-list 20 deny host
R1(config)#access-list 20 permit any

Step 2: Bind Access List on an Interface

R1(config)#interface fastEthernet 0/0
R1(config-if)#ip access-group 20 out

Example 3 – Permit a Specific Host and Deny all other Host

In this example we will let the host PC access network whereas all other hosts in the network has been blocked to access


Step 1: Define Access List

R1(config)#access-list 30 permit host
R1(config)#access-list 30 deny
R1(config)#access-list 30 permit any

Step 2: Bind Access List on an Interface

R1(config)#interface fastEthernet 0/0
R1(config-if)#ip access-group 30 out

We have completed 3 different examples of the Standard Numbered Access List on a Cisco router. The next section describes some further commands for administering ACL networks.

Access List Verification and Testing Commands

As usual, let me point out some useful commands for dealing with access lists.

#show ip access-lists : Check Access List

How to check the presence of ACL in IOS?

R1#show ip access-lists
Standard IP access list 10
permit any

Check Binding Interface

#show running-config shows exactly where the ACL is applied.

R1#show running-config
Building configuration...

Current configuration : 806 bytes
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname R1
spanning-tree mode pvst
interface FastEthernet0/0
ip address
ip access-group 10 out
duplex auto
speed auto

In the above configuration, access list 10 is hooked on FastEthernet0/0 as ‘Out’.

How to Remove Standard Numbered Access List

How to completely remove an ACL? Use the ‘no’ version of the access list command for that.

R1(config)#no ip access-list standard 10

Unbind Access List from an Interface

In order to detach an ACL from an interface we may use the following command.

R1(config)#interface fastEthernet 0/0
R1(config-if)#no ip access-group 20 out

How to Edit Access Control List Cisco

Unfortunately we cannot edit a Standard Numbered Access Control List. This is the main drawback of the Standard Numbered Access Control List. Use a text editor (Notepad, Notepad++) to manage ACL entries and copy and paste from it.

Well, that is the Cisco access control list explained. Try multiple examples of your own with Packet Tracer. In the next article I would like to cover the Extended Numbered Access List; meanwhile, can I have your comments about this standard numbered access list tutorial? Keep visiting
