
Why a standard ACL must be placed closest to the destination

Today we are going to talk about the standard access list (ACL). As per the network diagram, R0 and R1 are connected to each other over the 192.168.3.0/30 network. For PC1 to ping PC2/PC3 across that link, each router needs a static route for the LAN behind the other router. After configuring the static routes below, you will be able to ping from PC1 to PC2/PC3 and vice versa.

R0 -> ip route 192.168.2.0 255.255.255.0 192.168.3.2
R1 -> ip route 192.168.1.0 255.255.255.0 192.168.3.1

Now let's focus on the scenario for applying a standard ACL. We are going to deny PC3 from reaching PC1, while PC2 is still allowed to ping PC1. An ACL is a method of filtering traffic, similar to a basic, stateless packet filter on the router: each packet is judged on its own, with no connection tracking, so we can block or permit certain traffic as it passes through the router. A standard ACL can permit or deny based on the source IP address only; it cannot look at the destination address, the protocol or the port.

When configuring an ACL, we can create a standard or an extended ACL on the router and then apply it to an interface, either inbound or outbound with respect to that interface. A numbered standard ACL uses a number from 1-99 (or 1300-1999 in the expanded range), matches on the source IP address only, and should be applied closest to the destination. A numbered extended ACL uses a number from 100-199 (or 2000-2699), can match on source and destination IP addresses as well as the protocol and ports (services), and should be applied closest to the source, so that unwanted traffic is dropped before it crosses the network. The placement rule follows from what each type can match: because a standard ACL sees only the source, placing it near the source would cut that source off from every destination, not just the one we want to protect.

In our case, we have to deny PC3 from reaching PC1. The PC3 network is the source and PC1 is the destination, so the standard ACL goes closest to the destination: on R0's f0/0 interface (192.168.1.1, the interface facing PC1), in the outbound direction.

R0# configure terminal
R0(config)# access-list 1 deny 192.168.2.101 0.0.0.0
R0(config)# access-list 1 permit any
R0(config)# interface f0/0
R0(config-if)# ip access-group 1 out
R0(config-if)# end

After configuring the ACL on R0, PC3 can no longer reach PC1. The wildcard mask 0.0.0.0 means every bit of the address must match, i.e. a single host (it is equivalent to writing "host 192.168.2.101"). Every ACL ends with an implicit deny, so without the "permit any" as the last line the ACL would also drop PC2 and everything else leaving f0/0. The router evaluates the entries from top to bottom and stops at the first match: the action of that entry is taken and the remaining entries are never consulted, so the order of the entries matters (if "permit any" came first, the deny would never be reached). Two things worth checking once it is applied: "show access-lists" displays per-entry match counters, and because the ACL matches on the source address, echo replies from PC3 are dropped at f0/0 as well, so PC1 cannot ping PC3 either, even though nothing filters PC1's own packets.

Let's find out why a standard ACL is placed closest to the destination.


If we applied the same ACL on R1 instead, which means closest to the source (inbound on R1's f0/0 interface), PC3 would be blocked from reaching PC1, but also from reaching PC4, which it could ping before the ACL was applied. Our requirement was only to block PC3 from PC1; PC3 should still be able to ping PC4. Since a standard ACL matches only on the source address, applied at R1 it drops every packet from PC3 regardless of destination, whereas applied outbound on R0 f0/0 it only affects packets headed for the 192.168.1.0/24 network where PC1 lives. So, if you need to filter on a combination of source and destination addresses, you have to use an extended ACL and apply it closest to the source. In a future post, we will talk about the extended ACL. So, follow my blog to subscribe and get the latest article once I post. If you have any doubts regarding the standard ACL configuration, please don't hesitate to comment below.
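To make the placement argument and the first-match/implicit-deny behaviour concrete, here is an added simulation written for this post's scenario; it is not code from the original page or from Cisco. It implements Cisco wildcard matching and top-down ACL evaluation, then walks a packet hop by hop through the R0/R1 topology with access-list 1 applied either outbound on R0 f0/0 (the post's placement) or inbound on R1 f0/0 (closest to the source). PC3's address 192.168.2.101 and the interfaces R0 f0/0 and R1 f0/0 come from the post; the other host addresses, the name g0/0 for the R0-R1 link interfaces, and PC4 sitting behind a hypothetical R0 f0/1 LAN are assumptions made for the simulation.

```python
"""Simulation of standard-ACL placement for the R0/R1 topology in the post.

Added example, not code from the original post or from Cisco. PC3
(192.168.2.101), R0 f0/0 and R1 f0/0 come from the post; every other
address and interface name below is an assumption for the simulation.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str     # "permit" or "deny"
    address: str    # e.g. "192.168.2.101"
    wildcard: str   # Cisco wildcard mask; 0.0.0.0 is the same as 'host'


# access-list 1 deny 192.168.2.101 0.0.0.0
# access-list 1 permit any        ('any' == 0.0.0.0 255.255.255.255)
ACL_1 = [
    Ace("deny", "192.168.2.101", "0.0.0.0"),
    Ace("permit", "0.0.0.0", "255.255.255.255"),
]


def wildcard_match(ip, address, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    ip_i = int(ipaddress.IPv4Address(ip))
    addr_i = int(ipaddress.IPv4Address(address))
    return (ip_i & care) == (addr_i & care)


def evaluate(acl, src_ip):
    """Entries are checked top to bottom; the first match decides.
    No match at all hits the implicit deny at the end of every ACL."""
    for ace in acl:
        if wildcard_match(src_ip, ace.address, ace.wildcard):
            return ace.action
    return "deny"


# Constructed hosts: which router and LAN interface each one sits behind.
PC1, PC2, PC3, PC4 = "192.168.1.10", "192.168.2.100", "192.168.2.101", "192.168.4.10"
HOSTS = {PC1: ("R0", "f0/0"), PC2: ("R1", "f0/0"), PC3: ("R1", "f0/0"), PC4: ("R0", "f0/1")}
WAN = {"R0": "g0/0", "R1": "g0/0"}   # assumed names of the 192.168.3.0/30 link interfaces


def path(src, dst):
    """Hops (router, interface, direction) a packet src->dst crosses."""
    r_src, if_src = HOSTS[src]
    r_dst, if_dst = HOSTS[dst]
    if (r_src, if_src) == (r_dst, if_dst):
        return []                      # same LAN: the router never sees it
    hops = [(r_src, if_src, "in")]
    if r_src != r_dst:
        hops += [(r_src, WAN[r_src], "out"), (r_dst, WAN[r_dst], "in")]
    hops.append((r_dst, if_dst, "out"))
    return hops


def forwarded(src, dst, placement, acl=ACL_1):
    """True if a packet src->dst survives acl applied at placement."""
    return not any(hop == placement and evaluate(acl, src) == "deny"
                   for hop in path(src, dst))


def ping_ok(src, dst, placement, acl=ACL_1):
    """ICMP echo only works if the request AND the reply are forwarded."""
    return forwarded(src, dst, placement, acl) and forwarded(dst, src, placement, acl)


if __name__ == "__main__":
    near_dst = ("R0", "f0/0", "out")   # the post's placement
    near_src = ("R1", "f0/0", "in")    # closest to the source instead
    for label, where in (("near destination", near_dst), ("near source", near_src)):
        print(f"{label}: PC3->PC1 {forwarded(PC3, PC1, where)}, "
              f"PC2->PC1 {forwarded(PC2, PC1, where)}, PC3->PC4 {forwarded(PC3, PC4, where)}")
    print("PC1 ping PC3 with ACL near destination:", ping_ok(PC1, PC3, near_dst))
```

Run it as a script: with the ACL outbound on R0 f0/0 only PC3->PC1 is dropped, while inbound on R1 f0/0 it also drops PC3->PC4. The last line shows the reply-path caveat: PC1's echo request reaches PC3, but PC3's reply is dropped on the way back, so PC1 cannot ping PC3 either. Reversing the two entries of ACL_1 makes evaluate() return "permit" for PC3, which is the ordering mistake to watch for.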
