Standard access-list example on Cisco Router

Let’s configure some access-lists so I can demonstrate to you how this is done on Cisco IOS routers. In this lesson we’ll cover the standard access-list. Here’s the topology:

(Topology diagram: standard access list example)

Two routers and each router has a loopback interface. I will use two static routes so that the routers can reach each other’s loopback interface:

R1(config)#ip route
R2(config)#ip route
If you choose to use a routing protocol to advertise networks, be careful that your access-list doesn’t block your RIP, EIGRP or OSPF traffic…

Now let’s start with a standard access-list! I’ll create something on R2 that only permits traffic from network /24:

R2(config)#access-list 1 permit

This single permit entry will be enough. Keep in mind that every access-list ends with an implicit “deny any”: it is not displayed, but it is there and drops everything that no earlier entry matched. Let’s apply this access-list inbound on R2:

R2(config)#interface fastEthernet 0/0
R2(config-if)#ip access-group 1 in

Use the ip access-group command to apply it to an interface. I applied it inbound with the in keyword.

R2#show ip interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
  Internet address is
  Broadcast address is
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is 1

You can verify that the access-list has been applied with the show ip interface command. Above you see that access-list 1 has been applied inbound.

Now let’s generate some traffic…


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

Our ping is successful; let’s check the access-list:

R2#show access-lists 
Standard IP access list 1
    10 permit, wildcard bits (27 matches)

As you can see, the access-list shows the number of matches per statement. This is a quick way to verify that traffic is actually hitting the entry you expect. Let me show you something useful when you are playing with access-lists:

R1#ping source loopback 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Packet sent with a source address of 
Success rate is 0 percent (0/5)

When you send a ping, you can use the source keyword to select the source interface. The source IP address of these packets is now that of loopback 0, and you can see that the pings fail because the access-list drops them.

R2#show access-lists 
Standard IP access list 1
    10 permit, wildcard bits (27 matches)

You won’t see these drops with the show access-lists command: the implicit “deny any” is what drops them, and it has no entry and no match counter in the output.
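To make the evaluation rules above concrete (first match wins, wildcard bits, and the invisible implicit deny that keeps no counter), here is an added Python model of a standard ACL. It is not the lesson’s code; the addresses in demo() are constructed, since the page does not reproduce the topology’s addresses.

```python
import ipaddress

def addr(s):  # dotted-quad string -> 32-bit integer
    return int(ipaddress.IPv4Address(s))

class Entry:
    def __init__(self, seq, action, network, wildcard):
        self.seq, self.action, self.matches = seq, action, 0
        self.network, self.wildcard = addr(network), addr(wildcard)

class StandardACL:
    def __init__(self, number):
        self.number, self.entries, self.implicit_denies = number, [], 0

    def add(self, action, network, wildcard="0.0.0.0"):
        if network == "any":  # 'any' is shorthand for 0.0.0.0 255.255.255.255
            network, wildcard = "0.0.0.0", "255.255.255.255"
        seq = 10 * (len(self.entries) + 1)  # IOS auto-numbers entries 10, 20, 30 ...
        self.entries.append(Entry(seq, action, network, wildcard))

    def check(self, src_ip):
        """First matching entry wins; no match falls through to the implicit deny any."""
        src = addr(src_ip)
        for e in self.entries:
            care = ~e.wildcard & 0xFFFFFFFF  # wildcard bit 1 = don't care, 0 = must match
            if (src & care) == (e.network & care):
                e.matches += 1
                return e.action == "permit"
        self.implicit_denies += 1  # dropped, but never counted in 'show access-lists'
        return False

    def show(self):
        """Mimic 'show access-lists': only explicit entries and their counters appear."""
        lines = [f"Standard IP access list {self.number}"]
        for e in self.entries:
            net, wc = str(ipaddress.IPv4Address(e.network)), str(ipaddress.IPv4Address(e.wildcard))
            text = "any" if wc == "255.255.255.255" else net if wc == "0.0.0.0" else f"{net}, wildcard bits {wc}"
            hits = f" ({e.matches} matches)" if e.matches else ""
            lines.append(f"    {e.seq} {e.action} {text}{hits}")
        return "\n".join(lines)

def demo():
    acl1 = StandardACL(1)  # like the lesson's permit-only ACL 1; all addresses below are constructed
    acl1.add("permit", "192.168.12.0", "0.0.0.255")
    results = [acl1.check(ip) for ip in ["192.168.12.1"] * 5 + ["1.1.1.1"] * 5]  # LAN, then loopback source
    acl5 = StandardACL(5)  # deny one network, permit everything else (entry order matters)
    acl5.add("deny", "192.168.12.0", "0.0.0.255")
    acl5.add("permit", "any")
    return acl1, acl5, results
```

Calling demo() and printing acl1.show() reproduces the lesson’s observation: the five loopback-sourced pings are dropped, yet the only counter that appears is the one on the permit entry.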

What if I want something different? Let’s say I want to deny traffic from network /24 but permit all other networks. I can do something like this:


Forum Replies

  1. Good work. I have a question.
    I am using Packet Tracer 6.0.1.
    I have a network with 2 routers and 2 PCs, one on each router. They are on three different networks: 15.x.x.x, 17.x.x.x, and 20.x.x.x. PC1 is on the 15.x.x.x network, and PC2 is on the 17.x.x.x network. They can ping each other before I put in the access-list. (I’m using RIP.)
    Then I put in the access list on Router 2

    access-list 5 deny
    access-list 5 permit any
    interface FastEthernet0/1
    ip access-group 5 in

    When I ping PC2 from PC1 I get "Reply from Destination ho


  2. Locally generated traffic will never be checked by outbound access-lists on your interfaces.

    You might be able to filter some outbound locally originated traffic with CoPP policing. I haven’t tested this but feel free to try it.

    R1(config)#control-plane
    R1(config-cp)#service-policy output MY_POLICY_MAP

    Or maybe with some crazy tricks where you redirect traffic like I did in my NAT on a stick example:

  3. Hello Heng

    So, if you create an access list deny and apply it inbound on Fa0/1, any traffic coming INTO Fa0/1 that has a source IP address of 10.10.10.X would be dropped.

    Now, if you have traffic with a source IP address of 10.10.10.X coming into interface Fa0/2 and it is being routed OUT of Fa0/1, then the traffic will NOT be dropped.

    Access lists that are applied to an interface function only in ONE DIRECTION. If you want them to function in both directions, you must apply both an inbound and an outbound access list.

    I hope this has been helpful!


  4. Hello Scott! Thanks for answering! What do you mean by “the right image”? Are there images on switches that cannot analyze the access list before the switching process?

  5. I try to answer as many questions as I can to expand my knowledge, and to help others, and maybe one day they can return the favor when I need help. Anywho, there are different images that can be used on a switch, for example LAN Lite and LAN Base. The differences between the two are their features. For example, LAN Lite can do ACLs but only for virtual interfaces, not physical ones. Below is a link to a Cisco article explaining ACLs on a switch and what features the different images support.
