Creating Standard Access Control Lists (ACLs)

By Edward Tetz

Access Control Lists are used to manage network security and can be created in a variety of ways. Standard ACLs have fewer options for classifying data and controlling traffic flow than extended ACLs.

Standard ACLs are easier and simpler to use than extended ACLs. However, with that simplicity you lose some functionality, such as managing access based on Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports. Standard ACLs are numbered from 1–99 and from 1300–1999 (the expanded range). They permit or deny access based only on the source IP address.

Wildcard masks

When you create a standard ACL or an extended ACL, you use a wildcard mask to identify the devices or addresses that will be affected by the ACL.

In a subnet mask, the ones and zeros are separated, with the ones on the left of the number and the zeros on the right. A subnet mask is concerned with the network that devices are on and less concerned with the actual hosts on that network.

Therefore, the focus of the number is where the ones are, not where the zeros are. The wildcard mask is the reverse: it is used when you are dealing with the access of hosts to a resource, so the focus is on the hosts rather than the networks, and the bits are reversed accordingly. A zero bit in a wildcard mask means the corresponding bit of the address must match the entry exactly; a one bit means that bit is ignored.

Therefore, the wildcard mask still has zeros and ones separated, but now the ones are on the right and the zeros are on the left.

With that said, for a Class C network block such as 192.168.5.0/24, where the subnet mask is 255.255.255.0, the wildcard mask would be 0.0.0.255 (which still focuses on the network address and covers all the hosts found on that network block).

The table below shows a breakdown of comparable subnet masks and wildcard masks. Although you use CIDR notation to simplify writing subnet masks (with 255.0.0.0 becoming /8), this notation does not apply to wildcard masks.

Wildcard Masks by the Bit

CIDR Notation   Subnet Mask         Wildcard Mask
/8              255.0.0.0           0.255.255.255
/9              255.128.0.0         0.127.255.255
/10             255.192.0.0         0.63.255.255
/11             255.224.0.0         0.31.255.255
/12             255.240.0.0         0.15.255.255
/13             255.248.0.0         0.7.255.255
/14             255.252.0.0         0.3.255.255
/15             255.254.0.0         0.1.255.255
/16             255.255.0.0         0.0.255.255
/17             255.255.128.0       0.0.127.255
/18             255.255.192.0       0.0.63.255
/19             255.255.224.0       0.0.31.255
/20             255.255.240.0       0.0.15.255
/21             255.255.248.0       0.0.7.255
/22             255.255.252.0       0.0.3.255
/23             255.255.254.0       0.0.1.255
/24             255.255.255.0       0.0.0.255
/25             255.255.255.128     0.0.0.127
/26             255.255.255.192     0.0.0.63
/27             255.255.255.224     0.0.0.31
/28             255.255.255.240     0.0.0.15
/29             255.255.255.248     0.0.0.7
/30             255.255.255.252     0.0.0.3
/31             255.255.255.254     0.0.0.1
/32             255.255.255.255     0.0.0.0

Access Control Entries

The Access Control List is made up of a series of entries. Each ACL is identified by a number, and every entry in the same list carries that same number. By default, when you add entries to the list, the new entries are appended at the bottom. The only exception is the implicit entry at the bottom of every list, which is a deny any. Each Access Control Entry (ACE) has the following structure in your configuration:

access-list <number> <access> <source network or host ID> <wildcard mask>

If you create a single-entry ACL permitting all hosts on the Class C network 192.168.8.0, then the complete ACL would be:

access-list 10 permit 192.168.8.0 0.0.0.255
access-list 10 deny any
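The following Python script is an added example, not part of the original article or of Cisco IOS. It reproduces the wildcard-mask table above by inverting the subnet mask, parses standard ACEs in the `access-list <number> <permit|deny> <source> <wildcard>` form shown on this page (plus the IOS `any` and `host` shorthands), and evaluates a source address against an ordered list the way a router does: first match wins, and an address that matches nothing falls through to the implicit deny. The sample ACL and addresses are constructed for the demonstration; the extra host-level deny placed above the network permit is there to show that entry order matters.

```python
import ipaddress
from typing import List, Tuple


def subnet_mask_from_prefix(prefix_len: int) -> str:
    """Dotted subnet mask for /prefix_len: ones on the left, zeros on the right."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for /prefix_len: the bitwise inverse of the subnet mask."""
    mask = int(ipaddress.IPv4Address(subnet_mask_from_prefix(prefix_len)))
    return str(ipaddress.IPv4Address(~mask & 0xFFFFFFFF))


def ace_matches(source: str, wildcard: str, address: str) -> bool:
    """A zero bit in the wildcard must match the entry exactly; a one bit is ignored.

    This is plain bitwise arithmetic, so it also handles non-contiguous wildcards,
    which the table on this page does not cover.
    """
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    src = int(ipaddress.IPv4Address(source))
    addr = int(ipaddress.IPv4Address(address))
    return (src & care) == (addr & care)


def parse_ace(line: str) -> Tuple[int, str, str, str]:
    """Parse one standard ACE: access-list <number> permit|deny <source> [<wildcard>]."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACE: {line!r}")
    number = int(parts[1])
    if not (1 <= number <= 99 or 1300 <= number <= 1999):
        raise ValueError(f"{number} is outside the standard ACL ranges 1-99 and 1300-1999")
    action = parts[2]
    if parts[3] == "any":                       # 'any' is shorthand for 0.0.0.0 255.255.255.255
        source, wildcard = "0.0.0.0", "255.255.255.255"
    elif parts[3] == "host" and len(parts) > 4: # 'host X' is shorthand for X 0.0.0.0
        source, wildcard = parts[4], "0.0.0.0"
    else:
        source = parts[3]
        # IOS treats a bare address with no wildcard as a single host (wildcard 0.0.0.0).
        wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
    return number, action, source, wildcard


def evaluate(acl: List[str], address: str) -> str:
    """Walk the list top to bottom; the first matching entry decides.

    If nothing matches, the implicit 'deny any' at the bottom of every list applies.
    """
    for line in acl:
        _, action, source, wildcard = parse_ace(line)
        if ace_matches(source, wildcard, address):
            return action
    return "deny"


# Constructed sample: the page's ACL 50 with one extra host-level deny placed
# above the network permit, so that one host is blocked while its network is allowed.
CONSTRUCTED_ACL_50 = [
    "access-list 50 deny host 192.168.8.77",
    "access-list 50 permit 192.168.8.0 0.0.0.255",
    "access-list 50 permit 192.168.9.0 0.0.0.255",
]

if __name__ == "__main__":
    for p in (8, 9, 24, 25, 32):
        print(f"/{p:<3} {subnet_mask_from_prefix(p):<16} {wildcard_from_prefix(p)}")
    # Constructed test addresses: one blocked host, two permitted hosts, one that
    # matches no entry and so hits the implicit deny.
    for a in ("192.168.8.77", "192.168.8.10", "192.168.9.200", "192.168.10.1"):
        print(f"{a:<14} -> {evaluate(CONSTRUCTED_ACL_50, a)}")
```

Because the router stops at the first match, moving the host deny below the network permit would silently make it unreachable; checking candidate lists with an evaluator like this before applying them is a cheap way to catch that kind of ordering mistake.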

In the previous ACL, however, the last line is implicit and would not actually appear in the configuration. If you used the show command to view this ACL, you would actually see:

Switch1>enable
Password:
Switch1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch1(config)#access-list 50 permit 192.168.8.0 0.0.0.255
Switch1(config)#end
Switch1#show access-list 50
Standard IP access list 50
    permit 192.168.8.0, wildcard bits 0.0.0.255

So what happens if you want to add another entry to your list? You use the same command. The following session shows how to add the 192.168.9.0/24 block to the ACL with a permit entry:

Switch1>enable
Password:
Switch1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch1(config)#access-list 50 permit 192.168.9.0 0.0.0.255
Switch1(config)#end
Switch1#show access-list 50
Standard IP access list 50
    permit 192.168.8.0, wildcard bits 0.0.0.255
    permit 192.168.9.0, wildcard bits 0.0.