CCNA · ACLs

Standard ACLs: Control Traffic By Source IP

This topic turns access control from theory into proof. You will understand what a standard ACL checks, where to place it, how to configure it, how to break it, how to fix it, and how to explain it in an interview.

# Where To Study From

| Source | What to study |
|---|---|
| CCNA Volume 2 study path | Module 1: Transport, Applications and ACL Thinking. Focus on standard IPv4 ACLs, wildcard masks, placement, direction, permit/deny logic and implicit deny. |
| CCNA syllabus page | Security Fundamentals: configure and verify standard and extended ACLs. |
| Lab source | Packet Tracer or GNS3 with two LANs, one router, one server and two PCs. |

Study target: do not only memorize syntax. Your goal is to prove why standard ACLs are placed close to the destination.

# Simple Explanation

What is a Standard ACL?

  • A standard ACL filters traffic using the source IP address only.
  • It cannot check destination IP, port number, or application.

Why it matters

  • It lets you block or allow users based on where traffic comes from.
  • It is simple, but dangerous if placed in the wrong location.

Placement rule

  • Place standard ACLs close to the destination.
  • Reason: they match only on source address, so an ACL placed near the source blocks that host from reaching every destination beyond the interface, not just the one you meant to protect.

Hidden rule

  • Every ACL ends with an invisible deny any.
  • If you do not permit traffic, it is denied by default.

# Diagram To Draw

Draw this before configuring. If you cannot draw the traffic path, the CLI becomes a cave with angry bats.

PC-A: 192.168.10.10/24        Server: 192.168.30.10/24
        │                              │
LAN 10 ─┴─ R1 ───────────────── LAN 30 ┴─ Server Network
        │
PC-B: 192.168.20.10/24

Goal:
- Block PC-A from reaching the server.
- Allow PC-B to reach the server.
- Place the standard ACL near LAN 30, close to the destination.

# Commands To Learn

```
access-list 10 deny host 192.168.10.10
access-list 10 permit any
interface g0/2
 ip access-group 10 out
```

Verify with:

```
show access-lists
show ip interface g0/2
ping 192.168.30.10
traceroute 192.168.30.10
```

Do not paste blindly: interface names and IP addresses must match your topology.
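To make the placement rule and the hidden deny concrete, here is an added Python simulation (not part of the course page or of Cisco IOS) that parses the two access-list lines above, evaluates them with IOS wildcard semantics, and pushes the lab's three hosts through R1 with the ACL applied either outbound on g0/2 or inbound on the LAN 10 interface. The interface names g0/0 (LAN 10) and g0/1 (LAN 20) are assumptions; only g0/2 comes from the commands.

```python
import ipaddress

# Constructed from the lab diagram; R1 interface names are an assumption
# (g0/2 faces LAN 30 as in the commands, g0/0 and g0/1 assumed for LAN 10 / LAN 20).
PC_A, PC_B, SERVER = "192.168.10.10", "192.168.20.10", "192.168.30.10"
ROUTES = {"192.168.10.0/24": "g0/0", "192.168.20.0/24": "g0/1", "192.168.30.0/24": "g0/2"}

def wildcard_match(addr, network, wildcard):
    # IOS wildcard semantics: a 0 bit must match exactly, a 1 bit is ignored.
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def parse_ace(line):
    # One standard entry: 'deny host A', 'permit any' or 'permit NET WILDCARD'.
    action, *rest = line.split()[2:]
    if rest[0] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if rest[0] == "host":
        return action, rest[1], "0.0.0.0"
    return action, rest[0], (rest[1] if len(rest) > 1 else "0.0.0.0")

def evaluate(acl, src):
    # Top-down, first match wins; the hidden 'deny any' is the fallthrough.
    for action, net, wildcard in acl:
        if wildcard_match(src, net, wildcard):
            return action
    return "deny"

def iface_for(addr):
    # The R1 interface a host sits behind (arrival for a source, egress for a destination).
    for prefix, iface in ROUTES.items():
        if ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(prefix):
            return iface
    raise ValueError(f"no route for {addr}")

def forward(src, dst, applied):
    # applied maps (interface, direction) -> ACL; inbound is checked on arrival,
    # outbound on exit, exactly like 'ip access-group N in|out'.
    for key in ((iface_for(src), "in"), (iface_for(dst), "out")):
        acl = applied.get(key)
        if acl is not None and evaluate(acl, src) == "deny":
            return "deny"
    return "permit"

ACL_10 = [parse_ace(l) for l in ("access-list 10 deny host 192.168.10.10",
                                  "access-list 10 permit any")]
CORRECT = {("g0/2", "out"): ACL_10}  # close to the destination (Sessions 02 and 04)
WRONG = {("g0/0", "in"): ACL_10}     # close to the source (Session 03)
```

With CORRECT, only PC-A to the server is denied; with WRONG, PC-A also loses PC-B and everything else behind R1, which is the over-blocking symptom Session 03 asks you to document.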

# Lab Sessions

SESSION 01 — Build The Topology

Create two user LANs and one server LAN. Configure IP addresses and routing. Prove all devices can ping before adding the ACL.

Tags: Packet Tracer · Baseline connectivity

SESSION 02 — Apply Standard ACL

Deny PC-A source IP and permit all others. Apply the ACL outbound on the interface closest to the server network.

Tags: Cisco IOS · Traffic filtering

SESSION 03 — Break It On Purpose

Apply the ACL on the wrong interface or wrong direction. Observe how the wrong traffic gets blocked. Document the symptom.

Tags: Troubleshooting · Mistake journal

SESSION 04 — Fix And Verify

Move the ACL to the correct place. Verify with ping, show access-lists counters and show ip interface.

Tags: Verification · Proof

# Practice Questions

| Question | Expected answer |
|---|---|
| What does a standard ACL match? | Source IP address only. |
| Where should a standard ACL usually be placed? | Close to the destination. |
| Why not place it close to the source? | It may block that source from reaching other destinations because it cannot check destination or port. |
| What happens if no ACL line matches? | The implicit deny blocks the traffic. |
| Which command shows ACL hit counters? | show access-lists. |

# Proof And Notes

Complete this proof card before marking the topic as lab done or interview-ready.

Proof — Standard ACL lab

Upload proof that you built, broke, fixed and verified a standard ACL.


# GitHub Proof Checklist

| File | Where to save it |
|---|---|
| Packet Tracer file | labs/ccna/acl-standard/acl-standard.pkt |
| Topology screenshot | labs/ccna/acl-standard/topology.png |
| Running config | labs/ccna/acl-standard/r1-running-config.txt |
| Exported note | notes/ccna/acl-standard.md |
| Mistake note | mistakes/ccna/acl-wrong-direction.md |

# Interview Answer

Answer: A standard ACL filters traffic based only on source IP address. Because it cannot check destination or application port, I usually place it close to the destination so I do not accidentally block the source from reaching other networks. I verify it using ping tests, show access-lists counters, and show ip interface to confirm where the ACL is applied.