How to Configure a Standard ACL on Cisco (with Examples)
A standard ACL is the simplest access list on Cisco IOS: it filters purely on the SOURCE IP address and nothing else — not the destination, not the protocol, not the port. That simplicity is the whole appeal, and also the one gotcha you have to design around. Because a standard ACL can't see where a packet is headed, you place it as close to the DESTINATION as possible, so it only filters traffic bound for the thing you're actually protecting. Here's the full flow on Cisco IOS — write the list, apply it in the right place, switch to a named ACL when you need to edit or deny-then-permit, and account for the invisible deny any that ends every list.
Part of the Access Control Lists (ACLs) learning hub
Step 1 — Write a numbered standard ACL
Numbered standard ACLs live in the ranges 1-99 (and 1300-1999 if you run out of the first block). Each line is a permit or deny matched against the packet's source address, followed by a wildcard mask — the inverse of a subnet mask — that says which bits to check. 0.0.0.255 matches a whole /24; 0.0.0.0 matches one exact host. Here we permit the HR subnet, 192.168.10.0/24, and nothing else.
Two shortcuts save you the wildcard math: 'host 192.168.10.5' is identical to '192.168.10.5 0.0.0.0' (one address), and 'any' is identical to '0.0.0.0 255.255.255.255' (every address). The router reads the list top-down and stops at the first match, so order your lines from most specific to most general.
R1(config)# access-list 10 remark Permit HR subnet only
R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255Step 2 — Apply it close to the destination
This is the rule that sets standard ACLs apart from extended ones. Because a standard ACL matches only the source, applying it near the source would block that source from reaching everything, not just the one place you care about. Put it on the interface closest to the destination instead — here, the interface R1 uses to reach the protected server subnet — and apply it outbound so it filters traffic on its way out to that segment.
One ACL applies per interface, per direction. With ACL 10 permitting only the HR subnet, everything else — including any Guest traffic — is dropped on its way to the server, which is exactly the whitelist behavior we want here.
Verify right away: 'show access-lists 10' prints each line with a hit counter so you can watch the right traffic match, and 'show ip interface' confirms the ACL is bound in the direction you intended.
R1(config)# interface gigabitethernet0/1
R1(config-if)# ip access-group 10 out
R1(config-if)# end
R1# show access-lists 10
R1# show ip interface gigabitethernet0/1Step 3 — Use a named ACL to deny, then permit
When the policy is a blacklist — block one subnet, allow everyone else — a named standard ACL reads better and is far easier to change later. 'ip access-list standard <name>' drops you into a sub-mode where each line gets an automatic sequence number, so you can insert or remove a single entry by number instead of rebuilding the whole list the way a classic numbered ACL forces you to.
Here we deny the Guest subnet and then explicitly permit everyone else. That trailing 'permit any' is not optional padding — it's load-bearing, for the reason we cover in Step 4.
R1(config)# ip access-list standard BLOCK-GUEST
R1(config-std-nacl)# deny 192.168.20.0 0.0.0.255
R1(config-std-nacl)# permit anyStep 4 — Account for the implicit deny any
Every ACL you write — standard or extended, numbered or named — ends with an invisible 'deny any' that never appears in the configuration. You won't see it in 'show run' or 'show access-lists', but it's always there as the final line, and it's why an ACL can never 'fall through' to permit: anything that matches no explicit line is dropped.
That implicit deny cuts both ways. In Step 1's HR list it's doing exactly what we want: after 'permit 192.168.10.0 0.0.0.255', the invisible 'deny any' silently drops every other source, so only HR reaches the server. But flip the goal to Step 3's — block just the Guest subnet and leave everyone else alone — and that same invisible deny becomes a trap: a list containing only 'deny 192.168.20.0 0.0.0.255' would drop all traffic that wasn't the Guest subnet right along with it, including hosts you never meant to filter. That's why Step 3 finished with 'permit any' — without it, denying Guest would silently deny the entire network.
Standard ACLs also make a clean tool for restricting remote management: apply one to the VTY lines with 'access-class <acl> in' instead of 'ip access-group', so only your admin subnet can open a Telnet or SSH session to the device. Notice in the output below that neither list shows the implicit deny — it's enforced but never printed.
R1# show access-lists
Standard IP access list 10
10 permit 192.168.10.0, wildcard bits 0.0.0.255
Standard IP access list BLOCK-GUEST
10 deny 192.168.20.0, wildcard bits 0.0.0.255
20 permit anyCommon mistakes (and the fix)
Placing the ACL near the source. A standard ACL only knows the source address, so applied near the source it blocks that host from reaching every destination, not just the one you meant to protect. Move it to the interface closest to the destination and apply it there.
An all-deny list that blocks everything. Because of the implicit 'deny any', a standard ACL that contains only deny statements permits nothing at all — the denies match their targets and the invisible deny catches everyone else. If you mean 'block these, allow the rest,' you must end with an explicit 'permit any'.
Using a subnet mask where a wildcard mask belongs. IOS reads the second value as a wildcard (inverse) mask, so typing 255.255.255.0 instead of 0.0.0.255 matches the wrong bits entirely. Wildcard equals the inverse of the subnet mask — a /24 is 0.0.0.255.
Order that shadows a line. The router stops at the first match, so a broad 'permit any' placed above a specific 'deny' means the deny never runs. List specific entries first, general ones last.
Applying it in the wrong direction. 'ip access-group ... in' versus 'out' matters — use 'show ip interface' to confirm the ACL is bound in the direction the traffic actually flows relative to that interface.
Trying to edit a classic numbered ACL in place. 'no access-list 10' removes the entire ACL at once, not a single line. Reach for a named standard ACL (or sequence numbers) whenever a list will change over time, so you can add or delete one entry without disturbing the rest. Building and grading this against a known-good answer key on real IOS is the fastest way to catch a wildcard or placement slip before it costs you on the exam.
Frequently asked questions
Standard vs. extended ACL — when should I use each?
A standard ACL matches only the source IP address, so you place it close to the destination to avoid dropping traffic you didn't intend to filter. An extended ACL matches source and destination addresses plus protocol and port, so you place it close to the source to discard unwanted traffic early. Reach for a standard ACL when the rule is simply "who is allowed to reach this resource," and an extended ACL when you need to control specific services or destinations.
What number ranges identify a standard ACL?
Numbered standard ACLs use 1–99, with the expanded range 1300–1999 on modern IOS; extended ACLs use 100–199 and 2000–2699. The number you pick is what tells IOS which type of list it is, so you can't put an extended-style rule in a 1–99 list. Named ACLs avoid the ranges entirely and are usually preferred because you can edit individual lines by sequence number.
How does the wildcard mask work in a standard ACL?
A wildcard mask is bit-inverted from a subnet mask: a 0 bit means "this bit must match exactly" and a 1 bit means "ignore this bit." So 0.0.0.0 matches a single host (the keyword "host" is shorthand for it) and 255.255.255.255 matches everything (the keyword "any"). A whole /24 network is written with wildcard 0.0.0.255.
Do I apply a standard ACL inbound or outbound?
You set the direction with ip access-group {number|name} in|out on the interface, and because a standard ACL belongs near the destination it is often applied outbound on the interface facing the protected network. Direction is relative to the router: "in" filters packets entering the interface and "out" filters packets leaving it. Only one IP ACL can be bound per interface per direction.
Why does traffic still get blocked (or allowed) after I edit my ACL?
IOS reads an ACL top-down and stops at the first match, so a broad deny placed above a more specific permit wins and the later line never runs. Combined with the implicit deny any at the end, leaving out an explicit permit drops everything you didn't match. Run show access-lists to read the per-line match counters and confirm which line your traffic is actually hitting.
Practice this on graded Cisco labs
Reading is step one — build Access Control Lists (ACLs) on real Cisco IOS and grade your own config, or try a free sample lab first.