There are two types of Access Control Lists on which the CCENT focuses on: standard and extended access control lists. Even though the syntax differs quite a bit between the two, the basic configuration steps to apply them are the same: create the ACL and apply it to the relevant interfaces.

Standard Access Control Lists

From global configuration mode:

access-list  < deny | permit | remark > < any | $ip_address $wildcard | $host $ip_address >

$wildcard is simply the flipped netmask in binary. The concept is similar to what you would use in the OSPF network command: every time the router sees a 0, this tells it to actually check the value of that octet.

If you want to use a named access list instead:

ip access-list standard $acl_name

Named access lists also allow you to specify the sequence number of each ACL entry.

Now apply the access list to the correct interface from interface configuration mode:

ip access-group $acl_name_or_number < in | out >

To check if it has been correctly applied, run

show ip access-lists

Extended Access Control Lists

The high-level structure of an extended ACL looks like this: action protocol source destination. The source and destination parts follow the same syntax used in standard access lists.

From global configuration mode:

access-list  < deny | dynamic | permit | remark > $protocol < any | $ip_address $wildcard | $host $ip_address > < any | $ip_address $wildcard | $host $ip_address >

Applying the extended access lists to an interface uses the same ip access-group command used to apply standard access lists.

Also, should you want to create a named access list instead, use the same command used for standard access lists, but specifying extended instead:

ip access-list extended $acl_name