Lesson 4 of 5

ACL Placement

Lab Objectives

  • Understand where to place a Standard ACL in a routed topology and why placement matters.
  • Configure a numbered standard IPv4 ACL and apply it to an interface.
  • Verify ACL behavior with show commands and interpret hit counters to confirm correct placement.

Topology (base lab topology — exact IPs on every interface)

                [Internet]
               203.0.113.1
                    |
               R1 (Gateway)
              Gi0/0: 10.10.10.1
              Gi0/1: 10.10.20.1
              Gi0/2: 10.10.30.1
              /     |     \
           R2      R3      R4

  Lower tier (recovered from the flattened diagram; addresses cross-checked against the IP scheme below):
    R2 Gi0/0: 10.10.10.2   (link to R1 Gi0/0)
    Gi0/1: 10.10.40.1      (address on the 10.10.40.0/24 R2-S1 link)
    R4 Gi0/0: 10.10.30.2   (link to R1 Gi0/2)
    R3's address on the 10.10.20.0/24 link is not shown in the diagram.
    S1, S2, S3 are the access switches below the routers; PC1 through PC5 are the hosts behind them.

IP scheme (networks referenced in exercises)

  • 10.10.10.0/24 — R1-R2 link
  • 10.10.20.0/24 — R1-R3 link
  • 10.10.30.0/24 — R1-R4 link
  • 10.10.40.0/24 — R2-S1 link
  • 192.168.1.0/24 — VLAN 10 (Sales)
  • 192.168.2.0/24 — VLAN 20 (Engineering)
  • 192.168.3.0/24 — VLAN 30 (Management)
  • 203.0.113.0/24 — Public/Internet simulation

Tip: Think of a Standard ACL as a filter that looks only at the source address of a packet — like a bouncer checking the ID of a person entering a building but never asking where they’re going. This limitation drives the placement recommendation.


Lab Tasks (Try It Yourself First!)

Complete these tasks WITHOUT looking at the solution below. Use ? and show commands to figure it out.

Task 1: Create & Apply Standard ACL at the destination

Create a numbered standard ACL (ACL 10) that permits the Sales network (192.168.1.0/24); because every standard ACL ends with an implicit deny, the other internal VLANs are denied without any further entries. Apply the ACL on R1's Internet-facing interface (the lab refers to it as Gi0/0) in the outbound direction, so it filters traffic leaving the internal network toward the Internet. Note that the topology table also lists Gi0/0 as R1's 10.10.10.0/24 link to R2; confirm which interface actually carries the 203.0.113.0/24 uplink on your devices with show ip interface brief before applying the ACL.

Task 2: Misplace the same ACL near source (do NOT leave it this way)

Apply the same ACL on R2's interface connected to R1 (Gi0/0) in the inbound direction. An inbound ACL is evaluated on every packet arriving on that interface from R1, whatever its destination behind R2. Observe the difference in effect compared to Task 1.

Task 3: Verify counters & effect of placement

Use show access-lists and show running-config interface (or show ip interface, which reports the inbound and outgoing access list bound to an interface) to inspect ACL match counters and to confirm which interface has the ACL applied and in which direction. Explain why the match counters show where traffic is actually being filtered.

Think About It: If a Standard ACL only checks source addresses, why do network designers recommend putting it close to the destination rather than the source? Consider what happens when traffic from multiple sources is destined to multiple destinations.


Lab Solution

Task 1 Solution: Create & Apply Standard ACL at the destination

What we are doing: We create a numbered standard ACL that permits the Sales subnet (192.168.1.0/24) and relies on the implicit deny for everything else, then apply it outbound on R1's Internet-facing interface (Gi0/0 in this lab) so the ACL filters internal-to-Internet traffic as it leaves the network. This is "close to the destination" (the Internet): the only traffic crossing that interface outbound is traffic headed there, so nothing else is affected.

R1# configure terminal
R1(config)# access-list 10 permit 192.168.1.0 0.0.0.255
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip access-group 10 out
R1(config-if)# end
  • access-list 10 permit 192.168.1.0 0.0.0.255 — Creates numbered standard ACL 10 permitting source addresses in 192.168.1.0/24 (0.0.0.255 is a wildcard mask: 1 bits are ignored in the comparison). Standard ACLs match only the source IP. Packets matching no entry hit the implicit deny at the end of the list, which IOS neither displays nor counts; add an explicit deny any as the last entry if you want the blocked traffic to show up in the counters.
  • interface GigabitEthernet0/0 — Enters configuration for the interface connected toward the Internet.
  • ip access-group 10 out — Applies ACL 10 to traffic going out of Gi0/0 (toward 203.0.113.1). Placing the ACL here means packets heading to the Internet are checked at the network edge, close to the destination. Only one IP ACL can be bound per interface per direction; a later ip access-group ... out on the same interface replaces the earlier one.

Verify:

R1# show running-config interface GigabitEthernet0/0
interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip access-group 10 out
 duplex auto
 speed auto
R1# show access-lists
Standard IP access list 10
    10 permit 192.168.1.0, wildcard bits 0.0.0.255
  • The show running-config interface output confirms the ACL is applied to Gi0/0 outbound. show ip interface GigabitEthernet0/0 reports the same binding as "Outgoing access list is 10".
  • show access-lists displays the ACL entries and their match counters. IOS appends "(N matches)" to an entry only once it has matched traffic, so a freshly created entry shows no counter at all; after traffic flows, the count on the permit line should climb.

Real-world context: In production, a standard ACL applied outbound at the Internet edge limits which internal sources may use the Internet without touching intra-site traffic, which never crosses that interface. Two caveats: an outbound ACL does not filter packets the router itself originates, and it says nothing about return traffic arriving from the Internet, which needs an inbound ACL (or stateful inspection) of its own.


Task 2 Solution: Misplaced ACL near source on R2

What we are doing: We intentionally apply a standard ACL with a deny for Sales on R2's Gi0/0 in the inbound direction, so R2 evaluates it on every packet arriving from R1 before forwarding it on. This demonstrates how a standard ACL on an internal transit interface blocks traffic to every destination behind that interface, because it decides on the source address alone.

R2# configure terminal
R2(config)# access-list 10 deny 192.168.1.0 0.0.0.255
R2(config)# access-list 10 permit any
R2(config)# interface GigabitEthernet0/0
R2(config-if)# ip access-group 10 in
R2(config-if)# end
  • access-list 10 deny 192.168.1.0 0.0.0.255 — On R2 we create ACL 10 with a deny for Sales (an example misconfiguration chosen to make the effect visible). ACL numbers are local to each router: ACL 10 on R2 is a separate list from ACL 10 on R1, and R1's list is untouched.
  • access-list 10 permit any — Ensures all other sources are permitted. Entries are evaluated top-down and the first match wins, so the deny must precede the permit any.
  • interface GigabitEthernet0/0 & ip access-group 10 in — Apply ACL 10 inbound on the R2-to-R1 link. Because the ACL inspects only the source address as packets enter R2, it drops every Sales-sourced packet arriving from R1, regardless of which host behind R2 it was addressed to.

Why this matters: A standard ACL placed on an internal transit interface affects every flow crossing that interface, not just the one you meant to block. Because it checks only the source IP, a deny for 192.168.1.0/24 here drops Sales traffic to every destination behind R2 (the Management hosts in the troubleshooting scenario below, for example), while leaving unaffected any Sales traffic that never enters R2 on that interface.

Verify:

R2# show running-config interface GigabitEthernet0/0
interface GigabitEthernet0/0
 ip address 10.10.10.2 255.255.255.0
 ip access-group 10 in
 duplex auto
 speed auto
R2# show access-lists
Standard IP access list 10
    10 deny   192.168.1.0, wildcard bits 0.0.0.255 (12 matches)
    20 permit any (34 matches)
  • The match counters show that Sales-sourced packets are being matched and dropped on R2, an intermediate router, rather than at the Internet edge. Matches on a deny entry inside the network are the signature of an over-blocking, misplaced standard ACL.

Important note: The example on R2 intentionally used deny 192.168.1.0/24 to show the effect. In practice, avoid a deny for a broad source on an internal transit interface unless you truly intend to cut that source off from every destination beyond it.
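To make the difference between the Task 1 placement and the Task 2 misplacement concrete, here is an added Python model (not part of the lab and not Cisco code) that implements standard-ACL matching (wildcard mask, top-down first match, implicit deny) and walks each flow through the routers it crosses, checking the inbound ACL on the ingress interface and then the outbound ACL on the egress interface, as IOS does. The VLAN-to-router mapping and the interface labels to-R2, to-R3 and to-Internet are assumptions, because the topology above does not say which VLAN sits behind which router. It also goes slightly beyond the lab with a non-contiguous wildcard mask (NONCONTIGUOUS) to show that a wildcard is a bit mask, not a prefix length.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Ace:
    """One entry of a standard ACL: action plus source network and wildcard."""
    action: str                 # "permit" or "deny"
    network: str                # "any" or a dotted IPv4 address
    wildcard: str = "0.0.0.0"   # IOS wildcard (inverse) mask; 1 bits are ignored


def ace_matches(ace, src):
    """Standard-ACL test: compare only the source address, honouring the wildcard."""
    if ace.network == "any":
        return True
    care = ~int(IPv4Address(ace.wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(src)) & care == int(IPv4Address(ace.network)) & care


def evaluate(acl, src):
    """Top-down, first match wins; the implicit deny catches everything else."""
    for ace in acl:
        if ace_matches(ace, src):
            return ace.action
    return "deny"


def trace(path, src, bindings):
    """Push one packet along a list of (router, ingress_if, egress_if) hops.
    At each hop the inbound ACL on the ingress interface is checked first,
    then the outbound ACL on the egress interface.
    Returns 'forwarded' or the point where the packet was dropped."""
    for router, ingress, egress in path:
        for iface, direction in ((ingress, "in"), (egress, "out")):
            acl = bindings.get((router, iface, direction))
            if acl is not None and evaluate(acl, src) == "deny":
                return f"dropped at {router} {iface} {direction}"
    return "forwarded"


# The lab's two ACLs.
ACL_R1 = [Ace("permit", "192.168.1.0", "0.0.0.255")]                      # Task 1, R1 edge
ACL_R2 = [Ace("deny", "192.168.1.0", "0.0.0.255"), Ace("permit", "any")]  # Task 2, R2

# A wildcard is a bit mask: 0.0.254.255 matches only even third octets.
NONCONTIGUOUS = Ace("permit", "192.168.0.0", "0.0.254.255")

# ASSUMED topology detail (the lab does not say which VLAN sits behind which
# router): Sales and Engineering are behind R3, Management is behind R2/S1,
# and R1's uplink to 203.0.113.0/24 is labelled "to-Internet" here.
PATHS = {
    "Sales -> Internet":         ("192.168.1.10", [("R1", "to-R3", "to-Internet")]),
    "Engineering -> Internet":   ("192.168.2.10", [("R1", "to-R3", "to-Internet")]),
    "Sales -> Management":       ("192.168.1.10", [("R1", "to-R3", "to-R2"), ("R2", "Gi0/0", "Gi0/1")]),
    "Engineering -> Management": ("192.168.2.10", [("R1", "to-R3", "to-R2"), ("R2", "Gi0/0", "Gi0/1")]),
}

TASK1_BINDINGS = {("R1", "to-Internet", "out"): ACL_R1}
TASK2_BINDINGS = {**TASK1_BINDINGS, ("R2", "Gi0/0", "in"): ACL_R2}


def compare_placements():
    """Outcome of every flow under the Task 1 placement and the Task 2 misplacement."""
    return {name: (trace(path, src, TASK1_BINDINGS), trace(path, src, TASK2_BINDINGS))
            for name, (src, path) in PATHS.items()}


if __name__ == "__main__":
    for flow, (t1, t2) in compare_placements().items():
        print(f"{flow:28s} Task 1: {t1:32s} Task 2: {t2}")
```

Run it as a script to see the four outcomes side by side: under the Task 1 placement only Engineering -> Internet is dropped, while the Task 2 binding additionally drops Sales -> Management at R2 Gi0/0 in, which is exactly the symptom in the troubleshooting scenario later on this page. The model ignores return traffic and router-originated packets, neither of which an outbound ACL at the edge filters.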


Task 3 Solution: Inspect counters & correct placement

What we are doing: Use verification commands to compare where matches occur and fix placement if needed.

R1# show access-lists
Standard IP access list 10
    10 permit 192.168.1.0, wildcard bits 0.0.0.255 (47 matches)

R2# show access-lists
Standard IP access list 10
    10 deny   192.168.1.0, wildcard bits 0.0.0.255 (12 matches)
    20 permit any (34 matches)
  • show access-lists on each router reveals where packets are being matched. Matches on the deny entry at R2 mean packets are being dropped at R2; that is how you detect misplacement. Remember that the implicit deny is not counted, so an edge ACL with only permit entries never shows how much it blocks unless you add an explicit deny any.

If R2 has the misplaced deny and you want the correct behavior (allow Sales to the Internet, deny other VLANs), remove the ACL binding from R2 and make sure the permit-only ACL is bound on R1. Task 2 did not alter R1's ACL 10 (ACL numbers are per router), so the R1 steps below simply recreate it from scratch. Two cautions: no access-list 10 deletes every entry and resets its counters, and while the list does not exist an interface still referencing it permits all traffic, so on a production device do this in a maintenance window. The ACL 10 definition also remains in R2's running-config after the binding is removed; delete it there with no access-list 10 if you do not want it lingering.

R2# configure terminal
R2(config)# interface GigabitEthernet0/0
R2(config-if)# no ip access-group 10 in
R2(config-if)# end

R1# configure terminal
R1(config)# no access-list 10
R1(config)# access-list 10 permit 192.168.1.0 0.0.0.255
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip access-group 10 out
R1(config-if)# end

Verify final state:

R2# show running-config interface GigabitEthernet0/0
interface GigabitEthernet0/0
 ip address 10.10.10.2 255.255.255.0
 duplex auto
 speed auto

R1# show running-config interface GigabitEthernet0/0
interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip access-group 10 out
 duplex auto
 speed auto

R1# show access-lists
Standard IP access list 10
    10 permit 192.168.1.0, wildcard bits 0.0.0.255 (55 matches)
  • After cleanup, matches accumulate on R1 only (the count restarts from zero when the list is recreated; clear access-list counters 10 resets it on demand). This confirms the ACL is placed close to the destination (the Internet): traffic from other VLANs is stopped at the edge without impacting internal connectivity.

Troubleshooting Scenario

Scenario: Sales cannot reach Management, but you intended only to block Internet access

Symptom: Ping from a Sales host (192.168.1.x) to a Management host (192.168.3.x) fails. Your task: Find and fix the issue. Hint: Check where standard ACLs are applied — a standard ACL placed near the source can block intra-site traffic.

Solution:

  1. On each router, run:
       show access-lists
       show running-config interface GigabitEthernet0/0
  2. If you see a deny for 192.168.1.0/24 accumulating matches on a near-source (internal transit) interface, for example R2 Gi0/0 inbound, remove the ACL from that interface:
       R2(config)# interface GigabitEthernet0/0
       R2(config-if)# no ip access-group 10 in
  3. Reapply a permit-only ACL on the edge (R1 Gi0/0 outbound) if needed, then verify again with show access-lists and a ping from a Sales host to a Management host.
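The detection step in Task 3 and in the troubleshooting scenario can be scripted. The Python below is an added example (not from the lab) that parses the IOS-format output of show access-lists and show running-config interface, pairs each ip access-group binding with its entries and counters, and flags any deny entry accumulating matches on an interface other than the intended edge, as well as an edge ACL that has matched nothing. The sample outputs embedded in it are constructed to mirror this lab's counters, not captured from real devices; the EDGE tuple and the DEVICES dictionary are assumed inputs.

```python
import re
from collections import namedtuple

Ace = namedtuple("Ace", "seq action target matches")
Binding = namedtuple("Binding", "router interface acl direction")

# IOS prints "(N matches)" only for entries whose counter is non-zero.
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.+?)(?:\s+\((\d+) match(?:es)?\))?\s*$")
ACL_HDR_RE = re.compile(r"^(?:Standard|Extended) IP access list (\S+)\s*$")
IF_RE = re.compile(r"^interface (\S+)\s*$")
GROUP_RE = re.compile(r"^\s+ip access-group (\S+) (in|out)\s*$")


def parse_show_access_lists(text):
    """{acl_name: [Ace, ...]} from 'show access-lists' output. The implicit
    deny at the end of every list is never printed and never counted."""
    acls, current = {}, None
    for line in text.splitlines():
        hdr = ACL_HDR_RE.match(line)
        if hdr:
            current = hdr.group(1)
            acls[current] = []
            continue
        m = ACE_RE.match(line)
        if m and current is not None:
            seq, action, target, hits = m.groups()
            acls[current].append(Ace(int(seq), action, target, int(hits or 0)))
    return acls


def parse_bindings(router, text):
    """[Binding, ...] from 'show running-config interface ...' output."""
    bindings, iface = [], None
    for line in text.splitlines():
        i = IF_RE.match(line)
        if i:
            iface = i.group(1)
            continue
        g = GROUP_RE.match(line)
        if g and iface:
            bindings.append(Binding(router, iface, g.group(1), g.group(2)))
    return bindings


def audit(devices, edge):
    """devices: {router: (show_access_lists_text, show_run_interface_text)};
    edge: the (router, interface, direction) where the filter belongs.
    Flags deny entries accumulating matches anywhere other than the edge,
    and an edge ACL that has matched nothing at all."""
    findings = []
    for router, (acl_text, run_text) in devices.items():
        acls = parse_show_access_lists(acl_text)
        for b in parse_bindings(router, run_text):
            entries = acls.get(b.acl, [])
            where = f"{b.router} {b.interface} {b.direction} (ACL {b.acl})"
            if (b.router, b.interface, b.direction) == edge:
                if sum(e.matches for e in entries) == 0:
                    findings.append(f"{where}: no matches yet; check interface/direction or send test traffic")
                continue
            for e in entries:
                if e.action == "deny" and e.matches > 0:
                    findings.append(f"{where}: deny {e.target} has {e.matches} matches away from the edge; "
                                    "traffic is being dropped at an intermediate router")
    return findings


# Constructed sample output in IOS format (not captured from the lab devices).
R1_ACL = """\
Standard IP access list 10
    10 permit 192.168.1.0, wildcard bits 0.0.0.255 (47 matches)
"""
R1_RUN = """\
interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip access-group 10 out
 duplex auto
 speed auto
"""
R2_ACL = """\
Standard IP access list 10
    10 deny   192.168.1.0, wildcard bits 0.0.0.255 (12 matches)
    20 permit any (34 matches)
"""
R2_RUN = """\
interface GigabitEthernet0/0
 ip address 10.10.10.2 255.255.255.0
 ip access-group 10 in
 duplex auto
 speed auto
"""
DEVICES = {"R1": (R1_ACL, R1_RUN), "R2": (R2_ACL, R2_RUN)}
EDGE = ("R1", "GigabitEthernet0/0", "out")   # assumed: where the lab wants the filter

if __name__ == "__main__":
    for finding in audit(DEVICES, EDGE):
        print(finding)
```

Feed it the text of the two show commands from each router (collected over SSH, for instance) and review the findings list. The audit treats the implicit deny as invisible, exactly as IOS does, so a permit-only edge ACL is judged by the matches on its permit entries; if you want the blocked traffic counted at the edge, add an explicit deny any to the ACL and the parser will pick up its counter like any other entry.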

Verification Checklist

  • ACL 10 exists and permits 192.168.1.0/24 (Sales).
  • ACL 10 is applied on R1 GigabitEthernet0/0 outbound.
  • show access-lists on R1 shows matches on the permit line, and no deny entry on an intermediate router (R2, R3, R4) is accumulating matches.

Common Mistakes

Symptom: ACL blocks internal-to-internal traffic unexpectedly
  Cause: Standard ACL applied too close to the source (e.g., on R2 inbound) and containing a deny for a broad source.
  Fix:   Remove the ACL from the near-source interface; apply the correct ACL at the edge (destination-facing) if the intent is to restrict external access.

Symptom: No matches on ACL counters
  Cause: ACL applied to the wrong interface or in the wrong direction, or the only traffic is hitting the implicit deny, which IOS does not count.
  Fix:   Confirm interface and direction with show running-config interface; reapply with ip access-group <number> {in | out}; add an explicit deny any if you need the blocked traffic counted.

Symptom: Intended host still reaches the Internet
  Cause: ACL lacks the needed deny, entries are in the wrong order, or the ACL is not applied.
  Fix:   Check entries and order with show access-lists; make sure the ACL is bound to the correct interface and direction.

Challenge Task

Permit only the Engineering subnet (192.168.2.0/24) to access the Internet while still allowing Sales (192.168.1.0/24) to reach internal resources. Implement this using numbered standard ACL(s) placed appropriately. Do not affect internal routing between VLANs.

  • Goal only — discover and implement commands and placement without step-by-step guidance.

Final thought: Because standard ACLs match only source, their placement is crucial. Place them close to the destination you want to protect. If you need to filter by destination as well, use Extended ACLs (learned in another lesson).