Standard ACL Challenge
Lab Objectives
- Configure standard IP access lists to allow or deny entire subnets.
- Apply ACLs to the correct interfaces and directions to enforce policy while preserving required connectivity.
- Verify ACL operation using show commands and interpret the output.
Lab Tasks (Try It Yourself First!)
Complete these tasks WITHOUT looking at the solution below. Use ? and show commands to figure it out.
ASCII topology (use this exact topology and IPs):
[Internet]
203.0.113.1
|
R1 (Gateway)
Gi0/0: 10.10.10.1
Gi0/1: 10.10.20.1
Gi0/2: 10.10.30.1
/ | \
R2 R3 R4
Gi0/0: 10.10.10.2 | Gi0/0: 10.10.30.2
Gi0/1: 10.10.40.1 |
/ \ |
S1 S2 S3
/ \ | /
PC1 PC2 PC3 PC4 PC5
IP scheme (use these exact networks):
- 10.10.10.0/24 — R1–R2 link
- 10.10.20.0/24 — R1–R3 link
- 10.10.30.0/24 — R1–R4 link
- 10.10.40.0/24 — R2–S1 link
- 192.168.1.0/24 — VLAN 10 (Sales)
- 192.168.2.0/24 — VLAN 20 (Engineering)
- 192.168.3.0/24 — VLAN 30 (Management)
- 203.0.113.0/24 — Public/Internet simulation
Task 1: Create and apply a standard ACL on R2
Deny the entire Engineering subnet (192.168.2.0/24) from reaching R1/Internet while permitting all other subnets. Apply the ACL on R2's interface toward R1 so the filter is enforced as traffic leaves R2 toward R1.
Task 2: Create and apply a standard ACL on R4
Deny the Sales subnet (192.168.1.0/24) but explicitly permit the Management subnet (192.168.3.0/24); allow other traffic. Apply the ACL on R4's interface toward R1.
Task 3: Create and apply a host-based standard ACL on R1
Deny a single host from Sales (example: 192.168.1.5) from reaching upstream (Internet), but permit all other hosts. Apply the ACL on R1 on the interface facing R2 (Gi0/0) in the appropriate direction.
Think About It: Why are standard ACLs typically placed "close to the destination" rather than the source? How does that guideline affect your choice of interface and direction for these tasks?
Lab Solution
Task 1 Solution: Create and apply a standard ACL on R2
What we are doing: We create a standard ACL (numbered 10) that denies the entire 192.168.2.0/24 network and permits everything else. We then apply it on R2's GigabitEthernet0/0 interface in the outbound direction (toward R1). Standard ACLs match only source addresses, so placing this ACL on the interface leaving the local area ensures the ACL sees the original source IPs.
R2(config)# access-list 10 deny 192.168.2.0 0.0.0.255
R2(config)# access-list 10 permit any
R2(config)# interface GigabitEthernet0/0
R2(config-if)# ip access-group 10 out
- access-list 10 deny 192.168.2.0 0.0.0.255
- What it does: creates an entry that denies any packet whose source IP is in 192.168.2.0/24.
- Why it matters: standard ACLs filter by source only; the wildcard 0.0.0.255 matches the full /24.
- access-list 10 permit any
- What it does: permits all other source addresses not matched by the deny entry.
- Why it matters: ACLs have an implicit "deny all" at the end. Explicitly permitting the rest avoids accidentally blocking legitimate traffic.
- interface GigabitEthernet0/0 / ip access-group 10 out
- What it does: applies ACL 10 to packets leaving R2 on Gi0/0 (toward R1).
- Why it matters: placing a standard ACL close to the destination (R1) ensures it filters traffic destined for R1/Internet while allowing internal switching/routing to function normally.
Verify:
R2# show access-lists
Standard IP access list 10
10 deny 192.168.2.0 0.0.0.255
20 permit any
R2# show ip interface GigabitEthernet0/0
GigabitEthernet0/0 is up, line protocol is up
Internet address is 10.10.10.2/24
Broadcast address is 255.255.255.255
IP access list is 10, direction out
Task 2 Solution: Create and apply a standard ACL on R4
What we are doing: Build ACL 11 that first denies Sales (192.168.1.0/24), then permits Management (192.168.3.0/24), then permits any remaining traffic. Apply it outbound on R4's Gi0/0 (toward R1). Ordering matters: ACLs are processed top-to-bottom.
R4(config)# access-list 11 deny 192.168.1.0 0.0.0.255
R4(config)# access-list 11 permit 192.168.3.0 0.0.0.255
R4(config)# access-list 11 permit any
R4(config)# interface GigabitEthernet0/0
R4(config-if)# ip access-group 11 out
- access-list 11 deny 192.168.1.0 0.0.0.255
- What it does: drops packets with source in Sales subnet.
- Why it matters: prevents Sales hosts behind R4 from reaching R1/Internet.
- access-list 11 permit 192.168.3.0 0.0.0.255
- What it does: allows Management subnet hosts to pass.
- Why it matters: demonstrates selective allowing using the ACL order.
- access-list 11 permit any
- What it does: permits any other source addresses.
- Why it matters: ensures other networks are not implicitly blocked.
- ip access-group 11 out on Gi0/0
- What it does: applies this policy as traffic leaves R4 to R1.
- Why it matters: standard ACL sees the actual source IPs and enforces policy.
Verify:
R4# show access-lists
Standard IP access list 11
10 deny 192.168.1.0 0.0.0.255
20 permit 192.168.3.0 0.0.0.255
30 permit any
R4# show ip interface GigabitEthernet0/0
GigabitEthernet0/0 is up, line protocol is up
Internet address is 10.10.30.2/24
IP access list is 11, direction out
Task 3 Solution: Create and apply a host-based standard ACL on R1
What we are doing: Create ACL 12 that denies a single Sales host (192.168.1.5) and permits everyone else. Applying it on R1 on Gi0/0 inbound will stop that host's traffic as it arrives at R1 from R2.
R1(config)# access-list 12 deny host 192.168.1.5
R1(config)# access-list 12 permit any
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip access-group 12 in
- access-list 12 deny host 192.168.1.5
- What it does: denies any packet with source 192.168.1.5.
- Why it matters: host-level blocking is a common operational task (e.g., compromised host).
- access-list 12 permit any
- What it does: permits all other hosts.
- Why it matters: prevents the implicit deny from blocking legitimate traffic.
- ip access-group 12 in on Gi0/0
- What it does: evaluates packets as they come into R1 from R2.
- Why it matters: placing the ACL here ensures the deny applies before R1 forwards packets upstream.
Verify:
R1# show access-lists
Standard IP access list 12
10 deny 192.168.1.5
20 permit any
R1# show ip interface GigabitEthernet0/0
GigabitEthernet0/0 is up, line protocol is up
Internet address is 10.10.10.1/24
IP access list is 12, direction in
Tip: A wildcard mask (like 0.0.0.255) is the inverse of a subnet mask. Think of it as a “don’t care” map — 0 bits must match, 1 bits can vary.
Troubleshooting Scenario
Scenario: ACL blocks too much traffic
Symptom: After applying ACL 10 on R2, users from Management (192.168.3.0/24) cannot reach R1/Internet.
Your task: Find and fix the issue.
Hint: Check ACL content and order; remember the implicit deny at the end of every ACL.
Solution: Use show access-lists to verify ACL 10. If ACL 10 was created as:
access-list 10 deny 192.168.2.0 0.0.0.255
but no permit any exists, the implicit deny will block all other subnets. Fix by adding:
R2(config)# access-list 10 permit any
This restores traffic for networks not explicitly denied.
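The wildcard-mask tip above and this troubleshooting scenario can be checked offline with a small evaluator. The following is an added example, not part of the original lab: it models standard ACL matching (wildcard mask, top-down first match, implicit deny) in Python and replays ACL 10 with and without its final permit any against constructed Engineering and Management source addresses.

```python
import ipaddress
from typing import List, Tuple

# A standard ACL entry: (action, address, wildcard). "host X" is X with
# wildcard 0.0.0.0; "any" is 0.0.0.0 with wildcard 255.255.255.255.
Entry = Tuple[str, str, str]

def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(src: str, addr: str, wildcard: str) -> bool:
    """A wildcard mask is the inverse of a subnet mask: 0 bits must match,
    1 bits are "don't care". Compare src and addr only on the 0 bits."""
    care = 0xFFFFFFFF ^ to_int(wildcard)
    return (to_int(src) & care) == (to_int(addr) & care)

def evaluate(acl: List[Entry], src: str) -> str:
    """Standard ACL lookup: top-down, first match wins; a packet that matches
    no entry hits the implicit deny at the end of every ACL."""
    for action, addr, wildcard in acl:
        if wildcard_match(src, addr, wildcard):
            return action
    return "deny (implicit)"

def parse_entry(line: str) -> Entry:
    """Parse the IOS syntax used in this lab, e.g.
    'access-list 10 deny 192.168.2.0 0.0.0.255', '... deny host 192.168.1.5',
    '... permit any'."""
    parts = line.split()
    action, rest = parts[2], parts[3:]
    if rest == ["any"]:
        return (action, "0.0.0.0", "255.255.255.255")
    if rest[0] == "host":
        return (action, rest[1], "0.0.0.0")
    if len(rest) == 1:          # a bare address is a host match in IOS
        return (action, rest[0], "0.0.0.0")
    return (action, rest[0], rest[1])

# Constructed sample: ACL 10 as in the troubleshooting scenario, first
# missing its final "permit any", then with the fix applied.
BROKEN_ACL_10 = [parse_entry("access-list 10 deny 192.168.2.0 0.0.0.255")]
FIXED_ACL_10 = BROKEN_ACL_10 + [parse_entry("access-list 10 permit any")]

if __name__ == "__main__":
    # Constructed sources: one Engineering host, one Management host.
    for src in ("192.168.2.7", "192.168.3.5"):
        print(src, "broken:", evaluate(BROKEN_ACL_10, src),
              "| fixed:", evaluate(FIXED_ACL_10, src))
```

Running it shows the Management host falling through to the implicit deny on the broken ACL and being permitted once permit any is appended, while the Engineering host stays denied in both cases.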
Verification Checklist
- ACLs exist with the correct number and entries: use show access-lists.
- ACLs are bound to the correct interface and direction: use show ip interface <interface>.
- Blocked sources cannot ping R1/Internet while permitted sources can (perform pings/traceroutes).
Common Mistakes
| Symptom | Cause | Fix |
|---|---|---|
| All hosts cannot reach R1 after ACL applied | Forgetting to add a final permit any (implicit deny) | Add access-list <n> permit any or reorder entries appropriately |
| ACL has no effect | ACL applied on wrong interface or wrong direction | Use show ip interface <interface> to confirm the `IP access list is <n>, direction <in/out>` line |
| Intended host still blocked | ACL order incorrect (deny placed after permit that already matches) | Reorder ACL entries so deny comes before broader permits (remove and recreate entries in correct order) |
Challenge Task
Using only standard ACLs and the provided topology, create an ACL scheme that:
- Prevents all Sales (192.168.1.0/24) hosts from reaching the Internet,
- Allows Engineering (192.168.2.0/24) only to reach a specific internal server at 192.168.3.10,
- Allows all other traffic normally.
Do this without using extended ACLs or other features — plan ACL placement and direction carefully and document your reasoning. (Hint: Because standard ACLs match only source, think about where you can place filters so the destination is implied by the interface/direction.)