Lesson 4 of 5

Extended ACL Placement

Lab Objectives

  • Understand where to place extended access control lists (ACLs) and why they should be placed close to the source of traffic.
  • Configure an extended ACL to block a source subnet from reaching a public destination and compare placing that ACL on the source-side router vs. the destination-side router.
  • Verify ACL placement and interpret verification output.

ASCII Topology (use this EXACT topology; IPs shown on every router interface):

                [Internet]
               203.0.113.1
                    |
               R1 (Gateway)
              Gi0/0: 10.10.10.1
              Gi0/1: 10.10.20.1
              Gi0/2: 10.10.30.1
              /     |     \
           R2      R3      R4

(The lower half of the diagram did not survive extraction. Labels recovered from it: Gi0/0: 10.10.10.2, Gi0/0: 10.10.30.2, Gi0/1: 10.10.40.1; switches S1, S2 and S3 sit below the routers, and PC1 through PC5 sit below the switches. See the device table for the addressing used in this lab.)

Device table and addressing (exact):

Device     Interface   IP Address
R1         Gi0/0       10.10.10.1
R1         Gi0/1       10.10.20.1
R1         Gi0/2       10.10.30.1
R2         Gi0/0       10.10.10.2
R2         Gi0/1       10.10.40.1
Internet   -           203.0.113.1

Tip: Think of an extended ACL as a fine-grained gatekeeper — it can match source IP, destination IP, and layer 4 ports. Because it can decide based on the source, place it close to the source to stop unwanted traffic before it uses network resources.


Lab Tasks (Try It Yourself First!)

Complete these tasks WITHOUT looking at the solution below. Use ? and show commands to figure it out.

Task 1: Configure base IPs and routes

Configure R1 and R2 interface IP addresses exactly as in the topology, and add static routes on R1 so R1 can reach 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24 via 10.10.10.2. On R2 add a default route to 10.10.10.1.

Task 2: Create and apply an extended ACL close to the source

Create an extended ACL numbered 110 that denies traffic from 192.168.1.0/24 to the Internet subnet 203.0.113.0/24, then permit everything else. Apply it outbound on R2 Gi0/0 (toward R1).

Task 3: Move the ACL to the destination side and compare

Remove the ACL from R2 Gi0/0 and apply the same ACL inbound on R1 Gi0/0 (toward the internal network). Observe and record the differences (traffic path, CPU and bandwidth considerations).

Think About It: Why does placing the extended ACL on R2 (source side) conserve bandwidth and processing compared to placing it on R1 (destination side)?


Lab Solution

Task 1 Solution: Configure base IPs and routes

What we are doing: Bring up R1 and R2 interfaces and add static routes so the routers know how to reach internal subnets and how internal routers reach the Internet.

! On R1
hostname R1
interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 ip address 10.10.20.1 255.255.255.0
 no shutdown
interface GigabitEthernet0/2
 ip address 10.10.30.1 255.255.255.0
 no shutdown

ip route 192.168.1.0 255.255.255.0 10.10.10.2
ip route 192.168.2.0 255.255.255.0 10.10.10.2
ip route 192.168.3.0 255.255.255.0 10.10.10.2

What just happened:

  • Each interface command assigns the specified IP and enables the interface; this establishes connectivity between routers per the topology.
  • The ip route commands tell R1 how to reach the internal 192.168.x.0/24 networks via R2 (10.10.10.2). This is necessary so R1 can forward return traffic to those networks.

Verify:

show ip interface brief

Expected output (abridged for relevance):

Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     10.10.10.1      YES manual up                    up
GigabitEthernet0/1     10.10.20.1      YES manual up                    up
GigabitEthernet0/2     10.10.30.1      YES manual up                    up

show ip route

Expected to include:

S    192.168.1.0/24 [1/0] via 10.10.10.2
S    192.168.2.0/24 [1/0] via 10.10.10.2
S    192.168.3.0/24 [1/0] via 10.10.10.2

! On R2
hostname R2
interface GigabitEthernet0/0
 ip address 10.10.10.2 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 ip address 10.10.40.1 255.255.255.0
 no shutdown

interface Loopback10
 ip address 192.168.1.1 255.255.255.0
interface Loopback20
 ip address 192.168.2.1 255.255.255.0
interface Loopback30
 ip address 192.168.3.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 10.10.10.1

What just happened:

  • R2 interfaces are configured and loopbacks represent the 192.168.x.0 networks for lab simplicity.
  • The default route on R2 sends unknown-destination traffic to R1 (toward the Internet).

Verify:

show ip interface brief

Expected output:

Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     10.10.10.2      YES manual up                    up
GigabitEthernet0/1     10.10.40.1      YES manual up                    up
Loopback10             192.168.1.1     YES manual up                    up
Loopback20             192.168.2.1     YES manual up                    up
Loopback30             192.168.3.1     YES manual up                    up

show ip route

Expected to include:

S*   0.0.0.0/0 [1/0] via 10.10.10.1
C    192.168.1.0/24 is directly connected, Loopback10
C    192.168.2.0/24 is directly connected, Loopback20
C    192.168.3.0/24 is directly connected, Loopback30

Task 2 Solution: Create and apply extended ACL close to the source

What we are doing: Create extended ACL 110 that denies all IP traffic from the Sales VLAN 192.168.1.0/24 to the Internet subnet 203.0.113.0/24 and permits everything else, then apply it outbound on R2 Gi0/0 (this is "close to the source").

access-list 110 deny ip 192.168.1.0 0.0.0.255 203.0.113.0 0.0.0.255
access-list 110 permit ip any any

interface GigabitEthernet0/0
 ip access-group 110 out

What just happened:

  • access-list 110 deny ip 192.168.1.0 0.0.0.255 203.0.113.0 0.0.0.255 blocks traffic with a source in 192.168.1.0/24 destined to 203.0.113.0/24. The wildcard masks (0.0.0.255) are the inverse of a /24 subnet mask: a 1 bit means "ignore this bit", a 0 bit means "must match".
  • access-list 110 permit ip any any ensures all other traffic is permitted. Every IOS ACL ends with an implicit deny, so without this line every packet that does not match an explicit permit would be dropped; you must explicitly permit what is allowed.
  • ip access-group 110 out applies the ACL on Gi0/0 in the outbound direction, so packets leaving R2 toward R1 are filtered; that is, filtering occurs as close to the source network as possible.

Why this matters:

  • Placing the ACL here prevents unwanted traffic from traversing the R2→R1 link and any upstream bandwidth/processing. In production, this saves transit links and reduces load on core devices.
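The following Python model is added here as an illustration and is not lab or IOS code: it evaluates ACL 110's entries with wildcard matching, first-match order and the implicit deny, then counts how many path segments a denied packet consumes under the R2-outbound placement versus the R1-inbound placement (the path segment names are assumed labels for this lab's topology).

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    # A 1 bit in the wildcard means "don't care"; only the 0 bits are compared.
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & care) == 0

def parse_ace(line):
    # Parses "access-list 110 <deny|permit> ip <src> <wc> <dst> <wc>"; handles any/host.
    tok = line.split()
    action, rest = tok[2], tok[4:]
    def take():
        key = rest.pop(0)
        if key == "any":
            return ("0.0.0.0", "255.255.255.255")
        if key == "host":
            return (rest.pop(0), "0.0.0.0")
        return (key, rest.pop(0))
    src, dst = take(), take()
    return {"action": action, "src": src, "dst": dst}

def evaluate(acl, src, dst):
    # First matching entry wins; falling off the end hits the implicit deny.
    for seq, ace in enumerate(acl, 1):
        if wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"]):
            return (ace["action"], seq * 10)   # IOS numbers entries 10, 20, ...
    return ("deny", None)

# ACL 110 exactly as configured in this lab.
ACL_110 = [parse_ace(l) for l in (
    "access-list 110 deny ip 192.168.1.0 0.0.0.255 203.0.113.0 0.0.0.255",
    "access-list 110 permit ip any any",
)]

# Path of a packet from 192.168.1.0/24 toward the Internet (segment names assumed).
PATH = ["R2 Gi0/0 out", "R2-R1 link", "R1 Gi0/0 in", "R1 uplink to Internet"]

def segments_before_drop(acl, placement, src, dst):
    # Number of path segments the packet consumes before the ACL at `placement`
    # drops it; len(PATH) means it was forwarded all the way.
    for i, segment in enumerate(PATH):
        if segment == placement and evaluate(acl, src, dst)[0] == "deny":
            return i
    return len(PATH)

if __name__ == "__main__":
    for where in ("R2 Gi0/0 out", "R1 Gi0/0 in"):
        print(where, segments_before_drop(ACL_110, where, "192.168.1.77", "203.0.113.1"))
```

Passing a subnet mask such as 255.255.255.0 as the wildcard makes the evaluator compare only the last octet, which reproduces the "ACL appears not to match" mistake listed under Common Mistakes.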

Verify:

show access-lists 110

Expected output:

Extended IP access list 110
    10 deny ip 192.168.1.0 0.0.0.255 203.0.113.0 0.0.0.255 (hitcnt=0)
    20 permit ip any any (hitcnt=0)

Note: After a host in 192.168.1.x attempts to reach 203.0.113.x, the hitcnt for the deny line will increment. Run the same show access-lists 110 command again to confirm the counter changed.

show ip interface GigabitEthernet0/0

Expected output (relevant excerpt):

GigabitEthernet0/0 is up, line protocol is up
  IP access list is 110 outbound

Task 3 Solution: Move same ACL to R1 (destination-side) and compare

What we are doing: Remove the ACL from R2 and apply it inbound on R1 Gi0/0 (close to destination) to observe the placement difference.

! On R2: remove ACL from interface
interface GigabitEthernet0/0
 no ip access-group 110 out

! On R1: create same ACL and apply inbound
access-list 110 deny ip 192.168.1.0 0.0.0.255 203.0.113.0 0.0.0.255
access-list 110 permit ip any any

interface GigabitEthernet0/0
 ip access-group 110 in

What just happened:

  • Removing ip access-group on R2 stops filtering at the source; traffic from 192.168.1.0/24 will now travel across the link to R1 before being evaluated.
  • Applying the same ACL inbound on R1 means traffic is filtered when it reaches R1 (closer to destination). Functionally the deny still blocks the traffic, but it used network bandwidth and resources upstream of R1.

Verify:

show access-lists 110

Expected output on R1:

Extended IP access list 110
    10 deny ip 192.168.1.0 0.0.0.255 203.0.113.0 0.0.0.255 (hitcnt=0)
    20 permit ip any any (hitcnt=0)

show ip interface GigabitEthernet0/0

Expected excerpt:

GigabitEthernet0/0 is up, line protocol is up
  IP access list is 110 inbound

Real-world point: If many hosts in 192.168.1.0/24 generate traffic that should be blocked, placing the ACL on R2 prevents that traffic from consuming R1 CPU and the WAN link. This is why the rule of thumb for extended ACLs is: place them as close to the source as possible.


Troubleshooting Scenario

Scenario: ACL applied in wrong direction

Symptom: Hosts in 192.168.1.0/24 cannot browse the Internet; pings to 203.0.113.1 fail for some hosts and succeed for others.

Your task: Find and fix the issue.

Hint: Check both routers for where ACL 110 is applied and the ACL order.

Solution:

  • Run show ip interface brief and show ip interface GigabitEthernet0/0 on both R1 and R2 to see whether ACL 110 is applied and in which direction.
  • If ACL 110 is inbound on R1 and also outbound on R2, the ACL might be blocking return traffic inadvertently or double-filtering. Remove the ACL from the wrong interface using:
interface GigabitEthernet0/0
 no ip access-group 110 in    ! or out, depending where it is wrong
  • Reapply only on R2 outbound if your goal is to filter at the source.

Verification Checklist

  • R1 and R2 interfaces configured per topology (use show ip interface brief)
  • R1 has static routes to 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 (use show ip route)
  • ACL 110 present with a deny for 192.168.1.0/24 -> 203.0.113.0/24 and a permit any any (use show access-lists 110)
  • ACL is applied outbound on R2 Gi0/0 (use show ip interface GigabitEthernet0/0)

Common Mistakes

  • Symptom: ACL has no effect. Cause: Applied in the wrong direction or on the wrong interface. Fix: Check show ip interface to confirm direction and interface, then apply correctly (ip access-group 110 out).
  • Symptom: Legitimate traffic blocked. Cause: ACL missing permit ip any any, or a deny is too broad. Fix: Add explicit permit statements after the denies; double-check wildcard masks.
  • Symptom: ACL appears not to match. Cause: Incorrect wildcard mask used (subnet mask confused with wildcard mask). Fix: Use wildcard 0.0.0.255 for /24 networks; verify with show access-lists.

Challenge Task

Using what you learned, create an extended ACL that allows only HTTP (tcp/80) and HTTPS (tcp/443) from 192.168.2.0/24 to the Internet 203.0.113.0/24, denies everything else from that subnet to the Internet, and apply it close to the source. Verify with show access-lists and explain why this placement is preferred in a busy production network.