Named Extended ACLs
Lab Objectives
- Create a named extended ACL to control traffic from private VLANs to other networks for readability and easier management.
- Edit ACL entries using sequence numbers and remove unwanted lines.
- Resequence ACL entries to tidy the numbering and confirm that renumbering preserves the relative order (and therefore the processing result).
Topology (BASE LAB TOPOLOGY — exact IPs on every interface)
Internet: 203.0.113.1
R1 (Gateway): Gi0/0 10.10.10.1 (to R2), Gi0/1 10.10.20.1 (to R3), Gi0/2 10.10.30.1 (to R4)
R2: Gi0/0 10.10.10.2 (to R1), Gi0/1 10.10.40.1 (to S1)
R3: link to R1 on 10.10.20.0/24 (interface address not given in the source diagram)
R4: Gi0/0 10.10.30.2 (to R1)
Switches and hosts: S1 (PC1, PC2), S2 (PC3), S3 (PC4, PC5)
IP SCHEME:
- 10.10.10.0/24 — R1-R2 link
- 10.10.20.0/24 — R1-R3 link
- 10.10.30.0/24 — R1-R4 link
- 10.10.40.0/24 — R2-S1 link
- 192.168.1.0/24 — VLAN 10 (Sales)
- 192.168.2.0/24 — VLAN 20 (Engineering)
- 192.168.3.0/24 — VLAN 30 (Management)
- 203.0.113.0/24 — Public/Internet simulation
Lab Tasks (Try It Yourself First!)
Complete these tasks WITHOUT looking at the solution below. Use ? and the show commands to figure it out.
Task 1: Create a named ACL to block HTTP from Sales to Internet
Create a named extended ACL called SALES_BLOCK that denies TCP port 80 from 192.168.1.0/24 (VLAN 10) to 203.0.113.0/24 and permits all other traffic. Apply the ACL inbound on R1 GigabitEthernet0/0.
Task 2: Insert an ICMP denial and add a remark
Edit the named ACL to add a remark explaining the ACL purpose, then insert a rule to deny ICMP from 192.168.3.0/24 (VLAN 30) to 192.168.1.0/24 (VLAN 10) before the general permit.
Task 3: Remove the HTTP deny using sequence number and resequence
Remove the original HTTP deny entry by its sequence number, then resequence the ACL so entries use tidy increments (start 10, increment 10).
Think About It: Why is the order of lines in an extended ACL important? How does the implicit "deny ip any any" at the end influence how you write rules?
Lab Solution
Task 1 Solution: Create a named ACL to block HTTP from Sales to Internet
What we are doing: We create a named extended ACL so the rules are readable (a name instead of a number). We deny TCP port 80 from the Sales subnet to the Internet subnet, permit all other traffic, and attach the ACL inbound on R1 Gi0/0, the interface facing R2 (where Sales sits), so Sales traffic is filtered as it arrives at R1, before the routing decision. An inbound ACL on Gi0/0 only sees traffic entering R1 from R2; it has no effect on traffic arriving on Gi0/1 or Gi0/2.
R1# configure terminal
R1(config)# ip access-list extended SALES_BLOCK
R1(config-ext-nacl)# remark Block HTTP from Sales to Internet
R1(config-ext-nacl)# deny tcp 192.168.1.0 0.0.0.255 203.0.113.0 0.0.0.255 eq 80
R1(config-ext-nacl)# permit ip any any
R1(config-ext-nacl)# exit
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip access-group SALES_BLOCK in
R1(config-if)# end
What each command does and why it matters:
- ip access-list extended SALES_BLOCK — creates (or enters) a named extended ACL called SALES_BLOCK. Named ACLs are more readable than numbered ACLs and can be edited entry by entry.
- remark ... — adds a human-readable comment so operators can see the ACL's purpose at a glance.
- deny tcp 192.168.1.0 0.0.0.255 203.0.113.0 0.0.0.255 eq 80 — denies HTTP from Sales to the Internet subnet. Extended ACLs match on protocol, source, destination and port; this entry matches destination port 80 only, so HTTPS (443) and every other protocol still fall through to the permit below.
- permit ip any any — allows all other traffic. Without it everything else would be dropped by the implicit deny at the end of every ACL.
- interface GigabitEthernet0/0 then ip access-group SALES_BLOCK in — applies the ACL inbound on the interface where traffic from Sales first arrives at R1. Extended ACLs are normally placed as close to the source as possible so unwanted traffic is dropped before it crosses the network (standard ACLs, which match only on source address, go near the destination). In this topology the closest point would be an interface on R2 facing the Sales VLAN; the lab centralises filtering on R1 instead.
Verify:
R1# show access-lists SALES_BLOCK
Extended IP access list SALES_BLOCK
10 remark Block HTTP from Sales to Internet
20 deny tcp 192.168.1.0 0.0.0.255 203.0.113.0 0.0.0.255 eq 80
30 permit ip any any
R1# show running-config interface GigabitEthernet0/0
interface GigabitEthernet0/0
ip address 10.10.10.1 255.255.255.0
ip access-group SALES_BLOCK in
Note: whether a remark is shown by show access-lists and whether it consumes a sequence number depends on the IOS release. Older releases show remarks only in the running configuration and do not number them, in which case the HTTP deny is entry 10 rather than 20. Always read the sequence numbers from your own device before editing or removing an entry by number.
Task 2 Solution: Insert ICMP denial and add a remark
What we are doing: We add a rule to deny ICMP from Management (192.168.3.0/24) to Sales (192.168.1.0/24). We insert it with a sequence number so it evaluates before the general permit. This demonstrates how sequence numbers let you control ordering.
R1# configure terminal
R1(config)# ip access-list extended SALES_BLOCK
R1(config-ext-nacl)# 25 deny icmp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
R1(config-ext-nacl)# exit
R1(config)# end
What each command does and why it matters:
- 25 deny icmp ... — specifying 25 as the sequence number places this rule between the existing 20 and 30 entries. Sequence numbers allow precise insertion without removing and recreating the ACL.
- The entry matches ICMP only; TCP and UDP from Management to Sales still fall through to permit ip any any. Denying ICMP from Management to Sales is an unusual direction in production (management hosts usually need to probe the systems they manage); the lab uses it only to demonstrate ordered insertion.
- Check placement as well as order: this ACL is inbound on Gi0/0, so the new entry can only match Management-to-Sales traffic that actually enters R1 on that interface. If that traffic arrives on another interface, or never crosses R1 at all, the entry is never evaluated. The match counters shown by show access-lists tell you whether an entry is being hit.
Verify:
R1# show access-lists SALES_BLOCK
Extended IP access list SALES_BLOCK
10 remark Block HTTP from Sales to Internet
20 deny tcp 192.168.1.0 0.0.0.255 203.0.113.0 0.0.0.255 eq 80
25 deny icmp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
30 permit ip any any
Tip: Use remarks liberally — they’re invaluable in larger configs when multiple admins are involved.
Task 3 Solution: Remove the HTTP deny and resequence the ACL
What we are doing: We delete the specific entry by its sequence number (20), then resequence the ACL so the numbers run 10, 20, 30, ... This demonstrates editing and maintenance. Note that after this step the ACL no longer blocks HTTP at all; its name and remark are now stale.
R1# configure terminal
R1(config)# ip access-list extended SALES_BLOCK
R1(config-ext-nacl)# no 20
R1(config-ext-nacl)# exit
R1(config)# ip access-list resequence SALES_BLOCK 10 10
R1(config)# end
What each command does and why it matters:
- no 20 — removes only the entry with sequence number 20. Removing by sequence number is surgical, but confirm the number against show access-lists first: deleting the wrong entry silently changes the policy.
- ip access-list resequence SALES_BLOCK 10 10 — renumbers the entries so they start at 10 and increment by 10 (10, 20, 30, ...). The relative order is preserved and only the numbers change, so what the ACL permits or denies is unchanged. Resequencing leaves room for future insertions and improves readability.
- Housekeeping: the remark at 10 still says "Block HTTP from Sales to Internet" even though that entry is gone. Remove it by sequence number and add a remark describing what the ACL now does, or the next operator will be misled.
Verify:
R1# show access-lists SALES_BLOCK
Extended IP access list SALES_BLOCK
10 remark Block HTTP from Sales to Internet
20 deny icmp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
30 permit ip any any
Troubleshooting Scenario
Scenario: ACL prevents all traffic from Sales to Internet
Symptom: After applying the named ACL, users in Sales cannot reach any hosts on 203.0.113.0/24 (not just HTTP).
Your task: Find and fix the issue.
Hint: Check the ACL order and look for a broad deny or missing permit.
Solution: Inspect show access-lists SALES_BLOCK and read the entries top-down. A deny ip 192.168.1.0 0.0.0.255 203.0.113.0 0.0.0.255 (a broad deny) above the permit, or a missing permit ip any any, blocks all Sales-to-Internet traffic. Note the sequence number of the broad deny from the output (it is 20 in the example below; substitute the real number), remove it, and make sure permit ip any any is the last entry if it is missing. Example fix:
R1# configure terminal
R1(config)# ip access-list extended SALES_BLOCK
R1(config-ext-nacl)# ! remove the accidental broad deny (entry 20 in this example)
R1(config-ext-nacl)# no 20
R1(config-ext-nacl)# 30 permit ip any any
R1(config-ext-nacl)# exit
R1(config)# end
Explanation: Extended ACLs are processed top-down and the first matching entry wins, so a broad deny above a permit short-circuits the traffic you meant to allow. Order entries from most specific to most general, keep specific denies above the general permit, and use the match counters in show access-lists to confirm which entry the traffic is actually hitting.
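The following Python model is an added example for this lab, not code from the page or from Cisco: it reproduces the ACL semantics the three tasks and the troubleshooting scenario rely on (entries keyed by sequence number, top-down first-match evaluation, insertion and removal by sequence number, resequencing, the implicit deny at the end) and adds a shadowed-entry check for the "new rule not evaluated" mistake. It parses entries in the same form as the show access-lists output above. The host addresses 192.168.1.10, 192.168.3.10 and 203.0.113.50 are constructed sample packets, not part of the lab topology, and the model ignores interface direction: it tells you what an ACL decides for a packet, not whether that packet ever reaches the interface the ACL is applied to.

```python
"""Model of a Cisco-style named extended ACL: entries keyed by sequence number, top-down
first-match evaluation, edit/remove by sequence number, resequencing and the implicit deny."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
Packet = namedtuple("Packet", "proto src dst dport", defaults=(None,))  # dport None for icmp

@dataclass
class Ace:
    seq: int
    action: str             # "permit", "deny" or "remark"
    proto: str              # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int = None       # None means any destination port

    def matches(self, pkt):
        return (self.action != "remark" and self.proto in ("ip", pkt.proto)  # remarks never match
                and ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst
                and (self.dport is None or self.dport == pkt.dport))

    def covers(self, other):
        """True if everything `other` could match is already matched by self."""
        return ("remark" not in (self.action, other.action) and self.proto in ("ip", other.proto)
                and other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)
                and (self.dport is None or self.dport == other.dport))

def wildcard_to_network(addr, wildcard):
    """IOS wildcard masks are inverted netmasks: 0.0.0.255 -> /24, 0.0.0.0 -> /32."""
    netmask = (~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(netmask)}", strict=False)

def parse_ace(line):
    """Parse 'SEQ permit|deny PROTO SRC DST [eq PORT]'; SRC/DST is any, host A or A WILDCARD."""
    tok = line.split()
    if tok[1] == "remark":
        return Ace(int(tok[0]), "remark", "ip", ANY, ANY)
    i, nets = 3, []
    for _ in range(2):                        # source, then destination
        if tok[i] == "any":
            nets.append(ANY); i += 1
        else:                                 # 'host A' is the same as 'A 0.0.0.0'
            addr, wc = (tok[i + 1], "0.0.0.0") if tok[i] == "host" else (tok[i], tok[i + 1])
            nets.append(wildcard_to_network(addr, wc)); i += 2
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Ace(int(tok[0]), tok[1], tok[2], nets[0], nets[1], dport)

class NamedAcl:
    def __init__(self, name, *lines):
        self.name, self.entries = name, {}    # seq -> Ace
        for line in lines:
            self.add(line)
    def add(self, line):                      # "25 deny icmp ..." lands between 20 and 30
        ace = parse_ace(line); self.entries[ace.seq] = ace
    def remove(self, seq):                    # "no 20"
        del self.entries[seq]
    def ordered(self):
        return [self.entries[k] for k in sorted(self.entries)]
    def resequence(self, start=10, step=10):  # ip access-list resequence NAME start step
        ordered, self.entries = self.ordered(), {}
        for n, ace in enumerate(ordered):
            ace.seq = start + n * step; self.entries[ace.seq] = ace
    def evaluate(self, pkt):
        """Top-down, first match wins; no match falls through to the implicit deny ip any any."""
        for ace in self.ordered():
            if ace.matches(pkt):
                return ace.action, ace.seq
        return "deny", None
    def shadowed(self):
        """Sequence numbers that can never be hit because an earlier entry covers their traffic."""
        earlier, dead = [], []
        for ace in self.ordered():
            if any(e.covers(ace) for e in earlier):
                dead.append(ace.seq)
            earlier.append(ace)
        return dead

def lab_walkthrough():
    """Replays Tasks 1-3 and the troubleshooting scenario on constructed sample packets."""
    acl = NamedAcl("SALES_BLOCK", "10 remark Block HTTP from Sales to Internet",
                   "20 deny tcp 192.168.1.0 0.0.0.255 203.0.113.0 0.0.0.255 eq 80",
                   "30 permit ip any any")
    http, https = (Packet("tcp", "192.168.1.10", "203.0.113.50", p) for p in (80, 443))
    ping = Packet("icmp", "192.168.3.10", "192.168.1.10")  # constructed hosts, not from the lab
    out = {"task1_http": acl.evaluate(http), "task1_https": acl.evaluate(https)}
    acl.add("25 deny icmp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255")  # Task 2
    out["task2_ping"] = acl.evaluate(ping)
    acl.remove(20); acl.resequence(10, 10)                                 # Task 3
    out.update(task3_seqs=[a.seq for a in acl.ordered()], task3_http=acl.evaluate(http))
    broken = NamedAcl("SALES_BLOCK", "10 deny ip 192.168.1.0 0.0.0.255 203.0.113.0 0.0.0.255",
                      "20 deny tcp 192.168.1.0 0.0.0.255 203.0.113.0 0.0.0.255 eq 80",
                      "30 permit ip any any")    # troubleshooting scenario: broad deny on top
    out.update(broken_https=broken.evaluate(https), broken_shadowed=broken.shadowed())
    bare = NamedAcl("NO_PERMIT", "10 deny tcp 192.168.1.0 0.0.0.255 203.0.113.0 0.0.0.255 eq 80")
    out["implicit_deny"] = bare.evaluate(https)   # ("deny", None): nothing matched
    return out
```

Calling lab_walkthrough() shows HTTP denied at entry 20 and HTTPS permitted at 30 after Task 1, the ping denied at 25 after Task 2, the sequence numbers collapsing to 10, 20, 30 after Task 3 (with HTTP now permitted, since its deny is gone), the broad-deny ACL denying HTTPS at entry 10 with entry 20 reported as shadowed, and the ACL without a final permit returning ("deny", None) from the implicit deny. The shadowed() check is the kind of test worth running on any ACL before you push it: an entry it reports is dead weight at best and, at worst, a rule someone believes is enforcing policy.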
Verification Checklist
- Named extended ACL SALES_BLOCK exists on R1.
- SALES_BLOCK is applied inbound on GigabitEthernet0/0.
- ACL entries are in correct order and resequenced (10,20,30...).
Common Mistakes
| Symptom | Cause | Fix |
|---|---|---|
| ACL blocks all traffic from Sales to Internet | No permit ip any any at end (implicit deny) or a broad deny precedes permits | Add permit ip any any or remove/adjust the broad deny; resequence if needed |
| New rule not evaluated | Rule inserted after a matching permit/deny (order problem) | Use sequence numbers to insert before the matching rule or resequence ACL |
| ACL applied on wrong interface/direction | Applied outbound instead of inbound (or on wrong interface) | Move ACL to correct interface and direction (ip access-group NAME in/out) |
Challenge Task
Create a second named extended ACL that:
- Allows only HTTPS (TCP 443) from Engineering (192.168.2.0/24) to a specific Internet host 203.0.113.100,
- Denies any other TCP from Engineering to the 203.0.113.0/24 network,
- Permits everything else,
- Apply it using best-practice direction on the appropriate R1 interface.
(No step-by-step — use what you learned about named ACLs, sequence numbers, and applying ACLs.)