ACL Practice Drills

 In 200-301 V2 Ch02: Standard ACLs, 200-301 V2 Part 1: IP ACLs, ACL Drill, CCENT-OLD

You need practice with ACLs for CCENT and CCNA R/S. Some of that practice should focus on putting a complete ACL together, with multiple Access Control Entries (ACE) (that is, multiple permit and deny commands) to meet a set of requirements. But even before building complete ACLs, you need to master the basics of building a single ACE (that is, a single command).

This post introduces a type of exercise in this blog: the ACL Drill. These exercises let you practice the various steps of creating ACL commands. This post describes the basic process, with some advice on how to approach creating ACL commands, both for these drills and for the exams.


In Cisco-speak, one line in an ACL is called an Access Control Entry (ACE).

Some of the drills give you practice with building an ACL with a single ACE, keeping the focus of the discussion on one command (ACE) at a time. Basically, for each stated problem, you have to create one ACE – specifically either a permit or deny command for a named ACL – that meets the criteria.


Example One ACE ACL Drill

For the ACL practice drills in this blog, we will frequently use the following diagram. The IP addresses and subnets will change, even from question to question. In some cases, you will match traffic going from a client to a server, and sometimes you will stop traffic as it goes from a server to a client. In those cases, you will need to think about the placement of the port number fields.

For example, a drill question might state:

Host A ( attempts to connect to web server S4 ( Your ACL will be applied outbound on R2’s S0/0/0 interface. Permit traffic from host A’s subnet to reach the web service on S4.

First, consider the location of the ACL. The problem statement asks that you enable it outbound on R2’s S0/0/0. That placement means it will filter packets as they pass from host A to server S4. So, any matching of host A’s IP address should happen as the source IP address, and any matching of server S4 should happen as the destination address. If the requirement stated that the ACL was inbound on that same interface, you could still permit the traffic, but you must do so by matching traffic sourced from the server, sent back to host A.


Matching Subnets

Next, consider the requirements of “from host A’s subnet”. The problem statement tells you A’s IP address/mask ( You need to somehow match all addresses in the resident subnet, and put that in the source IP address field of the command. Specifically, it needs to be a permit command (that part’s pretty obvious.) So, just from that analysis, the command will start as follows:

permit <protocol>


Matching Transport Ports

So far, the source address field matches all packets with source IP address in subnet Looking further, the requirements mention “web services on server S4”. If the wording had simply stated “server S4”, I personally would interpret that to mean that we should match IP packets sent to that server. But “web services…” tells me that we should filter TCP traffic to that host, specifically, to the well-known TCP port for web (port 80). You can match port 80, or use the “www” keyword, either way. And in this case, to match the port, note that you cannot use the protocol type of “IP”, because IOS requires us to use either “TCP” or “UDP” when matching port numbers. Here’s the updated command:

permit tcp host eq www

And that’s it. For these exercises, I will list a handful of problem statements and the diagram. Later, I’ll post the answers. Your job: do the drills, and if you have questions, ask them. (It really is ok to ask questions.)


Drill to Build Complete ACLs

To move beyond thinking about a single ACE in a single ACL, you have to start thinking about the order of ACEs in the ACL, how they might impact each other. You also have to think about the default action to deny all other traffic, and whether you need to configure an alternative permit statement at the end of an ACL, for instance, the commonly used explicit permit all with the named ACL command permit ip any any.

Some of the ACL drills ask you to make multiline ACLs. In particular, these exercises make you consider:

  • Do my configuration commands match some of the same packets? If so, what’s the correct order to use when adding the ACEs to the ACL?
  • What is the impact of the implicit deny all at the end of each ACL? Can you take advantage of it?
  • Should you configure an explicit permit all at the end of the ACL?


Drill to Interpret ACEs in an Editor

A third style for these drills is to interpret what other ACLs would match. The idea is simple: the question blog post lists a series of ACEs, and you have to describe with words and numbers what types of packets would match that ACE. Basically, it’s what you would do on the exam when you see a pre-configured ACL in a Sim, Simlet, or multi choice question.

These drills also have a small twist: the problem statement says that the commands exist in a text editor. Why? Well, it is possible for you to paste the command into a router, and the router then changes the values in the address fields. For example, with an address and wildcard mask of:

The address range is – Simple enough.

However, if the command included an address field like this:

When the command was copied into configuration mode, the router does some math that determines that is actually not the beginning number in that range of addresses, but is. So, IOS would change the parameters to:

Basically, if the address in an address/wildcard pair does NOT list the first IP address in that range, then IOS changes the command to use the first number.

So, your job in these drills is to think about the address ranges, but also to predict whether the command has the correct first value in that range, and if not, state what that value should be.


Summary and Link to the Questions

That’s it! Go forth and practice. You can find the current set of ACL Drills at this link.


Question: Frame Relay Terms and Concepts
ACL Drill Set 1
Notify of

Newest Most Voted
Inline Feedbacks
View all comments

That was really helpful, thanks a lot.


Sure thing Osama!


Mr. Odom Thanks again for your lecture. When will post the answers for the questions related to this?


Hi Dexter,
My habit has been to put 2-3 days between the question and answer. That gives a little time for people to notice it online and take a look before being tempted to see the answer. At least that’s always been my logic! 🙂 I’ll probably roll a couple of Q/A pairs in the next two weeks.
Thanks for playing…

David Folksman

Thanks for this, having studied ICND2 material for a long time, I was looking for an ACL refresher and this is just the ticket! Nice work!


Very helpful thank you!

[…] Look below the fold for the questions. For more information about how an ACL or ACE might change once copied into configuration mode on a router, check out the launch post for the ACL Drills in this blog. […]

[…] post lists the answers to ACL drill set 2. What’s that? Check out this post that explains the details. No stopwatch, no speed requirement for these, unlike the subnetting speed practice. Answers are […]


4.6 Configure, verify, and troubleshoot IPv4 standard numbered and named access list for
routed interfaces

Why are there extended ACL questions here?


The ACL content has moved to and from ICND1 and ICND2 over the years. Also, from a learning perspective, learning extended ACLs vs. stopping with learning only standard ACLs only adds about 20% more effort to the learning process. so I choose to keep it all together to make the learning process better. But I agree, as literally stated, extended ACLs aren’t in the ICND1 exam topics.


Hello Wendell

I noticed a small typo in the text: “drills to to think”


Another typo…

The scenario states the server’s IP address is but the ACL is written with 1.254.


Thanks to you both! Fixed.

Would love your thoughts, please comment.x