ACL Drill Set 1


Here’s the first ACL drill set. What’s that? Check out this post that explains the details. No stopwatch, no speed requirement for these, unlike the subnetting speed practice. Just focus on getting the right answer. Questions are below the fold!

First, use this figure as the backdrop:

Here are the questions. Your job for this drill: Treat each requirement as a completely separate problem. For each, create a one-line ACL, with either a “permit” or “deny” action, to do what the requirement asks.

1) Host A ( attempts to connect to Telnet server S3 ( Your ACL will be applied outbound on R1’s S0/0/0 interface. Permit traffic from host A to telnet services on S3, as well as telnet services on all servers in that same subnet.

2) Host C ( attempts to connect to web server S4 ( Your ACL will be applied outbound on R3’s F0/0 interface. Deny hosts in host C’s subnet from communicating with web services on web server S4.

3) Repeat #2, but for an ACL that will be placed on R1’s F0/1 as an outbound ACL.

Enjoy! Answers in a few days.


permit tcp host 0 eq 23


permit tcp host 0 0.0.31 eq 23


2) deny tcp host eq www


1)access-list 101 permit tcp host eq telnet
2)access-list 101 deny tcp host eq www
3)access-list 101 deny tcp host eq www


Hi Dexter and Samir. The answer post is up! Should be the next post in chronological sequence, linked near where you see this post. But I like your answers! 🙂


If I write it like this, would it be a correct answer to:

permit tcp host eq 23

deny tcp host eq 80

deny tcp host eq 80
Or do I need to use the subnet address as the destination!! Thanks for the reply.


Hi Starter,
Thanks for the post.
Your logic is pretty good. The one issue with your answers is that when you match a subnet, you’re still using the specific IP address along with the wildcard masks. You picked the correct wildcard masks, but you also need to use the subnet ID rather than the specific IP address.

EG, on your first command:
permit tcp host eq 23

Note the link at the bottom of the post to the post that lists the answers as well. 🙂
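
The point made in the reply above (match a subnet with its subnet ID plus the wildcard mask, not with a host's own address), as an added example that is not part of the original post or its comments: a Python sketch that derives the ACL address field from any host address and mask, then applies wildcard matching to test destinations. All addresses are constructed documentation-range values, not the ones from the drill's figure, and the function names are hypothetical.

```python
import ipaddress

def acl_field(ip, mask=None):
    """Address field of an ACL line: 'host <ip>' for a single address,
    '<subnet ID> <wildcard>' when a mask is given (ip may be any host in the subnet)."""
    if mask is None:
        return f"host {ip}"
    # strict=False accepts a host address; the network address is the subnet ID
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return f"{net.network_address} {net.hostmask}"

def one_line_ace(action, src, dst, port):
    """Build a one-line extended ACL entry for TCP with a destination port match."""
    return f"{action} tcp {acl_field(*src)} {acl_field(*dst)} eq {port}"

def wildcard_match(packet_ip, acl_addr, wildcard):
    """Wildcard logic: bits that are 1 in the wildcard are ignored, bits that are 0 must match."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(packet_ip)) & care) == (int(ipaddress.IPv4Address(acl_addr)) & care)

# Constructed sample values (documentation ranges), not the addresses from the figure
CLIENT = ("192.0.2.10",)
SERVER_IN_SUBNET = ("198.51.100.70", "255.255.255.192")

if __name__ == "__main__":
    # One host as source, the server's whole subnet as destination, Telnet (TCP 23)
    print(one_line_ace("permit", CLIENT, SERVER_IN_SUBNET, 23))
    subnet_id, wildcard = acl_field(*SERVER_IN_SUBNET).split()
    # The last address falls outside the subnet and does not match
    for dst in ("198.51.100.70", "198.51.100.100", "198.51.100.130"):
        print(dst, wildcard_match(dst, subnet_id, wildcard))
```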


Question #3 is confusing to me. Looking at other people’s take on the question, it is filtering mostly the return/reverse message from S1. After looking at it that way, I understand how the ACL command would be configured but I did not get to that conclusion from the question alone. Must just be me.
