Answers: ACL Drill Set 1

By certskills July 20, 2015 09:05

Today’s post lists the answers to ACL drill set 1. What’s that? Check out this post that explains the details. No stopwatch, no speed requirement for these, unlike the subnetting speed practice. Answers are below the fold!

First, use this figure as the backdrop:

Next, I’ve left the problem statements for easier reference, with the answer to follow each:

1) Host A ( attempts to connect to Telnet server S3 ( Your ACL will be applied outbound on R1’s S0/0/0 interface. Permit traffic from host A to telnet services on S3, as well as telnet services on all servers in that same subnet.

permit tcp host eq telnet

2) Host C ( attempts to connect to web server S4 ( Your ACL will be applied outbound on R3’s F0/0 interface. Deny hosts in host C’s subnet from communicating with web services on web server S4.

deny tcp host eq www

(Note: I’m looking for one statement to match what’s listed. You can assume the implied deny all at the end of the ACL, or an explicit permit all at the end; the focus is on getting this one command to match exactly.)

3) Repeat #2, but for an ACL that will be placed on R1’s F0/1 as an outbound ACL.

deny tcp host eq www

(Note: this one just reverses the source and destination parts of the matching logic compared to #2.)
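Added example, not part of the original post: a small Python model of extended-ACL matching that runs the two directional cases in #2 and #3. The drill's real addresses are not reproduced above, so it assumes constructed ones (host C at 10.1.3.1 in 10.1.3.0/24, web server S4 at 10.1.4.4); it also shows the two points raised in the comments below, that `eq 80` and `eq www` match the same port and that IOS zeroes a host address typed with a subnet wildcard.

```python
import ipaddress

# Service names IOS accepts in place of port numbers (subset used by this drill).
PORT_NAMES = {"telnet": 23, "www": 80}

def _i(addr):
    return int(ipaddress.IPv4Address(addr))
def normalize(addr, wildcard):
    """Clear the wildcard's 'don't care' bits, as IOS does when a host address is typed with a mask."""
    return str(ipaddress.IPv4Address(_i(addr) & ~_i(wildcard) & 0xFFFFFFFF))
def wildcard_match(addr, base, wildcard):
    """Bits set to 1 in the wildcard are ignored; every other bit must agree."""
    return (_i(addr) ^ _i(base)) & ~_i(wildcard) & 0xFFFFFFFF == 0
def parse_ace(text):
    """Parse a simplified extended ACE: ACTION PROTO SRC [eq PORT] DST [eq PORT] (protocol ignored; TCP only)."""
    tok, i = text.split(), 2
    def addr():
        nonlocal i
        if tok[i] == "host":
            i += 2; return tok[i - 1], "0.0.0.0"
        if tok[i] == "any":
            i += 1; return "0.0.0.0", "255.255.255.255"
        i += 2; return tok[i - 2], tok[i - 1]
    def port():
        nonlocal i
        if i < len(tok) and tok[i] == "eq":
            p, i = tok[i + 1], i + 2
            return PORT_NAMES[p] if p in PORT_NAMES else int(p)
        return None
    src, sport = addr(), port()
    dst, dport = addr(), port()
    return tok[0], src, sport, dst, dport
def evaluate(acl, pkt):
    """First matching ACE wins; no match is the implicit deny all. pkt = (src, sport, dst, dport)."""
    for action, src, sport, dst, dport in map(parse_ace, acl):
        if (wildcard_match(pkt[0], *src) and wildcard_match(pkt[2], *dst)
                and sport in (None, pkt[1]) and dport in (None, pkt[3])):
            return action
    return "deny"

# Constructed addresses (the drill's figure is not shown here): host C 10.1.3.1 in 10.1.3.0/24, S4 10.1.4.4.
Q2_ACL = ["deny tcp 10.1.3.0 0.0.0.255 host 10.1.4.4 eq 80", "permit ip any any"]   # outbound, R3 F0/0
Q3_ACL = ["deny tcp host 10.1.4.4 eq www 10.1.3.0 0.0.0.255", "permit ip any any"]  # outbound, R1 F0/1
REQUEST = ("10.1.3.1", 49152, "10.1.4.4", 80)  # C -> S4, the packet that exits R3 F0/0
REPLY = ("10.1.4.4", 80, "10.1.3.1", 49152)    # S4 -> C, the packet that exits R1 F0/1

def drill():
    """Q2 denies the request; Q3 denies only the reply and would not match the request at all."""
    return evaluate(Q2_ACL, REQUEST), evaluate(Q3_ACL, REPLY), evaluate(Q3_ACL, REQUEST), normalize("10.1.3.1", "0.0.0.255")
```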



  1. adrikayak November 29, 14:14

    Hello Wendell

    I was wondering whether using a host’s IP address + wildcard mask instead of the host subnet’s Subnet ID + wildcard mask (when one means the whole subnet) is considered correct in the exams when issuing these ACL commands. I am aware of the fact that IOS automatically corrects my command should I use the host’s IP address, but I keep wondering if this practice will cost me points in the exam.

    Thanks in advance

  2. PedroT August 29, 14:12

    Actually, #3 could be configured as “deny tcp host eq www any”, since on the outgoing F0/1 interface only C’s subnet exists.

  3. Bav December 16, 07:41

    Hi Wendell,

    Although not mentioned here I assume it would be acceptable to use the well known port number instead of the well known service name?

    e.g. deny tcp host eq 80

  4. Asia January 11, 11:56

    Hi Wendell,

    In question #3, the config is reversed. Why that way as opposed to writing it out as “ip access-list xxx deny tcp host eq 80?”

    • CCENTSkills January 12, 15:47

      Because of the direction of the ACL. The ACL for #3 is outbound on R1’s F0/1, so the traffic is going TO host C (subnet, not from it. So the matching of the destination subnet has to list Similar reason for listing server S4 as source, because of the direction.

      • Marcin February 13, 15:59

        Does it mean that the traffic from host C will leave R1 and reach S4, then come back, but at this point the ACL on R1 will block it?

        • CCENTSkills February 14, 09:21

          To one level of depth of thinking, the short answer is yes. To a level deeper, the answer is no. That is…
          The ACL does not examine packets sent from host C to reach S4. Those packets reach S4, and then S4 generates new/different packets in reply. Those will flow back to host C. Those packets will exit R1’s F0/1, which will cause R1 to process the ACL.

          • Marcin March 1, 13:58

            Thank you !
