ACL Drill Set 2

By certskills July 24, 2015 09:05

Here’s another ACL drill set. What’s that? Check out this post that explains the details. No stopwatch, no speed requirement for these, unlike the subnetting speed practice. Just focus on getting the right answer. For this post, you will create a small but complete ACL, with one or more ACEs (commands) per ACL. This post has three such exercises. Questions are below the fold!

First, use this same figure as the backdrop:

Here are the requirements. Your job: create a numbered ACL, with one or more lines, and enabled on the correct interface, to implement the requirements.

1) Host C ( attempts to connect to Telnet server S3 ( Your ACL will be applied outbound on R2’s S0/0/1 interface. Permit traffic from host C to telnet services on S3. However, also prevent access from Host C to Telnet server S4 (, as well as telnet services on all servers in that same subnet. Permit all other traffic.

2) Host B ( pings the four servers in the network: S1 (, S2 (, S3 (, and S4 ( The configuration will enabled an ACL on R1’s F0/0 interface, inbound. Configure an ACL so that host B can still successfully ping servers in the same subnets as S1 and S4, but filter so that the pings to servers in the same subnet as S2 and S3 fail.

3) Repeat #1, but for an ACL that will be placed on R1’s F0/1 as an inbound ACL, and match all packets in Host C’s subnet and in servers S3’s subnet.

Answer to an Earlier STP Question
Answers: ACL Drill Set 2
By certskills July 24, 2015 09:05
Write a comment


  1. RN March 3, 19:15

    Hi Wendell,

    Aren’t B and S1 suppose to be on the same subnet?



    Reply to this comment
    • CCENTSkills March 7, 10:30

      They are indeed! 🙂 There’s no need to permit traffic going to the subnet where B and S1 reside, because the router doesn’t process those packets.

      Reply to this comment
  2. Mauricio April 25, 18:30

    Hi Mr. Wendell,

    Readind the stem of this question, I’ve understood that the ACL must allow Host B’s ping to S1 (that’s in the same subnetwork), S2, S3, and S4 IP address and deny Host B’s ping to the others servers in S2 and S3 subnetwork. So I’ve included these two ACEs

    access-list 112 permit icmp host host
    access-list 112 permit icmp host host

    to the ACL before the ACE that allow Host B ping to S4 IP address and all other servers in the same subnetwork,

    access-list 112 permit icmp host

    as the answer that you’ve posted. Is that correct or I didn’t understand the question?

    Thank you,


    Reply to this comment
    • certskills Author May 12, 08:37

      Yeah, I think you’re reading #2 a little differently than I intended it back in 2015 when I wrote this. 🙂
      At least based on the sample answer, looks like I meant:
      permit B to ping all addresses in subnet 1 and subnet 4 (aka the subnets where S1 and S2 reside)
      deny B to ping all addresses in subnet 2 and subnet 3

      I’m thinking you read requirements and attempted to permit for S2 and S3, but to deny for all other addresses in subnet 2 and 3?

      Another proof that the wording in English about ACLs can be more challenging than the ACLs themselves. But yes, I think it was just a reasonable different interpretation. As long as you get how to configure it, I think that’s plenty good.

      Reply to this comment
View comments

Write a comment

Comment; Identify w/ Social Media or Email


Subscribe to our mailing list and get interesting stuff and updates to your email inbox.

Thank you for subscribing.

Something went wrong.