Answers: ACL Drill Set 2

By certskills July 27, 2015 09:05

Today’s post lists the answers to ACL drill set 2. What’s that? Check out this post that explains the details. No stopwatch, no speed requirement for these, unlike the subnetting speed practice. Answers are below the fold!

First, use this figure as the backdrop:

Next, I’ve left the problem statements for easier reference, with the answer to follow each:

1) Host C ( attempts to connect to Telnet server S3 ( Your ACL will be applied outbound on R2’s S0/0/1 interface. Permit traffic from host C to telnet services on S3. However, also prevent access from Host C to Telnet server S4 (, as well as telnet services on all servers in that same subnet. Permit all other traffic.

In this case, with a requirement, instead of matching the telnet traffic that should be permitted, the solution just uses the permit all at the end of the list to match that traffic. The first statement matches the traffic that the problem statement asked to be denied.

On R2:

2) Host B ( pings the four servers in the network: S1 (, S2 (, S3 (, and S4 ( The configuration will enabled an ACL on R1’s F0/0 interface, inbound. Configure an ACL so that host B can still successfully ping servers in the same subnets as S1 and S4, but filter so that the pings to servers in the same subnet as S2 and S3 fail.

In this case, the answer relies on the implied deny all at the end of the list to filter the ping traffic to servers S2 and S3, simply permitting the traffic to server S4’s subnet.

On R1:

3) Repeat #1, but for an ACL that will be placed on R1’s F0/1 as an inbound ACL, and match all packets in Host C’s subnet and in servers S3’s subnet.

On R1:


ACL Drill Set 2
An STP Root Question with No Direct Link to the Root
By certskills July 27, 2015 09:05
Write a comment


  1. Jeff August 4, 23:58

    One of your requirements on problem # 1 is that the access list “prevent access from Host C to server S4 (” But although your access list prevents Host C from using S4’s telnet service, it does not prevent it from accessing other services on that particular host.

    Reply to this comment
    • CCENTSkills August 6, 05:56

      Hi Jeff,
      You’re right. I had intended that statement to be specifically about Telnet services, but the words didn’t say that. I’ve edited both the problem statement here and in the problem statement post to clarify. Thanks for the heads up!

      Reply to this comment
  2. Dias October 22, 03:24

    Hi Wendell,

    For the second question, you have permitted traffic to server S4’s subnet right ?
    So, for S4 subnet (, subnet id is
    Can I use access-list 112 permit icmp host ?

    Reply to this comment
  3. Dias October 22, 05:50

    Hi Wendell,

    Sorry, I made a typing mistake in the previous comment. I meant this
    access-list 112 permit icmp host

    Reply to this comment
  4. CCENTSkills October 26, 20:52

    Hi Dias,
    You are indeed correct. I just edited the answer to #2 to match you suggestion. Thanks!

    Reply to this comment
  5. Christine November 20, 23:26

    Hi Wendell,
    There’s a couple typos above: This one in the answer for #2 isn’t a big deal “access-list 112 permit icmp host 10.255.1288.0” Extra 8 in the destination IP.
    The answer for the 3rd one though wouldn’t work at all on Host C’s subnet since it’s on the wrong interface F0/0 instead of F0/1. It’s correct in the Drill on the previous post, just not in the answer.
    Thanks for the blog – good practice.

    Reply to this comment
  6. vfylyk November 26, 03:14

    Hi Wendell,

    As I see the question and answer for drill 2, it looks to me that although host B and server S1 are physically on the same LAN by the diagram, they actually have addresses that are not on the same subnet.

    Host B subnet:
    S1 subnet:

    Then, the only way I see those two communicating is via router R1, maybe as ROAS. This means that an additional rule is needed to allow pings destined to S1’s subnet, e.g. access-list 112 permit icmp host Is that right?

    Also, unless I’m mistaken, on the questions blog post you required named ACLs: “Here are the requirements. Your job: create a named ACL, with one or more lines, and enabled on the correct interface, to implement the requirements.” but here I only see answers with numbered ACLs. Is there a reason why you’re using the numbered ACLs?

    Anyway, thank you for all the drills!

    Reply to this comment
  7. HectorJ February 9, 21:54

    Hi, Wendell. These are my comments:

    1) Before the listed requierements there’s a previous one: “Here are the requirements. Your job: create a named ACL”
    However, it seems like somehow, it changed to a numbered ACL on the answers section.

    2) I’m really aware about what you traying to show with this drill set: the way that an
    implicit deny and an explicit permit from any to any works. However, like in the previous
    drill set, I thought that intention this time was explicitly write down every asked requierement
    This means that, for instance, at the first question I explicitly permit telnet communication
    between host and host

    permit tcp host eq telnet host

    I must say that besides of what I’m saying, I actually included the lines of configurations
    you wrote down on every answer (so, at least, that was ok).

    If it had been a CCNA exam question, what should’ve done?
    Would it be considered a wrong answer if I had explicitly include such a requirements (as I said)?

    3) Third requierement says “match all packets in Host C’s subnet”:

    deny tcp

    doesn’t restrict udp packets.

    Thanks on advance for paying attention to these concerns
    May be is a kind of missunderstanding, beacuse of the way the requirement was written down.
    In my opinion “match all packets” overrides any telnet restriction (or telnet traffic permission)

    Reply to this comment
  8. Jon May 29, 11:39

    Hi Wendell –

    two things

    1. Shouldn’t problem #3 be “ip access-group 113 in”?

    Reply to this comment
  9. Jon June 11, 11:41

    Hi Wendell,

    Shouldn’t the answer to problem #1 contain

    interface S0/0/1
    ip access-group 111 out

    Reply to this comment
  10. nancy June 18, 03:26

    hello wendell ,
    I’m confused with the word “match” in ur statement..

    ‘3) Repeat #1, but for an ACL that will be placed on R1’s F0/1 as an inbound ACL, and match all packets in Host C’s subnet and in servers S3’s subnet.’.

    In the #1 acl ,it allows the traffic from C(only) to S3 with the permit command.
    Then in the #3 acl , “match all packets from C’s subnet” , does it mean that it should deny the traffic from C to S3 ? It can also allow the access…right?

    Reply to this comment
    • CCENTSkills June 19, 07:27

      Hi Nancy,
      The differences in the requirements for #3 are:
      The location of the ACL has changed
      Instead of host C, it’s host C’s subnet
      Instead of server 3, it’s server 3’s subnet

      #3 doesn’t mention any change to the deny/permit action best I can tell. But I could have spelled it out a little better (maybe like the above).

      That work?

      Reply to this comment
  11. troyl July 15, 01:27

    Hi Wendall,
    your assignment starts out with “Here are the requirements. Your job: create a named ACL…..”

    wouldn’t the answers start with:

    ip access-list extended name1
    then subcommands

    to get for the first answer:

    Extended IP access list name1
    10 deny tcp eq telnet host
    20 permit ip any any

    Reply to this comment
    • CCENTSkills July 21, 09:40

      Hi Troy,
      Yep, you’re right. It was easier for me to change the word “named” to “numbered” in the problem statement, though. 🙂 Done. Sorry about that!

      Reply to this comment
  12. Bav December 16, 09:07

    Hi Wendell,

    I don’t think the requirements were clear enough for this one. If you intended to make use of the implicit deny then the question may have been better worded to highlight this and say something like, in as few lines as possible.

    To me it looked like you wanted us to list out all the individual permit/deny statements.

    I suppose in the exam there won’t be any ambiguity as it’s mutiple choice.

    Reply to this comment
    • CCENTSkills December 18, 10:44

      Hi Bav,
      I’ll take a look. Thanks for the input.
      Yep, here in the blog, I do want to be as clear as possible. However, the importance of learning far outweighs any other goal for blog content, so I allow myself some freedom to show posts that allow more freedom than say a typical exam question. Exam questions need to remove ambiguity, while some ambiguity in learning exercises triggers useful confusion (yes, a real learning theory idea), exploration, and better mastery. But I can’t recall if that particular point of ambiguity was intentional or not. 🙂

      Reply to this comment
      • RN March 3, 20:01

        Wendell, I understand what you are saying, but I also found question 2 and it’s answer very unclear.

        In your answer you only allow specific icmp traffic and drop all other traffic whatsoever, rendering the host unusable.

        Also, notice that host B and S1 are connected to the same subnet, but the ip scheme does not much the topology, which also contribute to the confusion.

        I do agree though that this is an interesting question, and so is the answer.

        My answer included five statements: Two permit, two deny, and finally a ‘permit ip any any’ statement.

        Reply to this comment
  13. RN March 3, 19:48

    Hi Wendell,

    In the answer to question 3, you specified the network It should be S3’s subnet.

    S3 IP address and mask is

    So shouldn’t it be



    Reply to this comment
  14. Tobias Larsson December 6, 05:01

    Answer #2 is incorrect, Host B is not on the same subnet as S1, meaning an ACE is required to permit traffic to flow to the S1 subnet, or it would be blocked to the implicit deny rule.

    Reply to this comment
    • CCENTSkills January 16, 11:22

      I agree. the fix though is better if I fix the mistake in the problem post. The problem post shows hosts A, B, and S1 in the same subnet, and the text in the problem post gave an incorrect IP address for host B ( It should have been so B would be in the correct subnet.
      So… I agree, but now that I’ve changed the problem, B is in the same subnet as S1.
      Sorry about the mistake.

      Reply to this comment
  15. Nicola January 11, 08:52

    Hi Wendell,

    In the answer to the 2nd question with that ACL all the traffic will be filtered and instead i was interpreting it as just the ICMP traffic should be filtered. Am i wrong?

    Many thanks for you really great site!

    Reply to this comment
    • CCENTSkills January 21, 10:27

      You are welcome! Glad you’re enjoying it.

      As to your question, two answers.
      1) literally, you are right! Congrats. 🙂
      2) You bring up a point that’s always an issue with ACLs. the requirements were in English. We write the ACL in config. There’s always some room for different interpretation, ambiguity, and so on, so that two people come up with different answers.

      So, on my answer #2, I think we’d agree that the suggested answer does do what the requirements ask – it just does more (filters more traffic). So the listed answer does literally meet the requirement.

      If you’re first thought is something like “But…” – that’s the point. But you are thinking correctly in that the answer filters more.

      Reply to this comment
  16. Austin July 24, 12:44

    I think the questions would be easier to interpret with a bulleted list of requirements. For example, i Filtered ICMP traffic and only ICMP Traffic in my ACL. You filtered ICMP Traffic and everything else (referring to question 2).

    I dont think either of us are wrong, but it takes away from the exercise when there isn’t 1 correct answer.

    Just a suggestion.

    As always thanks for the time and effort you put into these exercises!!!

    Reply to this comment
  17. Edgardo Riccobon January 13, 08:30

    Hello Wendell,

    I’ve got a gripe with answer number 3, specifically:

    access-list 113 deny tcp eq telnet

    The destination address of this ACE should be S3 ( subnet. It looks to me like S3 is in the subnet, with mask, aka /26. So, i think the right ACE should be:

    access-list 113 deny tcp 192.168.2.*192* eq telnet

    I REALLY hope I am right here, else… I’ve got too much work to do.

    Wendell, thank you so much for your time, sometimes it feels like being coached one to one with the effort you put in all of this. I feel like you really care about the people you teach to =D

    Reply to this comment
    • certskills Author January 14, 18:13

      Hi Edgardo,
      First, on the ACL, I think you have the matching logic mastered. I think the issue is parsing the language, which is often the more difficult part. For requirement A:
      – permit from C to Telnet Server S3
      – Deny from C to Telnet server S4
      – permit all other
      – use an ACL outbound on R2’s S0/0/1, which means the source will be S3’s subnet, or S4’s subnet, for matching.
      I think you got all the above, except that I think you read the first dash item above as “deny” from C to Telnet server S3, whereas the lab says “permit”. And as noted in this post’s explanation then, we’re relying on the explicit permit any any at the end of the list to match that traffic. That’s why there’s no ACL matching subnet

      Does that clear it up?

      Second, you’re very welcome! I really do enjoy helping people learn this stuff. Glad it comes across!

      Reply to this comment
  18. GJM April 24, 22:38

    My answers are the literal interpretation of the question without considering the implied deny ip any any at the end. :-/

    access-list 101 permit tcp eq telnet host
    access-list 101 deny tcp eq telnet host
    access-list 101 permit ip any any

    access-list 102 permit icmp host
    access-list 102 permit icmp host
    access-list 102 deny icmp host
    access-list 102 deny icmp host

    access-list 103 permit icmp

    I see now after reading why I got my answers wrong.

    Reply to this comment
    • GJM April 24, 22:48

      Actually I have a follow up question after re-reviewing the requirements for #3 – Shouldn’t S3 destination subnet be and not

      Reply to this comment
      • Wendell Odom April 27, 16:02

        Hi Gabriel,
        If you’re matching S3, yes. But the solution is matching S4 w/ a deny, and then using the permit any at the end of the list to match S3 and everything else.

        Reply to this comment
View comments

Write a comment

Comment; Identify w/ Social Media or Email