Answers: ACL Drill Set 2

 In 200-301 V2 Ch02: Standard ACLs, 200-301 V2 Part 1: IP ACLs, ACL Drill, CCENT-OLD

Today’s post lists the answers to ACL drill set 2. What’s that? Check out this post that explains the details. No stopwatch, no speed requirement for these, unlike the subnetting speed practice. Answers are below the fold!

First, use this figure as the backdrop:

Next, I’ve left the problem statements for easier reference, with the answer to follow each:

1) Host C ( attempts to connect to Telnet server S3 ( Your ACL will be applied outbound on R2’s S0/0/1 interface. Permit traffic from host C to telnet services on S3. However, also prevent access from Host C to Telnet server S4 (, as well as telnet services on all servers in that same subnet. Permit all other traffic.

In this case, rather than writing a statement that matches the Telnet traffic that should be permitted, the solution lets the permit-all statement at the end of the list match that traffic. The first statement matches the traffic that the problem statement asked to be denied.

On R2:

interface S0/0/1
 ip access-group 111 out
access-list 111 deny tcp eq telnet host
access-list 111 permit ip any any

2) Host B ( pings the four servers in the network: S1 (, S2 (, S3 (, and S4 ( The configuration will enable an ACL on R1’s F0/0 interface, inbound. Configure an ACL so that host B can still successfully ping servers in the same subnets as S1 and S4, but filter so that the pings to servers in the same subnet as S2 and S3 fail.

In this case, the answer relies on the implied deny all at the end of the list to filter the ping traffic to servers S2 and S3, simply permitting the traffic to server S4’s subnet.

On R1:

interface F0/0
 ip access-group 112 in
access-list 112 permit icmp host

3) Repeat #1, but for an ACL that will be placed on R1’s F0/1 as an inbound ACL, and match all packets in Host C’s subnet and in server S3’s subnet.

On R1:

interface F0/1
 ip access-group 113 in
access-list 113 deny tcp eq telnet
access-list 113 permit ip any any
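As an added illustration that is not part of the original post, the following Python models how IOS evaluates an extended ACL: the first matching entry decides, wildcard bits set to 1 are ignored, and a packet that matches nothing hits the implicit deny. The addresses are constructed stand-ins for hosts B and C and the four server subnets, not the figure’s values; ACL_111 and ACL_112 mirror the shape of answers 1 and 2.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")   # IOS keyword 'any'
HOST_WC = "0.0.0.0"                    # IOS keyword 'host' = wildcard 0.0.0.0

def wildcard_match(ip: str, addr: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    ip_i, addr_i, wc_i = (int(ipaddress.IPv4Address(x)) for x in (ip, addr, wildcard))
    care = 0xFFFFFFFF ^ wc_i
    return (ip_i & care) == (addr_i & care)

@dataclass
class ACE:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int] = None  # the 'eq <port>' qualifier; None = any port

    def matches(self, p: dict) -> bool:
        if self.proto != "ip" and self.proto != p["proto"]:
            return False
        if self.dst_port is not None and p.get("dport") != self.dst_port:
            return False
        return (wildcard_match(p["src"], self.src, self.src_wc)
                and wildcard_match(p["dst"], self.dst, self.dst_wc))

def evaluate(acl: list, p: dict) -> str:
    """First matching ACE decides; a packet that matches nothing hits the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny (implicit)"

def pkt(proto: str, src: str, dst: str, dport: Optional[int] = None) -> dict:
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}

# Constructed stand-in addresses (not the figure's): hosts B and C, servers S1..S4 in /24s.
HOST_C, HOST_B = "10.1.1.10", "10.1.2.20"
S1, S2, S3, S4 = "172.16.1.5", "172.16.2.5", "172.16.3.5", "172.16.4.5"

# Answer 1 shape: deny C -> S4's whole subnet on Telnet, then permit everything else.
ACL_111 = [ACE("deny", "tcp", HOST_C, HOST_WC, "172.16.4.0", "0.0.0.255", 23),
           ACE("permit", "ip", *ANY, *ANY)]
# Answer 2 shape: a single permit, relying on the implicit deny for everything else.
ACL_112 = [ACE("permit", "icmp", HOST_B, HOST_WC, "172.16.4.0", "0.0.0.255")]
```

Feeding ACL_112 a ping to S1’s subnet, or any non-ICMP packet, returns the implicit deny, and feeding ACL_111 a UDP packet to port 23 returns permit, because a `deny tcp` entry never matches UDP.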



One of your requirements on problem # 1 is that the access list “prevent access from Host C to server S4 (” But although your access list prevents Host C from using S4’s telnet service, it does not prevent it from accessing other services on that particular host.


Hi Jeff,
You’re right. I had intended that statement to be specifically about Telnet services, but the words didn’t say that. I’ve edited both the problem statement here and in the problem statement post to clarify. Thanks for the heads up!


Hi Wendell,

For the second question, you have permitted traffic to server S4’s subnet, right?
So, for S4 subnet (, subnet id is
Can I use access-list 112 permit icmp host ?


Hi Wendell,

Sorry, I made a typing mistake in the previous comment. I meant this
access-list 112 permit icmp host


Hi Dias,
You are indeed correct. I just edited the answer to #2 to match your suggestion. Thanks!


Hi Wendell,
There are a couple of typos above: This one in the answer for #2 isn’t a big deal: “access-list 112 permit icmp host 10.255.1288.0” Extra 8 in the destination IP.
The answer for the 3rd one though wouldn’t work at all on Host C’s subnet since it’s on the wrong interface F0/0 instead of F0/1. It’s correct in the Drill on the previous post, just not in the answer.
Thanks for the blog – good practice.


Hi Christine,
Thanks! Made both edits. Appreciate the help finding the errors.


Hi Wendell,

As I see the question and answer for drill 2, it looks to me that although host B and server S1 are physically on the same LAN by the diagram, they actually have addresses that are not on the same subnet.

Host B subnet:
S1 subnet:

Then, the only way I see those two communicating is via router R1, maybe as ROAS. This means that an additional rule is needed to allow pings destined to S1’s subnet, e.g. access-list 112 permit icmp host Is that right?

Also, unless I’m mistaken, on the questions blog post you required named ACLs: “Here are the requirements. Your job: create a named ACL, with one or more lines, and enabled on the correct interface, to implement the requirements.” but here I only see answers with numbered ACLs. Is there a reason why you’re using the numbered ACLs?

Anyway, thank you for all the drills!


Hi, Wendell. These are my comments:

1) Before the listed requirements there’s a previous one: “Here are the requirements. Your job: create a named ACL”
However, it seems like somehow it changed to a numbered ACL in the answers section.

2) I’m really aware of what you are trying to show with this drill set: the way that an implicit deny and an explicit permit from any to any work. However, like in the previous drill set, I thought that the intention this time was to explicitly write down every requirement asked. This means that, for instance, for the first question I explicitly permit Telnet communication between host and host

permit tcp host eq telnet host

I must say that, besides what I’m saying, I actually included the lines of configuration you wrote down in every answer (so, at least, that was OK).

If it had been a CCNA exam question, what should I have done?
Would it be considered a wrong answer if I had explicitly included such requirements (as I said)?

3) The third requirement says “match all packets in Host C’s subnet”:

deny tcp

doesn’t restrict UDP packets.

Thanks in advance for paying attention to these concerns.
Maybe it is a kind of misunderstanding, because of the way the requirement was written down.
In my opinion “match all packets” overrides any Telnet restriction (or Telnet traffic permission).


I was thinking the same thing as Hector here!


Hi Wendell –

two things

1. Shouldn’t problem #3 be “ip access-group 113 in”?


Hi Jon,
Oops. Changed. Thanks! Wendell


Hi Wendell,

Shouldn’t the answer to problem #1 contain

interface S0/0/1
ip access-group 111 out


Hello Wendell,
I’m confused by the word “match” in your statement..

‘3) Repeat #1, but for an ACL that will be placed on R1’s F0/1 as an inbound ACL, and match all packets in Host C’s subnet and in servers S3’s subnet.’.

In the #1 ACL, it allows the traffic from C (only) to S3 with the permit command.
Then in the #3 ACL, “match all packets from C’s subnet”, does it mean that it should deny the traffic from C to S3? It can also allow the access... right?


Hi Nancy,
The differences in the requirements for #3 are:
The location of the ACL has changed
Instead of host C, it’s host C’s subnet
Instead of server 3, it’s server 3’s subnet

#3 doesn’t mention any change to the deny/permit action best I can tell. But I could have spelled it out a little better (maybe like the above).

That work?


Hi Wendell,
your assignment starts out with “Here are the requirements. Your job: create a named ACL…..”

wouldn’t the answers start with:

ip access-list extended name1
then subcommands

to get for the first answer:

Extended IP access list name1
10 deny tcp eq telnet host
20 permit ip any any


Hi Troy,
Yep, you’re right. It was easier for me to change the word “named” to “numbered” in the problem statement, though. 🙂 Done. Sorry about that!


Hi Wendell,

I don’t think the requirements were clear enough for this one. If you intended to make use of the implicit deny then the question may have been better worded to highlight this and say something like, in as few lines as possible.

To me it looked like you wanted us to list out all the individual permit/deny statements.

I suppose in the exam there won’t be any ambiguity as it’s multiple choice.


Hi Bav,
I’ll take a look. Thanks for the input.
Yep, here in the blog, I do want to be as clear as possible. However, the importance of learning far outweighs any other goal for blog content, so I allow myself some freedom to show posts that allow more freedom than say a typical exam question. Exam questions need to remove ambiguity, while some ambiguity in learning exercises triggers useful confusion (yes, a real learning theory idea), exploration, and better mastery. But I can’t recall if that particular point of ambiguity was intentional or not. 🙂


Wendell, I understand what you are saying, but I also found question 2 and its answer very unclear.

In your answer you only allow specific icmp traffic and drop all other traffic whatsoever, rendering the host unusable.

Also, notice that host B and S1 are connected to the same subnet, but the IP scheme does not match the topology, which also contributes to the confusion.

I do agree though that this is an interesting question, and so is the answer.

My answer included five statements: Two permit, two deny, and finally a ‘permit ip any any’ statement.


Hi Wendell,

In the answer to question 3, you specified the network It should be S3’s subnet.

S3 IP address and mask is

So shouldn’t it be



Michał Krzyszczuk

From my point of view, you’re right. it should be
access-list 113 deny tcp eq telnet

Tobias Larsson

Answer #2 is incorrect. Host B is not on the same subnet as S1, meaning an ACE is required to permit traffic to flow to the S1 subnet, or it would be blocked due to the implicit deny rule.


I agree. the fix though is better if I fix the mistake in the problem post. The problem post shows hosts A, B, and S1 in the same subnet, and the text in the problem post gave an incorrect IP address for host B ( It should have been so B would be in the correct subnet.
So… I agree, but now that I’ve changed the problem, B is in the same subnet as S1.
Sorry about the mistake.


Hi Wendell,

In the answer to the 2nd question, with that ACL all the traffic will be filtered, and instead I was interpreting it as just the ICMP traffic should be filtered. Am I wrong?

Many thanks for your really great site!


You are welcome! Glad you’re enjoying it.

As to your question, two answers.
1) literally, you are right! Congrats. 🙂
2) You bring up a point that’s always an issue with ACLs. the requirements were in English. We write the ACL in config. There’s always some room for different interpretation, ambiguity, and so on, so that two people come up with different answers.

So, on my answer #2, I think we’d agree that the suggested answer does do what the requirements ask – it just does more (filters more traffic). So the listed answer does literally meet the requirement.

If your first thought is something like “But…” – that’s the point. But you are thinking correctly in that the answer filters more.


I think the questions would be easier to interpret with a bulleted list of requirements. For example, I filtered ICMP traffic and only ICMP traffic in my ACL. You filtered ICMP traffic and everything else (referring to question 2).

I don’t think either of us is wrong, but it takes away from the exercise when there isn’t 1 correct answer.

Just a suggestion.

As always thanks for the time and effort you put into these exercises!!!

Edgardo Riccobon

Hello Wendell,

I’ve got a gripe with answer number 3, specifically:

access-list 113 deny tcp eq telnet

The destination address of this ACE should be S3 ( subnet. It looks to me like S3 is in the subnet, with mask, aka /26. So, I think the right ACE should be:

access-list 113 deny tcp 192.168.2.*192* eq telnet

I REALLY hope I am right here, else… I’ve got too much work to do.

Wendell, thank you so much for your time, sometimes it feels like being coached one to one with the effort you put in all of this. I feel like you really care about the people you teach to =D


My answers are the literal interpretation of the question without considering the implied deny ip any any at the end. :-/

access-list 101 permit tcp eq telnet host
access-list 101 deny tcp eq telnet host
access-list 101 permit ip any any

access-list 102 permit icmp host
access-list 102 permit icmp host
access-list 102 deny icmp host
access-list 102 deny icmp host

access-list 103 permit icmp

I see now after reading why I got my answers wrong.


Actually I have a follow up question after re-reviewing the requirements for #3 – Shouldn’t S3 destination subnet be and not

Wendell Odom

Hi Gabriel,
If you’re matching S3, yes. But the solution is matching S4 w/ a deny, and then using the permit any at the end of the list to match S3 and everything else.
