Extended IPv4 ACL Drill 1 – Answers

By certskills May 5, 2017 09:05

The previous post listed a set of ACL requirements that require an IPv4 Extended ACL. Your job: using those requirements, configure an extended named ACL. Of course, this post makes no sense without the post that states the requirements, so check out that post first. Answers and comments are below the fold.

Ground Rules

The words that describe the requirements for an ACL can often be interpreted in several ways. So, before reading these answers, consider:

  • Your answer may be correct per your interpretation of the requirements…
  • …while being different from the answer listed here.

For the answer shown here, I tried to work through the requirements one by one, with a line in the ACL for each requirement. Feel free to comment about alternate answers, but FYI, that’s how I came up with these.

On to the answers!


Subnets in Use

All the answers will use the subnets of host A and Server S, so a few words about those first.

To match the subnet of host A, you need to find the subnet ID and the matching wildcard mask. First, calculate the subnet ID:

  1. R1’s G0/1 interface address/mask is
  2. Calculate the subnet ID as

Then, to find the correct wildcard (not subnet) mask to use:

  1. Convert prefix mask /25 to dotted decimal mask
  2. Subtract it from to get
  3. Use as the wildcard mask in the ACL statement.

For subnet 3, using the same logic:

  1. R3’s G0/1 interface address/mask is
  2. To match the subnet, use the subnet ID of
  3. Convert prefix mask /25 to dotted decimal mask
  4. Subtract it from to get
  5. Use as the wildcard mask.
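The subnet-ID and wildcard-mask steps above, as an added example (not code from the original post), carried through in Python for several constructed interface addresses. The addresses are made up for illustration and are not the ones in the drill's figure; only the /25 prefix length comes from the post. The function derives the subnet ID, expands the prefix to a dotted-decimal mask, subtracts that mask from 255.255.255.255 to get the wildcard, and cross-checks the hand arithmetic against the standard library:

```python
import ipaddress
from typing import Tuple


def subnet_id_and_wildcard(address: str, prefix_len: int) -> Tuple[str, str, str]:
    """Return (subnet_id, dotted_subnet_mask, wildcard_mask) for an interface address.

    Follows the manual procedure: AND the address with the prefix mask to get
    the subnet ID, then subtract the dotted mask from 255.255.255.255 to get
    the wildcard mask (a 1 bit in the wildcard means "don't care").
    """
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    ip = int(ipaddress.IPv4Address(address))
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    subnet = ip & mask
    wildcard = 0xFFFFFFFF - mask  # 255.255.255.255 minus the subnet mask

    def dotted(n: int) -> str:
        return str(ipaddress.IPv4Address(n))

    return dotted(subnet), dotted(mask), dotted(wildcard)


def acl_address_tokens(address: str, prefix_len: int) -> str:
    """The 'subnet-id wildcard' pair as typed in an IOS extended ACL entry."""
    subnet, _, wildcard = subnet_id_and_wildcard(address, prefix_len)
    return f"{subnet} {wildcard}"


def cross_check(address: str, prefix_len: int) -> bool:
    """Confirm the hand calculation against ipaddress (hostmask == wildcard)."""
    net = ipaddress.IPv4Network(f"{address}/{prefix_len}", strict=False)
    expected = (str(net.network_address), str(net.netmask), str(net.hostmask))
    return subnet_id_and_wildcard(address, prefix_len) == expected


if __name__ == "__main__":
    # Constructed interface addresses, NOT those in the drill's figure.
    for addr, plen in (("10.1.1.1", 25), ("10.3.3.129", 25), ("192.168.4.77", 28)):
        subnet, mask, wildcard = subnet_id_and_wildcard(addr, plen)
        print(f"{addr}/{plen}: subnet {subnet} mask {mask} wildcard {wildcard} "
              f"-> ACL tokens '{acl_address_tokens(addr, plen)}' "
              f"(cross-check {'ok' if cross_check(addr, plen) else 'FAILED'})")
```

The common mistake the post warns about is typing the subnet mask (255.255.255.128) where the wildcard (0.0.0.127) belongs; with a subnet mask in the wildcard position the entry silently matches only the bits that should have been ignored, so running the cross-check before pasting the line into a router is cheap insurance.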



Of note for this particular answer:

  • The ACL is located on R2, in the direction pointing towards the server, so any matching of well-known ports should be a match of the ACL’s destination port number.
  • Any ACL statement that matches a port number must use either the tcp or udp keyword; the port parameters are not accepted with ip or other protocol keywords.
  • As an outbound ACL, the ACL will not filter any packets created by the router itself, so it would not filter any OSPF messages the router generated anyway. ARP is not an IP packet at all, so an IP ACL never matches it in either direction. (More on this topic in the answers for Option 3.)

Figure 1: Topology Used in the ACL Drill


The answers for requirement set 1, for the explicitly identified applications:

Partial Answer

The requirement about denying all other TCP and UDP packets, while permitting all other IP packets besides those, might be a bit tricky. The logic intended by the combined requirements is this sequence:

  1. Permit packets for apps Telnet, World Wide Web, and SMTP
  2. Deny all other TCP and UDP traffic (that wasn’t already permitted)
  3. Permit all other IP traffic (that wasn’t already denied)

With that in mind, the following answer ends with three statements in this order: deny all other TCP, deny all other UDP, and then permit all other IP. Without those final three commands, all other IP packets would have been denied because of the implied deny any any at the end of every ACL. (Also note that the configuration enables the ACL on the interface as suggested in the lab.)
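To make the first-match logic of that three-step sequence concrete, here is an added example (not the post's answer, whose addresses and exact statements are not reproduced here): a small outbound-ACL evaluator in Python. The source subnet, server address and sample packets are constructed for illustration. The ACL is built from the three-step logic described above, with ports matched on the destination side as the "Of note" list requires, and the evaluator also models the fact that an outbound ACL never filters packets the router itself generates:

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Packet(NamedTuple):
    proto: str                      # "tcp", "udp", "icmp", "ospf", ...
    src: str
    dst: str
    dport: Optional[int] = None     # destination port, tcp/udp only
    router_generated: bool = False  # created by the router the ACL sits on


class Entry(NamedTuple):
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every IPv4 protocol
    src: str                        # "any", "host A.B.C.D", or "subnet wildcard"
    dst: str
    dport: Optional[int] = None     # "eq <port>", only legal with tcp or udp


def _addr_matches(spec: str, addr: str) -> bool:
    """Apply an IOS address/wildcard spec to a concrete address."""
    if spec == "any":
        return True
    parts = spec.split()
    net, wc = (parts[1], "0.0.0.0") if parts[0] == "host" else (parts[0], parts[1])
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wc))
    care = ~w & 0xFFFFFFFF          # wildcard bit 0 = must match, 1 = don't care
    return a & care == n & care


def _entry_matches(e: Entry, p: Packet) -> bool:
    if e.dport is not None and e.proto not in ("tcp", "udp"):
        raise ValueError("port matching requires the tcp or udp keyword")
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (_addr_matches(e.src, p.src) and _addr_matches(e.dst, p.dst)):
        return False
    return e.dport is None or e.dport == p.dport


def evaluate_outbound(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation of an outbound ACL.

    Returns (action, 1-based entry number). ("deny", None) means the implicit
    'deny any any' at the end of the list applied. Packets the router created
    itself are never checked by an outbound ACL ("not filtered", None).
    """
    if p.router_generated:
        return "not filtered", None
    for i, e in enumerate(acl, start=1):
        if _entry_matches(e, p):
            return e.action, i
    return "deny", None


# Constructed values; NOT the addresses from the drill's figure.
SUBNET_A = "10.1.1.0 0.0.0.127"
SERVER_S = "host 10.3.3.10"


def build_acl(include_tail: bool) -> List[Entry]:
    """The three-step ordering from the post, with or without its final three lines."""
    acl = [
        Entry("permit", "tcp", SUBNET_A, SERVER_S, 23),  # Telnet
        Entry("permit", "tcp", SUBNET_A, SERVER_S, 80),  # World Wide Web
        Entry("permit", "tcp", SUBNET_A, SERVER_S, 25),  # SMTP
    ]
    if include_tail:
        acl += [
            Entry("deny", "tcp", "any", "any"),    # all other TCP
            Entry("deny", "udp", "any", "any"),    # all other UDP
            Entry("permit", "ip", "any", "any"),   # all other IP
        ]
    return acl


SAMPLE = {  # constructed test packets
    "telnet": Packet("tcp", "10.1.1.50", "10.3.3.10", 23),
    "https": Packet("tcp", "10.1.1.50", "10.3.3.10", 443),
    "dns": Packet("udp", "10.1.1.50", "10.3.3.10", 53),
    "ping": Packet("icmp", "10.1.1.50", "10.3.3.10"),
    "ospf_hello": Packet("ospf", "10.3.3.1", "224.0.0.5", router_generated=True),
}


def decisions(include_tail: bool) -> dict:
    """Decision for every sample packet, keyed by the packet's name."""
    acl = build_acl(include_tail)
    return {name: evaluate_outbound(acl, p) for name, p in SAMPLE.items()}


if __name__ == "__main__":
    for tail in (True, False):
        print(f"--- with final three lines: {tail}")
        for name, (action, line) in decisions(tail).items():
            print(f"{name:11s} -> {action} (entry {line if line else 'implicit'})")
```

Run both ways, the only packet whose fate changes is the ping: with the final three lines it is permitted by entry 6, without them it falls through to the implicit deny. The HTTPS and DNS packets are denied either way, but for different reasons (an explicit deny versus the implicit one), which matters when you read `show access-lists` hit counters during troubleshooting. The router-generated OSPF hello is never evaluated at all.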

Completed Answer

