Answers: Standard Named ACL 1

By certskills January 16, 2016 12:05

The previous lab exercise requires you to configure a standard named ACL, but as usual, with a few twists. You need to think outside the box a bit to match the correct range of addresses, and work through the choice of what interface to use to enable the ACL. As usual, check the requirements from the previous lab exercise and make your own answer first – it’s an exercise for you. Enjoy!




Figure 1: Two Router ROAS Topology

Example 5: R2 Config



ACLs serve a number of purposes, from something as simple as blocking the traffic from a specific host or group of hosts, to supporting other features such as Network Address Translation (NAT), which uses an ACL to identify the traffic to translate. This is why it is good to get comfortable with how they are configured, how they are processed, and how they are applied.

In this lab you were tasked with configuring a standard ACL to block the traffic from two different networks and a specific host. Cisco suggests placing standard ACLs as close to the destination as possible, because a standard ACL matches only the source address; in this case that puts it on R2. Because the requirements allow us to enable the ACL on as many interfaces as we want, but on just one device, the solution shown here puts the ACL on router R2 and enables it outbound on the three ROAS subinterfaces of R2’s G0/2 interface.

The one challenging match in the requirements is to block the traffic from the and subnets with a single command. These two named IPv4 ACL commands could be used to match and deny packets from those subnets separately:



To match them with one command, think about these two subnets as a single range of addresses, which includes the numbers from – That happens to be the same range of numbers as in the subnet, which can be matched with the deny command, as seen in the answer. This shortcut only works when the two subnets are adjacent and line up on the boundary of the larger subnet; otherwise the single command would also match addresses the requirements did not ask you to block.

The command to match the single host is deny Note that in older versions of IOS the host keyword was required in front of a single matching address, but it is not today: a source address with no wildcard mask is treated as a single host (wildcard 0.0.0.0).
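The reasoning in the last two paragraphs (summarizing two subnets into one deny line, matching a single host without the host keyword, and first-match processing with the implicit deny) can be checked mechanically. The following Python script is an added example, not the lab's own answer or the blog's code; the subnets 10.1.0.0/24, 10.1.1.0/24 and the host 10.1.5.9 are constructed numbers chosen for illustration, not the lab's addresses, and the ACL name ThisACL is taken from the text. It computes the summary prefix and its IOS wildcard mask, warns when the summary would over-match, emits the equivalent named-ACL lines, and evaluates sample source addresses against the list the way IOS does.

```python
import ipaddress


def summarize(networks):
    """Smallest single prefix that covers every network in the list.

    This is the 'one range of addresses' idea: two adjacent, aligned subnets
    can be matched by one deny line using the summary prefix and wildcard.
    """
    nets = [ipaddress.ip_network(n) for n in networks]
    first = min(int(n.network_address) for n in nets)
    last = max(int(n.broadcast_address) for n in nets)
    for prefix in range(32, -1, -1):
        cand = ipaddress.ip_network(f"{ipaddress.ip_address(first)}/{prefix}", strict=False)
        if int(cand.broadcast_address) >= last:
            return cand
    raise ValueError("unreachable: /0 covers everything")


def wildcard(net):
    """IOS wildcard mask for a prefix: the bitwise inverse of the subnet mask."""
    return str(net.hostmask)


def covers_exactly(summary, networks):
    """True when the summary contains nothing beyond the listed networks.

    False means the single deny line is broader than the requirement and
    would also block hosts you were not asked to block.
    """
    nets = [ipaddress.ip_network(n) for n in networks]
    return list(ipaddress.collapse_addresses(nets)) == [summary]


def ace(action, address, wc="0.0.0.0"):
    """One access-control entry: (action, address, wildcard) as integers.
    A missing wildcard means a single host, as on current IOS."""
    return (action, int(ipaddress.ip_address(address)), int(ipaddress.ip_address(wc)))


def ace_matches(entry, src):
    _, addr, wc = entry
    s = int(ipaddress.ip_address(src))
    # A 1 bit in the wildcard means 'do not care'; compare only the 0 bits.
    return (s & ~wc & 0xFFFFFFFF) == (addr & ~wc & 0xFFFFFFFF)


def evaluate(acl, src):
    """First-match processing; every IOS ACL ends with an implicit deny."""
    for entry in acl:
        if ace_matches(entry, src):
            return entry[0]
    return "deny"


def ios_lines(name, acl):
    """Render the entries as IOS named standard ACL configuration lines."""
    lines = [f"ip access-list standard {name}"]
    for action, addr, wc in acl:
        a = ipaddress.ip_address(addr)
        if wc == 0:
            lines.append(f" {action} {a}")  # single host; no 'host' keyword needed today
        elif wc == 0xFFFFFFFF:
            lines.append(f" {action} any")
        else:
            lines.append(f" {action} {a} {ipaddress.ip_address(wc)}")
    return lines


# Constructed sample requirement (hypothetical numbers, not the lab's):
# block 10.1.0.0/24, 10.1.1.0/24 and host 10.1.5.9; permit everything else.
BLOCKED_NETS = ["10.1.0.0/24", "10.1.1.0/24"]
SUMMARY = summarize(BLOCKED_NETS)
THIS_ACL = [
    ace("deny", str(SUMMARY.network_address), wildcard(SUMMARY)),
    ace("deny", "10.1.5.9"),
    # 'permit any' is assumed here: without it the implicit deny drops all traffic.
    ace("permit", "0.0.0.0", "255.255.255.255"),
]

if __name__ == "__main__":
    print("\n".join(ios_lines("ThisACL", THIS_ACL)))
    print("exact coverage:", covers_exactly(SUMMARY, BLOCKED_NETS))
    for src in ["10.1.1.77", "10.1.5.9", "10.1.5.10", "10.1.2.1"]:
        print(src, evaluate(THIS_ACL, src))
```

Run it as-is to see the generated ACL and the verdict per source address; change BLOCKED_NETS to a pair that is not aligned (for example 10.1.1.0/24 and 10.1.2.0/24) and covers_exactly returns False, which is the warning that a single summary line would block more than the requirement asked for.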

This lab also might have made you wonder whether the ACL could have been applied to the G0/2 physical interface in this case, filtering all IP traffic exiting the interface, and the answer is no. An ACL applied under interface G0/2 itself, rather than under one of its subinterfaces, would be considered for packets routed out G0/2, but not for packets routed out its subinterfaces. So, as shown in the answer, the ip access-group ThisACL out command is used as a subcommand on all three subinterfaces.


  1. HectorJ February 9, 23:26

    You’ve made the point again, Wendell!!! Thanks

  2. jventou June 1, 11:11

    Hi Wendell,

    For this specific case, can we also apply the ACL on R2’s G0/1 as inbound?

  3. Kristian October 27, 18:11

    Hi Wendell, so could we apply the entire ACL inbound, on R2’s G0/1 interface?
    My thinking was to prevent the router having to go through the process of looking up the routing table and having to process the packets only for them to be discarded…

    • certskills Author October 28, 12:43

      Sure, you could filter inbound on R2 as well. And I agree it appears to possibly be a performance improvement. However, most modern-day switches have forwarding ASICs that can handle forwarding rates assuming all ports receive frames at 100%, so I don’t know if it’s of any practical improvement. But yes, that location would work, too.
