Standard Named ACL 1

By certskills January 14, 2016 12:05

Standard named ACLs follow a nice simple format, which is great for getting started with ACLs. This next lab gives you some exercise on the basic syntax, while throwing in a few issues related to the application of the ACL. Where should you put it? How does Router-on-a-Stick config (router trunking) impact that choice? And how could you match two consecutive subnets with one deny command? Check out this latest lab to exercise your skills and answer these questions.


This lab gives you a set of relatively straightforward ACL requirements, but with enough flexibility to make you think beyond just making this a configuration exercise. You will also need to review a pretty detailed initial configuration to get your bearings first. Then you have to think about where to put the ACL, on which interface, and in which direction. So it’s a good thinking lab.

The specific rules for this lab are:

  • Create a standard named ACL named “ThisACL” which performs the following functions:
    1. Block all traffic from the and subnets to all of the subnets networks displayed in the figure, using a single command
    2. Block all traffic from the host to all of the networks displayed in the figure
    3. Permit all other traffic
  • You choose the device on which to enable the ACL, the interface, and the direction
  • You may enable the ACL on one router only, but on multiple interfaces and directions as desired
  • As seen in the initial configurations:
    1. Assume all router interfaces shown in the lab are up, working and have correct IP addresses assigned
    2. Assume routing between all devices is configured and operational
    3. Assume that at least one device exists on each VLAN with an IP address ending in .100 with correct gateways configured.


Figure 1: Two Router ROAS Topology

Initial Configuration

Examples 1, 2, 3 and 4 show the beginning configuration state of R1, R2, SW1 and SW2.


Example 1: R1 Config


Example 2: R2 Config


Example 3: SW1 Config


Example 4: SW2 Config


Answer on Paper, or Maybe Test in Lab

Next, write your answer on paper. Or if you have some real gear, or other tools, configure the lab with those tools.

To test your solution if you happen to try it with VIRL or real gear, you can check by verifying it with the show ip access-lists  and show ip interfaces commands. If possible you could also configure additional hosts to the topology to ensure the access-list is working as expected.


Do this Lab with Cisco’s VIRL

You can do these labs on paper and still get a lot out of the lab. As an extra help, we have added files for the Virtual Internet Routing Lab (VIRL) software as well. The .VIRL file found here is a file that when used with VIRL will load a lab topology similar to this lab’s topology, with the initial configuration shown in the lab as well. This section lists any differences between the lab exercise and the .VIRL file’s topology and configuration.

Download this lab’s VIRL file!

Network Device Info

All interfaces in topology match the lab figure.


Host device info:

This table lists host information pre-configured in VIRL, information that might not be required by the lab but may be useful to you.

Device IP Address Mac Address User/password
PC1 02:00:11:11:11:11 cisco/cisco
PC2 02:00:22:22:22:22 cisco/cisco
PC3 02:00:33:33:33:33 cisco/cisco
PC4 02:00:44:44:44:44 cisco/cisco
PC5 02:00:55:55:55:55 cisco/cisco
PC6 02:00:66:66:66:66 cisco/cisco


Handy Host Commands:

To see PC IP address: ifconfig eth1

Ping example: ping -c 4

Trace example: tracepath

To connect to another node within the topology: telnet

Answers: OSPF Network Config 2
Answers: Standard Named ACL 1
By certskills January 14, 2016 12:05
Write a comment


  1. Phil_ccna April 9, 15:28

    Hello Mr Odom,
    First of all, a great thank you for all your work regarding Cisco and Network fields (blog, writting books, tutorial video). I could learn many things thanks to your 100-105 and 200-105 Official Cert guide.

    I have to pass the CCENT within 15 days now. So am finishing my preparation with the good labs you proposed. Then here is my solution for this one:

    interface GigabitEthernet0/0
    ip address
    ip access-group ThisACL out
    duplex auto
    speed auto
    ip access-list standard ThisACL
    deny host
    permit any

    Then, I have decided to do it as a simple way I could do.
    A standard ACL with 3 lines, nevertheless it has the inconvenient to be placed close to the source so not in R2, and furthermore outbound of R1’sG0/1, that will load the CEF for nothing 🙂 Then, I have gathered both subnet and within this lead to cover up to to be denied. Awaiting for your or any comment

    Thank’s so lot, greating from France

    Reply to this comment
  2. Gustavo August 14, 15:12

    I didn’t understand this configuration part

    Vlan 10 – ( – / PC1 – ?
    Vlan 20 – ( – / PC2 – ?
    Vlan 30 – ( – / PC3 – ?

    My answer is:


    R2(config)# ip access-list standard ThisACL
    R2(config-std-nacl)# deny
    R2(config-std-nacl)# deny
    R2(config-std-nacl)# permit any
    R2(config)# int fa0/1.1
    R2(config-subif)# ip access-group ThisACL out
    R2(config)# int fa0/1.2
    R2(config-subif)# ip access-group ThisACL out
    R2(config)# int fa0/1.3
    R2(config-subif)# ip access-group ThisACL out

    Reply to this comment
    • CCENTSkills September 7, 11:17

      Hi Gustavo,
      Two answers.
      First, in the top part of your post, the three lines under your “I didn’t understand…” – I think I don’t understand what you wrote either! 🙂 Seriously, I don’t see where in this post it lists those lines as configuration. Maybe expound if you see this and care to comment?

      On your second part, I like the ACL. It should be applied to subinterfaces of G0/2, not F0/1, but otherwise I like it. It’s also the same solution as in the answer post.
      Answer back if you care to clue me in to more details about what you meant. Thanks!

      Reply to this comment
  3. Patrick October 13, 07:11

    I don’t believe your config is complete, as R1 and R2 will never swap routing information via RIP as network isn’t advertised, so the interfaces aren’t enabled to speak RIP or advertise any networks.

    Reply to this comment
    • certskills Author October 16, 10:41

      You were right – the RIP part of the initial config was incomplete. I fixed it. Thanks for the heads up.

      Reply to this comment
View comments

Write a comment

Comment; Identify w/ Social Media or Email


Subscribe to our mailing list and get interesting stuff and updates to your email inbox.

Thank you for subscribing.

Something went wrong.