Config Lab: Standard Numbered ACL 1
Write a 1-line ACL to match something? Easy. Write a several-line ACL with a bunch of requirements? A little harder. Choosing where to put that multi-line ACL, when the ACL requirements span multiple subnets? Yet another bump. Combine all that with Router-on-a-Stick (ROAS) config, and choosing the interface can be a challenge. Today’s lab gives you all that! Check it out.
The Lab Exercise
Requirements
This lab gives you a set of relatively straightforward ACL requirements, but with enough flexibility to make you think beyond just making this an access-list command syntax exercise. You will also need to review a pretty detailed initial configuration to get your bearings first. Then you have to think about where to put the ACL, on which interface, and in which direction. So it’s a good thinking lab.
The specific rules for this lab are:
- Create a standard numbered ACL that performs the following functions:
- Block all traffic from the 20.0.1.0/24 network to all of the 10.0.0.0 subnets displayed in the figure
- Block all traffic from host 20.0.2.100 to all of the 10.0.0.0 subnets displayed in the figure
- Block all traffic from host 20.0.3.100 to all of the 10.0.0.0 subnets displayed in the figure
- Permit all other traffic
- You choose the device on which to enable the ACL, the interface, and the direction
- You may enable the ACL in one place only, in one direction only
- As seen in the initial configurations:
- Assume all router interfaces shown in the lab are up and working, plus have correct IP addresses assigned
- Assume routing between all devices is configured and operational
- Assume that at least one host exists on each VLAN with an IP address ending in .100 with correct gateways configured.
Figure 1: Two Router ROAS Topology
Initial Configuration
Examples 1, 2, 3, and 4 show the initial configuration state of R1, R2, SW1, and SW2.
hostname R1
!
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.252
no shutdown
!
interface GigabitEthernet0/2
no shutdown
!
interface GigabitEthernet0/2.1
encapsulation dot1q 10
ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/2.2
encapsulation dot1q 20
ip address 10.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2.3
encapsulation dot1q 30
ip address 10.0.3.1 255.255.255.0
!
router ospf 1
network 0.0.0.0 255.255.255.255 area 0
Example 1: R1 Config
hostname R2
!
interface GigabitEthernet0/1
ip address 192.168.1.2 255.255.255.252
no shutdown
!
interface GigabitEthernet0/2
no shutdown
!
interface GigabitEthernet0/2.1
encapsulation dot1q 10
ip address 20.0.1.1 255.255.255.0
!
interface GigabitEthernet0/2.2
encapsulation dot1q 20
ip address 20.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2.3
encapsulation dot1q 30
ip address 20.0.3.1 255.255.255.0
!
router ospf 1
network 0.0.0.0 255.255.255.255 area 0
Example 2: R2 Config
hostname SW1
!
vlan 10,20,30
!
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
no shutdown
!
interface GigabitEthernet1/0/2
switchport access vlan 10
!
interface GigabitEthernet1/0/3
switchport access vlan 20
!
interface GigabitEthernet1/0/4
switchport access vlan 30
Example 3: SW1 Config
hostname SW2
!
vlan 10,20,30
!
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
no shutdown
!
interface GigabitEthernet1/0/2
switchport access vlan 10
!
interface GigabitEthernet1/0/3
switchport access vlan 20
!
interface GigabitEthernet1/0/4
switchport access vlan 30
Example 4: SW2 Config
Answer Options
You can learn a lot and strengthen real learning of the topics by creating the configuration – even without a router or switch CLI. In fact, these labs were originally built to be used solely as a paper exercise!
To answer, just think about the lab. Refer to your primary learning material for CCNA, your notes, and create the configuration on paper or in a text editor. Then check your answer versus the answer post, which is linked at the bottom of the lab, just above the comments section.
You can also implement the lab using the Cisco Packet Tracer network simulator. With this option, you use Cisco’s free Packet Tracer simulator. You open a file that begins with the initial configuration already loaded. Then you implement your configuration and test to determine if it met the requirements of the lab.
(Use this link for more information about Cisco Packet Tracer.)
Use this workflow to do the labs in Cisco Packet Tracer:
- Download the .pkt file linked below.
- Open the .pkt file, creating a working lab with the same topology and interfaces as the lab exercise.
- Add your planned configuration to the lab.
- Test the configuration using some of the suggestions below.
You can also implement the lab using Cisco Modeling Labs – Personal (CML-P). CML-P (or simply CML) replaced Cisco Virtual Internet Routing Lab (VIRL) software in 2020, in effect serving as VIRL Version 2.
If you prefer to use CML, use a similar workflow as you would use if using Cisco Packet Tracer, as follows:
- Download the CML file (filetype .yaml) linked below.
- Import the lab’s CML file into CML and then start the lab.
- Compare the lab topology and interface IDs to this lab, as they may differ (more detail below).
- Add your planned configuration to the lab.
- Test the configuration using some of the suggestions below.
Download this lab’s CML file!
Network Device Info:
This table lists the interfaces used in the lab exercise documentation that differ from those used in the sample CML file.
Device | Lab Port | CML Port |
SW1 | G1/0/1 | G0/1 |
SW1 | G1/0/2 | G0/2 |
SW1 | G1/0/3 | G0/3 |
SW1 | G1/0/4 | G1/0 |
SW2 | G1/0/1 | G0/1 |
SW2 | G1/0/2 | G0/2 |
SW2 | G1/0/3 | G0/3 |
SW2 | G1/0/4 | G1/0 |
Lab Answers Below: Spoiler Alert
Lab Answers: Configuration
Answers
Figure 1: Two Router ROAS Topology
interface GigabitEthernet0/1
ip access-group 1 in
!
access-list 1 deny 20.0.2.100
access-list 1 deny 20.0.3.100
access-list 1 deny 20.0.1.0 0.0.0.255
access-list 1 permit any
Example 5: R1 Config
Commentary, Issues, and Verification Tips
Commentary
Engineers use router IP ACLs for several useful purposes. Those purposes range from filtering packets as they pass through the router, based on the values in the packet header, to using those same header fields to determine which packets need to have an IP service applied and which do not. This is why it is good to get comfortable with how they are configured, processed, and applied.
With this lab, you were tasked with configuring a standard ACL to block traffic from one subnet and from two specific hosts, all in subnets connected to router R2. The solution I chose matches on source IP address only: the 20.0.1.0/24 subnet and the two hosts, all located in the connected subnets off router R2. That leaves the choice of where to place the ACL in the network.
As for where to place the ACL:
Both switches in this lab act as layer 2 switches (their configurations contain only VLAN and trunk/access settings, with no layer 3 config), so an IP ACL cannot be applied on either switch. The ACL therefore needs to be applied on router R1 or R2.
For traffic flowing from R2’s LAN subnets toward R1’s LAN subnets, the interfaces on which an IP ACL could be enabled were:
- R2’s G0/2 subinterfaces (G0/2.1, G0/2.2, G0/2.3) inbound
- R2’s G0/1 outbound
- R1’s G0/1 inbound
- R1’s G0/2 subinterfaces (G0/2.1, G0/2.2, G0/2.3) outbound
The lab exercise asks for a standard ACL. Because a standard ACL matches only the source address, it should be applied as close to the destination as possible; otherwise it blocks that source from reaching every destination beyond the filter point. In this case, that means router R1. However, the lab added an extra requirement: you can enable the ACL on one interface and in one direction only. That raises the question: could you apply the ACL outbound on R1’s G0/2 physical interface and have it filter traffic on that interface and all of its subinterfaces? The answer is no. An IP ACL must be applied on the interface where the IP address is configured, so to filter outbound traffic on R1’s G0/2, you would actually need to enable it on G0/2.1, G0/2.2, and G0/2.3, that is, in three places. The requirement to enable the ACL in one location only therefore rules out R1’s subinterfaces.
The sample answer uses the close-to-the-destination (R1) solution, applied inbound on R1’s G0/1 interface, the one R1 interface that every packet from R2’s subnets must enter. The access-list commands themselves are straightforward: access-list 1 deny 20.0.1.0 0.0.0.255, access-list 1 deny 20.0.2.100, access-list 1 deny 20.0.3.100, and access-list 1 permit any. (Note: In older versions of IOS, the host keyword is required in front of a single matching address.)
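As an added example (not part of the lab’s device configs, and not an IOS feature), the Python below models how a standard numbered ACL is evaluated: wildcard-mask matching, first-match processing, and the implicit deny at the end. It runs the lab’s ACL from Example 5 against a constructed set of source addresses, then contrasts it with two variants a reader might try: a single broader deny (20.0.0.0 0.0.255.255), which also blocks hosts the lab says to permit, and the same ACL with permit any left off. The sample hosts other than the .100 hosts are assumptions chosen for the test.

```python
"""Standard numbered ACL evaluator.

Added example for this lab (not part of the lab's device configs): it models
how IOS evaluates a standard IPv4 ACL against a packet's source address.
Entries are checked top-down, the first match decides, and every ACL ends
with an implicit 'deny any'. The EXPECTED table below is constructed from
the lab requirements plus a few hosts that 'permit all other traffic' covers.
"""
import ipaddress
from typing import Dict, List, Tuple

# One access control entry: (action, address as int, wildcard mask as int).
ACE = Tuple[str, int, int]


def parse_ace(line: str) -> ACE:
    """Parse 'access-list <n> permit|deny <source>' into an ACE.

    Source forms accepted, as in IOS standard ACLs:
      any                 -> matches every address
      host A.B.C.D        -> exactly one address
      A.B.C.D [wildcard]  -> wildcard omitted means 0.0.0.0 (one host)
    """
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list command: {line!r}")
    action = tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line!r}")
    src = tokens[3:]
    if src[0] == "any":
        return action, 0, 0xFFFFFFFF
    if src[0] == "host":
        return action, int(ipaddress.IPv4Address(src[1])), 0
    addr = int(ipaddress.IPv4Address(src[0]))
    wildcard = int(ipaddress.IPv4Address(src[1])) if len(src) > 1 else 0
    return action, addr, wildcard


def parse_acl(config: str) -> List[ACE]:
    """Parse a block of access-list lines in the order they were entered."""
    return [parse_ace(l) for l in config.strip().splitlines() if l.strip()]


def ace_matches(ace: ACE, src_ip: str) -> bool:
    """Wildcard-mask compare: 0 bits must match, 1 bits are 'don't care'."""
    _, addr, wildcard = ace
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(src_ip)) & care) == (addr & care)


def evaluate(acl: List[ACE], src_ip: str) -> str:
    """Return 'permit' or 'deny' for one packet; first match wins."""
    for ace in acl:
        if ace_matches(ace, src_ip):
            return ace[0]
    return "deny"  # the implicit deny at the end of every IOS ACL


LAB_ACL = """
access-list 1 deny 20.0.2.100
access-list 1 deny 20.0.3.100
access-list 1 deny 20.0.1.0 0.0.0.255
access-list 1 permit any
"""

# Constructed sample sources: the three the lab says to block, plus hosts in
# the same subnets (and R2's own WAN address) that must still be permitted.
EXPECTED: Dict[str, str] = {
    "20.0.1.100": "deny",     # in 20.0.1.0/24
    "20.0.1.7": "deny",       # any other host in 20.0.1.0/24 (assumed host)
    "20.0.2.100": "deny",     # the specific host
    "20.0.2.50": "permit",    # same VLAN, different host (assumed): must pass
    "20.0.3.100": "deny",     # the specific host
    "20.0.3.50": "permit",    # same VLAN, different host (assumed): must pass
    "192.168.1.2": "permit",  # packets R2 itself sources on the link
}


def check_acl(config: str, expected: Dict[str, str] = EXPECTED) -> Dict[str, str]:
    """Evaluate every sample source against the ACL text."""
    acl = parse_acl(config)
    return {ip: evaluate(acl, ip) for ip in expected}


def requirements_met(config: str, expected: Dict[str, str] = EXPECTED) -> bool:
    """True only if every sample source gets the verdict the lab requires."""
    return check_acl(config, expected) == expected


# Two common mistakes, for contrast: a single broader deny that over-blocks,
# and the lab ACL with its explicit 'permit any' forgotten.
BROAD_ACL = "access-list 1 deny 20.0.0.0 0.0.255.255\naccess-list 1 permit any\n"
NO_PERMIT_ACL = "\n".join(LAB_ACL.strip().splitlines()[:-1])

if __name__ == "__main__":
    for name, cfg in (("lab", LAB_ACL), ("broad", BROAD_ACL), ("no permit", NO_PERMIT_ACL)):
        verdicts = check_acl(cfg)
        wrong = sorted(ip for ip, v in verdicts.items() if v != EXPECTED[ip])
        print(f"{name:10s} meets requirements: {requirements_met(cfg)}  wrong: {wrong}")
```

Run it with python3 and it reports which sample sources each variant gets wrong: the broad deny fails on 20.0.2.50 and 20.0.3.50, and the ACL without permit any fails on every permitted source because the implicit deny catches them. One caveat the source-only matching makes clear: placed inbound on R1’s G0/1, the ACL also blocks those same sources from reaching R1’s own addresses (192.168.1.1 and the subinterface addresses), not just the 10.0.0.0 subnets. In this topology nothing else sits behind R1, so the lab’s requirements are still met, but in a larger network that side effect is why standard ACLs belong near the destination.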
Known Issues in this Lab
This section of each Config Lab Answers post lists any known issues with Packet Tracer related to this lab. In this case, the issues are:
# | Summary | Detail |
1 | None | No known issues related to this lab. |
Why Would Cisco Packet Tracer Have Issues?
(Note: The below text is the same in every Config Lab.)
Cisco Packet Tracer (CPT) simulates Cisco routers and switches. However, CPT does not run the same software that runs in real Cisco routers and switches. Instead, developers wrote CPT to predict the output a real router or switch would display given the same topology and configuration, but without performing all the same tasks an actual device has to do. On a positive note, CPT requires far less CPU and RAM than a lab full of devices, so you can run CPT on your computer as an app. In addition, simulators like CPT help you learn about the Cisco router/switch user interface, the Command Line Interface (CLI), without having to own real devices.
CPT can have issues compared to real devices because CPT does not run the same software as Cisco devices. CPT does not support all commands or parameters of a command. CPT may supply output from a command that differs in some ways from what an actual device would give. Those differences can be a problem for anyone learning networking technology because you may not have experience with that technology on real gear – so you may not notice the differences. So this section lists differences and issues that we have seen when using CPT to do this lab.
Beyond comparing your answers to this lab’s Answers post, you can test in Cisco Packet Tracer (CPT) or Cisco Modeling Labs (CML). In fact, you can and should explore the lab once configured. For this lab, once you have completed the configuration, try these verification steps.
- Issue the show ip access-lists and show access-lists commands to display the access-lists.
- Issue the show ip interface command and look for the lines on each interface that identify whether any ACLs are enabled, and if so, which ACLs and in which direction.
- Add some hosts to the topology and use some ping and traceroute commands to generate traffic and test the ACLs. Because all the requirements mention IP packets only and not specific applications, you can use any command to drive traffic to test the ACL.
Why can the ACL not be applied to router 1 G0/2 out?
Hi Ausman,
The explanation about that specific point is in the 2nd-to-last paragraph of the commentary tab. Take a look, and follow up if that doesn’t answer your question.
Wendell
I think the image has a dead link (https://files.certskills.com/blogfigs/clab154-01.svg).
Thanks, Emil, and any others of you that noted the issue. Turns out some Linux maintenance broke a feature that broke many links on these posts. Seeing your comment(s) was very useful so I’d know to take a look. All good now. Thanks much.
Why is it not possible to apply the ACL to switch’s G1/0/1 port?
Hey Thomas,
The ACL is an IP ACL. Those work on devices that perform IP routing. Some switches – actually many switches – default to operate as a layer 2 switch, but can also be configured to act as a layer 3 switch, which basically means they also act as a router. If the switch were configured to act as a layer 3 switch, on any interface on which layer 3 logic had been enabled, it would be possible to enable an IP ACL on that interface.
But… in this scenario, the switches are both acting as layer 2 switches, with no layer 3 functions enabled. So if you tried the ip access-group interface subcommand on the switch, it would reject the command.
Hope this helps…
This is a very confusing/misleading lab. The requirement says one place in one direction only. I was not aware that one place meant you couldn’t enable the multiple sub interfaces (single physical interface). I also set mine as R1 G0/2 outbound to place it as close as possible to the destination.
Great lab thank you
Where does it say the switches are L2?
Hi Luis,
The lab doesn’t state that fact in the text. Instead, you should see the various evidences that the switches are acting only as layer 2 switches. For example:
– the icons are layer 2 switch icons
– The switch configs show only layer 2 config with no layer three config
– The router ROAS config shows R1 connected to the subnets that exist on VLANs 10, 20, and 30 per the figure, so if the attached switch were acting as a layer three switch, the ROAS config would have no meaning.
So, you need to be able to look at a CCNA question on exam day and tell if a switch is meant to be a layer 2 switch or layer 3 switch. The good news is that in the vast majority of cases, it’s a layer 2 switch, and you would likely have an overt clue that it’s a layer 3 switch, like a layer 3 switch icon, or layer 3 switch config, or a mention in the question.
Hope this helps…
Wendell
Your explanation for not using R2 g0/2 interface is still not clear to me. Can you please explain it further.
Hi Sandy,
Well, I’d be willing to give more if you’d tell me more of what you’re thinking as to why R2 G0/2 would work. That would help me know what’s giving you trouble. Keep in mind these rules:
IP ACLs work on interfaces that have IP addresses
Outbound ACLs examine IP packets the router forwards out an IP-enabled interface
Inbound ACLs examine IP packets the router receives in an IP-enabled interface
R2 G0/2 has no IP address and does not have IP enabled.
Those rules may have connected the dots already? If not, describe your logic in choosing R2 G0/2.
Does the following command satisfy all deny requirements for simplicity’s sake?
access-list 1 deny 20.0.0.0 0.0.255.255
That’s what I used and if I put a PC host in each VLAN off SW2 it blocks all traffic from those subnets.
Hey Gabriel,
As long as you understand what it’s matching, I’m good with your answer. For exam purposes, just make sure you read the wording carefully. But for real life, match the packets as efficiently as you can; the fewer the ACEs, the better. (In my solution, I used one ACE per bullet point in the lab, just to be more obvious.)
Wendell
Hi again everybody at CertSkills. Thank you very much for labs and study material from your site. Much appreciated.
You’re quite welcome!