Config Lab: Standard Named ACL 1
Standard named ACLs follow a nice simple format, which is great for getting started with ACLs. This next lab gives you some exercise on the basic syntax, while throwing in a few issues related to the application of the ACL. Where should you put it? How does Router-on-a-Stick config (router trunking) impact that choice? And how could you match two consecutive subnets with one deny command? Check out this latest lab to exercise your skills and answer these questions.
The Lab Exercise
Requirements
This lab gives you a set of relatively straightforward ACL requirements, but with enough flexibility to make you think beyond just making this a configuration exercise. You will also need to review a pretty detailed initial configuration to get your bearings first. Then you have to think about where to put the ACL, on which interface, and in which direction. So it’s a good thinking lab.
The specific rules for this lab are:
- Create a standard named ACL named “ThisACL” which performs the following functions:
- Block all traffic from the 10.0.1.0/26 and 10.0.1.64/26 subnets to all of the 20.0.0.0/8 networks displayed in the figure, using a single command
- Block all traffic from the 10.0.1.254 host to all of the 20.0.0.0/8 networks displayed in the figure
- Permit all other traffic
- You choose the device on which to enable the ACL, the interface, and the direction.
- The switches function as layer 2 switches only, so the interface on which you enable the ACL will be one of the router interfaces.
- You may enable the ACL on one router only, but on multiple interfaces and directions as desired
- As seen in the initial configurations:
- Assume all router interfaces shown in the lab are up, working, and have correct IP addresses assigned
- Assume routing between all devices is configured and operational
- Assume that at least one device exists on each VLAN with an IP address ending in .100 with correct gateways configured.
Figure 1: Two Router ROAS Topology
Initial Configuration
Examples 1, 2, 3, and 4 show the beginning configuration state of R1, R2, SW1, and SW2.
hostname R1
!
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.252
no shutdown
!
interface GigabitEthernet0/2
no shutdown
!
interface GigabitEthernet0/2.1
encapsulation dot1q 10
ip address 10.0.1.1 255.255.255.192
!
interface GigabitEthernet0/2.2
encapsulation dot1q 20
ip address 10.0.1.65 255.255.255.192
!
interface GigabitEthernet0/2.3
encapsulation dot1q 30
ip address 10.0.1.129 255.255.255.128
!
router ospf 1
network 0.0.0.0 255.255.255.255 area 0
Example 1: R1 Config
hostname R2
!
interface GigabitEthernet0/1
ip address 192.168.1.2 255.255.255.252
no shutdown
!
interface GigabitEthernet0/2
no shutdown
!
interface GigabitEthernet0/2.1
encapsulation dot1q 10
ip address 20.0.1.1 255.255.255.0
!
interface GigabitEthernet0/2.2
encapsulation dot1q 20
ip address 20.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2.3
encapsulation dot1q 30
ip address 20.0.3.1 255.255.255.0
!
router ospf 1
network 0.0.0.0 255.255.255.255 area 0
Example 2: R2 Config
hostname SW1
!
vlan 10,20,30
!
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
no shutdown
!
interface GigabitEthernet1/0/2
switchport access vlan 10
!
interface GigabitEthernet1/0/3
switchport access vlan 20
!
interface GigabitEthernet1/0/4
switchport access vlan 30
Example 3: SW1 Config
hostname SW2
!
vlan 10,20,30
!
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
no shutdown
!
interface GigabitEthernet1/0/2
switchport access vlan 10
!
interface GigabitEthernet1/0/3
switchport access vlan 20
!
interface GigabitEthernet1/0/4
switchport access vlan 30
Example 4: SW2 Config
Answer Options
You can learn a lot and strengthen real learning of the topics by creating the configuration – even without a router or switch CLI. In fact, these labs were originally built to be used solely as a paper exercise!
To answer, just think about the lab. Refer to your primary learning material for CCNA, your notes, and create the configuration on paper or in a text editor. Then check your answer versus the answer post, which is linked at the bottom of the lab, just above the comments section.
You can also implement the lab using the Cisco Packet Tracer network simulator. With this option, you use Cisco’s free Packet Tracer simulator. You open a file that begins with the initial configuration already loaded. Then you implement your configuration and test to determine if it met the requirements of the lab.
Use this workflow to do the labs in Cisco Packet Tracer:
- Download the .pkt file linked below.
- Open the .pkt file, creating a working lab with the same topology and interfaces as the lab exercise.
- Add your planned configuration to the lab.
- Test the configuration using some of the suggestions below.
You can also implement the lab using Cisco Modeling Labs – Personal (CML-P). CML-P (or simply CML) replaced Cisco Virtual Internet Routing Lab (VIRL) software in 2020, in effect serving as VIRL Version 2.
If you prefer to use CML, use a similar workflow as you would use if using Cisco Packet Tracer, as follows:
- Download the CML file (filetype .yaml) linked below.
- Import the lab’s CML file into CML and then start the lab.
- Compare the lab topology and interface IDs to this lab, as they may differ (more detail below).
- Add your planned configuration to the lab.
- Test the configuration using some of the suggestions below.
Network Device Info:
This table lists the interfaces used in the lab exercise documentation that differ from those used in the sample CML file.
Device | Lab Port | CML Port
SW1    | G1/0/1   | G0/1
SW1    | G1/0/2   | G0/2
SW1    | G1/0/3   | G0/3
SW1    | G1/0/4   | G1/0
SW2    | G1/0/1   | G0/1
SW2    | G1/0/2   | G0/2
SW2    | G1/0/3   | G0/3
SW2    | G1/0/4   | G1/0
Lab Answers Below: Spoiler Alert
Lab Answers: Configuration
Answers
interface GigabitEthernet0/2.1
ip access-group ThisACL out
!
interface GigabitEthernet0/2.2
ip access-group ThisACL out
!
interface GigabitEthernet0/2.3
ip access-group ThisACL out
!
ip access-list standard ThisACL
deny 10.0.1.0 0.0.0.127
deny 10.0.1.254
permit any
Example 5: R2 Config
Commentary, Issues, and Verification Tips
Commentary
Engineers use router IP ACLs for several purposes. Those purposes range from filtering packets as they pass through the router, based on the values in the packet header, to using those same header fields to decide which packets need an IP service applied and which do not. That is why it is worth getting comfortable with how ACLs are configured, processed, and applied.
With this lab, you were tasked with configuring a standard ACL to block the traffic from two different networks and a specific host. Cisco suggests that we place standard ACLs as close to the destination as possible. In this case, the closest location is on R2. However, the requirements allow us to choose any interfaces on that one router. So, the solution shown here puts the ACL on router R2 and enables the ACL outbound on the three ROAS subinterfaces on R2’s G0/2 interface.
The one challenging matching action per the requirements is to block the traffic from the 10.0.1.0/26 and 10.0.1.64/26 subnets, but with a single command. These two named IPv4 ACL commands could be used to match and deny packets from those subnets separately:
deny 10.0.1.0 0.0.0.63
deny 10.0.1.64 0.0.0.63
To match them with one command, consider these two subnets as a single range of addresses, including the numbers from 10.0.1.0 – 10.0.1.127. That happens to be the same numbers as in subnet 10.0.1.0/25, which can be matched with the deny 10.0.1.0 0.0.0.127 command, as seen in the answer.
The command to match the single host is: deny 10.0.1.254. Note that in older versions of IOS the host keyword was required in front of a single matching address, but it is optional today.
This lab might also have made you wonder whether the ACL could have been applied to the G0/2 physical interface to filter all IP traffic exiting that interface. The answer is no. An ACL applied under interface G0/2, rather than under one of its subinterfaces, would be considered only for packets routed out G0/2 itself, not for packets routed out of its subinterfaces. So, as shown in the answer, the ip access-group ThisACL out command is used as a subcommand on all three subinterfaces.
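As an added example (not part of the lab, and not Cisco's own code), the following Python script evaluates a Cisco-style standard ACL, wildcard masks included, against constructed sample source addresses from the lab's subnets. It checks that the single deny 10.0.1.0 0.0.0.127 line makes exactly the same decisions as the two separate /26 deny lines, that the implicit deny at the end of the ACL applies when nothing matches, and that placing the host entry first (as a reader suggests in the comments) changes nothing here because the entries do not overlap.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)

def parse_ace(line):
    """Parse one standard ACE: 'deny A.B.C.D [wildcard]', 'deny host A.B.C.D', 'permit any'."""
    parts = line.split()
    action = parts[0]
    if parts[1] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if parts[1] == "host":
        return action, parts[2], "0.0.0.0"
    # A bare address with no wildcard is a host match, as in 'deny 10.0.1.254'.
    return action, parts[1], parts[2] if len(parts) > 2 else "0.0.0.0"

def evaluate(acl, src):
    """First-match, top-to-bottom processing with the implicit 'deny any' at the end."""
    for line in acl:
        action, base, wildcard = parse_ace(line)
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"

# The lab answer, the two-line alternative from the commentary, and a host-first ordering.
THIS_ACL = ["deny 10.0.1.0 0.0.0.127", "deny 10.0.1.254", "permit any"]
TWO_LINE_ACL = ["deny 10.0.1.0 0.0.0.63", "deny 10.0.1.64 0.0.0.63",
                "deny 10.0.1.254", "permit any"]
HOST_FIRST_ACL = ["deny host 10.0.1.254", "deny 10.0.1.0 0.0.0.127", "permit any"]

def lab_results(acl=THIS_ACL):
    """Decision per constructed sample source: one host each in VLAN 10, 20 and 30,
    the .254 host, and R1's link address (which the ACL must not block)."""
    sources = ["10.0.1.10", "10.0.1.100", "10.0.1.200", "10.0.1.254", "192.168.1.1"]
    return {src: evaluate(acl, src) for src in sources}

def equivalent_over(acl_a, acl_b, network="10.0.1.0/24"):
    """True when both ACLs make the same decision for every address in network."""
    return all(evaluate(acl_a, str(h)) == evaluate(acl_b, str(h))
               for h in ipaddress.ip_network(network))

if __name__ == "__main__":
    for src, decision in lab_results().items():
        print(f"{src:>12} -> {decision}")
    print("one /25 line == two /26 lines:", equivalent_over(THIS_ACL, TWO_LINE_ACL))
    print("host-first order == answer:", equivalent_over(THIS_ACL, HOST_FIRST_ACL))
```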
Known Issues in this Lab
This section of each Config Lab Answers post lists any known issues with Packet Tracer related to this lab. In this case, the issues are:
# | Summary | Detail
1 | None    | No known issues related to this lab.
Why Would Cisco Packet Tracer Have Issues?
(Note: The below text is the same in every Config Lab.)
Cisco Packet Tracer (CPT) simulates Cisco routers and switches. However, CPT does not run the same software that runs in real Cisco routers and switches. Instead, developers wrote CPT to predict the output a real router or switch would display given the same topology and configuration, but without performing all the same tasks an actual device has to do. On a positive note, CPT requires far less CPU and RAM than a lab full of devices, so you can run CPT on your computer as an app. In addition, simulators like CPT help you learn about the Cisco router/switch user interface, the Command Line Interface (CLI), without having to own real devices.
CPT can have issues compared to real devices because CPT does not run the same software as Cisco devices. CPT does not support all commands or parameters of a command. CPT may supply output from a command that differs in some ways from what an actual device would give. Those differences can be a problem for anyone learning networking technology because you may not have experience with that technology on real gear – so you may not notice the differences. So this section lists differences and issues that we have seen when using CPT to do this lab.
Beyond comparing your answers to this lab’s Answers post, you can test in Cisco Packet Tracer (CPT) or Cisco Modeling Labs (CML). In fact, you can and should explore the lab once configured. For this lab, once you have completed the configuration, try these verification steps.
- Issue the show ip access-lists and show access-lists commands to display the access-lists.
- Issue the show ip interface command and look for the lines on each interface that identify whether any ACLs are enabled, and if so, which ACLs and in what direction.
Hi Mr. Odom,
What do u think about the approach of configuring the ACL, on the G0/2 of R2(outbound) ?
Hello,
Thanks for the question. Using R2’s G0/2 interface would have no effect, however, as the interface has not been configured with an IP address. Wherever you choose, the ACL must be enabled on an interface that has IP enabled by virtue of being configured with an IP address. (See the last paragraph of the commentary section for a little more about that particular subject.)
Hope this helps,
Wendell
Thank you, I got it 🙂
Question:
The access-list also could be applied in R2’s Gi0/1 in …..?
ip access-group ThisACL in
Mac,
Sure, that would work!
Wendell
Hi Wendell,
I can see in Figure 1, that all VLANs’ subnets show a 24 bit mask. But in the R1’s and R2’s configs they show different masks (255.255.255.0 in R2, but 255.255.255.192 and 255.255.255.128 in R1). Why is that?
Hi Vicente,
It was a mistake in the figure (which is now fixed.) I meant to use the 255.255.255.192 and 225.255.255.128 masks in R1 per the config (which were as intended), but we failed on updating the figure to match. Should be good now – let me know if you see anything else that’s suspicious. Thanks for helping by uncovering a mistake that needs fixing!
Wendell
Hello, can I apply the ACL on SW2 Gi1/0/1 in? The question doesn’t say if this switch is a layer 2 or 3.
Hi Elton.
In this case, no. I agree, the question doesn’t state L2 or L3 switch overtly. The initial configuration, however, shows config for L2 functions only, with no L3 interfaces on the switch. I don’t set about to hide those kinds of facts in these labs, though, so I’ll go add a clarifying comment to help future readers on that point. Thanks for the comment.
I think should deny 10.0.1.0 0.0.0.63
This is a common mistake, but don’t worry. Here is the explanation.
With a /26 mask the networks are 0, 64, 128 and 192, and your wildcard is .63; that’s correct. But the exercise asks for only the first two networks with a single ACE, and you obtain this with a /25, which has only two networks, 0 and 128, and the wildcard mask is 127.
Networks:
Subnet | Network    | Hosts   | Broadcast
first  | 10.0.1.0   | 1-126   | 10.0.1.127
second | 10.0.1.128 | 129-254 | 10.0.1.255
The statement will be:
access-list 1 deny 10.0.1.0 0.0.0.127
Hello Wendell,
Please a question. Can a single ACL be enabled on multiple interfaces? Eg for this exercise, can this ACL be enabled both on G0/1 IN and G0/2 subint OUT?
Yes indeed!
However, keep in mind that it’s only sensical to enable an IPv4 ACL on an IPv4-enabled interface. In this case, R1’s G0/2 does not have an IP address assigned so IPv4 is not enabled. You would instead enable it on one of the subinterfaces, on which IPv4 is enabled.
But the core of your question – one ACL enabled on any interface or direction – that’s allowed. Then the question becomes whether it’s effective or not.
W
Hello,
I hope all is well and I once again want to thank you for putting those labs free on the internet without the need for registration. Great source for studying.
I think that there is a misconfig in the CML file. I was wondering why after applying the ACL I can still ping my PCs, and this is what I saw configured after issuing ipconfig on the PCs.
You’re welcome, Alexandr!
I took a look at the CML config. I think there are larger issues beyond the PCs – if you look at the R1 initial config, it doesn’t match the lab. I’ll plan on taking a look when I have a minute. Thanks for the heads up!
Hi Wendell
Thank you for the great books and labs! 🙂
I read that more specific ACEs should be placed further above in an ACL and ACLs are applied from top to bottom.
The original lab solution:
ip access-list standard ThisACL
deny 10.0.1.0 0.0.0.127
deny 10.0.1.254
permit any
I came up with this solution because denying a specific IP-address seems more specific to me than denying a subnet:
ip access-list standard ThisACL
deny host 10.0.1.254
deny 10.0.1.0 0.0.0.127
permit any
Best regards
Hi Timo,
I like your thinking. While it doesn’t change the logic in this case, as there is no overlap between the more specific ACE vs. the more general ACEs, it’s a good habit to place the more specific ACEs (that is, those with more specific matching parameters) earlier. 100% fine with your change!
Wendell
To match them with one command, consider these two subnets as a single range of addresses, including the numbers from 10.0.1.0 – 10.0.1.127. That happens to be the same numbers as in subnet 10.0.1.0/25, which can be matched with the deny 10.0.1.0 0.0.0.127 command, as seen in the answer.
Is this concept related to summary routes? I haven’t studied it but saw it multiple times here on the blog.