CCNA Lab - Standard and Extended ACLs (IPv4) - Nick's Network Lab
Lab Overview
Access Control Lists (ACLs) are a critical part of any network topology and are fundamental to
enforcing proper access control to network resources. We’ll take a look at both Standard and
Extended ACLs and the best practice for where to place them in a network topology.
1 of 15 1/7/2025, 4:39 PM
CCNA Lab: Standard and Extended ACLs (IPv4) - Nick's Network Lab https://nicksnetworklab.com/ccna-lab-standard-and-extended-acls-ipv4/
I have provided free packet tracer labs to go along with this guide. Everything necessary to
complete the lab has already been configured, except for the ACLs. It is your job to configure
ACLs and place them in the most efficient locations while also satisfying the specified rules.
Extended ACLs are far more flexible and can match many more things, such as source and/or
destination IP addresses, protocols, and port numbers. This allows administrators and
engineers to customize how access control works in their environment, compared to
standard ACLs. Extended ACLs are required whenever an administrator or engineer needs to filter
traffic on anything more than a source address.
Named ACLs are exactly what they suggest – ACLs with a name, which can include
alphanumeric characters. These are great because you can use descriptive names for ACLs to
help easily identify what they do.
ACL Placement
Determining where to place ACLs is also an important concept to understand. If you place an
ACL in the wrong part of a network, it may cause unintended traffic flow issues.
• Inbound ACLs filter traffic coming into an interface before it gets processed. Traffic that
matches a deny entry is discarded and never needs to be processed for routing. These
are generally more efficient and avoid wasting resources on traffic that is
doomed to be dropped anyway. If the traffic is permitted, it continues on to be processed for
routing.
• Outbound ACLs process traffic for routing before it is compared to the ACL. This
means that even if the traffic matches a deny entry, the device has still spent resources routing it
and only drops it afterwards when it matches the ACL.
It’s important to keep these two methods in mind, since they also factor into where an ACL is
placed. Beyond that, there are two key best-practice rules for ACL placement to memorize:
• Place standard ACLs as close to the destination as possible.
• Place extended ACLs as close to the source as possible.
Objectives:
1. Configuring ACL 50
The first thing we need to do is determine which device the ACL needs to be configured on.
Recall that it is best practice to place standard ACLs as close to the destination as possible.
Since we want to deny devices from accessing 10.1.3.0 /24, that is the
destination network. R3’s GigabitEthernet0/0 interface is the closest interface to that network, so
we will configure the ACL on R3.
Because we want to filter out traffic from any device in the 10.1.1.0 /24 network, we will
use the network address with a wildcard mask in the deny statement, followed by a permit any,
which ensures any other traffic can still reach the 10.1.3.0 /24 network.
interface GigabitEthernet0/0
ip access-group 50 out
ACL 50 is now configured and placed correctly. You can use the show access-list command to
verify your configuration.
2. Configuring ACL 60
We can use the same logic as ACL 50 to determine where to put ACL 60. In this case, R1’s
GigabitEthernet0/1 interface is the closest interface to the destination network.
ACL 60 is a little different – we need to filter on a single host address rather than a network
address with a wildcard mask; however, the syntax is very similar:
Since we’ve already determined the interface to apply the filter to, all we need to do is apply the
filter to outbound traffic:
interface GigabitEthernet0/1
ip access-group 60 out
3. Verify
Now that both ACLs are configured and placed, let’s verify with a few ping tests.
This will verify that 10.1.1.0 /24 cannot reach the 10.1.3.0 /24 network. (ACL 50)
Objectives:
1. Create a named, extended ACL called “extended_local_ACL” with the following rules:
• Allow only PC1 to ping and browse to local_HTTP1 using HTTP and HTTPS.
• Allow only PC2 to ping and browse to local_HTTP2 using HTTP and HTTPS.
• Deny any hosts on the 10.1.1.0 /24 network from reaching the 172.16.1.0 /24 network.
• Allow any hosts on the 10.1.1.0 /24 network to access any other network.
• Bind extended_local_ACL to the most efficient interface on R1.
2. Create a numbered, extended ACL with the number “150” and apply the following rules:
• Allow any hosts on the 10.1.1.0 /24 network to browse to external websites.
• Allow any external hosts to browse to the internal HTTP servers on the 172.16.1.0 /24 network.
3. Verify
• Verify PC1 can ping local_HTTP1, but not local_HTTP2.
• Verify PC1 can browse to local_HTTP1 (via IP) with HTTP and HTTPS.
• Verify PC2 can ping local_HTTP2, but not local_HTTP1.
• Verify PC2 can browse to local_HTTP2 (via IP) with HTTP and HTTPS.
• Verify PC1, PC2, and PC3 can all browse to nickm155.sg-host.com and cisco.com.
1. Configuring extended_local_ACL
Since R1 is the only router in the topology, let’s focus on configuring the ACL before
determining where to apply it. To create a named, extended ACL, use the ip access-list
{standard/extended} {number/name} command. This enters ACL configuration
mode, where you can add permit and deny statements.
Note: You can also use this command to create standard, named ACLs. This guide does not
use standard, named ACLs.
Let’s use the ip access-list extended extended_local_ACL command to create the ACL and
enter ACL configuration mode.
From there, we can take a look at how to use permit and deny statements. The syntax
is permit/deny {protocol} {source} {destination} {port #}.
Let’s configure the first three permit statements for bullet one of the objectives: allow only PC1 to
ping and browse to local_HTTP1 using HTTP and HTTPS.
Notice how the port number is specified in the permit statement. This tells the router to permit
TCP traffic with a destination port of 80 or 443 (HTTP and HTTPS) from the source 10.1.1.1
(PC1) to the destination 172.16.1.3 (local_HTTP1). We can use the same syntax to add
permit statements for PC2:
The next thing we need to do is deny any hosts on the 10.1.1.0 /24 network from reaching the
172.16.1.0 /24 network. This will ensure no other PCs (if there were any) can ping or browse to
the local HTTP servers. We can specify the protocol as “ip” which will deny all IP traffic between
10.1.1.0 /24 and 172.16.1.0 /24, besides what’s been permitted.
Finally, all we need to do is allow any hosts on the 10.1.1.0 /24 network to access any other
network. Because there is an implicit deny any at the end of every ACL, this statement is what ensures PC1 and
PC2 can still access the internet. Similar to the previous statement, we can use “ip” to permit all
IP traffic from 10.1.1.0 /24 to any other destination network.
Now that we have the ACL configured, we need to determine which interface to place it on.
Remember, it is best practice to place extended ACLs as close to the source as possible.
R1’s GigabitEthernet0/1 interface is the best place.
R1(config)#interface gigabitEthernet0/1
R1(config-if)#ip access-group extended_local_ACL in
The next ACL we’ll create is ACL 150. Notice how the number falls within the extended range
(100-199 and 2000-2699) for numbered ACLs. We’ll use the access-list {number} {action}
syntax.
This ACL will allow the 10.1.1.0 /24 network to browse to external websites. Recall that in
extended_local_ACL we added the permit ip 10.1.1.0 0.0.0.255 any statement to allow that
network to access any other network. However, we still have to allow the return traffic from external networks
back into the network.
The first command we need is access-list 150 permit tcp any 10.1.1.0 0.0.0.255
established. This allows the return traffic of TCP connections that originated from the inside network back into
the network, hence the established keyword.
Next, we need to permit any external HTTP and HTTPS traffic to access the local HTTP
servers. Like before, we can use “eq” and specify ports 80 and 443.
You may not have caught it, but since we are creating an ACL with permit/deny statements, we
need to be sure to include DNS in the equation. Otherwise, DNS traffic from the internal PCs
will be dropped. The permit statement below allows DNS traffic (port 53) from the DNS server
to reach the 10.1.1.0 /24 network.
Finally, we can satisfy the last objective to deny external hosts from accessing the 10.1.1.0 /24
network with the below deny statement.
The best place to apply this ACL is inbound on R1’s GigabitEthernet0/0 interface, which is the
closest interface to the external network.
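As an added example (not part of the original lab or Nick's Network Lab), here is a small Python model of how a router walks an IPv4 ACL: top-down, first match wins, implicit deny at the end, with IOS-style wildcard masks (the same matching ACL 50 relies on), “eq” port checks, and the established keyword. The dict field names are my own; PC2/local_HTTP2 and the DNS server have no addresses in the lab text, so those entries are left out.

```python
# Added example, not the lab's own code: a minimal model of IOS ACL evaluation.
# Wildcard masks: a 0 bit means "must match", a 1 bit means "don't care".
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")           # the "any" keyword
def host(ip): return (ip, "0.0.0.0")            # the "host x.x.x.x" keyword

def wildcard_match(addr, net, wildcard):
    """True when addr falls inside net under an IOS wildcard mask."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, net, wildcard))
    return (a | w) == (n | w)

def ace_matches(ace, pkt):
    """Does one access-control entry match the packet? (both are plain dicts)"""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *ace["src"]) or not wildcard_match(pkt["dst"], *ace["dst"]):
        return False
    if "dport" in ace and pkt.get("dport") != ace["dport"]:    # "eq <port>"
        return False
    # "established" is stateless: it only checks that ACK or RST is set (modelled
    # here as the "ack" flag), so it passes return traffic of inside-initiated
    # connections but never the opening SYN of a connection from outside.
    if ace.get("established") and not pkt.get("ack"):
        return False
    return True

def evaluate(acl, pkt):
    """Return "permit" or "deny", the verdict the router would reach for pkt."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"   # implicit deny any at the end of every ACL

# extended_local_ACL as the lab states it (PC1 = 10.1.1.1, local_HTTP1 = 172.16.1.3).
# PC2 / local_HTTP2 entries follow the same pattern; the lab text does not list their IPs.
EXTENDED_LOCAL_ACL = [
    {"action": "permit", "proto": "icmp", "src": host("10.1.1.1"), "dst": host("172.16.1.3")},
    {"action": "permit", "proto": "tcp",  "src": host("10.1.1.1"), "dst": host("172.16.1.3"), "dport": 80},
    {"action": "permit", "proto": "tcp",  "src": host("10.1.1.1"), "dst": host("172.16.1.3"), "dport": 443},
    {"action": "deny",   "proto": "ip",   "src": ("10.1.1.0", "0.0.0.255"), "dst": ("172.16.1.0", "0.0.0.255")},
    {"action": "permit", "proto": "ip",   "src": ("10.1.1.0", "0.0.0.255"), "dst": ANY},
]
# ACL 150 from the lab, minus the DNS entry (the DNS server's address is not given).
ACL_150 = [
    {"action": "permit", "proto": "tcp", "src": ANY, "dst": ("10.1.1.0", "0.0.0.255"), "established": True},
    {"action": "permit", "proto": "tcp", "src": ANY, "dst": ("172.16.1.0", "0.0.0.255"), "dport": 80},
    {"action": "permit", "proto": "tcp", "src": ANY, "dst": ("172.16.1.0", "0.0.0.255"), "dport": 443},
    {"action": "deny",   "proto": "ip",  "src": ANY, "dst": ("10.1.1.0", "0.0.0.255")},
]
```

Feeding the lab's verification cases through evaluate() shows why ordering matters: swap the deny ip entry above the PC1 permits and PC1's HTTPS is denied too.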
3. Verify
Now that both ACLs are configured and placed, let’s verify with some ping and browsing tests.
You can use the show access-lists command to verify your configuration. You can also use
this command to see ACL matches, which is super handy when verifying.
Full Configuration