Lab 9: Filtering Traffic with a Standard ACL
Enforce policy: block VLAN 20 from reaching the server network while VLAN 10 stays allowed, using a standard ACL placed correctly (close to the destination). Difficulty: Intermediate · Time: ~25 min.
Lab objectives
- Write a standard numbered ACL with permit and deny
- Apply it outbound on the server-facing interface
- Prove one subnet is blocked and the other allowed
- Read the ACL hit counters
Topology & addressing
Router with three networks: 192.168.10.0/24 (allowed), 192.168.20.0/24 (to block), 192.168.99.0/24 (servers, Gi0/2). PCs in each user network, one server in .99.
Step-by-step configuration
access-list 10 deny 192.168.20.0 0.0.0.255access-list 10 permit any | Deny the HR subnet, allow everyone else (implicit deny would kill all!) |
interface gi0/2ip access-group 10 out | Standard ACL close to the destination |
Verification
Ping the server from a .10 PC — success. From a .20 PC — Destination host unreachable (the router's ACL speaking). show access-lists shows match counters climbing on each line — your proof of what's being caught.
Next lab: labs hub · test yourself: CCNA practice test.
Frequently asked questions
Why must permit any be added at the end?
Every ACL ends with an invisible deny any; without an explicit permit, the ACL would block all traffic, not just the target subnet.
Why apply the standard ACL near the destination?
Standard ACLs match only source IPs — applied too early they'd block that source from everything, not just the protected network.
What does show access-lists display?
Each ACL line with hit counters, showing how many packets matched — invaluable for verifying and troubleshooting.
Related articles
Want hands-on training?
Learn this on real Cisco lab devices with placement support at Attila Technologies, Ahmedabad.