Lab: Access List (ACL) in Simple Networks

This lab demonstrates how to use access lists (ACLs) in a simple network to filter traffic. We will use both a standard access list and an extended IP access list.


There are two different networks connected through routers. By default the router performs routing between those two networks, and everything works. Now the company has deployed a client-server architecture and wants to add security so that only particular hosts can access particular servers. Our responsibility is to fulfill the following security requirements.



Sakun Sharma ACL Lab Topology


  1. Only HostC can access AccServer.
  2. Both machines can access WebServer only for HTTP Services.
  3. Only AccServer can access DatabaseServer.

Device Details:

  Device                     IP Address      Role
  AccServer                  / 24            Accounts Server
  WebServer                  / 24            Web Server
  DatabaseServer             / 24            Database Server
  Server Switch (no VLANs)   No IP Address   Server Switch
  R1 f0/0                    –               Server Network Gateway
  R1 f1/0                    –               LAN Gateway
  R1 f2/0                    –               Database Server Gateway
  HostC                      / 16            Accounts User
  HostD                      / 16            Normal User


We will use two ACLs which will be as follows:

  1. On R1 at s0/1 IN – Extended IP access list – To allow HostC to access AccServer, allow both hosts to access WebServer (HTTP only), and block all other traffic to AccServer.
  2. On R1 at f2/0 OUT – Standard access list – To allow traffic only from AccServer and block everything else.

Access Lists:

On R1 at s0/1 in:

Extended IP access list 101
10 permit ip host host
20 permit tcp host eq www

Command: access-list 101 permit ip host host
access-list 101 permit tcp host eq www

Here we have created an extended numbered access list, 101, which contains two statements with sequence numbers 10 and 20.

10 : Permit all IP protocols from host to host – This statement permits all traffic from HostC to AccServer.

20 : Permit only TCP port ‘www’ (port 80) from network 172.16.x.x to host – This statement permits only HTTP traffic from the 172.16.x.x network to WebServer.

:: Implicit Deny – At the end of every access list there is an implicit deny: a packet that matches none of the statements above is dropped. That is why all traffic to AccServer other than from host is dropped, and all non-HTTP traffic to WebServer is dropped.

On R1 at fa2/0 out:

Standard IP access list 10
10 permit

Command: access-list 10 permit

Here we are creating a standard access list to filter traffic to DatabaseServer. A standard list matches on source address only: at sequence number 10 we permit host only, and every other source is denied by the implicit deny at the end.
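To make the first-match and implicit-deny behaviour of the two lists concrete, the following added example (not part of the original lab, and not IOS code) evaluates sample packets against both ACLs the way the router does. The addresses are constructed placeholders, since the page does not show them: the hosts are assumed to live in 172.16.0.0/16, the servers in 10.1.1.0/24 and the database in 10.1.2.0/24.

```python
"""Model of the two ACLs in this lab: first matching entry wins, then implicit deny."""
import ipaddress

# Constructed placeholder addresses (assumption, not taken from the lab page).
HOSTC, HOSTD = "172.16.1.10", "172.16.1.20"
ACCSERVER, WEBSERVER, DBSERVER = "10.1.1.2", "10.1.1.3", "10.1.2.2"

def match(entry, pkt):
    """True if the packet matches one entry: (protocol, src net, dst net, dst port)."""
    proto, src, dst, dport = entry
    if proto != "ip" and proto != pkt["proto"]:          # 'ip' covers every protocol
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(src):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(dst):
        return False
    return dport is None or dport == pkt.get("dport")    # 'eq www' check

def evaluate(acl, pkt):
    """Cisco-style evaluation: walk the list in order, stop at the first match."""
    for action, entry in acl:
        if match(entry, pkt):
            return action
    return "deny"    # the implicit deny at the end of every access list

# access-list 101 (extended), applied inbound on the LAN-facing interface.
ACL_101 = [
    ("permit", ("ip", HOSTC + "/32", ACCSERVER + "/32", None)),    # seq 10
    ("permit", ("tcp", "172.16.0.0/16", WEBSERVER + "/32", 80)),    # seq 20
]
# access-list 10 (standard), applied outbound towards the database segment.
# A standard list inspects the source address only, hence the any-destination entry.
ACL_10 = [("permit", ("ip", ACCSERVER + "/32", "0.0.0.0/0", None))]    # seq 10

def lan_inbound(src, dst, proto="icmp", dport=None):
    """Verdict of ACL 101 for a packet arriving from the LAN."""
    return evaluate(ACL_101, {"src": src, "dst": dst, "proto": proto, "dport": dport})

def db_outbound(src):
    """Verdict of ACL 10 for a packet leaving towards DatabaseServer."""
    return evaluate(ACL_10, {"src": src, "dst": DBSERVER, "proto": "ip"})

if __name__ == "__main__":
    print("HostC -> AccServer:", lan_inbound(HOSTC, ACCSERVER))           # permit
    print("HostD -> AccServer:", lan_inbound(HOSTD, ACCSERVER))           # deny
    print("HostD -> WebServer:80:", lan_inbound(HOSTD, WEBSERVER, "tcp", 80))
    print("HostC ping WebServer:", lan_inbound(HOSTC, WEBSERVER))        # deny
    print("WebServer -> DatabaseServer:", db_outbound(WEBSERVER))         # deny
```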


ACL Interface

Here we are assigning those access lists to the interfaces.

Extended access list 101 is applied on ‘interface FastEthernet1/0’ with ip access-group 101 in. It is configured as an inbound access list.

Standard access list 10 is applied on ‘interface FastEthernet2/0’ with ip access-group 10 out. It is configured as an outbound access list.


From Host C


Note: Ping to (WebServer) fails because only HTTP (TCP port 80) traffic is allowed; ICMP does not match any permit statement and hits the implicit deny.

From Host D


From AccServer


Account Server Ping

From WebServer


