Security

ACL Lab

Two modes: Placement uses the PAT edge topology (extended ACLs close to source, standard ACLs close to destination). Troubleshooting uses the dual-site R1/R2 diagram with PC subnets and a remote server — find every fix for broken HTTPS filtering.

How to play

Two modes: Placement uses the PAT edge topology (extended ACLs close to source, standard ACLs close to destination). Troubleshooting uses the dual-site R1/R2 diagram with PC subnets and a remote server — find every fix for broken HTTPS filtering.

ACL Placement Game

Identify the source, then choose where to place a standard or extended ACL.

Scenario 1 of 7Score: 0/14

Why source matters

ACL placement starts by identifying the traffic source. Extended ACLs match source, destination, protocol, and port — place them close to the source. Standard ACLs only match source IP — place them close to the destination.

PAT reminder

PAT changes internal private addresses at the internet edge. Decide what traffic you filter, where the source is, and whether the ACL should see the original inside address.

Extended ACL

Block LAN-A users from reaching LAN-B server

Block 192.168.10.0/24 from accessing 192.168.20.10 on TCP port 80.

Source
LAN-A Users
192.168.10.0/24
Destination
LAN-B Web Server
192.168.20.10
Filter
TCP port 80
192.168.10.0/24192.168.20.0/2410.0.0.0/30203.0.113.0/30LAN-A192.168.10.0/24GW 192.168.10.1host 192.168.10.25LAN-B192.168.20.0/24GW 192.168.20.1srv 192.168.20.10Internet198.51.100.50host 203.0.113.99via R2 PATR1distributionR2PAT / NAT edgeR1 G0/0192.168.10.1/24192.168.10.0/24R1 G0/1192.168.20.1/24192.168.20.0/24R1 G0/210.0.0.1/3010.0.0.0/30R2 G0/010.0.0.2/3010.0.0.0/30R2 G0/1203.0.113.1/30203.0.113.0/30
SourceDestinationACL interface

Step 1 — Who is the source?