Progressive ACL labs — standard/extended numbered and named ACLs, placement, logging, and filtering troubleshooting — on CML free-tier (5 nodes or fewer).
Beginner CCNA ACL lab on a compact 5-node CML-Free topology. You will configure static routing end-to-end, implement source NAT (PAT) at the source edge, and then build a standard numbered ACL near the destination to allow a single NATed host and a specific subnet while denying all others. You will validate with pings from end hosts, observe ACL hit counters and NAT translations, and troubleshoot common mistakes such as ACL placement, wildcard masks, and pre-/post-NAT address matching.
View lab detailsDeploy a numbered extended ACL on a router-on-a-stick topology to allow HTTP from a single approved client to a web server while denying all other TCP attempts to that server from the same user VLAN. Apply the ACL inbound near the source, verify with real client traffic, and troubleshoot using ACL hit counts and test flows.
View lab detailsHands-on ACL practice using named standard and extended ACLs, applied with correct placement and direction, edited by sequence number, and verified with counters and end-host tests. The lab adds a realistic NAT edge to expose order-of-operations pitfalls without obscuring data-plane ACL effects.
New here? Start with the free study hub and step-by-step guides, then own the bundle to practice on real Cisco IOS.
11 hands-on, auto-graded CCNA labs spanning 25 topics — each one a real Cisco Modeling Labs scenario you build on Cisco IOS. It's a one-time $29.99 and every lab is yours to keep forever.
A one-time purchase — $29.99. Buy once and own every lab in the bundle permanently; it's separate from the daily-lab subscription, so there's nothing recurring.
Yes — each lab is a Cisco Modeling Labs (CML) topology you import and build on real Cisco IOS, and the CML free tier is enough. You download the topology and lab guide, then build it yourself.
Every lab ships as a problem to solve. You build it in CML, then submit your config to grade it against the answer key — you get a pass/fail on each objective, so you know exactly what's right and what to fix instead of guessing.
CCNA. The labs are sequenced to build the hands-on configuration and troubleshooting skills CCNA candidates are expected to demonstrate on real gear.
Hands-on CCNA ACL practice using standard ACLs and wildcard masks to allow a single host, a contiguous range, and an entire subnet while proving a deny. You will place the ACL near the destination, order statements correctly, verify with end-host pings and ACL counters, and troubleshoot common mistakes.
View lab detailsDual-router Branch/HQ lab with a branch client and an HQ server. You will apply an extended IPv4 ACL inbound near the source on the Branch LAN to block specific traffic (TCP/80) while permitting others (ICMP), and a standard IPv4 ACL outbound near the destination on the HQ LAN to admit only the approved source. Validate from real hosts, confirm ACL hitcounts, and keep inter-site connectivity via static routes over a /30 transit.
View lab detailsBuild a two-router, one-access-switch lab with a client and a server. Establish basic IP connectivity with static routing, then implement an extended IPv4 ACL inbound on the client-facing interface to permit SSH and HTTP to the server while denying Telnet and ICMP echo. Validate from the client and review ACL hit counters for proof.
View lab detailsConfigure a standard IPv4 ACL and bind it to the VTY lines on the HQ router so only the dedicated management host can SSH to it. Confirm that regular routed traffic between sites is unaffected, and prove both a permitted and a denied management attempt.
View lab detailsThree-router static-routing lab with two Linux endpoints. An extended IPv4 ACL is intentionally misordered inbound near the source, causing Telnet to be permitted unexpectedly. Learners must observe first-match behavior via hit counters, enable buffered logging to see ACL log entries, and then correct the ACL sequence so Telnet is blocked while SSH and ICMP are permitted. All routers include a complete SSH management plane. The final solution forwards end-to-end and is enterprise-clean.
View lab detailsDeploy and verify multiple IPv4 ACLs on a single router that terminates three distinct LANs (Client, Server, and Management). You will place an extended ACL inbound on the Client interface to allow only specific services to the Server and block access to Management, a standard ACL outbound on the Management interface to enforce destination-side protection by source, and a VTY access-class to restrict router SSH to the Management subnet only. Validate with end-host tests that permitted flows succeed while denied flows are provably blocked, and use ACL hit counts and logs to troubleshoot.
View lab detailsBuild a 5-node edge/DMZ topology. Implement a named extended ACL on the EDGE router to allow only TCP/80, TCP/443, and ICMP echo from the Inside LAN to a DMZ web server, deny all other traffic to that server with logging, and still permit general traffic elsewhere. Apply the ACL inbound on the EDGE inside LAN interface. Harden router SSH management with a standard ACL. Verify with wget, ping, and an intentionally denied SSH attempt that increments the deny log counter.
View lab detailsDiagnose and repair an ACL + NAT policy on a small branch-to-DC topology. Implement PAT on the branch edge, correctly place an extended ACL to filter pre-NAT traffic, prove a permitted flow and a denied flow from the end host, and validate with show commands.
View lab details