Extended ACL Fundamentals: Permit HTTP, Deny Others
Deploy a numbered extended ACL on a router-on-a-stick topology to allow HTTP from a single approved client to a web server while denying all other TCP attempts to that server from the same user VLAN. Apply the ACL inbound near the source, verify with real client traffic, and troubleshoot using ACL hit counts and test flows.
Extended ACL: Application Filtering at a Hardened Edge
Build a 5-node edge/DMZ topology. Implement a named extended ACL on the EDGE router to allow only TCP/80, TCP/443, and ICMP echo from the Inside LAN to a DMZ web server, deny all other traffic to that server with logging, and still permit general traffic elsewhere. Apply the ACL inbound on the EDGE inside LAN interface. Harden router SSH management with a standard ACL. Verify with wget, ping, and an intentionally denied SSH attempt that increments the deny log counter.
CCNA: Named ACLs & Editing by Sequence Number
Hands-on ACL practice using named standard and extended ACLs, applied with correct placement and direction, edited by sequence number, and verified with counters and end-host tests. The lab adds a realistic NAT edge to expose order-of-operations pitfalls without obscuring data-plane ACL effects.
CCNA: ACL Placement – Std Near Dest, Ext Near Source
Dual-router Branch/HQ lab with a branch client and an HQ server. You will apply an extended IPv4 ACL inbound near the source on the Branch LAN to block specific traffic (TCP/80) while permitting others (ICMP), and a standard IPv4 ACL outbound near the destination on the HQ LAN to admit only the approved source. Validate from real hosts, confirm ACL hitcounts, and keep inter-site connectivity via static routes over a /30 transit.