Networking 📅 May 4, 2026 ⏱️ 8 min

Lab Runbook: Configure Named Standard IPv4 ACLs

A step-by-step command reference for completing Cisco NetAcad Network Defense Lab 4.5.5 in Packet Tracer. Covers creating and applying a named standard ACL on R1 to restrict File Server access, with full command sets, expected outputs, and verification steps.

Tags: ACL, IPv4, Cisco, Packet Tracer, Network Defense, Access Control, Security

title: "Lab Runbook: Configure Named Standard IPv4 ACLs"
description: "A step-by-step command reference for completing Cisco NetAcad Network Defense Lab 4.5.5 in Packet Tracer. Covers creating and applying a named standard ACL on R1 to restrict File Server access, with full command sets, expected outputs, and verification steps."
date: "2026-05-04"
category: "Networking"
tags: ["ACL", "IPv4", "Cisco", "Packet Tracer", "Network Defense", "Access Control", "Security"]
author: "Stephen Nnamani"
readingTime: "8 min"
image: "/images/blog/named-standard-ipv4-acl-topology.png"

About This Runbook

This is a step-by-step breakdown of the tasks required to complete Lab 4.5.5: Packet Tracer - Configure Named Standard IPv4 ACLs from the Cisco NetAcad Network Defense course. It is intended to help students who are struggling to work through the lab independently.

This runbook is text-only and will not be accompanied by a video explanation. It focuses purely on the commands and configuration sequence needed to reach a 100% score.

Educational Use Notice: This document is produced for non-profit and educational purposes only. All lab content, topology, and objectives are the intellectual property of Cisco Systems / Cisco Networking Academy. This runbook is shared in the spirit of peer learning and is not intended for commercial use.

Credits: Lab content sourced from Cisco Networking Academy (NetAcad), Network Defense course. Shared with fellow students of the Per Scholas cybersecurity programme.


Addressing Table

| Device | Interface | IP Address | Subnet Mask | Default Gateway |
|---|---|---|---|---|
| R1 | F0/0 | 192.168.10.1 | 255.255.255.0 | N/A |
| R1 | F0/1 | 192.168.20.1 | 255.255.255.0 | N/A |
| R1 | E0/0/0 | 192.168.100.1 | 255.255.255.0 | N/A |
| R1 | E0/1/0 | 192.168.200.1 | 255.255.255.0 | N/A |
| File Server | NIC | 192.168.200.100 | 255.255.255.0 | 192.168.200.1 |
| Web Server | NIC | 192.168.100.100 | 255.255.255.0 | 192.168.100.1 |
| PC0 | NIC | 192.168.20.3 | 255.255.255.0 | 192.168.20.1 |
| PC1 | NIC | 192.168.20.4 | 255.255.255.0 | 192.168.20.1 |
| PC2 | NIC | 192.168.10.3 | 255.255.255.0 | 192.168.10.1 |


Objectives

  • Configure and apply a named standard ACL on R1
  • Verify that the ACL permits only the correct hosts to reach the File Server

Background / Scenario

The senior network administrator has asked you to create a standard named ACL to protect the File Server. The File Server hosts the database for web applications and should only be accessible to two hosts: PC1 (the Web Manager workstation at 192.168.20.4) and the Web Server (at 192.168.100.100). All other traffic to the File Server must be denied.


Part 1: Configure and Apply a Named Standard ACL

Step 1: Verify Connectivity Before the ACL is Applied

Before configuring anything, confirm all three workstations can reach both servers. Open the command prompt on each PC and ping both server addresses.

From PC0 (192.168.20.3):

ping 192.168.100.100
ping 192.168.200.100

From PC1 (192.168.20.4):

ping 192.168.100.100
ping 192.168.200.100

From PC2 (192.168.10.3):

ping 192.168.100.100
ping 192.168.200.100

Expected output: All pings succeed. If any fail, check that the router interfaces are up and IP addresses match the addressing table before proceeding.


Step 2: Configure the Named Standard ACL on R1

Click on R1 in the topology and open the CLI tab.

R1> enable
R1# configure terminal
R1(config)# ip access-list standard File_Server_Restrictions
R1(config-std-nacl)# permit host 192.168.20.4
R1(config-std-nacl)# permit host 192.168.100.100
R1(config-std-nacl)# deny any
R1(config-std-nacl)# exit
R1(config)# end

What this does:

  • ip access-list standard File_Server_Restrictions creates a named standard ACL. Standard ACLs filter based on source IP address only.
  • permit host 192.168.20.4 allows PC1 (the Web Manager workstation) through.
  • permit host 192.168.100.100 allows the Web Server through.
  • deny any blocks all other source addresses. Every ACL already ends with an implicit deny, so this explicit statement is technically redundant, but Packet Tracer scores it as a required entry.

Important: The ACL name File_Server_Restrictions is case-sensitive. The permit and deny statements must be entered in this exact order. Both are scored.

Verify the ACL before applying it:

R1# show access-lists

Expected output:

Standard IP access list File_Server_Restrictions
    10 permit host 192.168.20.4
    20 permit host 192.168.100.100
    30 deny any

If the IPs are wrong or the order is different, delete the ACL and re-enter it:

R1(config)# no ip access-list standard File_Server_Restrictions

Then repeat Step 2 from the beginning.


Step 3: Apply the Named ACL to the Interface

Apply the ACL outbound on the F0/1 interface:

R1# configure terminal
R1(config)# interface f0/1
R1(config-if)# ip access-group File_Server_Restrictions out
R1(config-if)# end

What this does: Attaches the ACL to the outbound direction of F0/1. Traffic leaving R1 through this interface will be checked against the ACL before being forwarded.

Note: In a production network, applying an ACL to an active interface without a maintenance window is not recommended. In this lab environment it is safe to apply directly.

Save the configuration:

R1# copy running-config startup-config

Part 2: Verify the ACL Implementation

Step 1: Confirm ACL Configuration and Interface Binding

R1# show access-lists
R1# show ip interface f0/1

In the output of show ip interface f0/1, look for:

Outgoing access list is File_Server_Restrictions

This confirms the ACL is bound to the correct interface in the correct direction.


Step 2: Verify ACL Behaviour

Test from each workstation to confirm the ACL is working as intended.

From PC0 (192.168.20.3) — should be blocked from File Server:

ping 192.168.100.100   (Web Server — should succeed)
ping 192.168.200.100   (File Server — should fail)

From PC1 (192.168.20.4) — should reach both servers:

ping 192.168.100.100   (Web Server — should succeed)
ping 192.168.200.100   (File Server — should succeed)

From PC2 (192.168.10.3) — should be blocked from File Server:

ping 192.168.100.100   (Web Server — should succeed)
ping 192.168.200.100   (File Server — should fail)

After testing, run show access-lists again to see the match counters:

R1# show access-lists

Each statement will show how many packets matched it, confirming the ACL is actively filtering traffic.


Quick Reference: What the ACL Permits and Denies

| Source Host | IP Address | File Server Access | Web Server Access |
|---|---|---|---|
| PC1 (Web Manager) | 192.168.20.4 | Permitted | Permitted |
| Web Server | 192.168.100.100 | Permitted | N/A |
| PC0 | 192.168.20.3 | Denied | Permitted |
| PC2 | 192.168.10.3 | Denied | Permitted |
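
An offline check of the ACL logic, added here as an example (it is not part of the Cisco lab or of the original runbook): it parses show access-lists output, applies first-match evaluation with the implicit deny, and compares the result with the File Server column of the table above. It assumes the ACL is evaluated on traffic forwarded toward the File Server, and it goes slightly beyond the lab by also accepting "address wildcard" entries; all function names are illustrative.

```python
import ipaddress
import re

# Constructed sample: the "show access-lists" output Step 2 expects on R1.
SHOW_ACCESS_LISTS = """\
Standard IP access list File_Server_Restrictions
    10 permit host 192.168.20.4
    20 permit host 192.168.100.100
    30 deny any
"""
# File Server column of the Quick Reference table: PC1, Web Server, PC0, PC2.
EXPECTED = {"192.168.20.4": "permit", "192.168.100.100": "permit",
            "192.168.20.3": "deny", "192.168.10.3": "deny"}
# sequence number, action, source spec, optional "(N match(es))" counter
ENTRY = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.+?)\s*(?:\(.*\))?$")

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_standard_acl(text):
    """Return [(seq, action, address, wildcard)] sorted by sequence number."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header or blank line
        src = m.group(3).split()
        if src[0] == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif src[0] == "host":
            addr, wild = to_int(src[1]), 0
        else:  # "address [wildcard]"; no wildcard means a single host
            addr, wild = to_int(src[0]), to_int(src[1]) if len(src) > 1 else 0
        entries.append((int(m.group(1)), m.group(2), addr, wild))
    return sorted(entries)

def evaluate(entries, source):
    """First matching entry wins; falling off the end is the implicit deny."""
    s = to_int(source)
    for seq, action, addr, wild in entries:
        care = ~wild & 0xFFFFFFFF  # wildcard 1-bits are "don't care"
        if s & care == addr & care:
            return action, seq
    return "deny", None

def mismatches(text, expected=EXPECTED):
    acl = parse_standard_acl(text)
    results = {ip: evaluate(acl, ip)[0] for ip in expected}
    # An empty dict means every host gets the result the table lists.
    return {ip: got for ip, got in results.items() if got != expected[ip]}
```

Paste the real output from R1 in place of SHOW_ACCESS_LISTS; the sequence number returned by evaluate shows which line a given source hits, which is the line whose match counter should increase after the ping tests.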


Complete Command Summary

enable
configure terminal
ip access-list standard File_Server_Restrictions
 permit host 192.168.20.4
 permit host 192.168.100.100
 deny any
exit
interface f0/1
 ip access-group File_Server_Restrictions out
end
copy running-config startup-config

Completion Check

When done, click Check Results in the lab interface. Your score should be 100%.

If not 100%, the most common issues are:

  • ACL name typed incorrectly (File_Server_Restrictions is case-sensitive)
  • Permit statements entered in the wrong order (PC1 must come before Web Server)
  • deny any statement missing (Packet Tracer scores this explicitly)
  • ACL applied to the wrong interface or wrong direction (must be outbound on F0/1)
  • ip access-group command missing from the interface entirely