ACL Practice Drills
You need practice with ACLs for CCENT and CCNA R/S. Some of that practice should focus on putting a complete ACL together, with multiple Access Control Entries (ACE) (that is, multiple permit and deny commands) to meet a set of requirements. But even before building complete ACLs, you need to master the basics of building a single ACE (that is, a single command).
This post introduces a type of exercise in this blog: the ACL Drill. These exercises let you practice the various steps of creating ACL commands. This post describes the basic process, with some advice on how to approach creating ACL commands, both for these drills and for the exams.
One ACE ACL
In Cisco-speak, one line in an ACL is called an Access Control Entry (ACE).
Some of the drills give you practice with building an ACL with a single ACE, keeping the focus of the discussion on one command (ACE) at a time. Basically, for each stated problem, you have to create one ACE – specifically either a permit or deny command for a named ACL – that meets the criteria.
Example One ACE ACL Drill
For the ACL practice drills in this blog, we will frequently use the following diagram. The IP addresses and subnets will change, even from question to question. In some cases, you will match traffic going from a client to a server, and sometimes you will stop traffic as it goes from a server to a client. In those cases, you will need to think about the placement of the port number fields.
For example, a drill question might state:
Host A (10.1.1.1/24) attempts to connect to web server S4 (192.168.2.254/27). Your ACL will be applied outbound on R2’s S0/0/0 interface. Permit traffic from host A’s subnet to reach the web service on S4.
First, consider the location of the ACL. The problem statement asks that you enable it outbound on R2’s S0/0/0. That placement means it will filter packets as they pass from host A to server S4. So, any matching of host A’s IP address should happen as the source IP address, and any matching of server S4 should happen as the destination address. If the requirement stated that the ACL was inbound on that same interface, you could still permit the traffic, but you must do so by matching traffic sourced from the server, sent back to host A.
Next, consider the requirement “from host A’s subnet”. The problem statement gives A’s IP address and mask (10.1.1.1/24). You need to match every address in that subnet and place that match in the source IP address field of the command. The command also needs to be a permit command (that part’s pretty obvious). So, just from that analysis, the command will start as follows:
permit <protocol> 10.1.1.0 0.0.0.255
Matching Transport Ports
So far, the source address field matches all packets with source IP address in subnet 10.1.1.0/24. Looking further, the requirements mention “web services on server S4”. If the wording had simply stated “server S4”, I personally would interpret that to mean that we should match IP packets sent to that server. But “web services…” tells me that we should filter TCP traffic to that host, specifically, to the well-known TCP port for web (port 80). You can match port 80, or use the “www” keyword, either way. And in this case, to match the port, note that you cannot use the protocol type of “IP”, because IOS requires us to use either “TCP” or “UDP” when matching port numbers. Here’s the updated command:
permit tcp 10.1.1.0 0.0.0.255 host 192.168.2.254 eq www
And that’s it. For these exercises, I will list a handful of problem statements and the diagram. Later, I’ll post the answers. Your job: do the drills, and if you have questions, ask them. (It really is ok to ask questions.)
Drill to Build Complete ACLs
To move beyond thinking about a single ACE in a single ACL, you have to start thinking about the order of the ACEs in the ACL and how they might affect one another. You also have to think about the default action to deny all other traffic, and whether you need to configure an alternative permit statement at the end of the ACL, for instance the commonly used explicit permit all, configured with the named ACL command permit ip any any.
Some of the ACL drills ask you to make multiline ACLs. In particular, these exercises make you consider:
- Do my configuration commands match some of the same packets? If so, what’s the correct order to use when adding the ACEs to the ACL?
- What is the impact of the implicit deny all at the end of each ACL? Can you take advantage of it?
- Should you configure an explicit permit all at the end of the ACL?
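To see the ordering and implicit-deny questions in action, here is an added example: a small Python simulator written for this post, not Cisco IOS code and not part of the original drills. It parses ACEs in the named-ACL syntax used above (permit/deny, ip/tcp/udp, any, host, address/wildcard pairs, and eq with a handful of well-known port names) and evaluates packets first-match, falling through to the implicit deny. The ACLs and packets are constructed sample values, and the WELL_KNOWN_PORTS table covers only a few of the keywords IOS actually accepts.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Only a few of the port keywords IOS accepts; enough for the drills' "eq www" style.
WELL_KNOWN_PORTS = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}

@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    protocol: str               # "ip", "tcp" or "udp"
    src: Tuple[int, int]        # (address, wildcard) as 32-bit ints
    dst: Tuple[int, int]
    dst_port: Optional[int]     # set only when the ACE ends in "eq <port>"

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _parse_addr(tok, i):
    """Read 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tok[i]; return ((addr, wc), next_i)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1          # wildcard all ones: every bit is "don't care"
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2     # wildcard all zeros: exact match
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def parse_ace(line: str) -> Ace:
    tok = line.split()
    action, proto = tok[0], tok[1]
    src, i = _parse_addr(tok, 2)
    dst, i = _parse_addr(tok, i)
    port = None
    if i < len(tok) and tok[i] == "eq":
        if proto == "ip":   # the point made above: port matching needs tcp or udp
            raise ValueError("'eq' requires protocol tcp or udp, not ip")
        port = WELL_KNOWN_PORTS.get(tok[i + 1]) or int(tok[i + 1])
    return Ace(action, proto, src, dst, port)

def _wildcard_match(packet_ip: int, pair: Tuple[int, int]) -> bool:
    addr, wc = pair
    # A wildcard bit of 1 means "don't care", so only compare bits where the wildcard is 0.
    return ((packet_ip ^ addr) & ~wc) == 0

def ace_matches(ace: Ace, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if ace.protocol != "ip" and ace.protocol != proto:
        return False
    if not _wildcard_match(_ip(src), ace.src) or not _wildcard_match(_ip(dst), ace.dst):
        return False
    return ace.dst_port is None or ace.dst_port == dport

def evaluate(acl, proto, src, dst, dport=None):
    """First matching ACE decides; returns (action, ACE position), or ('deny', None) for the implicit deny."""
    for n, ace in enumerate(acl, start=1):
        if ace_matches(ace, proto, src, dst, dport):
            return ace.action, n
    return "deny", None

# Constructed drill-style ACLs: block one host in 10.1.1.0/24 from the web service on S4,
# permit the rest of the subnet. Same two ACEs, different order.
ACL_WRONG_ORDER = [parse_ace(line) for line in (
    "permit tcp 10.1.1.0 0.0.0.255 host 192.168.2.254 eq www",
    "deny tcp host 10.1.1.1 host 192.168.2.254 eq www",
)]
ACL_RIGHT_ORDER = list(reversed(ACL_WRONG_ORDER))
# Variant with the explicit permit-all discussed above instead of relying on the implicit deny.
ACL_PERMIT_REST = ACL_RIGHT_ORDER + [parse_ace("permit ip any any")]

if __name__ == "__main__":
    for name, acl in (("wrong order", ACL_WRONG_ORDER), ("right order", ACL_RIGHT_ORDER),
                      ("explicit permit all", ACL_PERMIT_REST)):
        print(name, evaluate(acl, "tcp", "10.1.1.1", "192.168.2.254", 80),
              evaluate(acl, "udp", "10.1.1.2", "192.168.2.254", 53))
```

With the permit-the-subnet ACE first, the deny for host 10.1.1.1 is never reached, which is exactly the ordering mistake the drills want you to catch; swapping the two lines fixes it. The UDP packet shows the other two points: with only the two TCP ACEs it falls through to the implicit deny, while adding permit ip any any at the end makes it match the third ACE instead.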
Drill to Interpret ACEs in an Editor
A third style for these drills is to interpret what other ACLs would match. The idea is simple: the question blog post lists a series of ACEs, and you have to describe with words and numbers what types of packets would match each ACE. Basically, it’s what you would do on the exam when you see a pre-configured ACL in a Sim, Simlet, or multiple-choice question.
These drills also have a small twist: the problem statement says that the commands exist in a text editor. Why? Well, when you paste a command into a router, the router may change the values in the address fields. For example, with an address and wildcard mask of:
10.1.1.0 0.0.0.255
The address range is 10.1.1.0 – 10.1.1.255. Simple enough.
However, if the command included an address field like this:
10.1.1.1 0.0.0.255
When the command was copied into configuration mode, the router does some math that determines that 10.1.1.1 is actually not the beginning number in that range of addresses, but 10.1.1.0 is. So, IOS would change the parameters to:
10.1.1.0 0.0.0.255
Basically, if the address in an address/wildcard pair does NOT list the first IP address in that range, then IOS changes the command to use the first number.
So, your job in these drills is to think about the address ranges, but also to predict whether the command has the correct first value in that range, and if not, state what that value should be.
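The “does the address start the range?” check can be worked through with a little code. The following is an added Python example, written for this post and not part of the original drills (and not what IOS runs internally): it computes the range an address/wildcard pair covers, counts how many addresses it matches, and reports the first address IOS would store in the command. The sample pairs are constructed for illustration; the last one goes a step beyond the page by using a non-contiguous wildcard, where the first and last addresses still come out the same way but the set of matched addresses is no longer a solid block.

```python
import ipaddress
from typing import Tuple

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _text(value: int) -> str:
    return str(ipaddress.IPv4Address(value))

def address_range(address: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address the pair can match.
    A wildcard bit of 1 means 'don't care': the low end has those bits cleared, the high end has them set."""
    a, w = _ip(address), _ip(wildcard)
    return _text(a & ~w & 0xFFFFFFFF), _text(a | w)

def matched_count(wildcard: str) -> int:
    """Each 'don't care' bit doubles the number of matched addresses (also true for non-contiguous wildcards)."""
    return 2 ** bin(_ip(wildcard)).count("1")

def normalize(address: str, wildcard: str) -> Tuple[str, bool]:
    """The address IOS stores (the first one in the range) and whether it differs from what was typed."""
    first, _ = address_range(address, wildcard)
    return first, first != address

def describe(address: str, wildcard: str) -> str:
    """One-line drill answer for an address/wildcard pair as it appears in the editor."""
    first, last = address_range(address, wildcard)
    stored, changed = normalize(address, wildcard)
    note = f"; IOS would rewrite the address to {stored}" if changed else ""
    return f"{address} {wildcard}: {matched_count(wildcard)} addresses, {first} - {last}{note}"

if __name__ == "__main__":
    # Constructed sample pairs; the first two are the ones discussed above.
    for pair in (("10.1.1.0", "0.0.0.255"), ("10.1.1.1", "0.0.0.255"),
                 ("172.16.5.99", "0.0.0.63"), ("192.168.0.0", "0.0.254.255")):
        print(describe(*pair))
```

The bit operations are the whole trick: clearing the wildcard’s one-bits in the address gives the first address, setting them gives the last, and if the typed address still has any of those bits set, it was not the first address and IOS rewrites it.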
Summary and Link to the Questions
That’s it! Go forth and practice. You can find the current set of ACL Drills at this link.