ACL Drill Set 1

Posted July 16, 2015

In 200-301 V2 Ch02: Standard ACLs, 200-301 V2 Part 1: IP ACLs, ACL Drill, CCENT-OLD

Here’s the first ACL drill set. What’s that? Check out this post that explains the details. No stopwatch, no speed requirement for these, unlike the subnetting speed practice. Just focus on getting the right answer. Questions are below the fold!

First, use this figure as the backdrop:

Here are the questions. Your job for this drill: Treat each requirement as a completely separate problem. For each, create a 1 line ACL, with either a “permit” or “deny” action, to do what the requirement asks.

1) Host A (10.1.1.1/24) attempts to connect to Telnet server S3 (192.168.2.254/27). Your ACL will be applied outbound on R1’s S0/0/0 interface. Permit traffic from host A to telnet services on S3, as well as telnet services on all servers in that same subnet.

2) Host C (10.1.101.145/22) attempts to connect to web server S4 (192.168.3.250/28). Your ACL will be applied outbound on R3’s F0/0 interface. Deny hosts in host C’s subnet from communicating with web services on web server S4.

3) Repeat #2, but for an ACL that will be placed on R1’s F0/1 as an outbound ACL.

Enjoy! Answers in a few days.

8 Comments

Oldest

Newest Most Voted

Inline Feedbacks

View all comments

Dexter

July 16, 2015 1:19 pm

permit tcp host 10.1.1.1 192.168.2.224 0 0.0.0.31 eq 23

Dexter

Reply to Dexter

July 16, 2015 1:20 pm

Erratum
permit tcp host 10.1.1.1 192.168.2.224 0 0.0.31 eq 23

Dexter

July 16, 2015 1:40 pm

2) deny tcp 10.1.100.0 0.0.3.255 host 192.168.3.250 eq www

Samir

July 18, 2015 7:01 am

1)access-list 101 permit tcp host 10.1.1.1 192.168.2.224 0.0.0.31 eq telnet
2)access-list 101 deny tcp 10.1.100.0 0.0.3.255 host 192.168.3.250 eq www
3)access-list 101 deny tcp host 192.168.3.250 eq www 10.1.100.0 0.0.3.255

lyjo

Admin

July 21, 2015 5:06 pm

Hi Dexter and Samir. The answer post is up! Should be the next post in chronological sequence, linked near where you see this post. But I like your answers! 🙂
Wendell

Starter

October 24, 2016 5:12 pm

if I whrite like this woud it be correct answer to :

permit tcp host 10.1.1.1 192.168.2.254 0.0.0.31 eq 23

deny tcp 10.1.101.145 0.0.3.255 host 192.168.3.250 eq 80

deny tcp host 192.168.3.250 eq 80 10.1.101.145 0.0.3.255
Or i need to use subnet address as destination!! thanks for Reply

lyjo

Admin

Reply to Starter

October 27, 2016 8:02 pm

Hi Starter,
Thanks for the post.
Your logic is pretty good. The one issue with your answers is that when you match a subnet, you’re still using the specific IP address along with the wildcard masks. You picked the correct wildcard masks, but you also need to use the subnet ID rather than the specific IP address.

EG, on your first command:
permit tcp host 10.1.1.1 192.168.2.224 0.0.0.31 eq 23

Note the link at the bottom of the post to the post that lists the answers as well. 🙂
Wendell

Jayson

September 26, 2019 3:53 pm

Question #3 is confusing to me. Looking at other people’s take on the question, it is filtering mostly the return/reverse message from S1. After looking at it that way, I understand how the ACL command would be configured but I did not get to that conclusion from the question alone. Must just be me.