ACL Drill Set 1

Here’s the first ACL drill set. What’s that? Check out this post that explains the details. No stopwatch, no speed requirement for these, unlike the subnetting speed practice. Just focus on getting the right answer. Questions are below the fold!
First, use this figure as the backdrop:
Here are the questions. Your job for this drill: Treat each requirement as a completely separate problem. For each, create a one-line ACL, with either a “permit” or “deny” action, to do what the requirement asks.
1) Host A (10.1.1.1/24) attempts to connect to Telnet server S3 (192.168.2.254/27). Your ACL will be applied outbound on R1’s S0/0/0 interface. Permit traffic from host A to telnet services on S3, as well as telnet services on all servers in that same subnet.
2) Host C (10.1.101.145/22) attempts to connect to web server S4 (192.168.3.250/28). Your ACL will be applied outbound on R3’s F0/0 interface. Deny hosts in host C’s subnet from communicating with web services on web server S4.
3) Repeat #2, but for an ACL that will be placed on R1’s F0/1 as an outbound ACL.
Enjoy! Answers in a few days.
permit tcp host 10.1.1.1 192.168.2.224 0 0.0.0.31 eq 23
Erratum
permit tcp host 10.1.1.1 192.168.2.224 0 0.0.31 eq 23
2) deny tcp 10.1.100.0 0.0.3.255 host 192.168.3.250 eq www
1) access-list 101 permit tcp host 10.1.1.1 192.168.2.224 0.0.0.31 eq telnet
2) access-list 101 deny tcp 10.1.100.0 0.0.3.255 host 192.168.3.250 eq www
3) access-list 101 deny tcp host 192.168.3.250 eq www 10.1.100.0 0.0.3.255
Hi Dexter and Samir. The answer post is up! Should be the next post in chronological sequence, linked near where you see this post. But I like your answers! 🙂
Wendell
If I write like this, would it be a correct answer to:
permit tcp host 10.1.1.1 192.168.2.254 0.0.0.31 eq 23
deny tcp 10.1.101.145 0.0.3.255 host 192.168.3.250 eq 80
deny tcp host 192.168.3.250 eq 80 10.1.101.145 0.0.3.255
Or do I need to use the subnet address as the destination? Thanks for the reply.
Hi Starter,
Thanks for the post.
Your logic is pretty good. The one issue with your answers is that when you match a subnet, you’re still using the specific IP address along with the wildcard masks. You picked the correct wildcard masks, but you also need to use the subnet ID rather than the specific IP address.
E.g., on your first command:
permit tcp host 10.1.1.1 192.168.2.224 0.0.0.31 eq 23
Note the link at the bottom of the post to the post that lists the answers as well. 🙂
Wendell
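The subnet-ID point from the reply above, as an added Python example (not part of the original post or its comments): it derives the subnet ID and wildcard mask from a host address and prefix, and checks whether an address/wildcard pair is written in subnet-ID form. The function names are illustrative, and `covers` is a simple model of wildcard matching that compares only the bits where the wildcard is 0.

```python
import ipaddress

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def subnet_operand(host_cidr):
    """Return (subnet_id, wildcard) for the subnet that a host/prefix lives in."""
    net = ipaddress.ip_interface(host_cidr).network
    return str(net.network_address), str(net.hostmask)

def is_subnet_id(addr, wildcard):
    """True when addr has 0s in every bit position the wildcard ignores."""
    return (_to_int(addr) & _to_int(wildcard)) == 0

def normalize(addr, wildcard):
    """Clear the wildcard bits of addr, giving the subnet ID for that mask."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(_to_int(addr) & care))

def covers(addr, wildcard, packet_ip):
    """Model of wildcard matching: compare only the bits where wildcard is 0."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(packet_ip) & care) == (_to_int(addr) & care)

if __name__ == "__main__":
    # Addresses and prefixes taken from drill questions 1 and 2.
    for label, cidr in [("S3", "192.168.2.254/27"), ("Host C", "10.1.101.145/22")]:
        host = cidr.split("/")[0]
        subnet, wildcard = subnet_operand(cidr)
        print(f"{label}: '{host} {wildcard}' in subnet-ID form? "
              f"{is_subnet_id(host, wildcard)}")
        print(f"  subnet-ID form: {normalize(host, wildcard)} {wildcard}")

    # Which sample addresses fall inside S3's subnet entry.
    subnet, wildcard = subnet_operand("192.168.2.254/27")
    for ip in ("192.168.2.225", "192.168.2.254", "192.168.2.223", "192.168.3.1"):
        print(f"  {ip} matched by {subnet} {wildcard}: {covers(subnet, wildcard, ip)}")
```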
Question #3 is confusing to me. Looking at other people’s take on the question, it is filtering mostly the return/reverse message from S1. After looking at it that way, I understand how the ACL command would be configured but I did not get to that conclusion from the question alone. Must just be me.