ACL Drill Set 2
Here’s another ACL drill set. What’s that? Check out this post that explains the details. No stopwatch, no speed requirement for these, unlike the subnetting speed practice. Just focus on getting the right answer. For this post, you will create a small but complete ACL, with one or more ACEs (commands) per ACL. This post has three such exercises. Questions are below the fold!
First, use this same figure as the backdrop:
Here are the requirements. Your job: create a numbered ACL, with one or more lines, and enabled on the correct interface, to implement the requirements.
1) Host C (172.16.55.55/27) attempts to connect to Telnet server S3 (192.168.2.199/26). Your ACL will be applied outbound on R2’s S0/0/1 interface. Permit traffic from host C to telnet services on S3. However, also prevent access from Host C to Telnet server S4 (192.168.2.189/26), as well as telnet services on all servers in that same subnet. Permit all other traffic.
2) Host B (10.100.0.1/17) pings the four servers in the network: S1 (10.100.100.100/17), S2 (172.16.5.5/24), S3 (192.168.1.141/26), and S4 (10.255.255.254/17). The configuration will enable an ACL on R1’s F0/0 interface, inbound. Configure an ACL so that host B can still successfully ping servers in the same subnets as S1 and S4, but filter so that pings to servers in the same subnets as S2 and S3 fail.
3) Repeat #1, but for an ACL that will be placed on R1’s F0/1 as an inbound ACL, and match all packets from Host C’s subnet to server S3’s subnet.
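As an added worked example (this is not the post's answer key and not Wendell's code), here is a small Python evaluator for IOS-style numbered extended ACLs, together with candidate ACLs for the three drills. The evaluator handles host/any/wildcard operands, an optional "eq PORT", first-match-wins ordering and the implicit deny at the end of every ACL. The candidate ACLs (numbers 101, 112 and 103), the subnet/wildcard values derived from the addresses above, and the choice to end ACL 112 with "permit ip any any" (drill #2 does not say what happens to non-ICMP traffic) are my own assumptions.

```python
"""Minimal evaluator for Cisco IOS-style numbered extended ACLs.

Added example, not code from the original post. It parses 'access-list'
ACEs, applies first-match-wins plus the implicit deny, and checks candidate
ACLs (assumed answers, not the post's answer key) for the three drills.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ALL = 0xFFFFFFFF  # 32-bit mask


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def subnet_wildcard(cidr: str):
    """'192.168.2.189/26' -> ('192.168.2.128', '0.0.0.63'): the subnet ID and
    the IOS wildcard (inverse) mask an ACE needs to match that whole subnet."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)


@dataclass
class Ace:
    action: str            # 'permit' or 'deny'
    proto: str             # 'ip', 'tcp', 'udp', 'icmp'
    src: tuple             # (network_int, wildcard_int)
    dst: tuple
    dport: Optional[int]   # destination port from 'eq N', else None


def _operand(tokens):
    """Consume one address operand: 'any', 'host A.B.C.D', or 'NET WILDCARD'."""
    if tokens[0] == "any":
        return (0, ALL), tokens[1:]
    if tokens[0] == "host":
        return (ip_int(tokens[1]), 0), tokens[2:]
    return (ip_int(tokens[0]), ip_int(tokens[1])), tokens[2:]


def parse_ace(line: str) -> Ace:
    toks = line.split()
    assert toks[0] == "access-list", line
    action, proto = toks[2], toks[3]
    src, rest = _operand(toks[4:])
    dst, rest = _operand(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return Ace(action, proto, src, dst, dport)


def _matches(operand, addr: str) -> bool:
    """Wildcard bits set to 1 are 'don't care'; compare only the other bits."""
    net, wild = operand
    care = ~wild & ALL
    return (ip_int(addr) & care) == (net & care)


def evaluate(acl, proto, src, dst, dport=None) -> str:
    """Return 'permit' or 'deny' for the first ACE that matches the packet."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not (_matches(ace.src, src) and _matches(ace.dst, dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"  # implicit deny at the end of every IOS ACL


def build(lines):
    return [parse_ace(l) for l in lines]


# Derived subnet IDs and wildcards (assumed from the addresses in the drills).
S4_NET, S4_WILD = subnet_wildcard("192.168.2.189/26")   # 192.168.2.128 0.0.0.63
S3_NET, S3_WILD = subnet_wildcard("192.168.2.199/26")   # 192.168.2.192 0.0.0.63
C_NET, C_WILD = subnet_wildcard("172.16.55.55/27")      # 172.16.55.32 0.0.0.31
S2_NET, S2_WILD = subnet_wildcard("172.16.5.5/24")      # 172.16.5.0 0.0.0.255
S3B_NET, S3B_WILD = subnet_wildcard("192.168.1.141/26")  # 192.168.1.128 0.0.0.63

# Drill 1: outbound on R2 S0/0/1 (candidate answer, my assumption).
ACL_101 = build([
    "access-list 101 permit tcp host 172.16.55.55 host 192.168.2.199 eq 23",
    f"access-list 101 deny tcp host 172.16.55.55 {S4_NET} {S4_WILD} eq 23",
    "access-list 101 permit ip any any",
])
# Drill 2: inbound on R1 F0/0. Only ICMP to S2's and S3's subnets is filtered;
# the closing permit is my assumption, since the drill is silent on other traffic.
ACL_112 = build([
    f"access-list 112 deny icmp host 10.100.0.1 {S2_NET} {S2_WILD}",
    f"access-list 112 deny icmp host 10.100.0.1 {S3B_NET} {S3B_WILD}",
    "access-list 112 permit ip any any",
])
# Drill 3: inbound on R1 F0/1, matching whole subnets instead of single hosts.
ACL_103 = build([
    f"access-list 103 permit tcp {C_NET} {C_WILD} {S3_NET} {S3_WILD} eq 23",
    f"access-list 103 deny tcp {C_NET} {C_WILD} {S4_NET} {S4_WILD} eq 23",
    "access-list 103 permit ip any any",
])
```

Calling, for example, `evaluate(ACL_101, "tcp", "172.16.55.55", "192.168.2.130", 23)` returns "deny" because .130 sits inside S4's /26, while the same call with port 80 returns "permit": the deny ACE matches only Telnet. Swapping the wildcard for a subnet mask (a common slip) would silently change which bits are compared, which is exactly the kind of error this evaluator makes visible before the ACL reaches a router.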
Hi Wendell,
Aren’t B and S1 suppose to be on the same subnet?
Thanks,
RN
RN,
They are indeed! 🙂 There’s no need to permit traffic going to the subnet where B and S1 reside, because the router doesn’t process those packets.
Wendell
Hi Mr. Wendell,
Reading the stem of this question, I’ve understood that the ACL must allow Host B’s ping to S1 (that’s in the same subnetwork), S2, S3, and S4 IP addresses and deny Host B’s ping to the other servers in S2’s and S3’s subnetworks. So I’ve included these two ACEs
access-list 112 permit icmp host 10.100.0.1 host 172.16.5.5
access-list 112 permit icmp host 10.100.0.1 host 192.168.1.141
to the ACL before the ACE that allows Host B to ping S4’s IP address and all other servers in the same subnetwork,
access-list 112 permit icmp host 10.100.0.1 10.255.128.0 0.0.127.255
as the answer that you’ve posted. Is that correct or I didn’t understand the question?
Thank you,
Mauricio.
Mauricio,
Yeah, I think you’re reading #2 a little differently than I intended it back in 2015 when I wrote this. 🙂
At least based on the sample answer, looks like I meant:
permit B to ping all addresses in subnet 1 and subnet 4 (aka the subnets where S1 and S2 reside)
deny B to ping all addresses in subnet 2 and subnet 3
I’m thinking you read requirements and attempted to permit for S2 and S3, but to deny for all other addresses in subnet 2 and 3?
Another proof that the wording in English about ACLs can be more challenging than the ACLs themselves. But yes, I think it was just a reasonable different interpretation. As long as you get how to configure it, I think that’s plenty good.
Regards,
Wendell