Answers: ACL Drill Set 2

certskills
By certskills July 27, 2015 09:05

Today’s post lists the answers to ACL drill set 2. What’s that? Check out this post that explains the details. No stopwatch, no speed requirement for these, unlike the subnetting speed practice. Answers are below the fold!

First, use this figure as the backdrop:

Next, I’ve left the problem statements for easier reference, with the answer to follow each:

1) Host C (172.16.55.55/27) attempts to connect to Telnet server S3 (192.168.2.199/26). Your ACL will be applied outbound on R2’s S0/0/1 interface. Permit traffic from host C to telnet services on S3. However, also prevent access from Host C to Telnet server S4 (192.168.2.189/26), as well as telnet services on all servers in that same subnet. Permit all other traffic.

In this case, with a requirement, instead of matching the telnet traffic that should be permitted, the solution just uses the permit all at the end of the list to match that traffic. The first statement matches the traffic that the problem statement asked to be denied.

On R2:

2) Host B (10.0.0.1/17) pings the four servers in the network: S1 (10.100.100.100/17), S2 (172.16.5.5/24), S3 (192.168.1.141/26), and S4 (10.255.255.254/17). The configuration will enabled an ACL on R1’s F0/0 interface, inbound. Configure an ACL so that host B can still successfully ping servers in the same subnets as S1 and S4, but filter so that the pings to servers in the same subnet as S2 and S3 fail.

In this case, the answer relies on the implied deny all at the end of the list to filter the ping traffic to servers S2 and S3, simply permitting the traffic to server S4’s subnet.

On R1:

3) Repeat #1, but for an ACL that will be placed on R1’s F0/1 as an inbound ACL, and match all packets in Host C’s subnet and in servers S3’s subnet.

On R1:

 

ACL Drill Set 2
An STP Root Question with No Direct Link to the Root
certskills
By certskills July 27, 2015 09:05
Write a comment

25 Comments

  1. Jeff August 4, 23:58

    One of your requirements on problem # 1 is that the access list “prevent access from Host C to server S4 (192.168.2.189/26).” But although your access list prevents Host C from using S4’s telnet service, it does not prevent it from accessing other services on that particular host.

    Reply to this comment
    • CCENTSkills August 6, 05:56

      Hi Jeff,
      You’re right. I had intended that statement to be specifically about Telnet services, but the words didn’t say that. I’ve edited both the problem statement here and in the problem statement post to clarify. Thanks for the heads up!
      Wendell

      Reply to this comment
  2. Dias October 22, 03:24

    Hi Wendell,

    For the second question, you have permitted traffic to server S4’s subnet right ?
    So, for S4 subnet (10.255.255.254/17), subnet id is 10.255.128.0
    Can I use access-list 112 permit icmp host 10.0.0.1 10.255.128.0 0.0.127.255 ?

    Reply to this comment
  3. Dias October 22, 05:50

    Hi Wendell,

    Sorry, I made a typing mistake in the previous comment. I meant this
    access-list 112 permit icmp host 10.255.128.0 0.0.127.255

    Reply to this comment
  4. CCENTSkills October 26, 20:52

    Hi Dias,
    You are indeed correct. I just edited the answer to #2 to match you suggestion. Thanks!
    Wendell

    Reply to this comment
  5. Christine November 20, 23:26

    Hi Wendell,
    There’s a couple typos above: This one in the answer for #2 isn’t a big deal “access-list 112 permit icmp host 10.0.0.1 10.255.1288.0 0.0.127.255” Extra 8 in the destination IP.
    The answer for the 3rd one though wouldn’t work at all on Host C’s subnet since it’s on the wrong interface F0/0 instead of F0/1. It’s correct in the Drill on the previous post, just not in the answer.
    Thanks for the blog – good practice.

    Reply to this comment
  6. vfylyk November 26, 03:14

    Hi Wendell,

    As I see the question and answer for drill 2, it looks to me that although host B and server S1 are physically on the same LAN by the diagram, they actually have addresses that are not on the same subnet.

    Host B subnet: 10.0.0.0/27
    S1 subnet: 10.100.0.0/27

    Then, the only way I see those two communicating is via router R1, maybe as ROAS. This means that an additional rule is needed to allow pings destined to S1’s subnet, e.g. access-list 112 permit icmp host 10.0.0.1 10.100.0.0 0.0.127.255. Is that right?

    Also, unless I’m mistaken, on the questions blog post you required named ACLs: “Here are the requirements. Your job: create a named ACL, with one or more lines, and enabled on the correct interface, to implement the requirements.” but here I only see answers with numbered ACLs. Is there a reason why you’re using the numbered ACLs?

    Anyway, thank you for all the drills!

    Reply to this comment
  7. HectorJ February 9, 21:54

    Hi, Wendell. These are my comments:

    1) Before the listed requierements there’s a previous one: “Here are the requirements. Your job: create a named ACL”
    However, it seems like somehow, it changed to a numbered ACL on the answers section.

    2) I’m really aware about what you traying to show with this drill set: the way that an
    implicit deny and an explicit permit from any to any works. However, like in the previous
    drill set, I thought that intention this time was explicitly write down every asked requierement
    This means that, for instance, at the first question I explicitly permit telnet communication
    between host 192.168.2.199 and host 172.16.55.55

    permit tcp host 192.168.2.199 eq telnet host 172.16.55.55

    I must say that besides of what I’m saying, I actually included the lines of configurations
    you wrote down on every answer (so, at least, that was ok).

    If it had been a CCNA exam question, what should’ve done?
    Would it be considered a wrong answer if I had explicitly include such a requirements (as I said)?

    3) Third requierement says “match all packets in Host C’s subnet”:

    deny tcp 172.16.55.32 0.0.0.31 192.168.2.128 0.0.0.63

    doesn’t restrict udp packets.

    Thanks on advance for paying attention to these concerns
    May be is a kind of missunderstanding, beacuse of the way the requirement was written down.
    In my opinion “match all packets” overrides any telnet restriction (or telnet traffic permission)

    Reply to this comment
  8. Jon May 29, 11:39

    Hi Wendell –

    two things

    1. Shouldn’t problem #3 be “ip access-group 113 in”?

    Reply to this comment
  9. Jon June 11, 11:41

    Hi Wendell,

    Shouldn’t the answer to problem #1 contain

    interface S0/0/1
    ip access-group 111 out

    Reply to this comment
  10. nancy June 18, 03:26

    hello wendell ,
    I’m confused with the word “match” in ur statement..

    ‘3) Repeat #1, but for an ACL that will be placed on R1’s F0/1 as an inbound ACL, and match all packets in Host C’s subnet and in servers S3’s subnet.’.

    In the #1 acl ,it allows the traffic from C(only) to S3 with the permit command.
    Then in the #3 acl , “match all packets from C’s subnet” , does it mean that it should deny the traffic from C to S3 ? It can also allow the access…right?

    Reply to this comment
    • CCENTSkills June 19, 07:27

      Hi Nancy,
      The differences in the requirements for #3 are:
      The location of the ACL has changed
      Instead of host C, it’s host C’s subnet
      Instead of server 3, it’s server 3’s subnet

      #3 doesn’t mention any change to the deny/permit action best I can tell. But I could have spelled it out a little better (maybe like the above).

      That work?
      Wendell

      Reply to this comment
  11. troyl July 15, 01:27

    Hi Wendall,
    your assignment starts out with “Here are the requirements. Your job: create a named ACL…..”

    wouldn’t the answers start with:

    ip access-list extended name1
    then subcommands

    to get for the first answer:

    Extended IP access list name1
    10 deny tcp 192.168.2.128 0.0.0.63 eq telnet host 172.16.55.55
    20 permit ip any any

    Reply to this comment
    • CCENTSkills July 21, 09:40

      Hi Troy,
      Yep, you’re right. It was easier for me to change the word “named” to “numbered” in the problem statement, though. 🙂 Done. Sorry about that!
      Wendell

      Reply to this comment
  12. Bav December 16, 09:07

    Hi Wendell,

    I don’t think the requirements were clear enough for this one. If you intended to make use of the implicit deny then the question may have been better worded to highlight this and say something like, in as few lines as possible.

    To me it looked like you wanted us to list out all the individual permit/deny statements.

    I suppose in the exam there won’t be any ambiguity as it’s mutiple choice.

    Reply to this comment
    • CCENTSkills December 18, 10:44

      Hi Bav,
      I’ll take a look. Thanks for the input.
      Yep, here in the blog, I do want to be as clear as possible. However, the importance of learning far outweighs any other goal for blog content, so I allow myself some freedom to show posts that allow more freedom than say a typical exam question. Exam questions need to remove ambiguity, while some ambiguity in learning exercises triggers useful confusion (yes, a real learning theory idea), exploration, and better mastery. But I can’t recall if that particular point of ambiguity was intentional or not. 🙂
      Wendell

      Reply to this comment
      • RN March 3, 20:01

        Wendell, I understand what you are saying, but I also found question 2 and it’s answer very unclear.

        In your answer you only allow specific icmp traffic and drop all other traffic whatsoever, rendering the host unusable.

        Also, notice that host B and S1 are connected to the same subnet, but the ip scheme does not much the topology, which also contribute to the confusion.

        I do agree though that this is an interesting question, and so is the answer.

        My answer included five statements: Two permit, two deny, and finally a ‘permit ip any any’ statement.

        Reply to this comment
  13. RN March 3, 19:48

    Hi Wendell,

    In the answer to question 3, you specified the network 192.168.2.128. It should be S3’s subnet.

    S3 IP address and mask is 192.168.2.199/26.

    So shouldn’t it be 192.168.2.192?

    Thanks,

    RN

    Reply to this comment
  14. Tobias Larsson December 6, 05:01

    Answer #2 is incorrect, Host B is not on the same subnet as S1, meaning an ACE is required to permit traffic to flow to the S1 subnet, or it would be blocked to the implicit deny rule.

    Reply to this comment
    • CCENTSkills January 16, 11:22

      Tobias,
      I agree. the fix though is better if I fix the mistake in the problem post. The problem post shows hosts A, B, and S1 in the same subnet, and the text in the problem post gave an incorrect IP address for host B (10.0.0.1/17). It should have been 10.100.0.1/17 so B would be in the correct subnet.
      So… I agree, but now that I’ve changed the problem, B is in the same subnet as S1.
      Sorry about the mistake.

      Reply to this comment
  15. Nicola January 11, 08:52

    Hi Wendell,

    In the answer to the 2nd question with that ACL all the traffic will be filtered and instead i was interpreting it as just the ICMP traffic should be filtered. Am i wrong?

    Many thanks for you really great site!

    Reply to this comment
    • CCENTSkills January 21, 10:27

      Nicola,
      You are welcome! Glad you’re enjoying it.

      As to your question, two answers.
      1) literally, you are right! Congrats. 🙂
      2) You bring up a point that’s always an issue with ACLs. the requirements were in English. We write the ACL in config. There’s always some room for different interpretation, ambiguity, and so on, so that two people come up with different answers.

      So, on my answer #2, I think we’d agree that the suggested answer does do what the requirements ask – it just does more (filters more traffic). So the listed answer does literally meet the requirement.

      If you’re first thought is something like “But…” – that’s the point. But you are thinking correctly in that the answer filters more.
      Wendell

      Reply to this comment
View comments

Write a comment

Comment; Identify w/ Social Media or Email

Subscribe

Subscribe to our mailing list and get interesting stuff and updates to your email inbox.

Thank you for subscribing.

Something went wrong.

Search

Categories