Answers: ACL Drill Set 2

Today’s post lists the answers to ACL drill set 2. What’s that? Check out this post that explains the details. No stopwatch, no speed requirement for these, unlike the subnetting speed practice. Answers are below the fold!
First, use this figure as the backdrop:
Next, I’ve left the problem statements for easier reference, with the answer to follow each:
1) Host C (172.16.55.55/27) attempts to connect to Telnet server S3 (192.168.2.199/26). Your ACL will be applied outbound on R2’s S0/0/1 interface. Permit traffic from host C to telnet services on S3. However, also prevent access from Host C to Telnet server S4 (192.168.2.189/26), as well as telnet services on all servers in that same subnet. Permit all other traffic.
In this case, rather than adding a statement that explicitly matches the Telnet traffic that should be permitted, the solution relies on the permit-all statement at the end of the list to match that traffic. The first statement matches the traffic that the problem statement asked to be denied.
On R2:
interface S0/0/1
 ip access-group 111 out
!
access-list 111 deny tcp 192.168.2.128 0.0.0.63 eq telnet host 172.16.55.55
access-list 111 permit ip any any
2) Host B (10.0.0.1/17) pings the four servers in the network: S1 (10.100.100.100/17), S2 (172.16.5.5/24), S3 (192.168.1.141/26), and S4 (10.255.255.254/17). The configuration will enable an ACL on R1’s F0/0 interface, inbound. Configure an ACL so that host B can still successfully ping servers in the same subnets as S1 and S4, but filter so that the pings to servers in the same subnet as S2 and S3 fail.
In this case, the answer relies on the implied deny all at the end of the list to filter the ping traffic to servers S2 and S3, simply permitting the traffic to server S4’s subnet.
On R1:
interface F0/0
 ip access-group 112 in
!
access-list 112 permit icmp host 10.0.0.1 10.255.128.0 0.0.127.255
3) Repeat #1, but for an ACL that will be placed on R1’s F0/1 as an inbound ACL, and match all packets in Host C’s subnet and in server S3’s subnet.
On R1:
interface F0/1
 ip access-group 113 in
!
access-list 113 deny tcp 172.16.55.32 0.0.0.31 192.168.2.128 0.0.0.63 eq telnet
access-list 113 permit ip any any
One of your requirements on problem # 1 is that the access list “prevent access from Host C to server S4 (192.168.2.189/26).” But although your access list prevents Host C from using S4’s telnet service, it does not prevent it from accessing other services on that particular host.
Hi Jeff,
You’re right. I had intended that statement to be specifically about Telnet services, but the words didn’t say that. I’ve edited both the problem statement here and in the problem statement post to clarify. Thanks for the heads up!
Wendell
Hi Wendell,
For the second question, you have permitted traffic to server S4’s subnet, right?
So, for S4 subnet (10.255.255.254/17), subnet id is 10.255.128.0
Can I use access-list 112 permit icmp host 10.0.0.1 10.255.128.0 0.0.127.255 ?
Hi Wendell,
Sorry, I made a typing mistake in the previous comment. I meant this
access-list 112 permit icmp host 10.255.128.0 0.0.127.255
Hi Dias,
You are indeed correct. I just edited the answer to #2 to match you suggestion. Thanks!
Wendell
Hi Wendell,
There are a couple of typos above: This one in the answer for #2 isn’t a big deal “access-list 112 permit icmp host 10.0.0.1 10.255.1288.0 0.0.127.255” Extra 8 in the destination IP.
The answer for the 3rd one though wouldn’t work at all on Host C’s subnet since it’s on the wrong interface F0/0 instead of F0/1. It’s correct in the Drill on the previous post, just not in the answer.
Thanks for the blog – good practice.
Hi Christine,
Thanks! Made both edits. Appreciate the help finding the errors.
Hi Wendell,
As I see the question and answer for drill 2, it looks to me that although host B and server S1 are physically on the same LAN by the diagram, they actually have addresses that are not on the same subnet.
Host B subnet: 10.0.0.0/27
S1 subnet: 10.100.0.0/27
Then, the only way I see those two communicating is via router R1, maybe as ROAS. This means that an additional rule is needed to allow pings destined to S1’s subnet, e.g. access-list 112 permit icmp host 10.0.0.1 10.100.0.0 0.0.127.255. Is that right?
Also, unless I’m mistaken, on the questions blog post you required named ACLs: “Here are the requirements. Your job: create a named ACL, with one or more lines, and enabled on the correct interface, to implement the requirements.” but here I only see answers with numbered ACLs. Is there a reason why you’re using the numbered ACLs?
Anyway, thank you for all the drills!
Hi, Wendell. These are my comments:
1) Before the listed requirements there’s a previous one: “Here are the requirements. Your job: create a named ACL”
However, it seems like somehow, it changed to a numbered ACL on the answers section.
2) I’m really aware of what you’re trying to show with this drill set: the way that an
implicit deny and an explicit permit from any to any works. However, like in the previous
drill set, I thought that the intention this time was to explicitly write down every asked requirement
This means that, for instance, at the first question I explicitly permit telnet communication
between host 192.168.2.199 and host 172.16.55.55
permit tcp host 192.168.2.199 eq telnet host 172.16.55.55
I must say that besides what I’m saying, I actually included the lines of configuration
you wrote down on every answer (so, at least, that was ok).
If it had been a CCNA exam question, what should I have done?
Would it be considered a wrong answer if I had explicitly included such requirements (as I said)?
3) Third requirement says “match all packets in Host C’s subnet”:
deny tcp 172.16.55.32 0.0.0.31 192.168.2.128 0.0.0.63
doesn’t restrict udp packets.
Thanks in advance for paying attention to these concerns
Maybe it is a kind of misunderstanding, because of the way the requirement was written down.
In my opinion “match all packets” overrides any telnet restriction (or telnet traffic permission)
I was thinking the same thing as Hector here!
Hi Wendell –
Two things:
1. Shouldn’t problem #3 be “ip access-group 113 in”?
Hi Jon,
Oops. Changed. Thanks! Wendell
Hi Wendell,
Shouldn’t the answer to problem #1 contain
interface S0/0/1
ip access-group 111 out
Hello Wendell,
I’m confused with the word “match” in your statement..
‘3) Repeat #1, but for an ACL that will be placed on R1’s F0/1 as an inbound ACL, and match all packets in Host C’s subnet and in servers S3’s subnet.’.
In the #1 acl ,it allows the traffic from C(only) to S3 with the permit command.
Then in the #3 acl , “match all packets from C’s subnet” , does it mean that it should deny the traffic from C to S3 ? It can also allow the access…right?
Hi Nancy,
The differences in the requirements for #3 are:
The location of the ACL has changed
Instead of host C, it’s host C’s subnet
Instead of server 3, it’s server 3’s subnet
#3 doesn’t mention any change to the deny/permit action best I can tell. But I could have spelled it out a little better (maybe like the above).
That work?
Wendell
Hi Wendell,
your assignment starts out with “Here are the requirements. Your job: create a named ACL…..”
wouldn’t the answers start with:
ip access-list extended name1
then subcommands
to get for the first answer:
Extended IP access list name1
10 deny tcp 192.168.2.128 0.0.0.63 eq telnet host 172.16.55.55
20 permit ip any any
Hi Troy,
Yep, you’re right. It was easier for me to change the word “named” to “numbered” in the problem statement, though. 🙂 Done. Sorry about that!
Wendell
Hi Wendell,
I don’t think the requirements were clear enough for this one. If you intended to make use of the implicit deny then the question may have been better worded to highlight this and say something like, in as few lines as possible.
To me it looked like you wanted us to list out all the individual permit/deny statements.
I suppose in the exam there won’t be any ambiguity as it’s multiple choice.
Hi Bav,
I’ll take a look. Thanks for the input.
Yep, here in the blog, I do want to be as clear as possible. However, the importance of learning far outweighs any other goal for blog content, so I allow myself some freedom to show posts that allow more freedom than say a typical exam question. Exam questions need to remove ambiguity, while some ambiguity in learning exercises triggers useful confusion (yes, a real learning theory idea), exploration, and better mastery. But I can’t recall if that particular point of ambiguity was intentional or not. 🙂
Wendell
Wendell, I understand what you are saying, but I also found question 2 and its answer very unclear.
In your answer you only allow specific icmp traffic and drop all other traffic whatsoever, rendering the host unusable.
Also, notice that host B and S1 are connected to the same subnet, but the IP scheme does not match the topology, which also contributes to the confusion.
I do agree though that this is an interesting question, and so is the answer.
My answer included five statements: Two permit, two deny, and finally a ‘permit ip any any’ statement.
Hi Wendell,
In the answer to question 3, you specified the network 192.168.2.128. It should be S3’s subnet.
S3 IP address and mask is 192.168.2.199/26.
So shouldn’t it be 192.168.2.192?
Thanks,
RN
From my point of view, you’re right. it should be
access-list 113 deny tcp 172.16.55.32 0.0.0.31 192.168.2.192 0.0.0.63 eq telnet
Answer #2 is incorrect, Host B is not on the same subnet as S1, meaning an ACE is required to permit traffic to flow to the S1 subnet, or it would be blocked by the implicit deny rule.
Tobias,
I agree. The fix though is better if I fix the mistake in the problem post. The problem post shows hosts A, B, and S1 in the same subnet, and the text in the problem post gave an incorrect IP address for host B (10.0.0.1/17). It should have been 10.100.0.1/17 so B would be in the correct subnet.
So… I agree, but now that I’ve changed the problem, B is in the same subnet as S1.
Sorry about the mistake.
Hi Wendell,
In the answer to the 2nd question with that ACL all the traffic will be filtered and instead I was interpreting it as just the ICMP traffic should be filtered. Am I wrong?
Many thanks for your really great site!
Nicola,
You are welcome! Glad you’re enjoying it.
As to your question, two answers.
1) literally, you are right! Congrats. 🙂
2) You bring up a point that’s always an issue with ACLs. The requirements were in English. We write the ACL in config. There’s always some room for different interpretation, ambiguity, and so on, so that two people come up with different answers.
So, on my answer #2, I think we’d agree that the suggested answer does do what the requirements ask – it just does more (filters more traffic). So the listed answer does literally meet the requirement.
If your first thought is something like “But…” – that’s the point. But you are thinking correctly in that the answer filters more.
Wendell
I think the questions would be easier to interpret with a bulleted list of requirements. For example, I filtered ICMP traffic and only ICMP traffic in my ACL. You filtered ICMP traffic and everything else (referring to question 2).
I don’t think either of us are wrong, but it takes away from the exercise when there isn’t 1 correct answer.
Just a suggestion.
As always thanks for the time and effort you put into these exercises!!!
Austin,
Thanks for the input. And you’re welcome!
Wendell
Hello Wendell,
I’ve got a gripe with answer number 3, specifically:
access-list 113 deny tcp 172.16.55.32 0.0.0.31 192.168.2.128 0.0.0.63 eq telnet
The destination address of this ACE should be S3 (192.168.2.199/26) subnet. It looks to me like S3 is in the 192.168.2.192 subnet, with mask 255.255.255.192, aka /26. So, I think the right ACE should be:
access-list 113 deny tcp 172.16.55.32 0.0.0.31 192.168.2.*192* 0.0.0.63 eq telnet
I REALLY hope I am right here, else… I’ve got too much work to do.
Wendell, thank you so much for your time, sometimes it feels like being coached one to one with the effort you put in all of this. I feel like you really care about the people you teach to =D
Hi Edgardo,
First, on the ACL, I think you have the matching logic mastered. I think the issue is parsing the language, which is often the more difficult part. For requirement A:
– permit from C to Telnet Server S3
– Deny from C to Telnet server S4
– permit all other
– use an ACL outbound on R2’s S0/0/1, which means the source will be S3’s subnet, or S4’s subnet, for matching.
I think you got all the above, except that I think you read the first dash item above as “deny” from C to Telnet server S3, whereas the lab says “permit”. And as noted in this post’s explanation then, we’re relying on the explicit permit any any at the end of the list to match that traffic. That’s why there’s no ACL matching subnet 192.168.2.192/26.
Does that clear it up?
Second, you’re very welcome! I really do enjoy helping people learn this stuff. Glad it comes across!
Wendell
My answers are the literal interpretation of the question without considering the implied deny ip any any at the end. :-/
1.
access-list 101 permit tcp 192.168.2.199 eq telnet host 172.16.55.55
access-list 101 deny tcp 192.168.2.128 0.0.0.63 eq telnet host 172.16.55.55
access-list 101 permit ip any any
2.
access-list 102 permit icmp host 10.100.0.1 10.100.0.0 0.0.127.255
access-list 102 permit icmp host 10.100.0.1 10.255.128.0 0.0.127.255
access-list 102 deny icmp host 10.100.0.1 172.16.5.0 0.0.0.255
access-list 102 deny icmp host 10.100.0.1 192.168.1.128 0.0.0.63
3.
access-list 103 permit icmp 172.16.55.32 0.0.0.31 192.168.1.128 0.0.0.63
I see now after reading why I got my answers wrong.
Actually I have a follow up question after re-reviewing the requirements for #3 – Shouldn’t S3 destination subnet be 192.168.1.128 and not 192.168.2.128?
Hi Gabriel,
If you’re matching S3, yes. But the solution is matching S4 w/ a deny, and then using the permit any at the end of the list to match S3 and everything else.
Wendell