Answers: ACL Drill Set 2


Today’s post lists the answers to ACL drill set 2. What’s that? Check out this post that explains the details. No stopwatch, no speed requirement for these, unlike the subnetting speed practice. Answers are below the fold!

First, use this figure as the backdrop:

Next, I’ve left the problem statements for easier reference, with the answer to follow each:

1) Host C (172.16.55.55/27) attempts to connect to Telnet server S3 (192.168.2.199/26). Your ACL will be applied outbound on R2’s S0/0/1 interface. Permit traffic from host C to telnet services on S3. However, also prevent access from Host C to Telnet server S4 (192.168.2.189/26), as well as telnet services on all servers in that same subnet. Permit all other traffic.

In this case, rather than writing a statement that matches the Telnet traffic that should be permitted, the solution lets the permit-all at the end of the list match that traffic. The first statement matches the traffic the problem asked to be denied: Telnet to any server in S4's subnet. S4 (192.168.2.189/26) sits in 192.168.2.128/26, written as 192.168.2.128 0.0.0.63, while S3 (192.168.2.199/26) sits in the next subnet, 192.168.2.192/26, so the deny never touches it. Note that the deny is written in the server-to-host direction: the source is the servers' subnet with source port Telnet (eq telnet), and the destination is host C. It therefore matches the Telnet servers' replies toward host C rather than host C's own packets; blocking either direction breaks the TCP session.

On R2:

interface S0/0/1
 ip access-group 111 out
!
access-list 111 deny tcp 192.168.2.128 0.0.0.63 eq telnet host 172.16.55.55
access-list 111 permit ip any any

2) Host B (10.100.0.1/17) pings the four servers in the network: S1 (10.100.100.100/17), S2 (172.16.5.5/24), S3 (192.168.1.141/26), and S4 (10.255.255.254/17). The configuration will enable an ACL on R1's F0/0 interface, inbound. Configure an ACL so that host B can still successfully ping servers in the same subnets as S1 and S4, but filter so that the pings to servers in the same subnet as S2 and S3 fail.

In this case, the answer relies on the implied deny all at the end of the list to filter the ping traffic to servers S2 and S3, simply permitting the traffic to server S4's subnet. S4's address 10.255.255.254/17 is in subnet 10.255.128.0/17, so the wildcard mask is 0.0.127.255. No statement is needed for S1's subnet: host B and S1 are both in 10.100.0.0/17, so their pings never pass through R1 and the ACL never sees them. (The problem originally listed host B as 10.0.0.1/17, which would have put B in a different subnet from S1; that was a typo, corrected in the comments below, and the figure shows B and S1 in the same subnet.) One caveat readers raise below: because the only statement is a permit for ICMP, the implicit deny also drops every non-ICMP packet from host B that enters F0/0. That still satisfies what the problem literally asks, but it filters more than the pings.

On R1:

interface F0/0
 ip access-group 112 in
!
access-list 112 permit icmp host 10.100.0.1 10.255.128.0 0.0.127.255

3) Repeat #1, but for an ACL that will be placed on R1's F0/1 as an inbound ACL, and match all packets in Host C's subnet and in server S3's subnet.

The requirements are the same as in #1 except for three things: the ACL moves to R1's F0/1 inbound, host C's address becomes host C's whole subnet (172.16.55.32/27, written 172.16.55.32 0.0.0.31), and the server addresses become whole subnets. The deny is now written in the client-to-server direction (source: host C's subnet; destination: S4's subnet with eq telnet on the destination), the direction in which packets from host C's LAN enter R1's F0/1. As in #1, the deny matches S4's subnet, 192.168.2.128/26; S3's subnet, 192.168.2.192/26, is matched by the permit ip any any at the end along with everything else. (Several comments below ask whether the deny should name 192.168.2.192; it should not, because the traffic to be denied is Telnet to S4 and the other servers in its subnet, not to S3.)

On R1:

interface F0/1
 ip access-group 113 in
!
access-list 113 deny tcp 172.16.55.32 0.0.0.31 192.168.2.128 0.0.0.63 eq telnet
access-list 113 permit ip any any
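As an added worked example, not code from the original post or its author, the following Python script evaluates the three answer ACLs against constructed sample packets the way an IOS router would: the first matching line wins, and a packet that matches no line falls through to the implicit deny. It also derives the subnet/wildcard pairs the ACEs need from the host addresses given in the problems, which is the step most of the comments below trip over. Everything beyond the three ACLs themselves is an assumption made for the example: the packet addresses and ports are invented, ACL 111 is assumed to sit on the path of the servers' replies toward host C (the direction its deny line is written in), ACLs 112 and 113 are fed the client-to-server direction, and host B uses the corrected address 10.100.0.1/17 that the author settles on in the comments. The function and class names are likewise this example's own.

```python
"""Added example (not from the original post): a first-match evaluator for Cisco
IOS numbered extended ACLs, used to check the three drill answers against
constructed packets. It parses only the syntax the answers use: protocol
ip/tcp/udp/icmp, 'host A' / 'any' / 'A WILDCARD' addresses, optional 'eq <port>'."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}  # IOS port keywords accepted here


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def ios_subnet(host_with_prefix: str) -> str:
    """Subnet/wildcard pair an ACE needs for the subnet a host lives in,
    e.g. '192.168.2.199/26' -> '192.168.2.192 0.0.0.63'."""
    net = ipaddress.IPv4Network(host_with_prefix, strict=False)
    return f"{net.network_address} {net.hostmask}"


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Inverse of ios_subnet: '10.255.128.0', '0.0.127.255' -> 10.255.128.0/17.
    Only contiguous wildcards (2**k - 1) are supported; the answers use nothing else."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network(f"{addr}/{32 - w.bit_length()}", strict=False)


def _address(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    return wildcard_to_network(tok[i], tok[i + 1]), i + 2


def _port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> <permit|deny> <proto> <src> [eq p] <dst> [eq p]'."""
    tok = line.split()
    if (len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny")
            or tok[3] not in ("ip", "tcp", "udp", "icmp")):
        raise ValueError(f"unsupported ACE: {line!r}")
    src, i = _address(tok, 4)
    sport, i = _port(tok, i)
    dst, i = _address(tok, i)
    dport, i = _port(tok, i)
    if i != len(tok):
        raise ValueError(f"trailing tokens in ACE: {line!r}")
    return Ace(tok[2], tok[3], src, sport, dst, dport)


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.IPv4Address(pkt.src) not in ace.src:
        return False
    if ipaddress.IPv4Address(pkt.dst) not in ace.dst:
        return False
    return (ace.sport is None or ace.sport == pkt.sport) and \
           (ace.dport is None or ace.dport == pkt.dport)


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match wins; returns (action, 1-based line). A packet matching no
    line returns ('deny', None): the implicit deny at the end of every IOS ACL."""
    for n, line in enumerate(acl, start=1):
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace.action, n
    return "deny", None


# The three answers, as applied on R2 S0/0/1 out, R1 F0/0 in and R1 F0/1 in.
# ACL 112 uses host B's corrected address 10.100.0.1 from the comments.
ACL_111 = ["access-list 111 deny tcp 192.168.2.128 0.0.0.63 eq telnet host 172.16.55.55",
           "access-list 111 permit ip any any"]
ACL_112 = ["access-list 112 permit icmp host 10.100.0.1 10.255.128.0 0.0.127.255"]
ACL_113 = ["access-list 113 deny tcp 172.16.55.32 0.0.0.31 192.168.2.128 0.0.0.63 eq telnet",
           "access-list 113 permit ip any any"]


def drill_checks() -> Dict[str, Tuple[str, Optional[int]]]:
    """Constructed packets in the direction each ACL sees them (assumed). ACL 111's
    deny is written server -> host C with source port 23, so it is fed the servers'
    replies; ACLs 112 and 113 are fed client -> server packets."""
    c, s3, s4 = "172.16.55.55", "192.168.2.199", "192.168.2.189"
    b, s2, s4b = "10.100.0.1", "172.16.5.5", "10.255.255.254"
    return {
        "1 S3 telnet reply to C": evaluate(ACL_111, Packet("tcp", s3, c, 23, 51000)),
        "1 S4 telnet reply to C": evaluate(ACL_111, Packet("tcp", s4, c, 23, 51001)),
        "1 S4 http reply to C":   evaluate(ACL_111, Packet("tcp", s4, c, 80, 51002)),
        "2 B ping S4":            evaluate(ACL_112, Packet("icmp", b, s4b)),
        "2 B ping S2":            evaluate(ACL_112, Packet("icmp", b, s2)),
        "2 B ssh to S4":          evaluate(ACL_112, Packet("tcp", b, s4b, 51003, 22)),
        "3 C subnet telnet S4":   evaluate(ACL_113, Packet("tcp", "172.16.55.40", s4, 51004, 23)),
        "3 C subnet telnet S3":   evaluate(ACL_113, Packet("tcp", "172.16.55.40", s3, 51005, 23)),
    }


if __name__ == "__main__":
    for name, (action, line) in drill_checks().items():
        where = f"line {line}" if line else "implicit deny"
        print(f"{name:24} {action:6} ({where})")
```

Run the script directly to print a verdict per packet, or import it and call drill_checks(). The ACL 112 rows make the point several readers raise below: with a single permit and nothing else, the implicit deny drops not just the pings to S2's and S3's subnets but every non-ICMP packet from host B as well. When checking an ACL against requirements written in English, test packets the requirements did not mention, not only the ones they did.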

 

33 Comments
Jeff

One of your requirements on problem # 1 is that the access list “prevent access from Host C to server S4 (192.168.2.189/26).” But although your access list prevents Host C from using S4’s telnet service, it does not prevent it from accessing other services on that particular host.

lyjo

Hi Jeff,
You’re right. I had intended that statement to be specifically about Telnet services, but the words didn’t say that. I’ve edited both the problem statement here and in the problem statement post to clarify. Thanks for the heads up!
Wendell

Dias

Hi Wendell,

For the second question, you have permitted traffic to server S4's subnet, right?
So, for S4 subnet (10.255.255.254/17), subnet id is 10.255.128.0
Can I use access-list 112 permit icmp host 10.0.0.1 10.255.128.0 0.0.127.255 ?

Dias

Hi Wendell,

Sorry, I made a typing mistake in the previous comment. I meant this
access-list 112 permit icmp host 10.255.128.0 0.0.127.255

lyjo

Hi Dias,
You are indeed correct. I just edited the answer to #2 to match your suggestion. Thanks!
Wendell

Christine

Hi Wendell,
There are a couple of typos above: This one in the answer for #2 isn't a big deal: "access-list 112 permit icmp host 10.0.0.1 10.255.1288.0 0.0.127.255". Extra 8 in the destination IP.
The answer for the 3rd one though wouldn’t work at all on Host C’s subnet since it’s on the wrong interface F0/0 instead of F0/1. It’s correct in the Drill on the previous post, just not in the answer.
Thanks for the blog – good practice.

lyjo

Hi Christine,
Thanks! Made both edits. Appreciate the help finding the errors.

vfylyk

Hi Wendell,

As I see the question and answer for drill 2, it looks to me that although host B and server S1 are physically on the same LAN by the diagram, they actually have addresses that are not on the same subnet.

Host B subnet: 10.0.0.0/27
S1 subnet: 10.100.0.0/27

Then, the only way I see those two communicating is via router R1, maybe as ROAS. This means that an additional rule is needed to allow pings destined to S1’s subnet, e.g. access-list 112 permit icmp host 10.0.0.1 10.100.0.0 0.0.127.255. Is that right?

Also, unless I’m mistaken, on the questions blog post you required named ACLs: “Here are the requirements. Your job: create a named ACL, with one or more lines, and enabled on the correct interface, to implement the requirements.” but here I only see answers with numbered ACLs. Is there a reason why you’re using the numbered ACLs?

Anyway, thank you for all the drills!

HectorJ

Hi, Wendell. These are my comments:

1) Before the listed requirements there's a previous one: "Here are the requirements. Your job: create a named ACL"
However, it seems like somehow it changed to a numbered ACL in the answers section.

2) I'm really aware of what you're trying to show with this drill set: the way that an implicit deny and an explicit permit from any to any work. However, like in the previous drill set, I thought the intention this time was to explicitly write down every requirement asked. This means that, for instance, at the first question I explicitly permit telnet communication between host 192.168.2.199 and host 172.16.55.55:

permit tcp host 192.168.2.199 eq telnet host 172.16.55.55

I must say that, besides what I'm saying, I actually included the lines of configuration you wrote down in every answer (so, at least, that was ok).

If it had been a CCNA exam question, what should I have done?
Would it be considered a wrong answer if I had explicitly included such requirements (as I said)?

3) The third requirement says "match all packets in Host C's subnet":

deny tcp 172.16.55.32 0.0.0.31 192.168.2.128 0.0.0.63

doesn't restrict udp packets.

Thanks in advance for paying attention to these concerns.
Maybe it is a kind of misunderstanding, because of the way the requirement was written down.
In my opinion "match all packets" overrides any telnet restriction (or telnet traffic permission).

Chris

I was thinking the same thing as Hector here!

Jon

Hi Wendell –

two things

1. Shouldn’t problem #3 be “ip access-group 113 in”?

lyjo

Hi Jon,
Oops. Changed. Thanks! Wendell

Jon

Hi Wendell,

Shouldn’t the answer to problem #1 contain

interface S0/0/1
ip access-group 111 out

nancy

Hello Wendell,
I'm confused by the word "match" in your statement:

'3) Repeat #1, but for an ACL that will be placed on R1's F0/1 as an inbound ACL, and match all packets in Host C's subnet and in servers S3's subnet.'

In the #1 ACL, it allows the traffic from C (only) to S3 with the permit command.
Then in the #3 ACL, "match all packets from C's subnet", does it mean that it should deny the traffic from C to S3? It can also allow the access, right?

lyjo

Hi Nancy,
The differences in the requirements for #3 are:
The location of the ACL has changed
Instead of host C, it’s host C’s subnet
Instead of server 3, it’s server 3’s subnet

#3 doesn’t mention any change to the deny/permit action best I can tell. But I could have spelled it out a little better (maybe like the above).

That work?
Wendell

troyl

Hi Wendell,
your assignment starts out with “Here are the requirements. Your job: create a named ACL…..”

wouldn’t the answers start with:

ip access-list extended name1
then subcommands

to get for the first answer:

Extended IP access list name1
10 deny tcp 192.168.2.128 0.0.0.63 eq telnet host 172.16.55.55
20 permit ip any any

lyjo

Hi Troy,
Yep, you’re right. It was easier for me to change the word “named” to “numbered” in the problem statement, though. 🙂 Done. Sorry about that!
Wendell

Bav

Hi Wendell,

I don’t think the requirements were clear enough for this one. If you intended to make use of the implicit deny then the question may have been better worded to highlight this and say something like, in as few lines as possible.

To me it looked like you wanted us to list out all the individual permit/deny statements.

I suppose in the exam there won't be any ambiguity as it's multiple choice.

lyjo

Hi Bav,
I’ll take a look. Thanks for the input.
Yep, here in the blog, I do want to be as clear as possible. However, the importance of learning far outweighs any other goal for blog content, so I allow myself some freedom to show posts that allow more freedom than say a typical exam question. Exam questions need to remove ambiguity, while some ambiguity in learning exercises triggers useful confusion (yes, a real learning theory idea), exploration, and better mastery. But I can’t recall if that particular point of ambiguity was intentional or not. 🙂
Wendell

RN

Wendell, I understand what you are saying, but I also found question 2 and its answer very unclear.

In your answer you only allow specific ICMP traffic and drop all other traffic whatsoever, rendering the host unusable.

Also, notice that host B and S1 are connected to the same subnet, but the IP scheme does not match the topology, which also contributes to the confusion.

I do agree though that this is an interesting question, and so is the answer.

My answer included five statements: Two permit, two deny, and finally a ‘permit ip any any’ statement.

RN

Hi Wendell,

In the answer to question 3, you specified the network 192.168.2.128. It should be S3’s subnet.

S3 IP address and mask is 192.168.2.199/26.

So shouldn’t it be 192.168.2.192?

Thanks,

RN

Michał Krzyszczuk

From my point of view, you're right. It should be
access-list 113 deny tcp 172.16.55.32 0.0.0.31 192.168.2.192 0.0.0.63 eq telnet

Tobias Larsson

Answer #2 is incorrect, Host B is not on the same subnet as S1, meaning an ACE is required to permit traffic to flow to the S1 subnet, or it would be blocked to the implicit deny rule.

lyjo

Tobias,
I agree. The fix, though, is better if I fix the mistake in the problem post. The problem post shows hosts A, B, and S1 in the same subnet, and the text in the problem post gave an incorrect IP address for host B (10.0.0.1/17). It should have been 10.100.0.1/17 so B would be in the correct subnet.
So... I agree, but now that I've changed the problem, B is in the same subnet as S1.
Sorry about the mistake.

Nicola

Hi Wendell,

In the answer to the 2nd question, with that ACL all the traffic will be filtered, and instead I was interpreting it as just the ICMP traffic should be filtered. Am I wrong?

Many thanks for your really great site!

lyjo

Nicola,
You are welcome! Glad you’re enjoying it.

As to your question, two answers.
1) literally, you are right! Congrats. 🙂
2) You bring up a point that's always an issue with ACLs. The requirements were in English. We write the ACL in config. There's always some room for different interpretation, ambiguity, and so on, so that two people come up with different answers.

So, on my answer #2, I think we’d agree that the suggested answer does do what the requirements ask – it just does more (filters more traffic). So the listed answer does literally meet the requirement.

If your first thought is something like "But..." - that's the point. But you are thinking correctly in that the answer filters more.
Wendell

Austin

I think the questions would be easier to interpret with a bulleted list of requirements. For example, I filtered ICMP traffic and only ICMP traffic in my ACL. You filtered ICMP traffic and everything else (referring to question 2).

I don't think either of us is wrong, but it takes away from the exercise when there isn't one correct answer.

Just a suggestion.

As always thanks for the time and effort you put into these exercises!!!

Edgardo Riccobon

Hello Wendell,

I’ve got a gripe with answer number 3, specifically:

access-list 113 deny tcp 172.16.55.32 0.0.0.31 192.168.2.128 0.0.0.63 eq telnet

The destination address of this ACE should be S3's (192.168.2.199/26) subnet. It looks to me like S3 is in the 192.168.2.192 subnet, with mask 255.255.255.192, aka /26. So, I think the right ACE should be:

access-list 113 deny tcp 172.16.55.32 0.0.0.31 192.168.2.*192* 0.0.0.63 eq telnet

I REALLY hope I am right here, else… I’ve got too much work to do.

Wendell, thank you so much for your time, sometimes it feels like being coached one to one with the effort you put in all of this. I feel like you really care about the people you teach to =D

GJM

My answers are the literal interpretation of the question without considering the implied deny ip any any at the end. :-/

1.
access-list 101 permit tcp host 192.168.2.199 eq telnet host 172.16.55.55
access-list 101 deny tcp 192.168.2.128 0.0.0.63 eq telnet host 172.16.55.55
access-list 101 permit ip any any

2.
access-list 102 permit icmp host 10.100.0.1 10.100.0.0 0.0.127.255
access-list 102 permit icmp host 10.100.0.1 10.255.128.0 0.0.127.255
access-list 102 deny icmp host 10.100.0.1 172.16.5.0 0.0.0.255
access-list 102 deny icmp host 10.100.0.1 192.168.1.128 0.0.0.63

3.
access-list 103 permit icmp 172.16.55.32 0.0.0.31 192.168.1.128 0.0.0.63

I see now after reading why I got my answers wrong.

GJM

Actually I have a follow up question after re-reviewing the requirements for #3 – Shouldn’t S3 destination subnet be 192.168.1.128 and not 192.168.2.128?

Wendell Odom

Hi Gabriel,
If you’re matching S3, yes. But the solution is matching S4 w/ a deny, and then using the permit any at the end of the list to match S3 and everything else.
Wendell
