Extended IPv4 ACL Drill 1

Posted in: 200-301 V2 Ch03: Extended ACLs, 200-301 V2 Part 1: IP ACLs, ACL Drill

Extended Access Control Lists (ACLs) can be a challenge for many reasons. The first few posts in this series of ACL exercises focus on just a few of those issues, in particular:

  • The concept and syntax to match TCP and UDP port numbers
  • When you need to make the ACL match and permit some kinds of overhead traffic

Today’s post gives you a set of requirements, and then a few variations on that set of requirements. Your job: Create an ACL that meets those requirements. Simple enough!

Ground Rules

A quick note about the rules for this exercise. First:

These exercises are NOT intended to be about tricky wording. The requirements are intended to be plain.

Instead, the goal of these exercises is to give you repetition in thinking about:

  • The location and direction of the ACL
  • The matching of different applications
  • The matching of some overhead protocols

So, read the requirements, think of them as being plain, create ACL statements to match each requirement, and practice choosing the correct config while thinking about the location of the ACL!

 

The Requirements

Configure an ACL to meet the following requirements.

First, the exercise uses the topology in Figure 1:

 

Figure 1: Topology Used in the ACL Drill

 

Use the following requirements to decide how to configure a named IPv4 ACL to permit and deny specific applications:

  1. Use the ACL location shown with the circled 1, that is, outbound on router R2’s G0/2 interface.
  2. Deny all TCP and UDP traffic not explicitly permitted by these requirements, while permitting all other IPv4 packets.
  3. For any ACL statements that could use either a number or a keyword (for instance, for a TCP port number), use the number, not the keyword.
  4. Permit the following applications to work correctly between hosts in the subnet where host A resides and hosts in the subnet where server S resides:
    • Telnet
    • World Wide Web
    • SMTP

Additionally, make sure that your ACL meets the following requirements for overhead protocols. Configure ACL statements only if necessary to meet these requirements:

  1. To allow IPv4 ARP to work correctly
  2. To allow IPv4 OSPF to work correctly

You should be able to derive the necessary IPv4 addressing details (subnets, hosts, and wildcard masks) from the following router address/mask reference table:

Device   Interface   Address/Mask
R1       G0/1        172.16.1.1/25
R1       S0/0/0      172.16.12.1/30
R2       G0/1        172.16.2.2/26
R2       S0/0/1      172.16.12.2/30
R2       G0/2        172.16.23.2/29
R3       G0/1        172.16.3.3/27
R3       G0/2        172.16.23.3/29

Router Interfaces and Their Address/Mask Settings
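The following is an added example and is not part of the original post, nor is it the drill's answer (that is in the next post). It is a small model of how IOS evaluates an extended ACL, written to make the matching rules concrete before you attempt the drill: first match wins, a wildcard mask marks the address bits that are ignored, a numeric port qualifier (eq or range) may follow either the source or the destination address, and a packet matching no line falls to the implicit deny. The ACL lines, the documentation-prefix addresses (192.0.2.0/25, 198.51.100.0/27, 203.0.113.2), and the sample packets are all constructed for illustration and do not reflect the drill's topology; the drill's own addresses and ACL placement are for you to work out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# IOS protocol keyword -> IP protocol number. "ip" (None) matches every IPv4 packet.
PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "ospf": 89}


@dataclass
class Packet:
    proto: int                   # IP protocol number (6 TCP, 17 UDP, 89 OSPF, 1 ICMP)
    src: str
    dst: str
    sport: Optional[int] = None  # TCP/UDP only
    dport: Optional[int] = None


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(t, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' at t[i]; return ((addr, wildcard), next i)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2


def _parse_port(t, i):
    """Consume an optional 'eq N' or 'range N M' qualifier; return ((lo, hi) or None, next i)."""
    if i < len(t) and t[i] == "eq":
        return (int(t[i + 1]), int(t[i + 1])), i + 2
    if i < len(t) and t[i] == "range":
        return (int(t[i + 1]), int(t[i + 2])), i + 3
    return None, i


def parse_acl(text: str):
    """Parse extended-ACL lines in IOS field order: action proto src [port] dst [port]."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        src, i = _parse_addr(t, 2)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, _ = _parse_port(t, i)
        rules.append(dict(text=line.strip(), action=t[0], proto=PROTO_NUM[t[1]],
                          src=src, sport=sport, dst=dst, dport=dport))
    return rules


def _addr_match(spec, addr: str) -> bool:
    net, wild = spec
    return (_ip(addr) | wild) == (net | wild)   # bits set in the wildcard mask are "don't care"


def _port_match(spec, port: Optional[int]) -> bool:
    return spec is None or (port is not None and spec[0] <= port <= spec[1])


def evaluate(rules, pkt: Packet) -> Tuple[str, Optional[str]]:
    """First match wins; a packet matching no line hits the implicit 'deny ip any any' (None)."""
    for r in rules:
        if r["proto"] is not None and r["proto"] != pkt.proto:
            continue
        if (_addr_match(r["src"], pkt.src) and _port_match(r["sport"], pkt.sport)
                and _addr_match(r["dst"], pkt.dst) and _port_match(r["dport"], pkt.dport)):
            return r["action"], r["text"]
    return "deny", None


# Constructed ACL (not the drill's answer). Both directions are shown so that the port
# qualifier appears on the source in some lines and on the destination in others; which
# direction actually crosses a given interface depends on where the ACL is applied.
ACL_TEXT = """
permit tcp 192.0.2.0 0.0.0.127 198.51.100.0 0.0.0.31 eq 23
permit tcp 198.51.100.0 0.0.0.31 eq 23 192.0.2.0 0.0.0.127
permit tcp 192.0.2.0 0.0.0.127 198.51.100.0 0.0.0.31 eq 80
permit tcp 198.51.100.0 0.0.0.31 eq 80 192.0.2.0 0.0.0.127
permit tcp 192.0.2.0 0.0.0.127 198.51.100.0 0.0.0.31 eq 25
permit tcp 198.51.100.0 0.0.0.31 eq 25 192.0.2.0 0.0.0.127
deny tcp any any
deny udp any any
permit ip any any
"""

# Constructed traffic. OSPF is IP protocol 89, neither TCP nor UDP, so it is judged by the
# "ip" line; ARP is not an IPv4 packet at all and an IPv4 ACL never evaluates it.
SAMPLE_TRAFFIC = {
    "telnet client->server":    Packet(6, "192.0.2.10", "198.51.100.5", 49152, 23),
    "telnet server->client":    Packet(6, "198.51.100.5", "192.0.2.10", 23, 49152),
    "ssh client->server":       Packet(6, "192.0.2.10", "198.51.100.5", 49153, 22),
    "dns client->server":       Packet(17, "192.0.2.10", "198.51.100.5", 49154, 53),
    "telnet from outside /25":  Packet(6, "192.0.2.200", "198.51.100.5", 49155, 23),
    "ospf hello":               Packet(89, "203.0.113.2", "224.0.0.5"),
    "icmp echo":                Packet(1, "192.0.2.10", "198.51.100.5"),
}


def run_demo():
    rules = parse_acl(ACL_TEXT)
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    for name, (action, rule) in run_demo().items():
        print(f"{name:26s} -> {action:6s} by: {rule or 'implicit deny'}")
```

Note the "telnet from outside /25" case: 192.0.2.200 lies outside 192.0.2.0 with wildcard 0.0.0.127 (which covers .0 through .127), so it falls through every permit line and is dropped by deny tcp any any. Getting a wildcard mask one bit too narrow or too wide is the most common way an otherwise correct ACL fails a drill like this one.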

 

Answers: Next Post!

I’ll post the answers within the next few days. Once posted, the answer post should be linked at the bottom of this post, as the next post in chronological order. Thanks for playing!

Previous post: Advice After 17 Trips to CLUS
Next post: Extended IPv4 ACL Drill 1 - Answers
2 Comments
almeidajoaodealmeida

Hi Mr,
In the topology, we have two routers named R2, I guess one was supposed to be R1.
