Answers: Standard Numbered ACL 1

certskills
By certskills January 2, 2016 12:05

Your answers from the previous lab exercise should result in a lot of thinking, and about 5-6 lines of configuration on a single device. Admittedly, I expect to see a variety of answers to this lab, so feel free to post your alternative and your reasons for it – especially focusing on why you chose a particular device, interface, and direction for applying the ACL.

Answers

Figure 1: Two Router ROAS Topology

Example 5: R1 Config

Commentary

There are a number of useful purposes for an ACL, from something as simple as blocking the traffic from a specific host or group of hosts, to use within a number of other features such as Network Address Translation (NAT). This is why it is good to get comfortable with how ACLs are configured, how they are processed, and how they are applied.

With this lab you were tasked with configuring a standard ACL to block the traffic from one subnet and from two specific hosts, all located in subnets connected to router R2. The solution I chose matches source IP addresses that begin with 20, that is, the subnets and hosts connected off router R2. That leaves the choice of where to place the ACL in the network.

As for where to place the ACL:

The lab said all switches were layer 2 switches, so a layer 3 ACL could not be applied on the two switches. So the ACL would need to be applied on routers R1 or R2.

For the direction from R2’s LAN subnets towards R1’s LAN subnets, the options for interfaces were:

  • R2’s G0/2 (and/or subinterfaces) inbound
  • R2’s G0/1 outbound
  • R1’s G0/1 inbound
  • R2’s G0/2 (and/or subinterfaces) outbound

Because a standard ACL is specified, it is considered best practice to apply this type of ACL as close to the destination as possible, which in this case would be on R1. However, the lab made an extra requirement: you can enable the ACL on one interface only, and in one direction only. Which begs the question: could you apply the ACL outbound on R1’s G0/2 interface, and have it filter traffic on both that physical interface and all the subinterfaces? The answer is no. IP ACLs must be applied on the interface where the IP addresses are configured, so to filter outbound traffic on R1’s G0/2, you would actually need to enable the ACL on G0/2.1, G0/2.2, and G0/2.3. So that one requirement to enable the ACL in one location only disallows the use of the ACL on R1’s subinterfaces.

The sample answer then uses the close-to-the-destination (R1) solution, but inbound on R1’s G0/1 interface. The actual access-list commands are relatively straightforward: access-list 1 deny 20.0.1.0 0.0.0.255, access-list 1 deny 20.0.2.100, access-list 1 deny 20.0.3.100, and access-list 1 permit any. (Note: Older versions of IOS require the host parameter in front of single matching addresses.)
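As an added illustration that is not part of the original post, the following Python models how IOS evaluates a standard numbered ACL: first-match on the packet's source address using a wildcard mask, then the implicit deny any at the end of the list. The ACL entries mirror the four access-list 1 commands above; the sample packets are constructed, and the one addressed to 192.168.1.1 shows why a standard ACL on R1's G0/1 also drops traffic to R1's own WAN address.

```python
import ipaddress

# Constructed model of the post's access-list 1. Each entry is
# (action, address, wildcard); a wildcard bit of 1 means "don't care",
# so 0.0.0.0 matches a single host and 0.0.0.255 matches a /24.
ACL_1 = [
    ("deny", "20.0.1.0", "0.0.0.255"),
    ("deny", "20.0.2.100", "0.0.0.0"),
    ("deny", "20.0.3.100", "0.0.0.0"),
    ("permit", "0.0.0.0", "255.255.255.255"),  # permit any
]


def wildcard_match(addr, base, wildcard):
    """True when addr equals base in every bit where the wildcard is 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def standard_acl_action(acl, src):
    """First-match evaluation of a standard ACL against a packet's source.

    A standard ACL never looks at the destination. If no entry matches,
    the implicit 'deny any' that ends every IOS ACL applies.
    """
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"


def filter_inbound(acl, packets):
    """Return (src, dst, verdict) for packets entering an interface."""
    return [(src, dst, standard_acl_action(acl, src)) for src, dst in packets]


# Constructed sample traffic arriving at R1's G0/1 from R2's LANs.
SAMPLE_PACKETS = [
    ("20.0.1.77", "10.0.1.10"),     # host in the blocked /24
    ("20.0.2.100", "10.0.2.10"),    # blocked host
    ("20.0.2.101", "10.0.2.10"),    # neighbour of a blocked host
    ("20.0.3.100", "192.168.1.1"),  # blocked host to R1's own WAN address
    ("20.0.3.5", "10.0.3.10"),      # unblocked host in 20.0.3.0/24
]

if __name__ == "__main__":
    for src, dst, verdict in filter_inbound(ACL_1, SAMPLE_PACKETS):
        print(f"{src:>12} -> {dst:<12} {verdict}")
```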


10 Comments

  1. Ruben December 9, 17:17

    Hello again Wendell.
    I messed up and placed ACLs on R1’s G0/2 (probably not even needed in this scenario), G0/2.1, G0/2.2 and G0/2.3.
    I keep making the same mistake in a lot of exercises: I still do not take my time reading the question and paying attention to all the details…
    Keep up these little tricks and tips please! 🙂

    Reply to this comment
  2. CCENTSkills December 9, 19:53

    Hi Ruben,
    Glad to hear you are finding it useful! That’s one of the big issues with late-stage prep: how do you figure out the little tidbits you’re missing? Q&A certainly helps, as do little labs, exercises, etc. My new CCENT ICND1 Exam Prep LiveLessons is also designed to help with that specific issue. Keep at it!
    Wendell

    Reply to this comment
  3. Andreas January 23, 05:02

    Hi Wendell.
    Many thanks for sharing your experience. It is really very interesting.
    I am a bit confused about this kind of question, basically about the issue of where to apply the ACL.
    When we talk about restricting access to the VLANs, don’t we also include the router’s own IP addresses on these VLANs? Or are we talking only about accessing hosts in these VLANs?
    In the first case, the application of the ACL outbound on G0/2 would anyhow be rejected since the addresses 10.0.1.1, 10.0.2.1, 10.0.3.1 would still be accessible after the installation of the ACL.
    Thank you very much again.

    Reply to this comment
  4. CCENTSkills January 25, 08:58

    Hi Andreas,
    You’re very welcome! Glad you’re finding the content interesting.
    On this one, on your first question. I’d say yes, we would include the router’s own addresses. I think that the answer does indeed do that. However, taking a broader think about the exercise, your question stems from a central issue with any ACL question: how to interpret the words into ACL statements. The English language words will probably be at least a little ambiguous compared to the ACL statement. Or, if the exercise is worded to be totally unambiguous, the exercise or question is too easy. So it’s actually difficult to make a meaningful ACL exercise without giving away the answer.

    On your last comment, about the application of the ACL on the G0/2 interface, I don’t understand your comment. If you added:
    int g0/2
    ip access-group 1 out

    Then the ACL would have no effect relative to the router interface IP addresses. It would filter packets destined to the rest of the 10.0.0.0 subnets. (Is that your point? Putting the ACL there would possibly match the requirements better?)
    Thanks,
    Wendell

    Reply to this comment
  5. HectorJ February 1, 22:31

    Hi, Wendell. These are my comments:

    1.- I actually solved the lab the same way you did. However, in real life, I beg my boss does not ask me to set up another subnet on some other R1 interface, so it might be allowed to receive and send data from and to those restricted addresses, because I think that those access list statements placed on gi0/1 would restrict such traffic too.
    2.- If those access list statements are placed on every gi0/2 subinterface, in my opinion they are actually placed in one PHYSICAL place: gi0/2 (although, logically, they are configured on different interfaces). By the way, wouldn’t it be better saying “you must” rather than “you may”? Wouldn’t it cause a misunderstanding (I mean, the way the requirement was written down)?

    Reply to this comment
    • CCENTSkills February 6, 10:04

      Hi Hector,
      Any way you write ACL requirements in a language other than ACL commands can be interpreted and may become ambiguous. Case in point, on your #2, you emphasize the same “physical” place. Always has been one of the challenges of ACL questions and ACL labs, how to give instructions without giving away the answer. If you learn how the commands work, then I believe the learning goal is achieved, even with the messiness of the struggle with the wording.

      Reply to this comment
  6. Ady March 30, 13:45

    Hi Wendell, I didn’t know that we have the freedom to choose which is the source and which is the destination. For example, when saying permit subnet A to communicate to subnet B, it would be the same as permit subnet B to communicate to subnet A.
    This is important in finding out the direction of the ACL based on direction of packets.

    Reply to this comment
  7. Paolo July 12, 10:54

    Hi Wendell, I solved the lab the same way you did, but placing that ACL inbound on R1’s G0/1 makes hosts 20.0.2.100 and 20.0.3.100 and subnet 20.0.1.0/24 unable to reach all of the 10.0.0.0 subnets (as required) but also unable to reach 192.168.1.1 (R1’s G0/1 IP address). Isn’t it breaking the requirements?

    Reply to this comment
  8. Peter August 24, 10:08

    The posted solution does not meet the requirements in the problem statement. The solution will block access to R1’s serial interface 192.168.1.1 from 20.0.1.0/24, 20.0.2.100 and 20.0.3.100, so it does not meet the requirement to “permit all other traffic”. I believe there is no solution to the problem as stated.

    Reply to this comment
    • CCENTSkills August 24, 16:16

      Hi Peter,
      I agree with you. I do think it’s still a useful exercise, but yes, packets addressed to R1’s WAN interface, as you noted, would be discarded with the solution as shown.
      Thanks,
      Wendell

      Reply to this comment