Answers: Standard Named ACL 1

certskills
By certskills January 16, 2016 12:05

The previous lab exercise requires you to configure a standard named ACL, but as usual, with a few twists. You need to think outside the box a bit to match the correct range of addresses, and work through the choice of what interface to use to enable the ACL. As usual, check the requirements from the previous lab exercise and make your own answer first – it’s an exercise for you. Enjoy!


Answers


Figure 1: Two Router ROAS Topology

Example 5: R2 Config


Commentary

There are a number of useful purposes for an ACL, from something as simple as blocking the traffic from a specific host or group of hosts, to use within a number of other features, such as Network Address Translation (NAT). This is why it is good to get comfortable with how ACLs are configured, how they are processed, and how they are applied.

With this lab you were tasked with configuring a standard ACL to block the traffic from two different networks and a specific host. Cisco suggests that we place standard ACLs as close to the destination as possible, which in this case means R2. Because the requirements allow us to enable the ACL on as many interfaces as we want, but on just one device, the solution shown here puts the ACL on router R2 and enables it outbound on the three ROAS subinterfaces of R2’s G0/2 interface.

The one challenging matching action per the requirements is to block the traffic from the 10.0.1.0/26 and 10.0.1.64/26 subnets, but with a single command. These two named IPv4 ACL commands could be used to match and deny packets from those subnets separately:

deny 10.0.1.0 0.0.0.63

deny 10.0.1.64 0.0.0.63

To match them with one command, think about these two subnets as a single range of addresses, which includes the addresses from 10.0.1.0 through 10.0.1.127. That happens to be the same set of addresses as subnet 10.0.1.0/25, which can be matched with the deny 10.0.1.0 0.0.0.127 command, as seen in the answer.

The command to match the single host is deny 10.0.1.254. Note that in older versions of IOS the host parameter was required in front of a single matching address, but it is not required today.

This lab also might have made you wonder if the ACL could have been applied to the G0/2 physical interface in this case, filtering all IP traffic exiting the interface, and the answer is no. An ACL applied under interface G0/2 – not one of its subinterfaces – would be considered for packets routed out G0/2, but not for packets routed out its subinterfaces. So, as shown in the answer, the ip access-group ThisACL out command is used as a subcommand on all three subinterfaces.
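To check the two ideas above without a router, here is an added example (not part of the original post or the lab's Example 5 config) that implements Cisco wildcard-mask matching and first-match ACL processing in Python. The ACL entries are a reconstruction: the page shows the two deny commands, while the trailing permit any and the ACL's exact line order are assumed.

```python
import ipaddress

# Constructed reconstruction of the lab's standard named ACL (assumed; the
# deny lines come from the post, the closing "permit any" is assumed).
# IOS evaluates entries in order, first match wins, and anything that
# matches no entry hits the implicit deny at the end.
THIS_ACL = [
    ("deny", "10.0.1.0", "0.0.0.127"),        # covers 10.0.1.0/26 and 10.0.1.64/26
    ("deny", "10.0.1.254", "0.0.0.0"),        # the single host; "host" keyword is optional
    ("permit", "0.0.0.0", "255.255.255.255"),  # permit any (assumed last entry)
]

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match the base, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def standard_acl_action(acl, src: str) -> str:
    """Return the action a standard ACL takes for a packet from src."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL

def acl_entry_for_subnets(cidrs) -> tuple:
    """Collapse adjacent subnets into one (base, wildcard) pair for a single ACL line.

    Raises ValueError if the subnets do not merge into exactly one block.
    """
    merged = list(ipaddress.collapse_addresses(ipaddress.IPv4Network(c) for c in cidrs))
    if len(merged) != 1:
        raise ValueError(f"subnets do not form one block: {merged}")
    net = merged[0]
    # The IOS wildcard mask is the inverse of the subnet mask, i.e. the host mask.
    return str(net.network_address), str(net.hostmask)

if __name__ == "__main__":
    print(acl_entry_for_subnets(["10.0.1.0/26", "10.0.1.64/26"]))  # ('10.0.1.0', '0.0.0.127')
    for src in ["10.0.1.1", "10.0.1.100", "10.0.1.128", "10.0.1.254", "10.0.2.5"]:
        print(src, standard_acl_action(THIS_ACL, src))
```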


3 Comments

1. HectorJ, February 9, 23:26

   You’ve made the point again, Wendell!!! Thanks

2. jventou, June 1, 11:11

   Hi Wendell,

   For the specific case, can we also apply the ACL at the R2’s G0/1 as inbound?