Answers: Standard Named ACL 1

certskills
By certskills January 16, 2016 12:05

The previous lab exercise requires you to configure a standard named ACL, but as usual, with a few twists. You need to think outside the box a bit to match the correct range of addresses, and work through the choice of what interface to use to enable the ACL. As usual, check the requirements from the previous lab exercise and make your own answer first – it’s an exercise for you. Enjoy!


Answers


Figure 1: Two Router ROAS Topology

Example 5: R2 Config


Commentary

There are a number of useful purposes for an ACL, from something as simple as blocking the traffic from a specific host or group of hosts, to serving as the matching tool inside other features such as Network Address Translation (NAT). This is why it is good to get comfortable with how ACLs are configured, how they are processed, and how they are applied.

With this lab you were tasked with configuring a standard ACL to block the traffic from two different networks and a specific host. Cisco suggests that we place standard ACLs as close to the destination as possible; in this case, that is R2. Because the requirements allow us to enable the ACL on as many interfaces as we want, but on just one device, the solution shown here puts the ACL on router R2 and enables the ACL outbound on the three ROAS subinterfaces of R2’s G0/2 interface.

The one challenging matching action in the requirements is to block the traffic from the 10.0.1.0/26 and 10.0.1.64/26 subnets with a single command. These two named IPv4 ACL commands could be used to match and deny packets from those subnets separately:

deny 10.0.1.0 0.0.0.63

deny 10.0.1.64 0.0.0.63

To match them with one command, think about these two subnets as a single range of addresses, which includes the numbers from 10.0.1.0 – 10.0.1.127. That happens to be the same set of numbers as subnet 10.0.1.0/25, which can be matched with the deny 10.0.1.0 0.0.0.127 command, as seen in the answer.

The command to match the single host is deny 10.0.1.254. Note that in older versions of IOS the host parameter was required in front of a single matching address, but it is not required today.

This lab also might have made you wonder if the ACL could have been applied to the G0/2 physical interface in this case, filtering all IP traffic exiting the interface, and the answer is no. An ACL applied under interface G0/2 – not one of its subinterfaces – would be considered for packets routed out G0/2, but not for packets routed out its subinterfaces. So, as shown in the answer, the ip access-group ThisACL out command is used as a subcommand on all three subinterfaces.
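As an added illustration, not code or configuration from the original post, the following Python models the standard ACL matching described above: Cisco wildcard masks, first-match evaluation with the implicit deny, and a general check for when two subnets can be folded into one wildcard entry (the 10.0.1.0/25 trick is one instance). The ACL body (deny 10.0.1.0 0.0.0.127, deny 10.0.1.254, permit any) is assumed from the commentary, since the post's own config is in an image.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match exactly
    return (a & care) == (b & care)


# Assumed ACL body, as (action, base, wildcard). A single host such as
# 'deny 10.0.1.254' is wildcard 0.0.0.0; 'any' is 0.0.0.0 255.255.255.255.
THIS_ACL = [
    ("deny", "10.0.1.0", "0.0.0.127"),        # 10.0.1.0/26 plus 10.0.1.64/26
    ("deny", "10.0.1.254", "0.0.0.0"),        # the single host
    ("permit", "0.0.0.0", "255.255.255.255"), # everything else
]


def evaluate(acl, src: str) -> str:
    """Standard ACL logic: first matching line wins; no match means deny."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"   # implicit deny at the end of every ACL


def summarise(net_a: str, net_b: str):
    """Return (base, wildcard) of one entry covering exactly both subnets,
    or None when they are not the two aligned halves of a larger block."""
    a, b = sorted((ipaddress.ip_network(net_a), ipaddress.ip_network(net_b)))
    if a == b or a.prefixlen != b.prefixlen or a.prefixlen == 0:
        return None
    if a.supernet() != b.supernet():      # e.g. 10.0.1.64/26 and 10.0.1.128/26
        return None
    parent = a.supernet()
    return str(parent.network_address), str(parent.hostmask)


if __name__ == "__main__":
    print(summarise("10.0.1.0/26", "10.0.1.64/26"))   # ('10.0.1.0', '0.0.0.127')
    for src in ("10.0.1.33", "10.0.1.100", "10.0.1.254", "10.0.1.200", "10.0.2.7"):
        print(src, evaluate(THIS_ACL, src))
```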


8 Comments

  1. HectorJ February 9, 23:26

    You’ve made the point again, Wendell!!! Thanks

  2. jventou June 1, 11:11

    Hi Wendell,

    For the specific case, can we also apply the ACL at the R2’s G0/1 as inbound?

  3. Kristian October 27, 18:11

    Hi Wendell, so could we apply the entire ACL inbound, on R2’s G0/1 interface?
    My thinking was to prevent the router having to go through the process of looking up the routing table and having to process the packets only for them to be discarded…

    • certskills Author October 28, 12:43

      Kristian,
      Sure, you could filter inbound on R2 as well. And I agree it appears to possibly be a performance improvement. However, most modern-day switches have forwarding ASICs that can handle forwarding rates assuming all ports receive frames at 100%, so I don’t know if it’s of any practical improvement. But yes, that location would work, too.
      Wendell

  4. Daniel February 29, 11:29

    I don’t understand why the ACL is used outbound on the subinterfaces.

    I tried to emulate the lab in GNS3 with a setup where the ACL is configured as inbound on the subinterfaces, and it worked as expected:

    interface GigabitEthernet2/0.10
    encapsulation dot1Q 10
    ip address 10.0.1.1 255.255.255.192
    ip access-group ThisACL in
    end

    When a subinterface receives a packet from the VLAN, is that inbound traffic?

    If that is true, why use the ACL outbound?

    • certskills Author March 2, 10:36

      Daniel,
      I may be missing your point. But here’s an answer that may be about what you are asking.
      You can match packets with an ACL as they enter (in) an interface and as they exit (out) an interface. Depending on the direction, the packet may have been sent by a host you are thinking about, or may be traveling towards that host. You have to think about the location of the sender and receiver when thinking about both the direction to apply the ACL and the matching logic in the ACL.
      In this case, the ACL applied on R2’s G0/2 sub interfaces means R2 will examine packets traveling towards hosts located off those sub interfaces, as sent by hosts in the subnets off R1.
      Hope this helps,
      Wendell

  5. Jorge October 30, 13:39

    I don’t understand why the following statement is needed on the subinterfaces:

    ip access-group ThisACL out

    Couldn’t we just enable ip access-group ThisACL in on R2’s G0/1 interface?
