Extended IPv4 ACL Drill 1

 In 200-301 V2 Ch07: Extended ACLs, 200-301 V2 Part 2: IP ACLs, ACL Drill

Extended Access Control Lists (ACLs) can be a challenge for many reasons. In the first few posts in this series, these ACL exercises will focus on just a few of those issues. In particular:

  • The concept and syntax to match TCP and UDP port numbers
  • When you need to make the ACL match and permit some kinds of overhead traffic

Today’s post gives you a set of requirements, and then a few variations on that set of requirements. Your job: Create an ACL that meets those requirements. Simple enough!

Ground Rules

First off, a quick note about some rules for this exercise. First:

These exercises are NOT intended to be about tricky wording. The requirements are intended to be plain.

Instead, the goal of these exercises is to give you repetition in thinking about:

  • The location and direction of the ACL
  • The matching of different applications
  • The matching of some overhead protocols

So, read the requirements, think of them as being plain, create ACL statements to match each requirement, and practice choosing the correct config while thinking about the location of the ACL!

 

The Requirements

Configure an ACL to meet the following requirements.

First, the exercise uses the topology in Figure 1:

 

Figure 1: Topology Used in the ACL Drill

 

Use the following requirements to decide how to configure a named IPv4 ACL to permit and deny specific applications:

  1. Use the ACL location shown with the circled 1, that is, outbound on router R2’s G0/2 interface.
  2. Deny any TCP and UDP traffic that is not otherwise noted to be permitted per these requirements, while allowing all other IP packets.
  3. For any ACL statements that could use either a number or a keyword (for instance, for a TCP port number), use the number, not the keyword.
  4. Permit the following applications to work correctly between hosts in the subnet where host A resides and hosts in the subnet where server S resides:
    • Telnet
    • World Wide Web
    • SMTP

Additionally, make sure that your ACL meets the following requirements for overhead protocols. Configure ACL statements only if necessary to meet these requirements:

  1. To allow IPv4 ARP to work correctly
  2. To allow IPv4 OSPF to work correctly

You should be able to extrapolate the necessary IPv4 addressing details from the following router address/mask reference table:

Device Interface Address/Mask
R1 G0/1 172.16.1.1/25
R1 S0/0/0 172.16.12.1/30
R2 G0/1 172.16.2.2/26
R2 S0/0/1 172.16.12.2/30
R2 G0/2 172.16.23.2/29
R3 G0/1 172.16.3.3/27
R3 G0/2 172.16.23.3/29

Router Interfaces and Their Address/Mask Settings

 

Answers: Next Post!

I’ll post in the answers within the next few days. Once posted, the answer post should be linked at the bottom of this post, as the next post in chronological order. Thanks for playing!

Advice After 17 Trips to CLUS
Extended IPv4 ACL Drill 1 - Answers
Subscribe
Notify of
guest

2 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
almeidajoaodealmeida

Hi Mr,
In the topology, we have two routers named R2, I guess one was supposed to be R1.

Contact Us

We're not around right now. But you can send us an email and we'll get back to you, asap.

2
0
Would love your thoughts, please comment.x
()
x