Extended IPv4 ACL Drill 1 – Answers

certskills
By certskills May 5, 2017 09:05

The previous post listed a set of ACL requirements that require an IPv4 Extended ACL. Your job: using those requirements, configure an extended named ACL. Of course, this post makes no sense without the post that states the requirements, so check out that post first. Answers and comments are below the fold.

Ground Rules

Often, the words that describe the requirements for an ACL can be interpreted in several ways. So, before reading these answers, consider:

  • Your answer may be correct per your interpretation of the requirements…
  • …while being different from the answer listed here.

For the answer shown here, I tried to work through the requirements one by one, with a line in the ACL for each requirement. Feel free to comment about alternate answers, but FYI, that’s how I came up with these.

On to the answers!


Subnets in Use

All the answers will use the subnets of host A and Server S, so a few words about those first.

To match the subnet of host A, you need to find the subnet ID and the matching wildcard mask. First, calculate the subnet ID:

  1. R1’s G0/1 interface address/mask is 172.16.1.1/25
  2. Calculate the subnet ID as 172.16.1.0.

Then, to find the correct wildcard (not subnet) mask to use:

  1. Convert prefix mask /25 to dotted decimal mask 255.255.255.128
  2. Subtract it from 255.255.255.255 to get 0.0.0.127
  3. Use 0.0.0.127 as the wildcard mask in the ACL statement.

For subnet 3, using the same logic:

  1. R3’s G0/1 interface address/mask is 172.16.3.3/27
  2. To match the subnet, use the subnet ID of 172.16.3.0.
  3. Convert prefix mask /27 to dotted decimal mask 255.255.255.224
  4. Subtract it from 255.255.255.255 to get 0.0.0.31
  5. Use 0.0.0.31 as the wildcard mask.
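The subnet-ID and wildcard-mask steps above, worked through in Python as an added example (this is not code from the original post): it derives both values from an interface address exactly as the steps describe, cross-checks them against the standard library, and shows why an over-wide wildcard (0.0.0.127, the /25 wildcard, applied to the /27 subnet) matches addresses outside the intended subnet, which is how a slip in the prefix length quietly widens what an ACL permits. The function names are my own.

```python
import ipaddress


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def subnet_and_wildcard(addr_with_prefix: str) -> tuple[str, str]:
    """Return (subnet ID, ACL wildcard mask) for an interface address such as 172.16.1.1/25.

    Follows the post's steps: prefix -> dotted subnet mask,
    255.255.255.255 - mask -> wildcard, address AND mask -> subnet ID.
    """
    addr, prefix_str = addr_with_prefix.split("/")
    prefix = int(prefix_str)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF  # /25 -> 255.255.255.128
    wildcard = 0xFFFFFFFF - mask                        # 255.255.255.255 - mask -> 0.0.0.127
    subnet_id = _to_int(addr) & mask                    # 172.16.1.1 AND mask -> 172.16.1.0
    return _to_dotted(subnet_id), _to_dotted(wildcard)


def wildcard_match(ip: str, ref: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care' for that bit."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(ip) & care) == (_to_int(ref) & care)


def cross_check(addr_with_prefix: str) -> bool:
    """Confirm the hand calculation against the standard library's view of the same subnet."""
    net = ipaddress.IPv4Network(addr_with_prefix, strict=False)
    return subnet_and_wildcard(addr_with_prefix) == (str(net.network_address), str(net.hostmask))


if __name__ == "__main__":
    for intf in ("172.16.1.1/25", "172.16.3.3/27"):
        sid, wc = subnet_and_wildcard(intf)
        print(f"{intf}: ACL matches {sid} {wc} (library agrees: {cross_check(intf)})")
    # Using the /25 wildcard on subnet 3 is too wide: 172.16.3.100 lies outside
    # 172.16.3.0/27, yet a wildcard of 0.0.0.127 would still match it.
    print(wildcard_match("172.16.3.100", "172.16.3.0", "0.0.0.31"))   # False
    print(wildcard_match("172.16.3.100", "172.16.3.0", "0.0.0.127"))  # True
```

The subtraction step is what IOS expects, but the bitwise form makes the failure mode visible: every 1 bit in the wildcard is a bit the ACL ignores, so a wildcard that is one bit too wide doubles the range of addresses the statement matches.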


Answers

Of note for this particular answer:

  • The ACL is located on R2, in the direction pointing towards the server, so any matching of well-known ports should be a match of the ACL’s destination port number.
  • Any ACL statement that matches a port number must use either the tcp or udp keyword.
  • As an outbound ACL, the ACL will not filter any messages created by the router itself. So, the ACL would not consider filtering any ARP or OSPF messages R2 had generated anyway. (More on this topic in the answers for Option 3.)

Figure 1: Topology Used in the ACL Drill


The answers for requirement set 1, for the explicitly identified applications:

Partial Answer

The requirement about denying all other TCP and UDP packets, while permitting all other IP packets besides those, might be a bit tricky. The logic intended by the combined requirements is this sequence:

  1. Permit packets for apps Telnet, World Wide Web, and SMTP
  2. Deny all other TCP and UDP traffic (that wasn’t already permitted)
  3. Permit all other IP traffic (that wasn’t already denied)

With that in mind, the following answer adds the matching for all other TCP, then all other UDP, and then all other IP. Without those final three commands, all other IP packets would have been denied by the implied deny any any at the end of the ACL. (Also note that the configuration enables the ACL as suggested in the lab.)
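The ordering logic just described, as an added example that is not part of the original post: a small Python evaluator for IOS-style extended ACEs with first-match semantics and the implicit deny, run over constructed packets both with and without the final three lines. The source and destination subnets in the sample ACL (host A in 172.16.1.0/25, the server in 172.16.3.0/27) and the host addresses 172.16.1.10 and 172.16.3.10 are assumptions taken from the R1 and R3 interface subnets above, not the drill's own configuration.

```python
import ipaddress
from dataclasses import dataclass

# Port keywords the drill uses; IOS accepts the keyword or the number after "eq".
PORT_NAMES = {"telnet": 23, "www": 80, "smtp": 25}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp", "icmp", ...
    dst_port: int = 0


def _as_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def _wildcard_match(ip: str, ref: str, wildcard: str) -> bool:
    # IOS wildcard semantics: a 1 bit means "do not care" for that bit.
    care = 0xFFFFFFFF ^ _as_int(wildcard)
    return (_as_int(ip) & care) == (_as_int(ref) & care)


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return ((ref, wildcard), next index)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_ace(line: str):
    """Parse one extended ACE: {permit|deny} <proto> <src> <dst> [eq <port>]."""
    t = line.split()
    action, proto = t[0], t[1]
    if action not in ("permit", "deny"):
        raise ValueError("bad action: " + line)
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        if proto not in ("tcp", "udp"):
            # The post's rule: matching a port number requires the tcp or udp keyword.
            raise ValueError("port match needs tcp or udp: " + line)
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return action, proto, src, dst, port


def evaluate(acl_lines, pkt: Packet) -> str:
    """First matching ACE wins; a packet matching nothing falls to the implicit deny."""
    for line in acl_lines:
        action, proto, (s_ref, s_wc), (d_ref, d_wc), port = parse_ace(line)
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (_wildcard_match(pkt.src, s_ref, s_wc) and _wildcard_match(pkt.dst, d_ref, d_wc)):
            continue
        if port is not None and port != pkt.dst_port:
            continue
        return action
    return "deny"  # implicit deny any any at the end of every IOS ACL


# Constructed ACL in the order the post describes. The subnets are assumptions
# (host A in 172.16.1.0/25, the server in 172.16.3.0/27); the drill's real
# addresses are in the requirements post.
HOST_A = "172.16.1.0 0.0.0.127"
SERVER = "172.16.3.0 0.0.0.31"
COMPLETE_ACL = [
    f"permit tcp {HOST_A} {SERVER} eq telnet",
    f"permit tcp {HOST_A} {SERVER} eq www",
    f"permit tcp {HOST_A} {SERVER} eq smtp",
    "deny tcp any any",
    "deny udp any any",
    "permit ip any any",
]
PARTIAL_ACL = COMPLETE_ACL[:3]  # the same ACL without the final three lines

# Constructed packets: host A is 172.16.1.10 and server S is 172.16.3.10 (assumed).
TELNET = Packet("172.16.1.10", "172.16.3.10", "tcp", 23)
SSH = Packet("172.16.1.10", "172.16.3.10", "tcp", 22)
DNS = Packet("172.16.1.10", "172.16.3.10", "udp", 53)
PING = Packet("172.16.1.10", "172.16.3.10", "icmp")


def compare(pkt: Packet) -> tuple:
    """(result with the complete ACL, result with only the first three lines)."""
    return evaluate(COMPLETE_ACL, pkt), evaluate(PARTIAL_ACL, pkt)


if __name__ == "__main__":
    for name, pkt in (("telnet", TELNET), ("ssh", SSH), ("dns", DNS), ("ping", PING)):
        full, partial = compare(pkt)
        print(f"{name:6} complete={full:6} partial={partial}")
```

The ping case is the one the paragraph warns about: with all six lines it is permitted by the final permit ip any any, but with only the three application permits it reaches the end of the list and is dropped by the implicit deny, even though no line ever mentioned ICMP.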

Completed Answer
