1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Access Control List Help

Discussion in 'General Cisco Certifications' started by Paulcraig1979, May 1, 2006.

  1. Paulcraig1979

    Paulcraig1979 New Member

    5
    0
    1
    I am currently trying to work out a ACL problem I have been given.

    I have the following network: 172.16.16.0/20 - I have been asked to write a ACL that restricts access to only 'the top half' of the network.

    This is how i think i should tackle this problem. Identify the host range of the network for example 172.16.16.1 -> 172.16.31.254 and find the middle host from the range. Anything above the middle host class as the top half of the network. Anything below the middle host class as the bottom half.

    Am i thinking on the right track? :eek:
     
  2. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    6,199
    125
    199
    *Cough*
     
  3. zimbo
    Honorary Member

    zimbo Petabyte Poster

    5,215
    98
    181
    LOL he hasnt come back after 4 days man! :blink either he solved it just gave up trying! :biggrin
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  4. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    6,199
    125
    199
    Perhaps he hasn't returned because no one answered his question! :ohmy :ohmy
     
  5. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,623
    115
    224
    But I thought people had answered it?

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  6. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    6,199
    125
    199
    I thought that, then noticed that this was posted after the site came back online? :blink
     
  7. Mr.Cheeks

    Mr.Cheeks 1st ever Gold Member! Gold Member

    5,369
    85
    190
    ...so is there an answer?
     
  8. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,623
    115
    224
    Yes - here .

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  9. Jeff1545

    Jeff1545 New Member

    5
    0
    25
    Hi guys,

    i was looking through and saw this thread; I have just taken CCNA Semester 2 exam (I passed :biggrin ) and thought I would have a go at this question.

    Now, I didn't get 100% on my exam, and I know I dropped points on ACL's so...

    This would be my answer:

    access-list 101 deny ip any 172.16.16.0 0.0.15.127

    somewhat different to that given; I would appreciate some feedback as I would like to clear this up before commencing with semetser 3.

    J
     
    Certifications: Bugger all
    WIP: CCNA
  10. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    254
    45
    45
    Jeff,

    Actually, your answer is incorrect. However, D-Faktor's is also wrong - access-list 101 permit any 172.16.32.0 0.0.15.255 eq 80 would select the wrong network. 172.16.32.0 is not part of the 172.16.16.0 / 20 network, and so that acl would not work.

    The correct acl would be :

    access-list 101 permit ip any 172.16.24.0 0.0.7.255

    Using a permit statement is the correct way to do it, as that way you prevent packets to any other destination network from passing the acl.

    If you wanted to use a deny ip, use this:

    access-list 101 deny ip any 172.16.16.0 0.0.7.255

    But of course the above acl would allow much more through, and is not suitable.



    Here is a practice question for you:

    What would the result be if you used the following acl instead of the correct one I listed (access-list 101 permit ip any 172.16.24.0 0.0.7.255)?

    access-list 101 permit ip any 172.16.28.128 0.0.7.255


    Spice Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  11. Jeff1545

    Jeff1545 New Member

    5
    0
    25
    Spice

    Thanks for the reply; I have a question.

    I have only done sem 1 & 2 so perhaps you know something I don't. Let me explain what I think I know at this time. The network in question is a Class B network with 4 bits borrowed from the 3rd Octect ( /20 ).

    If that is true it would give me the following networks:

    0 - not used in sem 1 & 2 although I understand it is later.
    16
    32
    48 etc etc

    Where do you get the 24 network from? :(

    If there had been 5 bits borrowed that would give me 24 as the 3rd useable network (assuming the zero network cannot be used).

    8
    16
    24

    :blink

    J
     
    Certifications: Bugger all
    WIP: CCNA
  12. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    254
    45
    45
    Jeff,

    You are on the right track. As there are 12 bits in the host portion, and 20 bits for the network portion, the range of addresses for the network run from -

    172.16.16.0 - 172.16.31.254

    The next similar network would be 172.16.32.0 - 172.16.47.254, then 172.16.48.0 - 172.16.53.254, and so on. Just as you point out in your post above, the 4 network bits in the third octet mean the decimal value hops by 16 for each network.

    So we know the network in the question runs from 172.16.16.0 - 172.16.31.254, and the question asks us to create an access list to allow the top half of the network. Since this is all binary, the first bit of the host portion determines if the host is in the top or bottom half of the network. In effect, it is as if we were subnetting the network into two networks - we would do that by making two /21 networks.

    Note the third octet has a value of 0001 0000 to 0001 1111 (decimal 16 to 31). The first four bits are always 0001 for this network. The next bit is either a 0 (for the lower half of the network) or 1 (for the upper half of the network). So our access list essentially only needs to check that bit to determine if the address is in the lower or upper half of the network.

    0001 0000 = 16
    0001 1000 = 24

    So if the access list looks for anything in the range of 172.16.24.0 to 172.16.31.254 it will catch all the upper addresses.

    So, 172.16.24.0 0.0.7.255 selects the upper half. The 0.0.7.255 masks off the 11 lowest bits of the host portion (the access list doesn't care about them), leaving just one bit checked by the acl, the bit that determines if it is the upper or lower half of the address range.

    Hope that helps, if anyone is interested I can post a few practical access list questions. Access lists are used everywhere in cisco products, it really is worth it to spend the time to get comfortable with them.


    As an aside, what would the difference be if the access list used was -

    access-list 101 permit ip any 172.16.28.128 0.0.7.255

    - instead?

    Spice Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  13. Jeff1545

    Jeff1545 New Member

    5
    0
    25
    Ahh, the old "12 bits in the host portion" ploy :oops:

    hmm...

    My best guess :rolleyes:

    172.16.28.0 to 172.16.31.0 assumes /20 as previous.

    0001 1100
    0001 1101
    0001 1110
    0001 1111

    the 7 in the wildcard mask will ignore the 3 LSBs which means the ACL will attempt to match bits 4 and 5; 172.16.24.0 network.

    Also, the 255 in the Wildcard mask will attempt to allow any value for the 4th Octet; 1 to 254 usable hosts I believe.

    Net effect, therefore, is an ACL looking for packets in the 172.16.24.0 network but being applied to an interface on the 172.16.28.0 network.

    Or, as we used to say in the Army, SNAFU.

    J
     
    Certifications: Bugger all
    WIP: CCNA
  14. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    254
    45
    45
    A bit of a trick question, but useful to demonstrate masks in acl's.

    access-list 101 permit ip any 172.16.28.128 0.0.7.255

    -would work just fine. It will produce exactly the same effect as -

    access-list 101 permit ip any 172.16.24.0 0.0.7.255

    The two access lists are completely identical in function. The key is the mask 0.0.7.255 - that means the access list ignores the last 11 bits of the address. Since the difference between 172.16.24.0 and 172.28.128 are all in the last 11 bits, there is no diffence between them. You could have any value for the last 11 bits and it would not matter.

    In fact, if you enter 172.16.28.128 0.0.7.255 in an access list on a Cisco router it will change it to 172.16.24.0 0.0.7.255 automatically, since it will set the bits covered by the mask to zero as they will not be checked by the acl.

    Spice Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  15. Jeff1545

    Jeff1545 New Member

    5
    0
    25
    Thats very interesting; just goes to show how much I don't know. But I have two more semesters to go and, presumably, I will get plenty of practice with ACLs.

    Thanks for the enlightenment.

    Jeff
     
    Certifications: Bugger all
    WIP: CCNA
  16. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    254
    45
    45
    Hi Jeff,

    Here are a few fairly practical access-list problems. I think they are a bit harder than most of the CCNA material, so if you feel comfortable making acl's like these you should be all set for CCNA testing relating to acl's. I made these questions up, they are not part of any exam, they are the sort of common, basic acl's you end up making all the time on routers/switches.


    1 - A 2960 switch is the command switch for a cluster of 8 switches. An access-list is needed to restrict access to vty lines on the command switch. Create a standard access-list to allow only the following addresses to have access:

    172.20.14.8/28, 192.168.24.17/24, 192.168.24.18/24, and 192.168.70.192/26. All other source addresses must be blocked.



    2 - A router has an interface connected to an ISP. Make an access-list to block the RFC 1918 private addresses. Also, block all tcp netbios ports (tcp 137,138,139) and tcp ports 135 and 3389. All other traffic should be allowed to pass.

    I hope the questions will be useful practice, getting comfortable with acl's early on makes it easier when you get into more complex areas of routers and switches. :)

    Spice Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE

Share This Page

Loading...