Access Control List Help

Discussion in 'General Cisco Certifications' started by Paulcraig1979, May 1, 2006.

  1. Paulcraig1979 (New Member)
    I am currently trying to work out an ACL problem I have been given.

    I have the following network: 172.16.16.0/20. I have been asked to write an ACL that restricts access to only 'the top half' of the network.

    This is how I think I should tackle this problem. Identify the host range of the network, for example 172.16.16.1 -> 172.16.31.254, and find the middle host of the range. Anything above the middle host is classed as the top half of the network; anything below the middle host is classed as the bottom half.

    Am I thinking on the right track?
     
  2. simongrahamuk (Honorary Member)
    *Cough*
     
  3. zimbo (Honorary Member)
    LOL, he hasn't come back after 4 days, man! Either he solved it or just gave up trying!
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  4. simongrahamuk (Honorary Member)
    Perhaps he hasn't returned because no one answered his question!
     
  5. hbroomhall (Gold Member)
    But I thought people had answered it?

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  6. simongrahamuk (Honorary Member)
    I thought that, then noticed that this was posted after the site came back online?
     
  7. Mr.Cheeks (Gold Member)
    ...so is there an answer?
     
  8. hbroomhall (Gold Member)
    Yes - here.

    Harry.
     
  9. Jeff1545 (New Member)
    Hi guys,

    I was looking through and saw this thread; I have just taken the CCNA Semester 2 exam (I passed) and thought I would have a go at this question.

    Now, I didn't get 100% on my exam, and I know I dropped points on ACLs so...

    This would be my answer:

    access-list 101 deny ip any 172.16.16.0 0.0.15.127

    somewhat different to that given; I would appreciate some feedback as I would like to clear this up before commencing with semester 3.

    J
     
    Certifications: Bugger all
    WIP: CCNA
  10. Spice_Weasel
    Jeff,

    Actually, your answer is incorrect. However, D-Faktor's is also wrong - access-list 101 permit any 172.16.32.0 0.0.15.255 eq 80 would select the wrong network. 172.16.32.0 is not part of the 172.16.16.0/20 network, and so that ACL would not work.

    The correct acl would be :

    access-list 101 permit ip any 172.16.24.0 0.0.7.255

    Using a permit statement is the correct way to do it, as that way you prevent packets to any other destination network from passing the acl.

    If you wanted to use a deny ip, use this:

    access-list 101 deny ip any 172.16.16.0 0.0.7.255

    But of course the above ACL would allow much more through, and is not suitable.

    Here is a practice question for you:

    What would the result be if you used the following acl instead of the correct one I listed (access-list 101 permit ip any 172.16.24.0 0.0.7.255)?

    access-list 101 permit ip any 172.16.28.128 0.0.7.255

    Spice Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  11. Jeff1545 (New Member)
    Spice

    Thanks for the reply; I have a question.

    I have only done sem 1 & 2 so perhaps you know something I don't. Let me explain what I think I know at this time. The network in question is a Class B network with 4 bits borrowed from the third octet (/20).

    If that is true it would give me the following networks:

    0 - not used in sem 1 & 2 although I understand it is later.
    16
    32
    48 etc etc

    Where do you get the 24 network from?

    If there had been 5 bits borrowed that would give me 24 as the third usable network (assuming the zero network cannot be used).

    8
    16
    24

    :blink

    J
     
  12. Spice_Weasel
    Jeff,

    You are on the right track. As there are 12 bits in the host portion, and 20 bits for the network portion, the range of addresses for the network runs from -

    172.16.16.0 - 172.16.31.254

    The next similar network would be 172.16.32.0 - 172.16.47.254, then 172.16.48.0 - 172.16.53.254, and so on. Just as you point out in your post above, the 4 network bits in the third octet mean the decimal value hops by 16 for each network.

    So we know the network in the question runs from 172.16.16.0 - 172.16.31.254, and the question asks us to create an access list to allow the top half of the network. Since this is all binary, the first bit of the host portion determines if the host is in the top or bottom half of the network. In effect, it is as if we were subnetting the network into two networks - we would do that by making two /21 networks.

    Note the third octet has a value of 0001 0000 to 0001 1111 (decimal 16 to 31). The first four bits are always 0001 for this network. The next bit is either a 0 (for the lower half of the network) or 1 (for the upper half of the network). So our access list essentially only needs to check that bit to determine if the address is in the lower or upper half of the network.

    0001 0000 = 16
    0001 1000 = 24

    So if the access list looks for anything in the range of 172.16.24.0 to 172.16.31.254 it will catch all the upper addresses.

    So, 172.16.24.0 0.0.7.255 selects the upper half. The 0.0.7.255 masks off the 11 lowest bits of the host portion (the access list doesn't care about them), leaving just one bit checked by the acl, the bit that determines if it is the upper or lower half of the address range.

    Hope that helps. If anyone is interested I can post a few practical access list questions. Access lists are used everywhere in Cisco products; it really is worth spending the time to get comfortable with them.

    As an aside, what would the difference be if the access list used was -

    access-list 101 permit ip any 172.16.28.128 0.0.7.255

    - instead?

    Spice Weasel
     
  13. Jeff1545 (New Member)
    Ahh, the old "12 bits in the host portion" ploy.

    hmm...

    My best guess:

    172.16.28.0 to 172.16.31.0 assumes /20 as previous.

    0001 1100
    0001 1101
    0001 1110
    0001 1111

    the 7 in the wildcard mask will ignore the 3 LSBs which means the ACL will attempt to match bits 4 and 5; 172.16.24.0 network.

    Also, the 255 in the Wildcard mask will attempt to allow any value for the 4th Octet; 1 to 254 usable hosts I believe.

    Net effect, therefore, is an ACL looking for packets in the 172.16.24.0 network but being applied to an interface on the 172.16.28.0 network.

    Or, as we used to say in the Army, SNAFU.

    J
     
  14. Spice_Weasel
    A bit of a trick question, but useful to demonstrate masks in acl's.

    access-list 101 permit ip any 172.16.28.128 0.0.7.255

    -would work just fine. It will produce exactly the same effect as -

    access-list 101 permit ip any 172.16.24.0 0.0.7.255

    The two access lists are completely identical in function. The key is the mask 0.0.7.255 - that means the access list ignores the last 11 bits of the address. Since the difference between 172.16.24.0 and 172.16.28.128 is all in the last 11 bits, there is no difference between them. You could have any value for the last 11 bits and it would not matter.

    In fact, if you enter 172.16.28.128 0.0.7.255 in an access list on a Cisco router it will change it to 172.16.24.0 0.0.7.255 automatically, since it will set the bits covered by the mask to zero as they will not be checked by the acl.

    Spice Weasel
     
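A worked version of the wildcard-mask arithmetic from Spice_Weasel's two explanations above (selecting the upper half of 172.16.16.0/20 with 172.16.24.0 0.0.7.255, and IOS storing 172.16.28.128 0.0.7.255 as 172.16.24.0 0.0.7.255). This is an added example, not code from the thread; the function names are this example's own, `top_half` generalises the one-extra-prefix-bit reasoning to any IPv4 prefix, and the contiguity check is included because a wildcard such as 0.0.15.127 does not describe a single address range.

```python
# Added example (not from the thread): Cisco wildcard-mask arithmetic for
# the "top half of 172.16.16.0/20" question. Function names are this
# example's own, not IOS commands.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco semantics: a 1 bit in the wildcard means 'do not check this bit'."""
    a, b, w = _to_int(addr), _to_int(base), _to_int(wildcard)
    return (a ^ b) & ~w & ALL_ONES == 0


def normalize(base: str, wildcard: str) -> str:
    """What IOS stores for 'base wildcard': every wildcarded bit is cleared."""
    return _to_dotted(_to_int(base) & ~_to_int(wildcard))


def is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is a run of low-order 1 bits, i.e. it covers one CIDR block."""
    w = _to_int(wildcard)
    return w & (w + 1) == 0


def matched_range(base: str, wildcard: str) -> tuple[str, str]:
    """Lowest and highest address the entry matches; only defined for contiguous wildcards."""
    if not is_contiguous(wildcard):
        raise ValueError(f"{wildcard} is not contiguous; the entry does not match one range")
    b, w = _to_int(base), _to_int(wildcard)
    return _to_dotted(b & ~w), _to_dotted(b | w)


def top_half(network: str) -> tuple[str, str]:
    """(base, wildcard) selecting the upper half of a CIDR network.

    Same as taking one more prefix bit, setting it to 1 and wildcarding the
    remaining host bits: 172.16.16.0/20 -> 172.16.24.0 0.0.7.255.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.prefixlen > 31:
        raise ValueError("a /32 has no halves")
    half = net.num_addresses // 2
    return _to_dotted(int(net.network_address) + half), _to_dotted(half - 1)


if __name__ == "__main__":
    base, wc = top_half("172.16.16.0/20")
    print("top half:", base, wc, "->", matched_range(base, wc))
    print("IOS stores 172.16.28.128 0.0.7.255 as", normalize("172.16.28.128", "0.0.7.255"), wc)
    for host in ("172.16.23.255", "172.16.24.0", "172.16.31.254"):
        print(host, "upper half" if wildcard_match(host, base, wc) else "lower half")
    print("0.0.15.127 contiguous?", is_contiguous("0.0.15.127"))
```

`top_half` computes the wildcard as `half - 1`, which is exactly the host bits of the resulting /21; `matched_range` refuses non-contiguous wildcards because on IOS such an entry matches several disjoint blocks, and reading it as a single low/high range is a common source of ACL mistakes.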
  15. Jeff1545 (New Member)
    That's very interesting; just goes to show how much I don't know. But I have two more semesters to go and, presumably, I will get plenty of practice with ACLs.

    Thanks for the enlightenment.

    Jeff
     
  16. Spice_Weasel
    Hi Jeff,

    Here are a few fairly practical access-list problems. I think they are a bit harder than most of the CCNA material, so if you feel comfortable making ACLs like these you should be all set for CCNA testing relating to ACLs. I made these questions up; they are not part of any exam. They are the sort of common, basic ACLs you end up making all the time on routers/switches.


    1 - A 2960 switch is the command switch for a cluster of 8 switches. An access-list is needed to restrict access to vty lines on the command switch. Create a standard access-list to allow only the following addresses to have access:

    172.20.14.8/28, 192.168.24.17/24, 192.168.24.18/24, and 192.168.70.192/26. All other source addresses must be blocked.



    2 - A router has an interface connected to an ISP. Make an access-list to block the RFC 1918 private addresses. Also, block all tcp netbios ports (tcp 137,138,139) and tcp ports 135 and 3389. All other traffic should be allowed to pass.

    I hope the questions will be useful practice; getting comfortable with ACLs early on makes it easier when you get into more complex areas of routers and switches.

    Spice Weasel
     
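A worked check of practice question 2 from the post above, added here and not part of the thread: a small parser for the extended-ACL syntax used throughout this discussion plus a first-match evaluator that ends in the implicit deny. The nine-line ACL embedded in the block is this example's own answer to the question, written for inbound application on the ISP-facing interface; the ACL number 110 and the sample packets are assumptions, not anything the thread states.

```python
# Added example (not from the thread): a minimal parser/evaluator for Cisco
# extended ACL lines, used to check an answer to practice question 2.
# The ACL text below is this example's own answer; ACL number 110 is assumed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

ALL_ONES = 0xFFFFFFFF

QUESTION_2_ACL = """
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 deny tcp any any eq 135
access-list 110 deny tcp any any eq 137
access-list 110 deny tcp any any eq 138
access-list 110 deny tcp any any eq 139
access-list 110 deny tcp any any eq 3389
access-list 110 permit ip any any
"""


@dataclass(frozen=True)
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: int
    src_wc: int
    dst: int
    dst_wc: int
    dport: Optional[int]   # destination port from "eq N", or None


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _addr_spec(tok: list, i: int) -> tuple:
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (base, wildcard, next index)."""
    if tok[i] == "any":
        return 0, ALL_ONES, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2


def parse_entry(line: str) -> Entry:
    """access-list N {permit|deny} PROTO SRC DST [eq PORT]  (destination port only)."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACL line: {line!r}")
    src, src_wc, i = _addr_spec(tok, 4)
    dst, dst_wc, i = _addr_spec(tok, i)
    dport = None
    if i < len(tok):
        if tok[i] != "eq" or len(tok) != i + 2:
            raise ValueError(f"unsupported port clause: {line!r}")
        dport = int(tok[i + 1])
    return Entry(tok[2], tok[3], src, src_wc, dst, dst_wc, dport)


def parse_acl(text: str) -> list:
    return [parse_entry(l) for l in text.strip().splitlines() if l.strip()]


def _match(addr: int, base: int, wc: int) -> bool:
    return (addr ^ base) & ~wc & ALL_ONES == 0


def evaluate(entries: list, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching entry wins; a packet that matches nothing hits the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (_match(s, e.src, e.src_wc) and _match(d, e.dst, e.dst_wc)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"


if __name__ == "__main__":
    acl = parse_acl(QUESTION_2_ACL)
    # Constructed sample packets (proto, src, dst, dport); addresses from RFC 5737 test ranges.
    for pkt in (("tcp", "10.1.2.3", "203.0.113.5", 80),
                ("tcp", "198.51.100.7", "203.0.113.5", 3389),
                ("tcp", "198.51.100.7", "203.0.113.5", 443),
                ("udp", "198.51.100.7", "203.0.113.5", 137)):
        print(pkt, "->", evaluate(acl, *pkt))
```

Two things the evaluator makes visible that the ACL text alone does not: order matters, since moving `permit ip any any` to the top makes every deny below it unreachable (IOS stops at the first match), and the question as posed only blocks 137 and 138 on TCP, so a udp/137 packet is permitted by this ACL even though NetBIOS name and datagram services actually run over UDP 137 and 138.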
