ACL Drill Set 1

 In 200-301 V2 Ch02: Standard ACLs, 200-301 V2 Part 1: IP ACLs, ACL Drill, CCENT-OLD

Here’s the first ACL drill set. What’s that? Check out this post that explains the details. No stopwatch, no speed requirement for these, unlike the subnetting speed practice. Just focus on getting the right answer. Questions are below the fold!

First, use this figure as the backdrop:

Here are the questions. Your job for this drill: Treat each requirement as a completely separate problem. For each, create a 1 line ACL, with either a “permit” or “deny” action, to do what the requirement asks.

1) Host A (10.1.1.1/24) attempts to connect to Telnet server S3 (192.168.2.254/27). Your ACL will be applied outbound on R1’s S0/0/0 interface. Permit traffic from host A to telnet services on S3, as well as telnet services on all servers in that same subnet.

2) Host C (10.1.101.145/22) attempts to connect to web server S4 (192.168.3.250/28). Your ACL will be applied outbound on R3’s F0/0 interface. Deny hosts in host C’s subnet from communicating with web services on web server S4.

3) Repeat #2, but for an ACL that will be placed on R1’s F0/1 as an outbound ACL.

Enjoy! Answers in a few days.

ACL Practice Drills
Question: STP and Choosing a Root Port
Subscribe
Notify of
guest

8 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Dexter

permit tcp host 10.1.1.1 192.168.2.224 0 0.0.0.31 eq 23

Dexter

Erratum
permit tcp host 10.1.1.1 192.168.2.224 0 0.0.31 eq 23

Dexter

2) deny tcp 10.1.100.0 0.0.3.255 host 192.168.3.250 eq www

Samir

1)access-list 101 permit tcp host 10.1.1.1 192.168.2.224 0.0.0.31 eq telnet
2)access-list 101 deny tcp 10.1.100.0 0.0.3.255 host 192.168.3.250 eq www
3)access-list 101 deny tcp host 192.168.3.250 eq www 10.1.100.0 0.0.3.255

lyjo

Hi Dexter and Samir. The answer post is up! Should be the next post in chronological sequence, linked near where you see this post. But I like your answers! 🙂
Wendell

Starter

if I whrite like this woud it be correct answer to :

permit tcp host 10.1.1.1 192.168.2.254 0.0.0.31 eq 23

deny tcp 10.1.101.145 0.0.3.255 host 192.168.3.250 eq 80

deny tcp host 192.168.3.250 eq 80 10.1.101.145 0.0.3.255
Or i need to use subnet address as destination!! thanks for Reply

lyjo

Hi Starter,
Thanks for the post.
Your logic is pretty good. The one issue with your answers is that when you match a subnet, you’re still using the specific IP address along with the wildcard masks. You picked the correct wildcard masks, but you also need to use the subnet ID rather than the specific IP address.

EG, on your first command:
permit tcp host 10.1.1.1 192.168.2.224 0.0.0.31 eq 23

Note the link at the bottom of the post to the post that lists the answers as well. 🙂
Wendell

Jayson

Question #3 is confusing to me. Looking at other people’s take on the question, it is filtering mostly the return/reverse message from S1. After looking at it that way, I understand how the ACL command would be configured but I did not get to that conclusion from the question alone. Must just be me.

Contact Us

We're not around right now. But you can send us an email and we'll get back to you, asap.

8
0
Would love your thoughts, please comment.x
()
x