On R5, configure an access list that meets the following criteria and contains the fewest configuration lines possible:
■ Apply the access list on the outbound interface on R5's Fast Ethernet link to R4.
■ Deny any TCP packet with source address 220.127.116.11/24.
■ Deny any TCP packet with source address 18.104.22.168/24.
■ Deny any TCP packet with source address 22.214.171.124/24.
■ Deny any TCP packet with source address 126.96.36.199/24.
■ Permit all other IP traffic.
Confirm access to the network after applying the access list. (Hint: Use at most four lines of access list configuration.)
State how you can review any access violations.
The access list required here is somewhat tricky. The requirement that you use the least number of lines possible means that you should start looking for similarities in the subnets so that you can configure the correct mask.
Because you are denying TCP, you must use an extended access list, because standard access lists are based on IP only.
The first two subnets (188.8.131.52/24 and 184.108.40.206/24), when displayed in binary, look like the following. Notice that the first two octets are the same:
Only one bit (bit 2) is different (it could be 0 or 1 and hence is a don't care bit), so you can apply the mask as follows (remember, 0 means match and 1 means do not care):
10001100 (140 in decimal)
11001100 (204 in decimal)
01000000 (64 in decimal)
Example 8-69 configures the first access list line code to encompass the two networks, 220.127.116.11/24 and 18.104.22.168/24, with one line of IOS code.
Example 8-69 First Access List Line
access-list 100 deny tcp 22.214.171.124 0.0.64.255 any log
The inverse mask, 0.0.64.255, means the first two octets (129 and 57) must match, followed by either 140 or 204, and you do not care about the last octet (255 or all 11111111).
The same principle of binary bit notation is followed with the second pair of networks:
11100001 (225 in decimal)
10100001 (161 in decimal)
01000000 (64 in decimal)
Example 8-70 configures the second access list line code to encompass the two networks, 126.96.36.199/24 and 188.8.131.52/24, with one line of IOS code.
Example 8-70 Second Access List Line
access-list 100 deny tcp 184.108.40.206 220.127.116.11 any log
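The bit comparison used for both pairs can be checked mechanically. The following Python sketch is an added example, not part of the original lab solution. It derives the single-line base address and inverse mask for two subnets and tests sample source addresses against the result. The full prefixes (129.57.x.0/24) are assumed from the octets named in the text, and the function names are hypothetical.

```python
import ipaddress

def merge_pair(net_a, net_b):
    """Return (base, wildcard) for one ACL line that covers exactly the two
    subnets, or None when they differ in more than one network bit."""
    a = ipaddress.ip_network(net_a)
    b = ipaddress.ip_network(net_b)
    if a.prefixlen != b.prefixlen or a == b:
        return None
    diff = int(a.network_address) ^ int(b.network_address)
    # More than one differing bit: one wildcard line would also match
    # subnets that were never meant to be denied.
    if diff & (diff - 1):
        return None
    wildcard = int(a.hostmask) | diff          # host bits plus the one don't-care bit
    base = int(a.network_address) & ~wildcard & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(wildcard))

def acl_match(src, base, wildcard):
    """IOS-style test: every bit where the wildcard is 0 must equal the base."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(src)) & care) == \
           (int(ipaddress.IPv4Address(base)) & care)

if __name__ == "__main__":
    # Assumed prefixes, built from the octets the text names.
    pairs = [("129.57.140.0/24", "129.57.204.0/24"),
             ("129.57.225.0/24", "129.57.161.0/24")]
    for left, right in pairs:
        base, wildcard = merge_pair(left, right)
        print(f"access-list 100 deny tcp {base} {wildcard} any log")
    # Constructed source addresses: two inside the first pair, one outside.
    for src in ("129.57.140.9", "129.57.204.17", "129.57.141.1"):
        print(src, acl_match(src, "129.57.140.0", "0.0.64.255"))
```

A pair such as 140 and 161 returns None because more than one bit differs, which is why the four subnets need two separate deny lines rather than one.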
The final two conditions are met with a deny statement for all networks on 18.104.22.168/16 and an implicit permit on all other networks. Example 8-71 displays the final two IOS coded lines.
Example 8-71 Final Two Statements
access-list 100 deny tcp 22.214.171.124 0.0.255.255 any log
access-list 100 permit ip any any log
The log keyword ensures that any packets matching the access list are logged and available for further investigation when required. Ensure that all other legitimate IP data, such as OSPF routing updates, is encompassed in the last statement by implicitly allowing all other traffic.
Finally, apply the access list to the outbound interface on R5. Example 8-72 applies access list 100 outbound on R5's interface.
Example 8-72 Access List Applied to R5 Serial0/0
R5(config)#interface fastEthernet 0/0
R5(config-if)#ip access-group 100 out
Telnet to R5 and review the access list log. You should see the number of access list violations that were entered as a result of the failed access.
To view access list violations, use the IOS command show ip access-list 100.