IP Access List 4 Points

On R5, configure an access list that meets the following criteria and contains as few configuration lines as possible:

■ Apply the access list on the outbound interface on R5's Fast Ethernet link to R4.

■ Deny any TCP packet with source address 129.57.204.0/24.

■ Deny any TCP packet with source address 129.57.140.0/24.

■ Deny any TCP packet with source address 225.133.29.0/24.

■ Deny any TCP packet with source address 161.133.29.0/24.

■ Permit all other IP traffic.

Confirm access to the network after applying the access list. (Hint: Use at most four lines of access list configuration.)

State how you can review any access violations.

IP Access List Solution

The access list required here is somewhat tricky. The requirement that you use the fewest lines possible means that you should start looking for similarities in the subnets so that you can configure a wildcard mask that covers more than one of them in a single line.

Because you are denying TCP specifically, you must use an extended access list; standard access lists match on the source IP address only and cannot test the protocol.

The first two subnets (129.57.140.0/24 and 129.57.204.0/24) share the same first two octets, so only the third octet needs to be compared. Displayed in binary, the third octets look like the following:

140 in binary is 10001100
204 in binary is 11001100

Only one bit (bit 2) is different (it could be 0 or 1 and hence is a don't care bit), so you can apply the mask as follows (remember, 0 means match and 1 means do not care):

10001100 (140 in decimal)
11001100 (204 in decimal)
01000000 (64 in decimal)

Example 8-69 configures the first access list line code to encompass the two networks, 129.57.140.0/24 and 129.57.204.0/24, with one line of IOS code.

Example 8-69 First Access List Line

access-list 100 deny tcp 129.57.140.0 0.0.64.255 any log

The inverse (wildcard) mask, 0.0.64.255, means the first two octets (129 and 57) must match, the third octet may be either 140 or 204, and the last octet is not checked at all (255, or all 11111111).

The same principle of binary bit notation is followed with the second pair of networks, where this time it is the first octet that differs:

11100001 (225 in decimal)
10100001 (161 in decimal)
01000000 (64 in decimal)

Example 8-70 configures the second access list line code to encompass the two networks, 225.133.29.0/24 and 161.133.29.0/24, with one line of IOS code.

Example 8-70 Second Access List Line

access-list 100 deny tcp 161.133.29.0 64.0.0.255 any log

The last octet of the wildcard must be 255 so that the line covers every host in the two /24 networks; with a wildcard of 64.0.0.0 the line would match only the single address .0 in each of them.

The final two conditions are met with a deny statement for all networks in 182.133.0.0/16 and a permit statement for all other IP traffic. Example 8-71 displays the final two IOS lines.

Example 8-71 Final Two Statements

access-list 100 deny tcp 182.133.0.0 0.0.255.255 any log
access-list 100 permit ip any any log

The log keyword ensures that any packets matching the access list are logged and available for further investigation when required. The final permit ip any any statement ensures that all other legitimate IP traffic, such as OSPF routing updates, is still allowed.
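The wildcard derivation above can be checked rather than done by hand. The following is an added example, not part of the original lab text: it derives the single address/wildcard pair that covers a list of /24 networks, tests whether a packet source matches an entry, and enumerates every /24 an entry can match so you can confirm a shortened access list does not deny more (or less) than intended. All function names are my own.

```python
import ipaddress
from itertools import product

def wildcard_ace(networks):
    """Derive one (address, wildcard) pair covering every /24 in `networks`.

    Bits that agree across all networks must match (wildcard bit 0); bits
    that differ are don't-care (wildcard bit 1), exactly as in the manual
    binary comparison. The host octet is always wildcarded for a /24.
    """
    ints = [int(ipaddress.IPv4Network(n).network_address) for n in networks]
    differ = 0
    for x in ints[1:]:
        differ |= ints[0] ^ x
    wildcard = differ | 0xFF                  # last octet: any host
    address = ints[0] & ~wildcard             # lowest address in the set
    return (str(ipaddress.IPv4Address(address)),
            str(ipaddress.IPv4Address(wildcard)))

def ace_matches(address, wildcard, src):
    """True if source `src` matches an entry written as `address wildcard`."""
    a, w, s = (int(ipaddress.IPv4Address(x)) for x in (address, wildcard, src))
    return (a & ~w) == (s & ~w)

def covered_slash24s(address, wildcard):
    """All /24 networks an entry can touch: one per combination of wildcard
    bits above the host octet. Use it to spot unintended over-matching."""
    a, w = (int(ipaddress.IPv4Address(x)) for x in (address, wildcard))
    bits = [1 << i for i in range(8, 32) if w & (1 << i)]
    nets = set()
    for combo in product((0, 1), repeat=len(bits)):
        v = a & ~w
        for on, b in zip(combo, bits):
            if on:
                v |= b
        nets.add(str(ipaddress.IPv4Network((v & ~0xFF, 24))))
    return sorted(nets)

if __name__ == "__main__":
    # Constructed input: the two network pairs from the lab.
    print(wildcard_ace(["129.57.140.0/24", "129.57.204.0/24"]))
    print(wildcard_ace(["225.133.29.0/24", "161.133.29.0/24"]))
    print(covered_slash24s("129.57.140.0", "0.0.64.255"))
```

The enumeration also shows why a lazier wildcard such as 0.0.255.255 is a bad shortcut: it would deny TCP from all 256 /24 networks under 129.57.0.0 rather than the two required.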

Finally, apply the access list outbound on R5's Fast Ethernet interface toward R4. Example 8-72 applies access list 100 in the outbound direction on that interface.

Example 8-72 Access List Applied to R5 FastEthernet0/0

R5(config)#interface fastEthernet 0/0
R5(config-if)#ip access-group 100 out

Telnet to R5 and review the access list counters and log. You should see the number of access list violations recorded as a result of the denied TCP traffic.

To view access list violations, use the IOS command show ip access-list 100.
