CCNA 200-301 Official Cert Guide, Volume 2-29
Uploaded by Arif Hasan

Chapter 2: Basic IPv4 Access Control Lists 39

has been enabled on the wrong interface, or for the wrong direction, to match the packets as configured for the ACL.

For example, Figure 2-9 repeats the same ACL shown earlier in Figure 2-7. The first line of that ACL matches the specific host address 10.1.1.1. If that ACL exists on Router R2, placing that ACL as an inbound ACL on R2's S0/0/1 interface can work, because packets sent by host 10.1.1.1, on the left side of the figure, can enter R2's S0/0/1 interface. However, if R2 enables ACL 1 on its F0/0 interface, for inbound packets, the ACL will never match a packet with source IP address 10.1.1.1, because packets sent by host 10.1.1.1 will never enter that interface. Packets sent by 10.1.1.1 will exit R2's F0/0 interface, but never enter it, just because of the network topology.

ACL 1 (the ACL shown in Figure 2-9):
access-list 1 permit 10.1.1.1
access-list 1 deny 10.1.1.0 0.0.0.255
access-list 1 permit 10.0.0.0 0.255.255.255

[Figure 2-9 topology: hosts A (10.1.1.1) and B (10.1.1.2) connect to R1 F0/0, and host C (10.3.3.3) connects to R1 F0/1; R1 S0/0/0 connects to R2 S0/0/1; R2 F0/0 connects to switch S1. Inbound on R2 S0/0/1, ACL 1 can match packets from 10.1.1.1; inbound on R2 F0/0, it cannot match 10.1.1.1.]
Figure 2-9 Example of Checking the Interface and Direction for an ACL

Practice Applying Standard IP ACLs


Some CCNA topics, like ACLs, simply require more drills and practice than others. ACLs
require you to think of parameters to match ranges of numbers, and that of course requires
some use of math and some use of processes.
This section provides some practice problems and tips, from two perspectives. First, this
section asks you to build one-line standard ACLs to match some packets. Second, this sec-
tion asks you to interpret existing ACL commands to describe what packets the ACL will
match. Both skills are useful for the exams.

Practice Building access-list Commands


In this section, practice getting comfortable with the syntax of the access-list command, particularly with choosing the correct matching logic. These skills will be helpful when reading about extended and named ACLs in the next chapter.

First, the following list summarizes some important tips to consider when choosing matching parameters to any access-list command:
■ To match a specific address, just list the address.
■ To match any and all addresses, use the any keyword.
■ To match based only on the first one, two, or three octets of an address, use the 0.255.255.255, 0.0.255.255, and 0.0.0.255 WC masks, respectively. Also, make the source (address) parameter have 0s in the wildcard octets (those octets with 255 in the wildcard mask).
■ To match a subnet, use the subnet ID as the source, and find the WC mask by subtracting the DDN subnet mask from 255.255.255.255.
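The four tips above, written out as working code. This is an added example, not code from the book or from Cisco IOS; it uses only Python's standard ipaddress module, and the function names wildcard_from_prefix and standard_acl_line are my own. It generalizes the tips slightly: any prefix length is accepted, not just /8, /16 and /24, and host bits left set in the subnet are zeroed the way the third tip asks for.

```python
import ipaddress


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard (WC) mask for a /prefix_len subnet: 255.255.255.255 minus the
    dotted-decimal subnet mask, which is exactly the tip given in the list above."""
    netmask = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask
    return str(ipaddress.IPv4Address(0xFFFFFFFF - int(netmask)))


def standard_acl_line(acl_number: int, source: str, action: str = "permit") -> str:
    """Build one standard numbered ACL line.

    source is one of:
      'any'          -> match every address
      'a.b.c.d'      -> match that one host (no WC mask needed)
      'a.b.c.d/len'  -> match the subnet; /8, /16 and /24 give the
                        0.255.255.255, 0.0.255.255 and 0.0.0.255 masks
    """
    if source == "any":
        return f"access-list {acl_number} {action} any"
    if "/" not in source:
        # Single host: listing the address alone is the same as a 0.0.0.0 WC mask.
        return f"access-list {acl_number} {action} {ipaddress.IPv4Address(source)}"
    # strict=False zeroes any host bits the caller left set, so the address
    # field ends in 0s wherever the WC mask has 1s (what IOS would store anyway).
    net = ipaddress.IPv4Network(source, strict=False)
    if net.prefixlen == 32:
        return standard_acl_line(acl_number, str(net.network_address), action)
    return (f"access-list {acl_number} {action} "
            f"{net.network_address} {wildcard_from_prefix(net.prefixlen)}")


if __name__ == "__main__":
    # Constructed inputs in the style of Table 2-2.
    for number, criteria in [(10, "172.16.5.4"), (11, "192.168.6.0/24"),
                             (12, "192.168.0.0/16"), (13, "any"),
                             (14, "10.1.200.0/21"), (15, "10.1.1.9/27")]:
        print(standard_acl_line(number, criteria))
```

Note that the code never emits a WC mask for a single host; the book's convention of listing the address alone is equivalent to a 0.0.0.0 mask, and IOS shows such a line without a mask.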

Table 2-2 lists the criteria for several practice problems. Your job: Create a one-line standard ACL that matches the packets. The answers are listed in the section "Answers to Earlier Practice Problems," later in this chapter.

Table 2-2 Building One-Line Standard ACLs: Practice

Problem  Criteria
1        Packets from 172.16.5.4
2        Packets from hosts with 192.168.6 as the first three octets
3        Packets from hosts with 192.168 as the first two octets
4        Packets from any host
5        Packets from subnet 10.1.200.0/21
6        Packets from subnet 10.1.200.0/27
7        Packets from subnet 172.20.112.0/23
8        Packets from subnet 172.20.112.0/26
9        Packets from subnet 192.168.9.64/28
10       Packets from subnet 192.168.9.64/30

Reverse Engineering from ACL to Address Range


In some cases, you may not be creating your own ACL. Instead, you may need to interpret
some existing access-list commands. To answer these types of questions on the exams, you
need to determine the range of IP addresses matched by a particular address/wildcard mask
combination in each ACL statement.
Under certain assumptions that are reasonable for CCNA certifications, calculating the
range of addresses matched by an ACL can be relatively simple. Basically, the range of
addresses begins with the address configured in the ACL command. The range of addresses
ends with the sum of the address field and the wildcard mask. That’s it.
For example, with the command access-list 1 permit 172.16.200.0 0.0.7.255, the low end
of the range is simply 172.16.200.0, taken directly from the command itself. Then, to find
the high end of the range, just add this number to the WC mask, as follows:
172.16.200.0
+ 0. 0. 7.255
172.16.207.255

For this last bit of practice, look at the existing access-list commands in Table 2-3. In each
case, make a notation about the exact IP address, or range of IP addresses, matched by the
command.

Table 2-3 Finding IP Addresses/Ranges Matching by Existing ACLs

Problem  Commands for Which to Predict the Source Address Range
1        access-list 1 permit 10.7.6.5
2        access-list 2 permit 192.168.4.0 0.0.0.127
3        access-list 3 permit 192.168.6.0 0.0.0.31
4        access-list 4 permit 172.30.96.0 0.0.3.255
5        access-list 5 permit 172.30.96.0 0.0.0.63
6        access-list 6 permit 10.1.192.0 0.0.0.31
7        access-list 7 permit 10.1.192.0 0.0.1.255
8        access-list 8 permit 10.1.192.0 0.0.63.255

Interestingly, IOS lets the CLI user type an access-list command in configuration mode, and IOS will potentially change the address parameter before placing the command into the running-config file. The range-finding method just described assumes that the access-list command was taken from the router's configuration, so that any such change has already been made.
The change IOS can make with an access-list command is to convert to 0 any octet of an
address for which the wildcard mask’s octet is 255. For example, with a wildcard mask of
0.0.255.255, IOS ignores the last two octets. IOS expects the address field to end with two
0s. If not, IOS still accepts the access-list command, but IOS changes the last two octets of
the address to 0s. Example 2-5 shows an example, where the configuration shows address
10.1.1.1, but wildcard mask 0.0.255.255.
Example 2-5 IOS Changing the Address Field in an access-list Command
R2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# access-list 21 permit 10.1.1.1 0.0.255.255
R2(config)# ^Z
R2#
R2# show ip access-lists
Standard IP access list 21
10 permit 10.1.0.0, wildcard bits 0.0.255.255

The math to find the range of addresses relies on the fact that either the command is fully
correct or that IOS has already set these address octets to 0, as shown in the example.

NOTE The most useful WC masks, in binary, do not interleave 0s and 1s. This book
assumes the use of only these types of WC masks. However, Cisco IOS allows WC masks
that interleave 0s and 1s, but using these WC masks breaks the simple method of calculating
the range of addresses. As you progress through to CCIE studies, be ready to dig deeper to
learn how to determine what an ACL matches.
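The reverse-engineering arithmetic from earlier in this section (low end = address, high end = address + WC mask), the address normalization that Example 2-5 shows IOS performing, and the caveat in the NOTE above, all in one added example. This is my own code, not the book's or Cisco's; it uses only Python's standard ipaddress module, and the function names (ios_normalize, is_contiguous, simple_range, matches, matching_addresses) are assumptions of the example. Beyond what the text shows, it checks whether a WC mask is contiguous before using the simple method, and it shows the bitwise test a router actually applies, which works for interleaved masks too.

```python
import ipaddress


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def ios_normalize(address: str, wildcard: str) -> str:
    """Reproduce what Example 2-5 shows IOS doing: every address bit that sits
    under a 1 bit of the WC mask is stored as 0 (10.1.1.1 0.0.255.255 -> 10.1.0.0)."""
    return _to_dotted(_to_int(address) & ~_to_int(wildcard))


def is_contiguous(wildcard: str) -> bool:
    """True when the WC mask, in binary, is all 0s followed by all 1s (no
    interleaving); that is the assumption behind the low/high arithmetic."""
    wc = _to_int(wildcard)
    return (wc & (wc + 1)) == 0


def simple_range(address: str, wildcard: str):
    """The book's method: low end = (normalized) address, high end = low + WC mask.
    Refuses interleaved masks, where that arithmetic gives a wrong answer."""
    if not is_contiguous(wildcard):
        raise ValueError(f"WC mask {wildcard} interleaves 0s and 1s; "
                         "the simple range method does not apply")
    low = _to_int(ios_normalize(address, wildcard))
    return _to_dotted(low), _to_dotted(low + _to_int(wildcard))


def matches(candidate: str, address: str, wildcard: str) -> bool:
    """What the router really tests, for any WC mask: the candidate and the
    configured address must agree in every bit where the WC mask bit is 0."""
    differing = _to_int(candidate) ^ _to_int(address)
    return (differing & ~_to_int(wildcard) & 0xFFFFFFFF) == 0


def matching_addresses(address: str, wildcard: str, limit: int = 4096) -> list:
    """Enumerate low..low+WC and keep only real matches. For a contiguous mask
    every address in that span matches; for an interleaved mask it does not."""
    base = _to_int(ios_normalize(address, wildcard))
    wc = _to_int(wildcard)
    if wc + 1 > limit:
        raise ValueError("span too large to enumerate")
    return [_to_dotted(a) for a in range(base, base + wc + 1)
            if matches(_to_dotted(a), address, wildcard)]


if __name__ == "__main__":
    # The book's worked example and the IOS normalization from Example 2-5.
    print(simple_range("172.16.200.0", "0.0.7.255"))   # ('172.16.200.0', '172.16.207.255')
    print(ios_normalize("10.1.1.1", "0.0.255.255"))    # 10.1.0.0
    # Constructed interleaved mask 0.0.0.5 (binary ...101): the span
    # 10.1.1.0-10.1.1.5 is NOT matched in full, which is the NOTE's point.
    print(matching_addresses("10.1.1.0", "0.0.0.5"))   # ['10.1.1.0', '10.1.1.1', '10.1.1.4', '10.1.1.5']
```

The bitwise test in matches() is the one to keep in mind for CCIE-level questions: a WC mask 1 bit means "don't care", so an interleaved mask selects a scattered set of addresses rather than a single contiguous range, and only the contiguous case reduces to the low-plus-mask arithmetic.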

Chapter Review
One key to doing well on the exams is to perform repetitive spaced review sessions. Review
this chapter’s material using either the tools in the book or interactive tools for the same mate-
rial found on the book’s companion website. Refer to the “Your Study Plan” element for more
details. Table 2-4 outlines the key review elements and where you can find them. To better
track your study progress, record when you completed these activities in the second column.
