A little help needed with an extended ACL [CCNA2]

in CCNA & CCENT
Hi everyone!
I've made a small network with Boson's Netsim but I've run into some problems:
I chose to subnet 172.1.0.0 for 14 usable hosts per subnet => 172.1.0.0/28
or 255.255.255.240.
I chose to use the 7th subnet, being 172.1.0.112 (= network address). The usable hosts go from 172.1.0.113 to 172.1.0.126.
As you might know, Cisco likes to divide subnets into a "lower" part and a "higher" part.
In order to do that I converted 112 to binary, being 01110000. The last 4 bits may change because of the subnet mask. The lower part goes from 0000 to 0111 (from 112 to 119). The higher part goes from 1000 to 1111, so from 120 till 127 (the latter being the broadcast address). Please note this is NOT subnetting.
I tried to make an (extended) ACL that prevents the hosts in the lower part range from accessing another network. I applied the ACL to the "inbound" direction of the router's Fa0/0 interface:
access-list 101 deny ip 172.1.0.0 0.0.0.127 any
access-list 101 permit ip any any
access-list 102 deny ip 172.1.0.112 0.0.0.127 any
access-list 102 permit ip any any
Neither of the above lists seems to work.
All help is greatly appreciated since my exam is due on Tuesday!
Thank you very much,
Jeroen
Comments
I think you're going to kick yourself: these hosts will be on the same logical subnet, so they do not need the router to communicate with each other. The router is only used to communicate between the devices if they have different subnets. So in your example you would have to use
172.1.0.112/29 and 172.1.0.120/29.
Now, getting back to the access-lists, wouldn't you have wanted something like what I did below? Also, as far as I can remember, you cannot assign 2 different access-lists to the same protocol on the same port in the same direction. Oh, and remember you must assign the list to the port using the access-group command, which you never mentioned above.
So the lists below won't work, but they will just give you a better idea of how to use the wildcard masks.
access-list 101 deny ip 172.1.0.112 0.0.0.7 any
access-list 101 permit ip any any
access-list 102 deny ip 172.1.0.120 0.0.0.7 any
access-list 102 permit ip any any
access-list 101 deny ip host 172.1.0.113 any
access-list 101 deny ip host 172.1.0.114 any
etc
access-list 101 permit ip any any
I know this isn't what you are asking, but maybe something to keep in mind... I don't know how much this is actually applied in the industry, but I asked my teacher and she said not really... but who knows! Maybe some people can comment on whether such ACLs are applied in the industry.
Maybe I am wrong, but maybe a few hosts are allowed to do things and the rest are not... comments please!
Almost right
Blocking the lower part from reaching the higher part in the same subnet would be tricky indeed.
The 2 lists I posted were 2 examples I tried. They were not assigned together. I assigned the 2 lists (separately) to the fa0/0 interface, IN direction.
As I understand it, a "255" in a wildcard means "do not check at all" and a "0" means "check entirely". But what do wildcards like 0.0.0.7 and 0.0.0.127 (I was guessing there) mean in terms of blocking or permitting hosts?
Thanks for asking your teacher for me! I'm asking this because another group at my school got this exam question and it is likely that we will get this one as well (the questions came directly from Cisco, they said).
I sort of thought you could only fill in 255 and 0. So I used .127 as a pure guess, not knowing exactly what it would do (some other student in my group claimed this was correct, but it isn't).
I'm going to try some more now; maybe I'll get lucky!
It's actually good people like us talk about this, as you never really know what to expect... I'm doing the CCNA2 exam this week and I don't feel I have any problems with ACLs... having said that, we were never asked these kinds of questions... The wildcard is tricky to understand at the start, but once you DO understand it, you'll master it.
So in effect, it is inverse binary... so basically, when trying to apply a wildcard to a whole network, you reverse the binary. So for example... 172.123.16.0 /20: basically, whatever is after the 20 subnet bits you convert to 1, and the subnet bits to zero. Remember this:
0 = check
1 = ignore (relate the 1 being similar to an i... so i - ignore)
So back to the example, let's look at it again:
net address: 172.123.16.0
subnet mask: 255.255.240.0
the wildcard would be this: 0.0.15.255
If you can notice, whatever is 0 is to check... so here they are checking the first octet, the second octet, and then the first 4 bits of the third octet (0000 1111) and ignoring the final octet (11111111).
So in binary, the wildcard is:
00000000.00000000.00001111.11111111
So as you can see, the wildcard is ordering the ACL to verify the first 20 bits of the address, and the rest it is told not to worry about... therefore, once the first 20 bits are OK, it will permit/deny it... meaning, whatever is after the 20 bits doesn't matter. You know that whatever is after the first 20 bits is the host range of that network.
Another example... a normal class C address with no subnets:
200.10.10.0 /24
The wildcard would be: 0.0.0.255... once again, you notice the 0s of the wildcard verify the address and the rest is ignored.
PS... have you done the module 11 ACL exam? There are a few trick questions in there regarding the wildcard...
If a network has a subnet of e.g. 29 bits... that means the wildcard will be 0s for the 29 bits and 1s for the remainder; therefore:
00000000.00000000.00000000.00000111... and this will be 0.0.0.7
Keep in mind that these are for networks; when doing hosts, you either do 0.0.0.0, which tells the ACL to verify the whole address, or just use host before the address, e.g. access-list 10 deny host 200.10.10.67
Gee man, I hope I haven't overdone it with this response, but I hope I've been helpful for you!
Do a list:
112 = 01110000
113 = 01110001
114 = 01110010
115 = 01110011
116 = 01110100
117 = 01110101
118 = 01110110
119 = 01110111
Normally for this network, you would do the whole network and thus the wildcard would be 0.0.0.15... so to verify up until the network address!
With the wildcard of 0.0.0.7, you are telling the ACL to verify not 4 bits into the octet, but 5... therefore:
instead of:
01110000 being checked, now:
01110000 will be checked... and this is where I refer to the table above for guidance.
So now you have told the ACL to verify that the first 5 bits match the first 5 bits of the IP address given...
Therefore, as you said, this will work.
A very good learning exercise, ha!
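The wildcard arithmetic from the two replies above (subnet prefix to wildcard by "reversing the binary", and why 0.0.0.7 on 172.1.0.112 checks five bits of the last octet and so covers only 112-119, while the guessed 0.0.0.127 checks a single bit and covers all of 172.1.0.0-127), worked through as an added Python example. This is not code from the thread or from Cisco; the function names and the (action, base, wildcard) tuple form of the ACEs are my own assumptions, and IOS's `any` is written out as 0.0.0.0 255.255.255.255, which is what it expands to.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value):
    """32-bit integer -> dotted-quad string."""
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def wildcard_from_prefix(prefix_len):
    """Inverse of the subnet mask: 0 bits are checked, 1 bits are ignored
    (the 'reverse the binary' rule from the thread)."""
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return to_dotted(subnet_mask ^ ALL_ONES)


def ace_matches(address, base, wildcard):
    """True if address matches 'base wildcard' the way IOS evaluates it:
    only the bits that are 0 in the wildcard are compared."""
    checked = ~to_int(wildcard) & ALL_ONES
    return (to_int(address) & checked) == (to_int(base) & checked)


def matched_range(base, wildcard):
    """Lowest and highest address an ACE with this base/wildcard can match."""
    b, w = to_int(base), to_int(wildcard)
    return to_dotted(b & ~w), to_dotted(b | w)


def acl_action(acl, address):
    """Evaluate ACEs top-down, first match wins; implicit deny at the end."""
    for action, base, wildcard in acl:
        if ace_matches(address, base, wildcard):
            return action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")  # what IOS 'any' expands to

# The ACEs posted in the thread, as (action, base, wildcard) tuples (assumed form)
ACL_101_JEROEN = [("deny", "172.1.0.0", "0.0.0.127"), ("permit", *ANY)]
ACL_102_JEROEN = [("deny", "172.1.0.112", "0.0.0.127"), ("permit", *ANY)]
ACL_101_REPLY = [("deny", "172.1.0.112", "0.0.0.7"), ("permit", *ANY)]


def bits(value):
    """Last octet as an 8-bit string, to show which bits a wildcard checks."""
    return format(value & 0xFF, "08b")


if __name__ == "__main__":
    for prefix in (20, 24, 28, 29):
        print(f"/{prefix:<2} -> wildcard {wildcard_from_prefix(prefix)}")
    print("last octet of 172.1.0.112:", bits(112))
    print("wildcard 0.0.0.7         :", bits(7), "(5 leading 0s = 5 bits checked)")
    print("wildcard 0.0.0.127       :", bits(127), "(1 leading 0 = only 1 bit checked)")
    for name, acl in (("101 (Jeroen)", ACL_101_JEROEN),
                      ("102 (Jeroen)", ACL_102_JEROEN),
                      ("101 (reply)", ACL_101_REPLY)):
        _, base, wildcard = acl[0]
        low, high = matched_range(base, wildcard)
        print(f"access-list {name}: deny {base} {wildcard} covers {low} - {high}")
        # probe one lower-part host, one higher-part host, and one outside the /25
        for host in ("172.1.0.113", "172.1.0.121", "172.1.0.130"):
            print(f"  {host}: {acl_action(acl, host)}")
```

Running it shows the point of the thread: both of the 0.0.0.127 lists deny 172.1.0.121 as well as 172.1.0.113, because the wildcard leaves only the top bit of the last octet checked, whereas the 0.0.0.7 list denies 172.1.0.113 and permits 172.1.0.121.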
Now let's hope I've got the required 70%!
But the real reason for this reply is that I'd like to thank you for your help!
Best regards,
Jeroen
You are most welcome, my friend... any other queries you have, direct my way; if I don't know them, I'll try them in my lab... that's usually the best way to see if things work or don't!
Cheers and best of luck!