Review Question

wait2dominate Member Posts: 74
I was looking in a review book, and a question they had in there I wasn't sure if their answer was right.

Question: You've configured an interface with the access list shown. Based on the access list, which information packets in the left column would be permitted, and which packets would be denied?

Access-list 107 deny tcp 207.16.12.0 0.0.3.255 any eq http
Access-list 107 permit ip any any

A) Source IP : 207.16.32.14, destination application: http
B) Source IP : 207.16.15.9, destination port 23
C) Source IP: 207.16.14.7, destination port 80
D) Source IP : 207.16.13.14, destination application http
E) Source IP : 207.16.16.14, destination port 53

Book Answer:
Allowed D, C
Denied A,B,E

Reason: The wildcard 0.0.3.255 is a block size of 4, which means that the third octet will permit anything from 12 to 15. Also, the application is http, so the access list will only permit port 80.

My answer:
Allowed - A, B, E
Denied - C, D

Is it just me, or are the 'deny/permit' statements backwards in the answer? Just want to make sure.
Brake lights are a sign your car doesn't handle well enough.

CCNP or MCSE is next to come.
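To check the question mechanically rather than by eye, here is an added example (not from the book or the original post) that evaluates access-list 107 against the five packets using Cisco wildcard-mask semantics: a 0 bit in the wildcard means the address bit must match, a 1 bit means "don't care", entries are tried in order, and an unmatched packet hits the implicit deny at the end. Assumptions: "destination application: http" is taken as TCP port 80, and packet E (port 53) is constructed as UDP, though the verdict is the same for TCP since the deny entry only matches port 80.

```python
import ipaddress

# Access-list 107 from the thread, as (action, protocol, source base, source wildcard, dest port or None)
ACL_107 = [
    ("deny", "tcp", "207.16.12.0", "0.0.3.255", 80),           # deny tcp 207.16.12.0 0.0.3.255 any eq http
    ("permit", "ip", "0.0.0.0", "255.255.255.255", None),      # permit ip any any
]

# The five packets from the question (constructed sample input; protocol for E is an assumption)
PACKETS = {
    "A": ("207.16.32.14", "tcp", 80),
    "B": ("207.16.15.9", "tcp", 23),
    "C": ("207.16.14.7", "tcp", 80),
    "D": ("207.16.13.14", "tcp", 80),
    "E": ("207.16.16.14", "udp", 53),
}


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: bits where the wildcard is 0 must equal the base address."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def entry_matches(entry, src, proto, dport):
    """True if a single ACL entry matches the packet (protocol, source, destination port)."""
    _action, e_proto, base, wildcard, e_port = entry
    if e_proto != "ip" and e_proto != proto:   # 'ip' matches any IP protocol
        return False
    if not wildcard_match(src, base, wildcard):
        return False
    if e_port is not None and e_port != dport:  # 'eq <port>' must match exactly
        return False
    return True


def evaluate(acl, src, proto, dport):
    """First matching entry decides; every Cisco ACL ends with an implicit deny."""
    for entry in acl:
        if entry_matches(entry, src, proto, dport):
            return entry[0]
    return "deny"


def verdicts(acl=ACL_107, packets=PACKETS):
    """Map each packet label to 'permit' or 'deny'."""
    return {name: evaluate(acl, *pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name}: {verdict}")
```

Running it gives C and D denied (third octet 12 to 15, TCP port 80) and A, B, E permitted; the last assertion-style check in the usage is worth keeping in mind when reading any ACL question: an empty list, or one whose entries never match, denies everything.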

Comments

  • georgemc Member Posts: 429
    The wildcard mask 0.0.3.255 is a block size of 4, which means that the third octet will match anything from 12 to 15. Also, the application is http, so the deny statement will only match port 80.

    Thus, C and D will match the deny statement in the access-list and A, C, and E will match the permit.

    George
    WGU BS: Business - Information Technology Management
    Start Date: 01 October 2012
    QFT1,PFIT in progress.
    TRANSFERRED/COMPLETED: AGC1,BBC1,LAE1,QBT1,LUT1,QLC1,QMC1,QLT1,IWC1,INC1,INT1,BVC1,CLC1,MGC1, CWV1 BNC1, LIT1,LWC1,QAT1,WFV1,EST1,EGC1,EGT1,IWT1,MKC1,MKT1,RWT1,FNT1,FNC1, BDC1,TPV1 REQUIRED:
  • dtlokee Member Posts: 2,378
    Access-list 107 deny tcp 207.16.12.0 0.0.3.255 any eq http
    Access-list 107 permit ip any any

    A) Source IP : 207.16.32.14, destination application: http
    B) Source IP : 207.16.15.9, destination port 23
    C) Source IP: 207.16.14.7, destination port 80
    D) Source IP : 207.16.13.14, destination application http
    E) Source IP : 207.16.16.14, destination port 53

    C,D will match the deny statement
    A,B,E will match the permit ip any any statement

    B, E are easy because they're not using http for the destination port so that only leaves weeding out the other 3. I always find it's easiest to eliminate the ones that cannot be correct and choose from what's left.
    The only easy day was yesterday!
  • wait2dominate Member Posts: 74
    That's what I thought... just wanted to make sure I wasn't missing anything.
    Brake lights are a sign your car doesn't handle well enough.

    CCNP or MCSE is next to come.
  • kafifi13 Member Posts: 259
    Does anybody have a good link I can go to for wildcard masks? I have the ICND and the only thing not sinking in my head is when you use a wildcard mask like the one listed below. For some reason it's just not clicking.
  • The Prize Is Lobster Member Posts: 71
    What about them don't you understand?

    The whole block thing seems overexplained. I just learned it as subtract from 255 for each octet = wildcard mask.
  • dtlokee Member Posts: 2,378
    In many cases the wildcard mask used is just an inverted subnet mask (the ones turned to zeros and the zeros turned to ones). The easy way to find them is to take the mask and subtract from 255.255.255.255:
                255.255.255.255
    Subnet Mask 255.255.255.192
                 0 . 0 . 0 . 63

    So if you wanted to match all the hosts on the 192.0.2.64/27 network you would use the entry 192.0.2.64 0.0.0.63 in your access-list.

    The case really becomes that the address you specify is a match condition, and the wildcard mask determines what part to match and what part to wildcard. The other key is a wildcard mask does not need to be contiguous like a subnet mask.

    For example, let's say you want to match all IPs with an even third octet (not very practical, but you can do it). In this case you would use 0.0.0.0 255.255.254.255 in your access list, basically ensuring all the matched addresses have a '0' in the low order bit of the third octet, which determines even and odd (yes, I know this would match 0 and it's neither even nor odd, but you get the point).
    The only easy day was yesterday!
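The two ideas in the post above, inverting a subnet mask and using a non-contiguous wildcard, are easy to get wrong by hand, so here is an added example (not the poster's code) that does both: it derives a wildcard from a subnet mask or prefix length, reports the octet range a wildcard covers (the "block size" from the original question), tells contiguous from non-contiguous wildcards, and applies the 0.0.0.0 255.255.254.255 even-third-octet entry to constructed sample addresses. The helper names are my own.

```python
import ipaddress


def subnet_to_wildcard(mask):
    """Invert a dotted subnet mask by subtracting each octet from 255 (the 'subtract from 255' rule)."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))


def prefix_to_wildcard(prefix_len):
    """Same inversion starting from a prefix length; ipaddress calls the inverted mask the hostmask."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def is_contiguous(wildcard):
    """True if the wildcard is an inverted subnet mask: all its 1 bits sit at the low end."""
    w = int(ipaddress.IPv4Address(wildcard))
    return (w & (w + 1)) == 0   # w + 1 is a power of two only for ...000111 patterns


def octet_range(base_octet, wildcard_octet):
    """Values one octet can take; the block size is wildcard + 1 (0.0.3.255 -> third octet block of 4)."""
    low = base_octet & ~wildcard_octet & 0xFF
    return low, low + wildcard_octet


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: bits where the wildcard is 0 must equal the base address."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


# Constructed sample addresses for the even-third-octet entry (0.0.0.0 255.255.254.255)
EVEN_THIRD_OCTET_SAMPLES = {
    "10.20.30.40": True,    # 30 is even
    "10.20.31.40": False,   # 31 is odd
    "192.0.2.1": True,      # third octet 0 also has a low-order 0 bit, as the poster notes
    "172.16.255.9": False,  # 255 is odd
}


def classify_even_third_octet(addrs=EVEN_THIRD_OCTET_SAMPLES):
    """Apply the non-contiguous wildcard entry to each sample address."""
    return {addr: wildcard_match(addr, "0.0.0.0", "255.255.254.255") for addr in addrs}


if __name__ == "__main__":
    print("255.255.255.192 ->", subnet_to_wildcard("255.255.255.192"))
    print("/26 ->", prefix_to_wildcard(26))
    print("0.0.3.255 third octet from 12 ->", octet_range(12, 3))
    print("contiguous?", is_contiguous("0.0.3.255"), is_contiguous("255.255.254.255"))
    for addr, matched in classify_even_third_octet().items():
        print(addr, "matches" if matched else "does not match")
```

Note that `is_contiguous` is the check a reviewer wants when auditing ACLs: a non-contiguous wildcard is legal and occasionally useful, but it is also the kind of entry that matches far more (or far less) than the author expected, so it deserves a comment in the config explaining why it is there.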