A little help needed with an exended ACL [CCNA2]

Jeroen1000 · May 2006

Hi everyone!

I've made a small network with Boson's Netsim but I've ran into some problems:

I chose to subnet 172.1.0.0 for 14 usuable hosts per subnet => 172.1.0.0/28
or 255.255.255.240.

I chose to use the 7th subnet, being 172.1.0.112(=network address). The usuable hosts go from 172.1.0.113 to 172.1.0.126.

As you might know Cisco likes to divide subnets into a "lower" part and a "higher" part.

In order to do that I converted 112 to binary, being 01110000. The last 4 bits may change because of the subnetmask. Lower part goes from 0000 to 0111 (from 112 to 119). The higher part goes from 1000 to 1111, so from 120 till 127 (the latter being the broadcast address). Please note this is NOT subnetting.

I tried to make an (extended) ACL that prevents the hosts in the lower part range to access an other network. I applied the ACL to the "inbound" direction of the routers Fa0/0 interface:

access-list 101 deny ip 172.1.0.0 0.0.0.127 any
access-list 101 permit ip any any

access-list 102 deny ip 172.1.0.112 0.0.0.127 any
access-list 102 permit ip any any

Neither of the above lists seem to work

All help is greatly appreciated since my exam is due on Tuesday!

Thank you very much,

Jeroen

EdTheLad · May 2006

Ok,if i understand this correctly you split the 172.1.0.112/28 subnet into two parts an upper and a lower part.You then want to prevent hosts connected to the Fa0/0 to be able to communicate between from one halve to the other?
I think your going to kick yourself, these hosts will be on the same logical subnet so they do not need the router to communicate with each other.The router is only used to communicate between the devices if they have different subnets.So in your example you would have to use
172.1.0.112/29 and 172.1.0.120/29.
now getting back to the access-lists wouldnt you have wanted something like what i did below?Also as far as i can remember you cannot assign 2 different access-list to the same protocol on the same port in the same direction.Oh and remember you must assign the list to the port using access-group command,you never mentioned above.
So the lists below wont work but they will just give you a better idea of how to use the wild card masks.

access-list 101 deny ip 172.1.0.112 0.0.0.7 any
access-list 101 permit ip any any

access-list 102 deny ip 172.1.0.120 0.0.0.7 any
access-list 102 permit ip any any

dublin_101 · May 2006

that sounds pretty tricky man..........i've just finished ccna2 and the acl module and never came across that.......i do know that they talk about it later on..........but man, for that, i'd probably just open up notepad and put in the 6 or so host statements....

access-list 101 deny ip host 172.1.0.113 any
access-list 101 deny ip host 172.1.0.114 any

etc

access-list 101 permit ip any any

i know this isn't what you are asking, but maybe something to keep in mind...........i don't know how much this is actually applied in the industry, but i asked my teacher and she said not really ...but who know!...maybe some people can comment if such acls are applied in the industry.

maybe i am wrong, but maybe a few hosts are allowed to do things and the rest are not....comments please!

Jeroen1000 · May 2006

ed_the_lad wrote:

Ok,if i understand this correctly you split the 172.1.0.112/28 subnet into two parts an upper and a lower part.You then want to prevent hosts connected to the Fa0/0 to be able to communicate between from one halve to the other?

Almost right

the lower part (or higher part) may not communicate to an other subnet, or the internet, or a remote server, ... So the router should not allow traffic from the lower part into the fa0/0 interface.

Blocking the lower part from reaching the higher part in the same subnet would be tricky indeed.

The 2 lists I posted were 2 examples I tried. They were not assigned together. I assigned the 2 lists (seperately) to the fa0/0 interface, IN direction.

As I understand a "255" in a wildcard means "do not check at all" and a "0" means check entirely. But what do wildcards like 0.0.0.7 and 0.0.0.127 (I was guessing there) mean in term of blocking or permitting hosts?

Jeroen1000 · May 2006

dublin_101 wrote:

that sounds pretty tricky man..........i've just finished ccna2 and the acl module and never came across that.......i do know that they talk about it later on..........but man, for that, i'd probably just open up notepad and put in the 6 or so host statements....

access-list 101 deny ip host 172.1.0.113 any
access-list 101 deny ip host 172.1.0.114 any

etc

access-list 101 permit ip any any

i know this isn't what you are asking, but maybe something to keep in mind...........i don't know how much this is actually applied in the industry, but i asked my teacher and she said not really ...but who know!...maybe some people can comment if such acls are applied in the industry.

maybe i am wrong, but maybe a few hosts are allowed to do things and the rest are not....comments please!

Thanks for asking your teacher for me! I'm asking this because an other group at my school got this exam question and it is likely that we will get this one as well (Questions came directely from cisco, they said)

I sort of thought you could only fill in 255 and 0. So I used .127 as a pure guess not knowing exactely what it would do (Some other student in my group claimed this was correct, but it isn't)

I'm going to try some more now maybe I'll get lucky!

dublin_101 · May 2006

Jeroen1000 wrote:

Thanks for asking your teacher for me! I'm asking this because an other group at my school got this exam question and it is likely that we will get this one as well (Questions came directely from cisco, they said)

I sort of thought you could only fill in 255 and 0. So I used .127 as a pure guess not knowing exactely what it would do (Some other student in my group claimed this was correct, but it isn't)

I'm going to try some more now maybe I'll get lucky!

its actually good ppl like us talk abou this, as you never really know what to expect...i'm doing ccna2 exam this week and i don't feel i have any problems with ACLs...having said that, we were never asked these kind of questions...........the wildcard is tricky to understand at start, but once you DO understand it, you'll master it....

so in affect, it is inverse binary.......so basically, when trying to apply a wildcard to a whole network, you basically, reverse the binary.....so for example, ...........172.123.16.0 /20 ....basically, whatever is after the 20 subnet bits, you convert to 1 and the subnet bits to zero...........remember this:

0 = check
1= ignore....(relate the 1 being similar to an i ...so i - ignore)

so back to the example, lets look at it again:

net address: 172.123.16.0
subnet mask: 255.255.240.0

the wildcard would be this 0.0.15.255

if u can notice, whatever is 0 is to check......so here they are checking the fist octet, the second octet, and then the first 4 bits of the third octet (0000 1111) and ignoring the final octet (1111111)

so in binary, the wildcard is:

00000000.00000000.00001111.11111111

so as you can see, the wildcard is ordering the acl to verify the first 20 bits of the address, and the rest it is told not to worry about.........therefore, once the first 20 bits are ok, it will permit/deny it....meaning, whatever is after the 20 bits doesn't matter........YOu know that whatever is after the first 20 bits is the host range of that network.....

another example........a normal class c address with no subnets:

200.10.10.0 /24

wildcard would be: 0.0.0.255.........once again, you notice the 0s of the wildcard verify the address and the rest is ignored.

ps...have you done the module 11 ACL exam?....there are a few trick questions in there regarding the wildcard..........

if a network has a subnet of eg 29 bits.......that means the wilcard will be 0s for the 29 bits and 1s for the remainder...therefore:

00000000.00000000.00000000.00000111.....and this will be 0.0.0.7

keep in mind that these are for networks, when doing hosts, you either do 0.0.0.0 which tells the acl to verify the whole address, or just use host before the address eg. access list 10 deny host 200.10.10.67

gee man, i hope i haven't overdone it with this response, but i hope i've been helpful for you!

Jeroen1000 · May 2006

dublin_101 wrote:

Jeroen1000 wrote:

gee man, i hope i haven't overdone it with this response, but i hope i've been helpful for you!

You were very helpful because now I found the answer! Besides of the fact that you have to reload netsim everytime you make an ip change to a host (simple pc), I wasn't quite sure of my answers. (at some point I HAD the right answer but the reloading issue made me doubt).

I applied the list in packet tracer and it worked right from the start

IF I understand correctely now, I had to transform 112 to binary (=0111 0000).

Because of the subnet 255.255.255.240 (or /"28") the last 4 bits are variable and can be at most 16-2 (so minus network address and broadcast).

Using this info the wildcard became 0.0.0.7. The last 3 bits are allowed to vary and they can form at the most 7. So 112+7=119 so this wildcard can be used to deny the hosts from 112 till 119.

ACl: access-list 113 deny ip 172.0.1.112 0.0.0.7 any
access-list 113 permit ip any any

I hope that is a good way to deal with this!

dublin_101 · May 2006

Jeroen1000 wrote:

Using this info the wildcard became 0.0.0.7. The last 3 bits are allowed to vary and they can form at the most 7. So 112+7=119 so this wildcard can be used to deny the hosts from 112 till 119.

ACl: access-list 113 deny ip 172.0.1.112 0.0.0.7 any
access-list 113 permit ip any any

I hope that is a good way to deal with this!

do a list:

112 = 01110000
113 = 01110001
114 = 01110010
115 = 01110011
116 = 01110100
117 = 01110101
118 = 01110110
119 = 01110111

normally for this network, you would do the whole network and thus the wildcard would be 0.0.0.15...so to verify up until the network address!...

with the wildcard of 0.0.0.7, you are telling the ACL to verify not 4 bits into the octet, but 5....therefore:

instead of:
01110000 being checked, now:

01110000 will be checked.....and this is where i refer to the table above for guidance....

so now you have told the ACL to verify that the first 5 bits match the first 5 bits of the ip address given.........

therefore, as you said this will work....

a very good learning exercise ha!..

Jeroen1000 · May 2006

I did my exam today and I think I did ok. I only wrote 2 mistakes

Had to write deny tcp and I wrote deny ip

Now let's hope I've got the required 70%!

But the real reason for this reply I I'ed like to thank you 4 you help!

best regards,

Jeroen

dublin_101 · May 2006

Jeroen1000 wrote:

I did my exam today and I think I did ok. I only wrote 2 mistakes Had to write deny tcp and I wrote deny ip

Now let's hope I've got the required 70%!

But the real reason for this reply I I'ed like to thank you 4 you help!

best regards,

Jeroen

you are most welcome my friend......any other queries you have, direct my way, if i don't know them, i'll try them in my lab.....thats usually the best way to see if things work or don't!...

cheers and best of luck!...

A little help needed with an exended ACL [CCNA2]

Comments