CCNA - ACL question

Answered Question
Sep 23rd, 2007

Hi,


I'm studying for the CCNA 640-801 exam and in some study materials there is the following ACL question and I don't understand why the answer is what it is. I was hoping someone in here could help with explaining why. Thanks.


Router1-s0--------s0-Router2-s0--------s0-Router3

___|________________|_______________|____


PCA through PCF all seem to be connected to a common backbone. All three routers appear to also be connected to the same backbone as the PCs. Router1 connects to Router2 which connects to Router3.


PCA - 5.1.1.8/24

PCB - 5.1.1.10/24

PCC - 5.1.2.10/24

PCD - 5.1.2.20/24

PCE - 5.1.3.8/24

PCF - 5.1.3.10/24


You're the systems administrator at Cisco, and you create the following access control lists.


access-list 101 deny tcp 5.1.1.10 0.0.0.0 5.1.3.0 0.0.0.255 eq telnet

access-list 101 permit any any


You then enter the command "ip access-group 101 in" to apply access control list 101 to router1's e0 interface.

Which of the following Telnet sessions will be blocked as a result of your access lists? (Select all that apply)


A. Telnet sessions from host A to host 5.1.1.10

B. Telnet sessions from host A to host 5.1.3.10

C. Telnet sessions from host B to host 5.1.2.10

D. Telnet sessions from host B to host 5.1.3.8

E. Telnet sessions from host C to host 5.1.3.10

F. Telnet sessions from host F to host 5.1.1.10


Answer D & F


I understand answer D, that is straightforward and easy to understand. However, I don't understand answer F. The ACL statement, 'access-list 101 deny tcp 5.1.1.10 0.0.0.0' specifically has the source host listed which is not PCF. I would think only addresses matching the source address in the ACL should be blocked. Thanks to anyone who can help.

Richard Burts Sun, 09/23/2007 - 09:22

Riley


I believe that the question is attempting to explore a subtle aspect of how access lists affect traffic. It is obvious that the access list can stop a telnet when it blocks traffic with source address as the machine that initiates the telnet request to the telnet destination (choice D). It may not be as obvious but it is true that the access list can stop a telnet when it blocks the response traffic from the telnet destination. So choice F is suggesting that PCF initiates a telnet to PCB and that the response traffic, which will be inspected by access list 101 inbound on router1, will have PCB as the source and PCF as the destination. If this is blocked by the access list then the telnet is stopped.


However the technicality is that the access list specifies telnet as the destination port. To achieve what they are suggesting they would need to add this line in the access list:

access-list 101 deny tcp 5.1.1.10 0.0.0.0 eq telnet 5.1.3.0 0.0.0.255


HTH


Rick

Kevin Dorrell Sun, 09/23/2007 - 09:45

I agree with you and with Rick: the answer 'F' is wrong. I think the writers of the study materials have tried to be too clever by half, and got the answer wrong themselves. Either they thought that a telnet session uses TCP/23 as a source port (which it doesn't - it sources from a dynamic port - only the destination port is TCP/23), or they didn't realise that the position of the "eq telnet" in the command actually matters.


I find this sort of thing irritating. How anyone is supposed to learn from materials that get the answer wrong is beyond me. I think the study material writers have a duty of care towards their readers, a duty they all too often neglect.


Kevin Dorrell

Luxembourg


rileymartin Sun, 09/23/2007 - 10:44

Thanks. Could I run another ACL question by you guys?


You have the following: Router1 connected to LAN1, Router2 connected to LAN2 and Router3 connected to LAN3. Router1 also connects to Router2 which connects to Router3.


Router1-s0----s0-Router2-s1----s1-Router3


You are the administrator of the Cisco network which is composed of three routers connected together via a WAN as shown in the diagram. Your assignment is to configure and apply an access control list that will block telnet access to the Router1 router without inhibiting all other traffic. The access list won't need more than 3 statements and it should be applied to the Router3 router.


Router1

E0 192.168.1.1

S0 192.168.118.1


Router2

E0 192.168.121.1

S0 192.168.5.1

S1 192.168.118.2


Router3

E0 192.168.134.1

S1 192.168.5.2


Answer:

-------


Router3(config)#access-list 101 deny tcp any 192.168.1.1 0.0.0.0 eq 23

Router3(config)#access-list 101 deny tcp any 192.168.118.0 0.0.0.0 eq 23

Router3(config)#access-list 101 permit ip any any

Router3(config)#interface Ethernet 0

Router3(config-if)#ip access-group 101 in

Router3(config-if)#exit

Router3(config)#interface serial 1

Router3(config-if)#ip access-group 101 in



I answered the following:

------------------------


access-list 100 deny tcp eq 23 192.168.134.0 0.0.0.255 host 192.168.1.1

access-list 100 deny tcp eq 23 192.168.134.0 0.0.0.255 host 192.168.118.1

permit ip any any

int e0

ip access-group 100 in

Correct Answer
Richard Burts Sun, 09/23/2007 - 11:57

Riley


I have an issue with their solution and an issue with your solution.


I think that the major flaw in their solution is putting the access-group on the serial interface as an inbound filter. As an inbound filter on the serial, 192.168.1.1 or 192.168.118.0 would be the source address and their access list has it as the destination. Putting the access list as inbound on Ethernet 0 is effective. Putting it also on serial 1 adds no effectiveness. I am not clear whether they were again trying to point out the possibility of preventing telnet by denying the response traffic. But you cannot do both in one access list which is limited to 3 statements.


Another (small) issue with their access list is in the second line:

access-list 101 deny tcp any 192.168.118.0 0.0.0.0 eq 23

The mask is for a specific host but 192.168.118.0 is not a host. It is the network/subnet address and no legitimate traffic will ever have that as a source address.


The main issue in your access list is the placement of "eq 23". You have it coming before the source address and the "eq port" comes after an address specification (after either the source or after the destination) and not before both of the addresses. Also if your access list is inbound on interface Ethernet 0 then telnet traffic to router 1 will have port 23 (telnet) as the destination port.


There is an apparent difference between your list and their list but it does not matter. You specify 192.168.134.0/24 as the source address and they specify any as the source address. Since the network explanation indicates that 192.168.134.0 is the only network behind E 0 the effect of the access lists does not change between the two source address specifications.


I agree with Kevin that there does not appear to be a lot of effective proof reading of this material. I have taught Cisco classes and I have written training material and I appreciate that this is difficult to do. But it is highly unfortunate and lowers the credibility of the material (and their source) when these kinds of mistakes are apparent.


HTH


Rick
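
Both of Rick's answers turn on the same two points: where "eq" sits in an extended ACL line decides whether it constrains the source or the destination port, and only one direction of a telnet session enters a given interface. The Python below is an added model of that matching (example code, not from the thread or from Cisco IOS) that parses the thread's own ACL lines and evaluates choices D and F from the first question and the e0 versus serial 1 placement from the second. It assumes the study lists' "permit any any" was meant as the valid "permit ip any any", a constructed dynamic client port of 40000, a constructed LAN3 host 192.168.134.5, and, for the first question, that both directions of the session pass through the interface carrying the ACL.

```python
import ipaddress
PORT_NAMES, EPHEMERAL = {"telnet": 23}, 40000  # service name used in the thread; constructed dynamic client port

def _addr(t, i):
    """Consume one IOS address spec at t[i]: 'any' or 'ADDRESS WILDCARD'."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    mask = ~int(ipaddress.ip_address(t[i + 1])) & 0xFFFFFFFF   # wildcard 1-bits mean "don't care"
    return ipaddress.ip_network(f"{t[i]}/{ipaddress.ip_address(mask)}", strict=False), i + 2

def _port(t, i):
    """Consume an optional 'eq PORT' at t[i]; None means any port."""
    if i < len(t) and t[i] == "eq":
        return int(PORT_NAMES.get(t[i + 1], t[i + 1])), i + 2
    return None, i

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]'; an 'eq' binds to the address it follows."""
    t = line.split()
    src, i = _addr(t, 4)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, _ = _port(t, i)
    return t[2], t[3], src, sport, dst, dport

def evaluate(acl, proto, src_ip, sport, dst_ip, dport):
    """First matching entry wins; the implicit deny at the end applies otherwise."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, sp, dst, dp in acl:
        if p in ("ip", proto) and s in src and d in dst and sp in (None, sport) and dp in (None, dport):
            return action
    return "deny"

def telnet_session_blocked(acl, client, server):
    """First question: the session fails if the request (client -> server:23)
    or the reply (server:23 -> client) is denied by the filter."""
    return "deny" in (evaluate(acl, "tcp", client, EPHEMERAL, server, 23),
                      evaluate(acl, "tcp", server, 23, client, EPHEMERAL))

def router3_verdicts(acl, lan3_host):
    """Second question: (e0 inbound, serial 1 inbound) verdicts for a telnet from LAN3 to
    Router1. e0 sees the request; serial 1 sees only the reply, sourced from 192.168.1.1:23."""
    return (evaluate(acl, "tcp", lan3_host, EPHEMERAL, "192.168.1.1", 23),
            evaluate(acl, "tcp", "192.168.1.1", 23, lan3_host, EPHEMERAL))

# Constructed from the thread; the study lists' 'permit any any' is written in its valid form.
PERMIT_ALL = parse_ace("access-list 101 permit ip any any")
ACL_GIVEN = [parse_ace("access-list 101 deny tcp 5.1.1.10 0.0.0.0 5.1.3.0 0.0.0.255 eq telnet"), PERMIT_ALL]
ACL_RICK = [parse_ace("access-list 101 deny tcp 5.1.1.10 0.0.0.0 eq telnet 5.1.3.0 0.0.0.255")] + ACL_GIVEN
ACL_ROUTER3 = [parse_ace("access-list 101 deny tcp any 192.168.1.1 0.0.0.0 eq 23"), PERMIT_ALL]
```

With the list as given only choice D comes back blocked, and F is blocked only once Rick's source-port line is in front of it; on Router3 the study ACL denies the request entering e0 but matches nothing entering serial 1, which is the placement point Rick makes.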

Richard Burts Sun, 09/23/2007 - 12:40

Riley


I am glad that my responses have been helpful. ACLs and the implications of how to use them are an important (and sometimes not well understood) topic. Thank you for using the rating system to indicate that your questions were resolved (and thanks for the rating). It makes the forum more useful when people can read questions and can know that they will read responses that successfully resolved the questions. I encourage you to continue your participation in the forum.


HTH


Rick
