Access-List - Why is it like this..?


Please refer to the figure http://blog.erealmedia.com/?p=26

This example is taken from the Sybex CCNA Certification Guide, page 491 (5th Edition, Todd Lammle). It is an example of a standard access list, although it could also be implemented using an extended access list.

You want to stop the Accounting users from accessing the Human Resources Server attached to the Lab_B router, but allow all other users access to that LAN.

Answer from the book:

Lab_B#config t
Lab_B(config)#access-list 10 deny 192.168.10.128 0.0.0.31
Lab_B(config)#access-list 10 permit any
Lab_B(config)#interface Ethernet 0
Lab_B(config-if)#ip access-group 10 out

My question is: why do you need to use the IP address 192.168.10.128 in the deny statement when the actual IP address is 192.168.10.129?

Why can't we write Lab_B(config)#access-list 10 deny 192.168.10.129 0.0.0.31? Is it right or wrong from the exam's point of view?

Kevin Dorrell Fri, 10/26/2007 - 01:48

I think it would probably be wrong in the exam. In real life, the router would accept 129, but would record it as access-list 10 deny 192.168.10.128 0.0.0.31 and it would work.

I think it would be best to put 128, then you know it would be correct, and it would show that you know how the wildcard match works.

Kevin Dorrell

Luxembourg

Hi there,

The reason you use the IP address 192.168.10.128 and not 192.168.10.129 is that you are asked to stop Accounting users accessing the HR server attached to Router B.

The accounting users are on the subnet 192.168.10.128/27 (255.255.255.224), and 192.168.10.129 is the default gateway for that subnet. The range of the accounting subnet is:

192.168.10.128 --> subnet number
192.168.10.129 - 192.168.10.158 --> valid host addresses (192.168.10.129 assigned to the router)
192.168.10.159 --> broadcast address

If you only denied the gateway address, then only traffic which originated on the router would be blocked. The traffic from the accounting host machines (192.168.10.130 to 192.168.10.158) would all pass through the ACL to the HR server.

Hope that helps,

Michael

arifmscelectronics Mon, 10/29/2007 - 21:26

Hey, I have visited the site; it's good.

Do you have some more labs on access lists?

The answer given is right, as the whole subnet is denied.

fightermig29 Mon, 10/29/2007 - 22:58

Keeley's answer here is correct compared to other answers.

Whenever you see an address with a CIDR block prefix, always quickly work out the subnet, broadcast, gateway and host range in your head. Write it down and then work the problem. Then you will easily see the solution.

(Btw, I am taking the CCNA on Tue next week.)

keller.oliver Tue, 10/30/2007 - 01:59

With the wildcard mask 0.0.0.31 you tell the router that in the last octet you want 00011111, which means the last 5 bits are ignored by the ACL.

Therefore, an IP of 128 (10000000) is as good as an IP of 129 (10000001). Any IP between 128 and 159 (10011111) would be OK, since only the first three bits will be matched.
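Michael's subnet breakdown and keller.oliver's bit-level explanation can both be checked in code. The following is an added example written for this page; it is not from the thread, the Sybex book or Cisco IOS. The two ACL lines are the book's (typed with the .129 host address, as the question proposes); the function names and the parser are my own, and the parser assumes only the standard numbered ACL syntax seen here (permit/deny, an address with an optional wildcard, host, any). The block goes one step beyond the thread in one place: the last function shows that a wildcard does not have to be contiguous, which is why thinking in bits rather than in subnet masks is the safer habit.

```python
"""Standard (numbered) IOS ACL matching with wildcard masks.

Added example, not from the original thread or the Sybex book. It models
only what the thread discusses: wildcard matching, the address IOS stores,
first-match evaluation, and the implicit deny at the end of every ACL.
"""
import ipaddress
from typing import List, Tuple

MASK32 = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value & MASK32))


def normalize(addr: str, wildcard: str) -> str:
    """Address as IOS stores it: every bit the wildcard ignores is cleared.

    This is why 'deny 192.168.10.129 0.0.0.31' is recorded as
    'deny 192.168.10.128 0.0.0.31' in the running config.
    """
    return _to_str(_to_int(addr) & ~_to_int(wildcard))


def wildcard_match(ip: str, addr: str, wildcard: str) -> bool:
    """True if ip matches addr under wildcard (a 1 bit means 'don't care')."""
    care = ~_to_int(wildcard) & MASK32
    return (_to_int(ip) & care) == (_to_int(addr) & care)


def matched_range(addr: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address an entry covers (contiguous wildcards only)."""
    low = _to_int(addr) & ~_to_int(wildcard) & MASK32
    return _to_str(low), _to_str(low | _to_int(wildcard))


Entry = Tuple[str, str, str]  # (action, address as stored, wildcard)


def parse_standard_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list N permit|deny <addr> [wildcard] | host <addr> | any'.

    Assumption (hypothetical parser, not IOS): no other keywords are handled.
    """
    entries: List[Entry] = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            raise ValueError(f"not a standard ACL line: {line!r}")
        action, rest = tokens[2], tokens[3:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {line!r}")
        if rest[0] == "any":
            addr, wc = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":
            if len(rest) < 2:
                raise ValueError(f"'host' needs an address: {line!r}")
            addr, wc = rest[1], "0.0.0.0"
        else:
            addr = rest[0]
            wc = rest[1] if len(rest) > 1 else "0.0.0.0"  # no wildcard = single host
        entries.append((action, normalize(addr, wc), wc))
    return entries


def evaluate(acl: List[Entry], src_ip: str) -> str:
    """First matching entry wins; no match means the implicit deny applies."""
    for action, addr, wc in acl:
        if wildcard_match(src_ip, addr, wc):
            return action
    return "deny"


def is_even_host(ip: str) -> bool:
    """Non-contiguous wildcard: 0.0.0.254 ignores bits 1-7 of the last octet
    and cares only about bit 0, so this matches every even address in
    192.168.10.0/24. Shown to make the point that the mask is bitwise."""
    return wildcard_match(ip, "192.168.10.0", "0.0.0.254")


# The book's ACL, typed with the .129 host address as the question proposes.
ACL_10_AS_TYPED = [
    "access-list 10 deny 192.168.10.129 0.0.0.31",
    "access-list 10 permit any",
]
ACL_10 = parse_standard_acl(ACL_10_AS_TYPED)


if __name__ == "__main__":
    print("stored form:", ACL_10)  # deny entry shows 192.168.10.128
    print("deny covers:", matched_range("192.168.10.129", "0.0.0.31"))
    for ip in ("192.168.10.130", "192.168.10.159", "192.168.10.160", "192.168.10.127"):
        print(ip, "->", evaluate(ACL_10, ip))
```

Run as a script, the stored form of the first entry is 192.168.10.128, so the lines in the config match what Kevin described: the router accepts .129, records .128, and the ACL blocks .130 through .159 while .127 and .160 are permitted. The `is_even_host` helper is the one piece the thread does not cover; it is worth trying 192.168.10.44 and 192.168.10.45 against it to see that the mask is applied bit by bit, not as a block size.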
