Saturday, January 22, 2011

CCNA 640-802 Study Note ACL Answer

Here is my answer to the question in my previous post.

For the first case, we want to achieve the following by implementing an ACL on the CoreRouter.

  • Only Laptop0 in the IT Department Network is allowed to FTP to the FTPServer in the Server Network.
  • All other traffic from all hosts should be allowed into the Server Network.

This is how I will implement the ACL.

CoreRouter(config)#access-list 101 permit tcp host 10.2.2.7 host 10.1.1.7 eq ftp
CoreRouter(config)#access-list 101 deny tcp any host 10.1.1.7 eq ftp
CoreRouter(config)#access-list 101 permit ip any any
CoreRouter(config)#int fa0/0
CoreRouter(config-if)#ip access-group 101 out

The first line allows Laptop0 to FTP to the FTPServer.  The second line blocks all other hosts from FTPing to the FTPServer.  The third line allows all other traffic from all hosts to pass through.  Remember that there is an implicit deny at the end of every ACL, applied to any packet that matches none of the lines, so the third line is important.  We also need to bind the ACL to an interface and state the direction.  In this case, we bind it to the fa0/0 interface in the outbound direction.

For the second case, we have 2 choices.  The first choice is to create a separate ACL, as shown below, and bind it to the inbound traffic of the s0/0/1 interface.

CoreRouter(config)#access-list 102 deny ip host 10.3.3.6 10.1.1.0 0.0.0.255
CoreRouter(config)#access-list 102 permit ip any any
CoreRouter(config)#int s0/0/1
CoreRouter(config-if)#ip access-group 102 in

The other choice is to modify the first ACL so that it also blocks PC4 in the Sales Department Network from accessing all resources in the Server Network.  Since Packet Tracer does not support line-numbered ACL entries, you will need to remove the permit ip any any statement first, add the additional deny statement, and then add back the permit ip any any statement.  The modified ACL will look like this.

CoreRouter(config)#access-list 101 permit tcp host 10.2.2.7 host 10.1.1.7 eq ftp
CoreRouter(config)#access-list 101 deny tcp any host 10.1.1.7 eq ftp
CoreRouter(config)#access-list 101 deny ip host 10.3.3.6 10.1.1.0 0.0.0.255
CoreRouter(config)#access-list 101 permit ip any any
CoreRouter(config)#int fa0/0
CoreRouter(config-if)#ip access-group 101 out
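To check the top-down, first-match behaviour of ACL 101 (and the implicit deny that the permit ip any any line guards against) without a router, here is a small evaluator I added for this post; it is not part of Packet Tracer or IOS, only a model of how IOS matches a numbered ACL entry.  It parses the exact access-list lines above (the CoreRouter(config)# prompt is stripped), treats host as a 0.0.0.0 wildcard and any as 255.255.255.255, and maps eq ftp to TCP port 21, the FTP control channel.

```python
import ipaddress
PORT_NAMES = {"ftp": 21}  # IOS "eq ftp" matches TCP port 21, the FTP control channel

def _match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'do not care' (host X = X 0.0.0.0, any = 0.0.0.0 255.255.255.255)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def _addr(tokens):
    """Consume one address spec ('host A', 'any', or 'A WILDCARD'); return (base, wildcard, remaining tokens)."""
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    return tokens[0], tokens[1], tokens[2:]

def parse_acl(config_lines):
    """Parse 'access-list N permit|deny tcp|ip SRC DST [eq PORT]' lines (prompt prefix allowed) in order."""
    entries = []
    for line in config_lines:
        t = line.split("#", 1)[-1].split()  # drop a 'CoreRouter(config)#' prompt if present
        if not t or t[0] != "access-list":
            continue
        action, proto, rest = t[2], t[3], t[4:]
        src, swc, rest = _addr(rest)
        dst, dwc, rest = _addr(rest)
        port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        entries.append((action, proto, src, swc, dst, dwc, port))
    return entries

def evaluate(entries, proto, src, dst, dport=None):
    """Walk the ACL top to bottom; the first matching line decides. No match means the implicit deny."""
    for action, p, s, swc, d, dwc, port in entries:
        if p != "ip" and p != proto:          # an 'ip' entry matches every protocol
            continue
        if not (_match(src, s, swc) and _match(dst, d, dwc)):
            continue
        if port is not None and port != dport:  # 'eq PORT' only applies when given
            continue
        return action
    return "deny"  # the implicit deny at the end of every IOS ACL

# The modified ACL 101 from the post, exactly as typed on the CoreRouter.
ACL_101 = parse_acl("""
CoreRouter(config)#access-list 101 permit tcp host 10.2.2.7 host 10.1.1.7 eq ftp
CoreRouter(config)#access-list 101 deny tcp any host 10.1.1.7 eq ftp
CoreRouter(config)#access-list 101 deny ip host 10.3.3.6 10.1.1.0 0.0.0.255
CoreRouter(config)#access-list 101 permit ip any any
""".splitlines())
```

Calling evaluate(ACL_101[:3], "icmp", "10.2.2.7", "10.1.1.7") returns "deny" because without the final permit ip any any line only the implicit deny is left, which is exactly the mistake the post warns about.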

The above is my answer to the question, but you might have solved it differently.  In any case, do perform some simple testing to ensure your solution works.  Do make sure you practise implementing ACLs and become very familiar with them.
