Access list question
| repentantvoter 2004-04-25, 12:39 pm |
New here. Studying for CCNA. Hope one of you fine folks can help with this question.
Given subnet 192.168.1.0/26, write an access list that blocks telnet only for the first half of the subnet, and allows all other traffic.
TIA
| UKBluesky 2004-04-25, 1:13 pm |
quote: Originally posted by repentantvoter
New here. Studying for CCNA. Hope one of you fine folks can help with this question.
Given subnet 192.168.1.0/26, write an access list that blocks telnet only for the first half of the subnet, and allows all other traffic.
TIA
hi
R(config)#access_list 101 deny telnet[Type the source ip and wildcard mask Example: 192.168.1.0 0.0.0.31][type the destination ip and wildcard]eq No.[23]
R(config)#access_list 101 permit any any
apply this access list onto the interface that you want to block the traffic on
ex:
#int s 0
#.. access_group 101 ........
I hope this would be helpful,
Good luck
| forbesl 2004-04-25, 3:20 pm |
quote: Originally posted by UKBluesky
hi
R(config)#access_list 101 deny telnet[Type the source ip and wildcard mask Example: 192.168.1.0 0.0.0.31][type the destination ip and wildcard]eq No.[23]
R(config)#access_list 101 permit any any
You were close, but here's the correction:
access-list 101 deny tcp 192.168.1.0 0.0.0.31 any eq 23
access-list 101 permit ip any any
You had put deny "telnet" instead of deny "tcp".
| repentantvoter 2004-04-25, 5:12 pm |
Thanks a lot, you're a great bunch. I'm not sure I understand the "eq 23" at the end. I think "eq" stands for "equal", right? Shouldn't that be "equal telnet"?
TIA
| popdevil 2004-04-25, 5:40 pm |
EQ means "Match only packets on a given port number"
| repentantvoter 2004-04-25, 6:09 pm |
quote: Originally posted by popdevil
EQ means "Match only packets on a given port number"
OK. Are both "eq 23" and "eq telnet" valid? In other words, must I use the port number, or may I use the port name too?
TIA
| forbesl 2004-04-25, 6:43 pm |
On a real router, you can put either eq 23 or eq telnet. If you put eq 23, the IOS automatically changes the 23 to "telnet". So when you do a "sh access-lists" after inputting "eq 23" it will show up as "eq telnet". The Cisco IOS automatically changes quite a few port numbers to the protocol....21 (ftp), 20 (ftp-data), 123 (ntp), 53 (domain), 25 (smtp), and a few more, but not all.
I don't know if it will work with a sim though; and for a test, I would use the port number instead of the protocol name. It's best to know your port numbers, anyway.
| repentantvoter 2004-04-25, 9:35 pm |
Oh, ok, I got it now.
I don't understand what you mean by "work with a sim". Is a "sim" a kind of device I haven't heard of?? I know of routers and switches.
TIA
| perfectionist 2004-04-26, 2:42 am |
The question asked by repentantvoter:
"
Given subnet 192.168.1.0/26, write an access list that blocks telnet only for the first half of the subnet, and allows all other traffic.
"
The answer given by the forum members:
"
access-list 101 deny tcp 192.168.1.0 0.0.0.31 any eq 23
access-list 101 permit ip any any
"
I think the answer given is incorrect .. Why?? Here's why.....
The key point in the question is "first half of the subnet", not the entire subnet. And the subnet 192.168.1.0/26 has only two valid subnet addresses because 2 to the power of 2 equals 4, and 4 minus 2 is 2. The first valid subnet address is 192.168.1.64 and the second one is 192.168.1.128. So the "first half of the subnet" actually refers to 192.168.1.64.
Finally, the answer would be..
access-list 101 deny tcp 192.168.1.64 0.0.0.63 any eq 23
access-list 101 permit ip any any
I hope you guys get what I mean....
| forbesl 2004-04-26, 6:05 am |
quote: Originally posted by perfectionist
I think the answer given is incorrect .. Why?? Here's why.....
The key point in the question is "first half of the subnet", not the entire subnet. And the subnet 192.168.1.0/26 has only two valid subnet addresses because 2 to the power of 2 equals 4, and 4 minus 2 is 2. The first valid subnet address is 192.168.1.64 and the second one is 192.168.1.128. So the "first half of the subnet" actually refers to 192.168.1.64.
Finally, the answer would be..
access-list 101 deny tcp 192.168.1.64 0.0.0.63 any eq 23
access-list 101 permit ip any any
I hope you guys get what I mean....
Sorry my friend, but 192.168.1.0/26 IS a valid subnet. It is known as "subnet zero". Search for "subnet zero" on cisco.com if you need more info. So the original answer is correct.
The answer you have given is for subnet 192.168.1.64/26, and you have included the whole subnet, not just half of it. The question didn't ask for 192.168.1.64/26. You've answered a completely different question than was asked.
| stnosc 2004-04-26, 7:39 am |
forbesl is correct. The question asked was specifically for 192.168.1.0/26, which covers IP address 192.168.1.1 through 192.168.1.63 (broadcast). The first half of that subnet would be covered by the statement "deny tcp 192.168.1.0 0.0.0.31 any eq 23".
Here's a good link for info on subnet zero.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f18.shtml
| repentantvoter 2004-04-26, 10:00 am |
quote: Originally posted by stnosc
forbesl is correct. The question asked was specifically for 192.168.1.0/26, which covers IP address 192.168.1.1 through 192.168.1.63 (broadcast). The first half of that subnet would be covered by the statement "deny tcp 192.168.1.0 0.0.0.31 any eq 23".
Here's a good link for info on subnet zero.
http://www.cisco.com/en/US/tech/tk6...
80093f18.shtml
(url word-wrapped)
Isn't it true that "192.168.1.0/26" means "192.168.1.0 mask 255.255.255.192", which means IP addresses "192.168.1.0 through 192.168.1.63"?? I don't understand why you left 192.168.1.0 out?!
Could somebody please tell me what's a "sim"??
| forbesl 2004-04-26, 10:21 am |
quote: Originally posted by repentantvoter
I don't understand why you left 192.168.1.0 out?!
Could somebody please tell me what's a "sim"??
192.168.1.0 was left out because that is the network IP address; it can't be used as a host.
A "sim" is a router simulator.
| repentantvoter 2004-04-26, 10:49 am |
quote: Originally posted by forbesl
192.168.1.0 was left out because that is the network IP address; it can't be used as a host.
A "sim" is a router simulator.
Oh, yes, I understand that 192.168.1.0 is the network address, but from what I read in my books, a subnet contains the network address, the broadcast address, and the host addresses in between. I guess what confused me in Mr. stnosc's answer was the asymmetry of "192.168.1.1 through 192.168.1.63". But I think now I understand what he meant.
| perfectionist 2004-04-26, 10:53 pm |
Thanks for the explanation guys!!! Really learned a lot from you guys.... But one more thing that needs to be clarified.
Now, you guys have said that 192.168.1.0 is a valid subnet address... Ok, I agree with you guys.. So, now we have subnet 192.168.1.0, 192.168.1.64, and subnet 192.168.1.128. Is this what it means??
So what does the "first half of the subnet" imply??
"deny tcp 192.168.1.0 0.0.0.31 any eq 23". The given access-list is trying to block all source addresses from the subnet 192.168.1.0/27 from telnetting to any host.. Why subnet 192.168.1.0/27 while the question is subnet 192.168.1.0/26??
Sorry for my ignorance..
| forbesl 2004-04-27, 7:57 am |
quote: Originally posted by perfectionist
"deny tcp 192.168.1.0 0.0.0.31 any eq 23". The given access-list is trying to block all source addresses from the subnet 192.168.1.0/27 from telnetting to any host.. Why subnet 192.168.1.0/27 while the question is subnet 192.168.1.0/26??
You're not blocking a subnet, you're blocking an IP address range. However, if you want to look at it that way:
Take a look at the IP address range in 192.168.1.0/26, then take a look at the IP address range in 192.168.1.0/27, and you will see that it covers the first half of the IP address range in 192.168.1.0/26.
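As an added example, not posted by anyone in this thread, the Python below models how an IOS extended ACL entry is matched: a 0 bit in the wildcard mask means "this address bit must match", a 1 bit means "don't care". It evaluates access-list 101 from the thread against a few constructed packets and shows that the 0.0.0.31 wildcard selects exactly the first 32 addresses of 192.168.1.0/26, i.e. 192.168.1.0/27. The packet tuples and the `ACL_101` table are constructed for this example; "any" is written as 0.0.0.0 255.255.255.255, which is how IOS itself stores it.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under a Cisco-style wildcard (inverse) mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match are the 0 bits of the wildcard
    return (a & care) == (b & care)


def wildcard_to_network(base: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an address/wildcard pair to CIDR (contiguous wildcards only)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:                 # not of the form 2**n - 1, e.g. 0.0.0.31 is fine, 0.0.1.0 is not
        raise ValueError("non-contiguous wildcard mask has no single CIDR equivalent")
    return ipaddress.ip_network(f"{base}/{32 - w.bit_length()}", strict=False)


# access-list 101 as corrected by forbesl:
#   deny tcp 192.168.1.0 0.0.0.31 any eq 23
#   permit ip any any
# Entry layout (constructed for this example):
#   (action, protocol, src, src_wildcard, dst, dst_wildcard, dst_port or None)
ACL_101 = [
    ("deny",   "tcp", "192.168.1.0", "0.0.0.31",        "0.0.0.0", "255.255.255.255", 23),
    ("permit", "ip",  "0.0.0.0",     "255.255.255.255", "0.0.0.0", "255.255.255.255", None),
]


def evaluate(acl, proto: str, src: str, dst: str, dport: int) -> str:
    """Walk the ACL top-down; the first matching entry decides. Implicit deny at the end."""
    for action, eproto, sbase, swc, dbase, dwc, eport in acl:
        if eproto != "ip" and eproto != proto:      # "ip" matches every protocol
            continue
        if not wildcard_match(src, sbase, swc):
            continue
        if not wildcard_match(dst, dbase, dwc):
            continue
        if eport is not None and eport != dport:    # "eq" means exactly this port
            continue
        return action
    return "deny"                                   # implicit "deny ip any any"


def first_half(network: str) -> list:
    """All addresses in the first half of a subnet, network address included."""
    addrs = list(ipaddress.ip_network(network))
    return addrs[: len(addrs) // 2]


def first_half_equals_next_prefix(network: str) -> bool:
    """Check that the first half of /n is exactly the /(n+1) with the same base."""
    net = ipaddress.ip_network(network)
    smaller = ipaddress.ip_network(f"{net.network_address}/{net.prefixlen + 1}")
    return first_half(network) == list(smaller)


if __name__ == "__main__":
    # Constructed sample packets: (protocol, source, destination, destination port)
    packets = [
        ("tcp", "192.168.1.5",  "10.0.0.1", 23),   # telnet from first half  -> deny
        ("tcp", "192.168.1.40", "10.0.0.1", 23),   # telnet from second half -> permit
        ("tcp", "192.168.1.5",  "10.0.0.1", 80),   # http from first half    -> permit
        ("udp", "192.168.1.5",  "10.0.0.1", 23),   # not tcp                 -> permit
    ]
    for pkt in packets:
        print(pkt, "->", evaluate(ACL_101, *pkt))
    print("0.0.0.31 covers", wildcard_to_network("192.168.1.0", "0.0.0.31"))
    print("first half of /26 == /27:", first_half_equals_next_prefix("192.168.1.0/26"))
```

The `first_half` helper deliberately counts the network address 192.168.1.0 as part of the range, matching repentantvoter's reading that a subnet spans network address through broadcast; the ACL does not care whether an address is usable as a host, it only compares bits.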
| perfectionist 2004-04-27, 12:02 pm |
OH! IC!! IC!! THANKS!!
Finally I understand what it means by "first half of the subnet"... It means the first half of the hosts of the given subnet address. I perceived the question wrongly by thinking that it means the first half of the subnets of the given network address.
Thanks forbesl for making the effort to explain, and thanks repentantvoter for asking the question!!