Question on CCNA Exam re ACL 3

[y2k1981]

Hi All,

I've just sat and failed my CCNA for the second time today. First time I got 79% and the second time I got 82%. I got the exact same ACL simulation question both times, but I'm a little unsure on what they're asking, so if somebody could help me out, I'd really appreciate it. Or better still, if anybody's recently sat their CCNA and gotten this question, I'd really appreciate a response.

It's the usual physical setup, three routers connected in a line each with a switch and two workstations from the switch. The question goes something like this:

Configure and apply an access list to block telnet acces to all networks attached to router3. the list should contain no more than 3 lines etc etc etc

Let's assume that the E0 interface on Router 3 is 192.168.3.1 and S0 is 192.168.2.1. Should my access list read something like this:

access-list 101 deny tcp any 192.168.3.0 0.0.0.255 eq 23
access-list 101 deny tcp any 192.168.2.0 0.0.0.255 eq 23
access-list 101 permit ip any

and should it then be applied to the outbound traffic on E0 and S0?

I'd really appreciate any feedback on this as I can't locate a sample question similar to this anywhere. Any sample questions just ask that you prevent telnet access to the router itself.

Again, any feedback would be really appreciated.

Thanks in advance

 

[rburke]

I'm assuming that the question is wanting to block those IP blocks from starting a telnet session, not stopping hte rest of the world for telneting into those IP blocks.

Under that assumption then no the ACL is not correct. You alway want to stop the packets at hte entry point if you know you are going ot drop them so that you save bandwidth and CPU cycles on the interveining routers (in this case only 1). So the ACL should look like this:

access-list 101 deny tcp 192.168.3.0 0.0.0.255 any eq 23
access-list 101 deny tcp 192.168.2.0 0.0.0.255 any eq 23
access-list 101 permit ip any


Then, you should apply it inbound on both E0 and S0. The inbound ACL will scan any packet entering the interfaces and then drop them if they match. If my assumption is correct then that should be the answer.

Burke

 

[y2k1981]

>>I'm assuming that the question is wanting to block those IP blocks from starting a telnet session, not stopping hte rest of the world for telneting into those IP blocks.

that's what I'm trying to establish. I don't understand what it is they want me to do. It would make more sense the way you've said, but the question says prevent telnet access to all the networks attached to router 3.

any ideas?

 

[dinoteo]

Let's assume that the E0 interface on Router 3 is 192.168.3.1 and S0 is 192.168.2.1. Should my access list read something like this:

access-list 101 deny tcp any 192.168.3.0 0.0.0.255 eq 23
access-list 101 deny tcp any 192.168.2.0 0.0.0.255 eq 23
access-list 101 permit ip any

I got this question in my CCNA Exam.. I think i got the answer right.. here's my answer

router(config)#access-list 101 deny tcp any host 192.168.3.0 eq 23
router(config)#access-list 101 deny tcp any host 192.168.2.0 eq 23
router(config)#access-list 101 permit ip any

router(config)#int s0
router(config-if)#ip access-group 101 in
router(config-if)#exit
router(config)#int e0
router(config-if)#ip access-group 101 in

u are supposed to block telnet access to the router..and there are 2 ways to access the router, namely via E0 (from internal networks)and S0 (external networks).. so u need to block inbound traffic going into the router coming from outside.That's about it

 

[geirendre]

Not think you got that right "dinoteo",in :
access-list 101 deny tcp any host 192.168.3.0 eq 23
access-list 101 deny tcp any host 192.168.2.0 eq 23

192.168.2.0 and 192.168.3.0 are subnets, not host-addresses.
So "host 192.168.3.0" is not a valid address.
"192.168.3.0 0.0.0.255" would do better I think.

When it comes to design and placing ACL's, Cisco
stresses some common points:
1. Start with the most spesific criterias at the
top of the ACL-list.
2. Standard ACL's should be placed as close to
the destination as possible.
3. Extended ACL's should be places as close to
the origin as possible.
4. It's best to place an ACL outbound on an interface
rather than inbound.

Hope this helps

 

[dinoteo]

yeah geirendre , u are right on that

if I want to use host, it should be this way,right?

access-list 101 deny tcp any host 192.168.3.1 eq 23
access-list 101 deny tcp any host 192.168.2.1 eq 23

 

[geirendre]

Yes, You deny anyone to telnet to this two hosts, just remember they are on different subnets.

 

[ArtistRhetta]

Y2k1981,
I faired about the same on the CCNA. And our test scores were almost exactly alike. I have been hesitant to taking it over again. I plan on taking it again in the future. So, I do appreciate the refresher course. I am just about to graduate and then I was going to concentrate on the CCNA. Good Luck.

ArtistRhetta A+/Cisco Track

 

[y2k1981]

Hi all,

Sorry, I have been meaning to respond to this thread for ages, but I just never managed to find the time. Thanks to dinoteo for your reply and thanks to geirendre for spotting the little glitch . I hadn't noticed that dinoteo had used host, I was more interested in what addresses to use etc.

I sat my CCNA again last Saturday and sure enough, this was my ACL question for the third time !! However, this time I got it right -- woohoo !! But I don't think you should apply it to the E0 interface. Reason being that it's the third router in the line (ie, the one on the right) so in order to gain access to the network E0 is attached to (from either of the other networks) you'd first have to go through the S0 interface. Anyway, I just applied it to the S0 interface and I'm glad to say that I passed !! However, I was so nervous I managed to mess up the simply OSPF simulation question, so my mark wasn't as high as I'd hoped for ... but hey I'm now a CCNA so cool !!

ArtistRhetta, best of luck with the exam. After I failed it the first time, I dreaded the thought of going back to studying it again and kept putting it off. But once I did, it wasn't as bad. Dont' really have many tips to give you, but the 3 sims you're more than likely to get are configure three routers with RIP, fix up OSPF and an ACL. Obviously, know subnetting very well as I got alot of them in my second exam and because it's just maths, they're easy marks to get. Also, you'll probably get a few questions where you'll have to say what an ACL is doing or where it should be put and in what direction.

Anyway, best of luck with it and thanks again to everybody for your help.

Martin
A+, CCNA !!!!!!!!!!!!

 

[geirendre]

Did you put the ACL inbound on S0 on Router3 ?
How about placing it outbound on Router2 on the interface facing Router3 ?
Not only would it deny the traffic, but it would also save bandwith on the link at the same time.
Presume the topology in the question is like this:

--[sw]--(Router1)---(Router2)---(Router3)--[sw]--

 

[y2k1981]

Ya, that would have been an idea actually. But no, I just applied it inbound to router3's S0 interface. I don't know if it would have made any difference in terms of whether the question was marked right or wrong, because I don't know if they check the startup-config's of all 3 routers or just the one you're suposed to have changed?

Also, if I were to apply it to router 2, I'd also have to create it there, so that'd be two ACL's I'd be creating. But I do see your point.

Thanks ofr your reply

 

[dinoteo]

So far, all of my friends who went through the ccna paper got the same kind of simulation questions.. one ospf, one rip and one access list. For those who haven't took the paper.. here goes my two cents worth of simulations..

For the ospf simulation, it will just tell you that there is no communication between the routers, the affected router will have the wildcard mask and area for one of the networks published wrongly. Do a no router ospf <num> to remove the existing routing protocol and republish the networks.

For the RIP configuration, the question will tell you which router isn't configured while the rest are already configured. just go to that router and configure the routing protocol.Don't go to any other routers and configure the routing protocol or do a show run, show ip route.Keying in unneccessary commands will minus off some marks.

For the access-list question, hmm it's the same as above asking you to block ALL telnet access to the router. What I did was that i block inbound telnet access at S0 And E0, reason being blocking S0 will prevent users from router 1 and router 2 from telnetting to router 3, blocking E0 will prevent users from my network from telnetting to router 3. The word here is to block ALL access, so it would be advisable to block S0 and E0.

Hehe..and remember to copy run start

Hope that helps.

 

[geirendre]

Jepp, probably a good idea to end all sim's with
Copy run start to save your work,
disable to exit priv mode and finaly
exit to totaly exit out off the router.

Can't hurt to do it.
Took the INTRO exam (640-821) 3 week ago,
got 2 sim's, the first was just to configure
a password on the console and VTY-port's,
in the other the task was
to configure the IP-address on interface E0.
Pretty easy? yes it was
Managed to get 984 points, so I left the testsenter
with a big
Now preparing for the second test (640-811), plan is
to take it in late May, early June.

 

[ArtistRhetta]

Congratulations on passing the CCNA!!!! Thanks, for the tips. Right now, I am trying to get through my Algebra classes that is needed for my Associates Degree/IT/Cisco Track but hope to get back to gearing toward passing the CCNA. I have some Routers that I have been practising with a home. All the tips are very appreciated.

ArtistRhetta

 

[dirtyhat]

Hey guys, Thanks for all the great information. I am planning on taking the CCNA on Monday. I have about 4 years exp. in the IT/Security field and am using only the Sybex 640-607 book as a study source (and this site ofcourse). Can anyone tell me if the 640-801 test is looking for commands using RIP v1 or RIP v2.

Thanks

 

[dinoteo]

dirkdiggy ,

640-801 will only test u on configuration of RIP v1 but it will ask u questions like which protocols support vlsm..rip v2 is one of them. Other than that, rip v2 belongs to CCNP.

Dino

 

[dirtyhat]

Thank you.

Can anyone tell me if the 640-801 exam takes points off for not typing out the full command when doing the router sims?

 

[y2k1981]

I don't know for definite, but I can't image they'd do that - after all if the router does it that way, no reason why you shouldn't be able to do it on the SIM

 

[bierhunter]

Hopefully this will help clear up where to put the access list.

With extended access lists, put them closest to the source. With standard access lists, put them closest to the destination.

Example:

Traffice flow -------->

Internet -------S0(router)E0------LAN

Traffic being controlled from coming in from the Internet: An extended access list would go on S0 inbound whereas a Standard access list would go on E0 outbound.

It's a rule of practice stated on Cisco's website, but I haven't looked it up since I took my CCNP exams in the past.

Hope that helps.

BierHunter
CNE, MCSE, CCNP

 

[martin1234321]

If you type only a partial command on the exam sims and it works you wont lose any points. The only problem is most abbreviated commands dont work so your better off trying to always use the full command.