Access Control Lists (How to Fail a Task without Really Trying)
Hello to all our faithful blog readers, I hope this post finds you well and enjoying your studies!
Access list tasks are a common CCIE Lab Exam feature, and I wanted to take a moment to show how easy it can be for a candidate to miss one thing or many things in such a task.
Here is the task topology and the task itself. Following that is the proposed solution by a Mock Student :-)
Can you find the errors in his or her ways?
8.1 Configure a security filter on R3 that will accomplish the following for traffic entering the router from the direction of R2:
- Allow Telnet from R2 (S0/1) to R1 (Lo1)
- Allow BGP traffic through the router
- Allow ICMP ping traffic between R1 (Lo1) and R2 (Lo1)
- Block any traffic sourced from RFC 1918 addresses – log these violations and include Layer 2 address information
The Proposed Solution
access-list 100 permit tcp host 188.8.131.52 eq telnet host 192.168.100.1 eq telnet
access-list 100 permit tcp any any eq bgp
access-list 100 permit icmp host 184.108.40.206 host 192.168.100.1
access-list 100 permit icmp host 192.168.100.1 host 220.127.116.11
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.0.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
ip access-group 100 in
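An added check, not from the original post or its comments: a small Python simulation of IOS wildcard-mask matching that tests the proposed deny lines against the three RFC 1918 blocks, so a candidate can verify a mask's coverage before committing it. The deny entries come from the post, the RFC 1918 blocks from the RFC; the function names are my own.

```python
import ipaddress

# Source-address deny entries copied from the proposed ACL 100 (base, wildcard).
PROPOSED_DENY = [
    ("10.0.0.0", "0.255.255.255"),
    ("172.16.0.0", "0.0.255.255"),
    ("192.168.0.0", "0.0.255.255"),
]

# The three RFC 1918 private blocks, as defined by the RFC itself.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def wildcard_matches(addr, base, wildcard):
    """IOS wildcard-mask test: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (int(ipaddress.ip_address(addr)) & care) == \
           (int(ipaddress.ip_address(base)) & care)


def acl_denies_source(addr, entries=PROPOSED_DENY):
    """True if any deny entry matches the packet's source address."""
    return any(wildcard_matches(addr, base, wc) for base, wc in entries)


def wildcard_for(cidr):
    """Wildcard mask covering exactly the given CIDR block (the inverse of its netmask)."""
    return str(ipaddress.ip_network(cidr).hostmask)


def uncovered_rfc1918(entries=PROPOSED_DENY):
    """RFC 1918 /16 blocks whose addresses no deny entry would match."""
    gaps = []
    for net in RFC1918:
        for sub in net.subnets(new_prefix=16):
            if not acl_denies_source(str(sub.network_address), entries):
                gaps.append(str(sub))
    return gaps


if __name__ == "__main__":
    for gap in uncovered_rfc1918():
        print(f"not matched by any deny entry: {gap}")
    # Wildcards that would cover each RFC 1918 block in full (computed, not copied).
    for net in RFC1918:
        print(f"{net.network_address} {wildcard_for(str(net))}")
```

Run it as written to list the /16 blocks the proposed deny lines leave unmatched; pass a different entry list to `uncovered_rfc1918` to check a revised ACL the same way.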
NOTE: I have posted a solution to this blog in the comments. The solution post date is November 20th, 2008.