19 November 08

Access Control Lists (How to Fail a Task without Really Trying)

Posted by INE

Hello to all our faithful blog readers, I hope this post finds you very well and enjoying your studies!

Access list tasks are a common CCIE Lab Exam feature, and I wanted to take a moment to show how easy it can be for a candidate to miss one thing or many things in such a task.

Here is the task topology and the task itself. Following that we have the proposed solution by a Mock Student :-)

Can you find the errors in his or her ways?

The Topology

The Task

Security

Traffic Filtering

8.1 Configure a security filter on R3 that will accomplish the following for traffic entering the router from the direction of R2:

  • Allow Telnet from R2 (S0/1) to R1 (Lo1)
  • Allow BGP traffic through the router
  • Allow ICMP ping traffic between R1 (Lo1) and R2 (Lo1)
  • Block any traffic sourced from RFC 1918 addresses – log these violations and include Layer 2 address information

4 points

The Proposed Solution

!
access-list 100 permit tcp host 32.0.1.2 eq telnet host 192.168.100.1 eq telnet
access-list 100 permit tcp any any eq bgp
access-list 100 permit icmp host 22.10.1.2 host 192.168.100.1
access-list 100 permit icmp host 192.168.100.1 host 22.10.1.2
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.0.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
!
interface Serial1/2
ip access-group 100 in

NOTE: I have posted a solution to this blog in the comments. The solution post date is November 20th, 2008.
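As an added example (not from the post or from INE), here is a small Python evaluator that applies standard Cisco extended-ACL semantics (first match wins, implicit deny at the end, wildcard masks, optional eq ports) to the proposed solution and then runs the task's required flows through it. It assumes the addresses used in the proposed solution (32.0.1.2 as R2's S0/1, 192.168.100.1 as R1's Lo1, 22.10.1.2 as R2's Lo1) because the topology diagram is not reproduced here; the ephemeral ports and the 172.20.0.1 and 172.16.5.1 sources are constructed test values.

```python
import ipaddress

PORT_NAMES = {"telnet": 23, "bgp": 179}
ACL = """\
access-list 100 permit tcp host 32.0.1.2 eq telnet host 192.168.100.1 eq telnet
access-list 100 permit tcp any any eq bgp
access-list 100 permit icmp host 22.10.1.2 host 192.168.100.1
access-list 100 permit icmp host 192.168.100.1 host 22.10.1.2
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.0.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log""".splitlines()

def _addr(t):
    """Consume 'any' | 'host A' | 'A WILDCARD'; wildcard 1-bits are don't-care."""
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1] + "/32"), t[2:]
    wild = int(ipaddress.ip_address(t[1]))      # contiguous wildcards only
    return ipaddress.ip_network(f"{t[0]}/{32 - wild.bit_length()}", strict=False), t[2:]

def _port(t):
    """Consume an optional 'eq PORT'; None means any port."""
    return (PORT_NAMES.get(t[1]) or int(t[1]), t[2:]) if t and t[0] == "eq" else (None, t)

def parse(line):
    """Parse one numbered extended ACL line into a matching tuple."""
    action, proto, *t = line.split()[2:]         # drop "access-list 100"
    src, t = _addr(t); sport, t = _port(t)
    dst, t = _addr(t); dport, t = _port(t)
    return action, proto, src, sport, dst, dport, (t[0] if t else None)  # log keyword

ENTRIES = [parse(l) for l in ACL]

def evaluate(proto, src, sport, dst, dport):
    """First matching entry decides; an implicit 'deny ip any any' ends every ACL."""
    for action, p, snet, sp, dnet, dp, log in ENTRIES:
        if (p in (proto, "ip") and ipaddress.ip_address(src) in snet
                and ipaddress.ip_address(dst) in dnet
                and sp in (None, sport) and dp in (None, dport)):
            return action, log
    return "deny", None

def check_task():
    """Packets the task requires R3 to handle (ephemeral ports are constructed)."""
    return {
        "telnet R2 -> R1 Lo1": evaluate("tcp", "32.0.1.2", 40001, "192.168.100.1", 23),
        "bgp to port 179": evaluate("tcp", "32.0.1.2", 40002, "192.168.100.1", 179),
        "bgp from port 179": evaluate("tcp", "32.0.1.2", 179, "192.168.100.1", 40003),
        "ping R2 Lo1 -> R1 Lo1": evaluate("icmp", "22.10.1.2", None, "192.168.100.1", None),
        "rfc1918 src 172.20.0.1": evaluate("ip", "172.20.0.1", None, "192.168.100.1", None),
        "rfc1918 src 172.16.5.1": evaluate("ip", "172.16.5.1", None, "192.168.100.1", None),
    }
```

A flow that falls through to the implicit deny comes back with log keyword None, meaning it is dropped without any log entry, and only the log-input keyword records the input interface and source MAC address the task asks for.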
