Standard Access-List


Scenario:

This morning you woke up in a cell feeling dizzy and nauseous; it appears you were kidnapped by a mixture of agents from federal agencies. Your task is to finish this security test; if you pass, you might end up becoming their next security agent... With blurry eyes you start your task!

Goal:

  • All IP addresses have been configured for you, look at the topology picture for the IP addresses.
  • OSPF has been configured for full connectivity.
  • Make sure you use the most specific wildcard for all your access-lists: the wildcard that covers exactly the subnet configured on each interface, nothing more.
  • You are only allowed to use standard access-lists (they filter on source address only).
  • Configure your network so traffic from router CIA’s L0 interface can’t reach any networks on router FBI.
  • Extend the access-list you just created to include router CIA’s L1 and L2 interfaces.
  • Configure your network so traffic from router FBI’s L0 and L1 interfaces is unable to reach any networks on router NSA.
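Added example (not part of the lab or its configuration files): a small Python helper that derives the most specific wildcard for each loopback subnet, renders the two standard access-lists the goals ask for in IOS syntax, and then evaluates candidate sources against them with IOS wildcard semantics (first match wins, implicit deny at the end). The topology picture is not reproduced on this page, so the interface addresses are an assumption taken from the values posted in the comments below (1.1.1.1/25, 11.11.11.11/26 and 111.111.111.111/27 on CIA; 2.2.2.2/23 and 22.22.22.22/30 on FBI); the ACL numbers, the transit source 10.0.0.1 and the functions `check_goals` and `pitfalls_from_thread` are the example's own. The second function checks the wildcards that come up in the comments: a host-only 0.0.0.0, a /24 wildcard on a /23 block, base 22.22.22.0 instead of 22.22.22.20 for the /30, and the non-contiguous 0.0.254.255.

```python
"""Standard ACL wildcard helper and evaluator (added example, not the lab's config)."""
import ipaddress
from typing import Dict, List, Tuple

Entry = Tuple[str, str, str]  # (action, base address, wildcard)


def wildcard_for_prefix(prefix_len: int) -> str:
    """Most specific wildcard for a prefix length: the bitwise inverse of the netmask."""
    netmask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(netmask ^ 0xFFFFFFFF))


def acl_source_for(interface_ip: str) -> Tuple[str, str]:
    """Network address and wildcard that cover exactly the subnet of 'a.b.c.d/len'."""
    net = ipaddress.IPv4Interface(interface_ip).network
    return str(net.network_address), wildcard_for_prefix(net.prefixlen)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS semantics: a 1 bit in the wildcard means 'don't care'. Non-contiguous
    wildcards such as 0.0.254.255 are accepted by IOS and handled the same way."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return a & care == b & care


def build_standard_acl(number: int, denied_interfaces: List[str]) -> str:
    """Render 'access-list N deny <net> <wildcard>' lines plus a final 'permit any'."""
    lines = [f"access-list {number} deny {net} {wc}"
             for net, wc in (acl_source_for(ip) for ip in denied_interfaces)]
    lines.append(f"access-list {number} permit any")
    return "\n".join(lines)


def parse_standard_acl(config: str) -> List[Entry]:
    """Parse numbered standard ACL lines; accepts 'any', 'host X' and an omitted
    wildcard (IOS then assumes 0.0.0.0, i.e. a single host)."""
    entries: List[Entry] = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        action, src = parts[2], parts[3]
        if src == "any":
            entries.append((action, "0.0.0.0", "255.255.255.255"))
        elif src == "host":
            entries.append((action, parts[4], "0.0.0.0"))
        else:
            entries.append((action, src, parts[4] if len(parts) > 4 else "0.0.0.0"))
    return entries


def evaluate(entries: List[Entry], src: str) -> str:
    """Standard ACL lookup: first matching entry wins, implicit deny at the end."""
    for action, base, wc in entries:
        if wildcard_match(src, base, wc):
            return action
    return "deny"


# Interface addresses ASSUMED from the comment thread (the topology picture is not
# reproduced on this page): CIA L0/L1/L2 and FBI L0/L1.
CIA_LOOPBACKS = ["1.1.1.1/25", "11.11.11.11/26", "111.111.111.111/27"]
FBI_LOOPBACKS = ["2.2.2.2/23", "22.22.22.22/30"]

# ACL 1 goes inbound on FBI (goals 5 and 6), ACL 2 inbound on NSA (goal 7).
FBI_INBOUND = build_standard_acl(1, CIA_LOOPBACKS)
NSA_INBOUND = build_standard_acl(2, FBI_LOOPBACKS)


def check_goals() -> Dict[str, str]:
    """Each loopback source against the list that must deny it, plus a constructed
    source from elsewhere that must still be permitted."""
    fbi, nsa = parse_standard_acl(FBI_INBOUND), parse_standard_acl(NSA_INBOUND)
    return {
        "cia_l0_at_fbi": evaluate(fbi, "1.1.1.1"),
        "cia_l2_at_fbi": evaluate(fbi, "111.111.111.111"),
        "cia_l2_last_at_fbi": evaluate(fbi, "111.111.111.127"),  # last host of the /27
        "fbi_l0_at_nsa": evaluate(nsa, "2.2.3.200"),             # upper half of the /23
        "fbi_l1_at_nsa": evaluate(nsa, "22.22.22.22"),
        "other_at_nsa": evaluate(nsa, "10.0.0.1"),               # constructed transit source
    }


def pitfalls_from_thread() -> Dict[str, bool]:
    """Wildcards discussed in the comments, checked with the same matcher."""
    return {
        "host_only_wildcard": wildcard_match("1.1.1.5", "1.1.1.1", "0.0.0.0"),        # one host only
        "slash24_on_slash23": wildcard_match("2.2.3.5", "2.2.2.0", "0.0.0.255"),      # misses 2.2.3.x
        "wrong_base_for_l1": wildcard_match("22.22.22.22", "22.22.22.0", "0.0.0.3"),  # covers .0-.3 only
        "noncontiguous_l0": wildcard_match("2.2.2.2", "2.2.0.0", "0.0.254.255"),      # matches L0...
        "noncontiguous_far": wildcard_match("2.2.100.1", "2.2.0.0", "0.0.254.255"),   # ...and much more
    }


if __name__ == "__main__":
    print(FBI_INBOUND)
    print(NSA_INBOUND)
    for name, result in {**check_goals(), **pitfalls_from_thread()}.items():
        print(f"{name}: {result}")
```

Note what `acl_source_for` returns for the /27: the network address of 111.111.111.111/27 is 111.111.111.96, so an entry written as 111.111.111.0 with wildcard 0.0.0.31 covers 111.111.111.0 through .31 and never matches .111. The OSPF `network` statement uses the same wildcard notation, so the same mistake keeps that loopback out of the routing table. The lists still have to be bound with `ip access-group 1 in` on FBI and `ip access-group 2 in` on NSA, on the interfaces facing the other routers; because a standard list matches on source only, it belongs as close to the destination as possible.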

Topology:

[Topology diagram: routers CIA, FBI and NSA with their interface addresses; not reproduced in this text]

Video Solution:

Configuration Files

You need to register to download the GNS3 topology file. (Registration is free!)

Once you are logged in you will find the configuration files right here.


Written by René Molenaar - CCIE #41726


About the Author: Rene Molenaar

René - CCIE #41726 is the creator of GNS3Vault.com where he shares CCNA, CCNP and CCIE R&S labs. He also blogs about networking on http://networklessons.com

24 Comments

  1. Why do you have 0.0.254.255 for your wildcard mask?
    access-list 2 deny 2.2.0.0 0.0.254.255

    I thought for /23, you would use the following?
    255.255.255.255 – 255.255.254.0 = wildcard mask
    NSA(config)#access-list 5 deny 2.2.2.0 0.0.1.255

    1. I think the best and most effective wildcard mask for 2.2.2.2/23 is:

      NSA(config)#access-list 5 deny 2.2.2.0 0.0.1.255

      IP address – 2.2.2.2/23
      Mask – 255.255.254.0
      Subnet ID – 2.2.2.0
      Broadcast IP – 2.2.3.255

  2. You are totally right! It should be:

    access-list 2 deny 2.2.0.0 0.0.254.255

    Just did it off the top of my head and made a mistake while recording the video (*shame on me*)!

    Rene

  3. I went to do this lab and no configs for IP addresses or OSPF are on the routers. Can you provide the pre-configs so I don’t have to do this?

    1. I just checked the configs, all routers have a startup-config that has IP addresses and OSPF pre-configured.

      Did you check if GNS3 is using the configs or just opening the topology.net file?

  4. Hi Rene,

    For 2.2.2.2/23 the wildcard mask isn’t it 0.0.1.255?
    Great work by the way:)
    Thanks!

  5. Hey everyone,

    Why do you use wildcard mask 0.0.0.127 in router FBI to deny access from int loop0?
    Why don’t you use 0.0.0.0?

    I’m waiting for your answer,
    thank you very much

    1. It is done as the subnet mask, which is specified in the lab.
      If you use 0.0.0.0, it means only one IP address will be allowed.

    2. Which loopback0 interface do you mean? From which router?

      A wildcard is a reverse subnet mask. You take the subnet mask, write it down in binary and change the 0 to 1 and vice versa. Calculate it back into decimal and you have a wildcard.

      1. I built everything from scratch for more practice. I learn better that way 🙂 but thanks a lot for the premade CFGs. Anyway,

        Can anyone kindly explain the wildcard mask situation on all these routers? I thought, like others here, that it would also be 0.0.1.255 for L0 on the FBI router, 2.2.2.2/23?

        1. On the FBI router I applied the ACL inbound like this:

          Standard IP access list DENY_LOOPBACKs_from_CIA
          10 deny 1.1.1.0, wildcard bits 0.0.0.127 log (5 matches)
          20 deny 11.11.11.0, wildcard bits 0.0.0.63 (11 matches)
          30 deny 111.111.111.0, wildcard bits 0.0.0.31
          40 permit any log (55 matches)

          This is the ACL I applied on the NSA router:

          Standard IP access list DENY_LOOPBACKS_FROM_FBI
          10 deny 2.2.2.0, wildcard bits 0.0.0.255 log
          20 deny 22.22.22.20, wildcard bits 0.0.0.3 log (5 matches)
          30 permit any (107 matches)

          I got everything working the way I wanted. However, I know I may not have used the best and most effective wildcard masks.

          What could I have done differently or better next time?

          Thanks so much everyone.

          Go CISCO !!

  6. I am trying repeatedly to advertise loopback 2 of the CIA router and L1 of FBI, but in vain. They are not shown in the routing tables of the other routers; they are not learning the routes 111.111.111.0/27 and 22.22.22.22/30 and I am not sure why. I tried many things, like disabling the interface and configuring it again. I have configured ip ospf point-to-point on every loopback. I am able to ping these 2 loopbacks from the respective routers but not from the other 2 routers.

    Advertised as: network 111.111.111.0 0.0.0.31 area 0

    network 22.22.22.0 0.0.0.3 area 0

  7. Hi Rene,

    These are Awesome labs and really helpful.

    I have a query.

    When you mention ‘traffic from L0 interface can’t reach’, that should mean the single IP has to be blocked, not the whole subnet.

    Correct me if I am wrong.

  8. Hello! Do you have a valid IOS for GNS3? I have a different IOS, and for every lab I need to find an IOS.

  9. I have configured this on the NSA router to block FBI traffic from Lo0 and Lo1:

    Standard IP access list 2
    10 deny 2.2.2.0, wildcard bits 0.0.1.255
    20 deny 22.22.22.0, wildcard bits 0.0.0.3
    30 permit any (22 matches)

    but the ping is successful
