Wednesday, April 19, 2006


Access Lists. (Question #55)

Assume that the network has a collection of Linux and Windows PCs on it. The addressing scheme is such that the Linux PCs have the addresses

and so on through to while the Windows PCs have the addresses

and so on through to

All the PCs connect to the core network via a router on the same subnet.

One day all the Windows PCs get infected by a virus and start sourcing large amounts of network traffic. Your task is to create an access list to be used on the router for the subnet which drops all network traffic from the Windows PCs while allowing traffic from the Linux PCs.

Can you create an ACL with just two access list entries that will match traffic sourced from all the Windows PCs and drop them while allowing all other traffic?

access-list 13 deny
access-list 13 permit any
This comment has been removed by a blog administrator.
I have to admit, this one has been tricky for me. I think I have one that works, that definately narrows it down to the exact subnet, only permitting the odd addresses.


This would include an implicit deny any at the end. So the way I read it is:

deny all even traffic (the could probably be a few different numbers here, as in all reality, we only care about the last bit)

second line would then only permit through the addresses part of the subnet

then all other traffic would be denied.
A cleaner statement would probably be:


Although either one seems to work (Although, I havent yet put this in a lab to verify)
Ryan's suggestion looks good to me. I personally find it easier to just use the "standard" deny even's with (easy for me to always remember this and the "standard" odd)

and then allow what falls though to the /28 network as Ryan has.

One thing I just realized is I believe one could do this in one line:


Since there is an implicit deny, would that in fact work?
so what's the correct solution to the problem?
The answer I had in mind when I framed the question was the following.

access-list 10 permit

will match all the PCs with odd addresses (Linux PCs).

access-list 10 permit

will match all the PCs with even addresses (Windows PCs).

So, to match the Windows PCs traffic in order to deny them one would do something like

access-list 10 deny
access-list 10 permit any

However, I liked Ryan's final attempt at the answer with the single statement that relies on the implict deny at the end

access-list 10 permit

This was basically an attempt on my part to elicit the trick with matching odd or even networks by framing something like a real world problem where that knowledge could have been applied fruitfully.
isn't matching all even numbers between 18 and 30? since 16 is the network number and will be dropped by the router if it's sourced from the inside the subnet therefire it should cover the requirement? does match all the even networks of interest and so it would work but it also matches much more. For instance it would also match I guess with ACLs it's usually best to be as restrictive as possible and only allow what should be allowed and nothing else. That assumption was implicit in the question but your answer would also work for the question as it is currently stated.

It occurs to me after having run into such alternate answers from readers more than once that even on the real Cisco exam people must be coming up with answers that are right but not the "expected" answer. One hopes that the Cisco exam folks take that into account and do give credit where credit is due with such alternate correct answers when there is some ambiguity in the question itself.
Post a Comment

Links to this post:

Create a Link

<< Home

This page is powered by Blogger. Isn't yours?