ACCESS-LIST EXERCISES: NEED HELP REVIEWING FOR THE EXAM
cvo15303
07-12-2004, 02:36 PM
Hi all!
cvo is having trouble with some labs on IP access lists!
I hope everyone can lend a hand!
Many thanks in advance!
1. Given the statements:
interface ethernet 1
ip access-group 25 in
access-list 25 permit host 101.2.3.40
access-list 25 deny 203.45.0.0 0.0.255.255
access-list 25 permit any
What will the result be?
2. Given the statements:
interface ethernet 0
ip access-group 95 in
access-list 95 deny host 101.202.3.4
access-list 95 deny 203.45.6.0 0.0.0.255
access-list 95 permit any
What will the result be?
3. Given the statements:
interface serial 0
ip access-group 164 out
access-list 164 deny tcp 14.3.6.234 0.0.0.0 host 6.5.4.1 eq 23
access-list 164 deny udp any any eq tftp
access-list 164 permit ip any any
What will the result be?
4. Given the statements:
interface token-ring 7
ip access-group 13 in
ip access-group 184 out
access-list 13 permit host 201.3.4.2
access-list 13 deny 203.45.0.0 0.0.255.255
access-list 13 deny 84.7.22.240 0.0.0.7
access-list 13 permit any
access-list 184 permit ip any host 101.202.3.4 log
access-list 184 permit tcp 203.45.6.0 0.0.0.255 any eq www
access-list 184 permit udp any any
What will the result be?
5. Design an IP access list that permits TFTP traffic to TFTP servers that have host addresses ending in even numbers, denies TELNET traffic to TELNET servers that have host addresses ending in odd numbers, permits traffic to other TELNET servers, and denies all other IP traffic. Activate your list inbound on interface E1.
6. Design an extended access list that permits all IP traffic from hosts on network 215.23.45.0/24, denies all IP traffic going to subnet 52.54.0.0/16, permits anyone to open a Telnet session with either 14.63.73.66 and 221.63.62.88 (and logs such packets to the console), and denies all other IP traffic. Invoke your list inbound on the first Token Ring interface on the card in slot 2.
7. Design an access list that permits web traffic from the server at 101.54.32.2 to all hosts on subnet 149.23.8.0/24, permits pings in either direction between the hosts on network 39.0.0.0/8 and subnet 197.2.5.96/27, and denies everything else. Place this access list in force in the outbound direction on the router's E2 port.
8. Design an access list that permits all IP traffic except pings in either direction between subnets 10.20.0.0/16 and 40.50.60.0/24.
cvo15303
07-12-2004, 02:40 PM
Here are some more, everyone!
9. Design an access list that permits bi-directional ICMP traffic between subnets 1.0.96.0/20 and 2.0.1.64/27, permits bi-directional IP traffic between the hosts on subnets 131.5.0.0/16 through 131.8.0.0/16 and the hosts on network 239.5.6.0/24, and denies all other IP traffic except IGRP, which must be permitted everywhere
10. Given the statements:
interface ethernet 1
ip access-group 60 in
ip access-group 161 in
access-list 60 deny host 1.3.5.7 0.0.0.0
access-list 60 deny 10.0.0.0 0.0.0.0
access-list 60 deny 54.78.43.2 255.255.255.255
access-list 60 deny ip host 101.2.5.7 eq telnet
access-list 161 permit ip 205.6.23.6 34.67.22.3
access-list 161 permit ipx a0b1c2 -1
access-list 161 deny telnet
access-list 161 permit ip host 225.0.0.5 any
access-list 161 deny ip any any
How many errors can you find?
11. Given the statements:
interface token-ring 7
ip access-group 13 in
ip access-group 184 out
access-list 13 permit host 201.3.4.2
access-list 13 deny 203.45.0.0 0.0.255.255
access-list 13 deny 84.7.22.240 0.0.0.7
access-list 13 permit any
access-list 184 permit ip any host 101.202.3.4 log
access-list 184 permit tcp 203.45.6.0 0.0.0.255 any eq www
access-list 184 permit udp any any
What will the result be?
I appreciate your help
cvo15303
07-12-2004, 02:47 PM
There are so many, seniors! Please help cvo!
Sob... sob
1. Which two of the following could be used to permit or deny one computer?
A. 1.1.1.1
B. 0.0.0.0
C. Any
D. Host
2. In a wildcard mask, a bit value of zero means that the bit must be _____________, while a bit
value of one means that the bit must be ___________.
3. In a subnet mask, a bit value of zero means that the
one means that the bit must be _____________.
4. Why should each Access Control List (ACL) have to have at least one permit statement in it?
5. After you have successfully entered the command below*, will a host with an IP address of
172.16.10.25 be allowed, denied, or neither?
RouterA(config)#access-list 10 deny 172.16.10.0 0.0.0.255
Answer:____________
6. Finish the command below such that it allows IP Addresses 112.85.96-99.0-255
Answer: RouterA(config)#access-list 86 deny 133.9.16.0 ______________
Finish the command below such that it denies IP Addresses 133.8-15.0-31.0-255
Answer: RouterA(config)#access-list 86 deny 133.9.16.0 ______________
7. Given the IP Address 192.168.123.0, what wildcard mask would you use to refer to the following
hosts?
Answer: ____.____.____.____
192.168.123.0 192.168.123.2 192.168.123.16 192.168.123.18 192.168.123.64
192.168.123.66 192.168.123.80 192.168.123.82 192.168.123.128 192.168.123.130
192.168.123.144 192.168.123.146 192.168.123.192 192.168.123.194 192.168.123.208
192.168.123.210
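An added example, not part of the original post: quiz question 7 asks for a single wildcard mask covering a list of hosts. The sketch below derives the pair from the listed addresses by marking every bit position that varies as "ignore", then checks that the pair matches nothing beyond the list. The function name `wildcard_for` is an assumption made for this illustration.

```python
import ipaddress

def wildcard_for(hosts):
    """Derive one (address, wildcard) pair covering every host in the list.

    Returns (base, wildcard, exact). 'exact' is True only when the pair
    matches the listed hosts and nothing else, which is what makes a single
    ACL line safe to use without over-permitting or over-denying.
    """
    nums = [int(ipaddress.IPv4Address(h)) for h in hosts]
    base = nums[0]
    wild = 0
    for n in nums:
        base &= n                 # bits set in every host stay in the base
        wild |= n ^ nums[0]       # any bit that differs becomes a wildcard 1
    # A wildcard with k one-bits matches exactly 2**k addresses.
    exact = len(set(nums)) == 2 ** bin(wild).count("1")
    return (str(ipaddress.IPv4Address(base)),
            str(ipaddress.IPv4Address(wild)),
            exact)

# The host list from quiz question 7 (last octets only, same /24 prefix).
Q7_LAST_OCTETS = [0, 2, 16, 18, 64, 66, 80, 82,
                  128, 130, 144, 146, 192, 194, 208, 210]
Q7_HOSTS = ["192.168.123.%d" % o for o in Q7_LAST_OCTETS]

if __name__ == "__main__":
    print(wildcard_for(Q7_HOSTS))
    # Constructed counter-example: two hosts that differ in two bit
    # positions, so one line would also match two unlisted addresses.
    print(wildcard_for(["10.0.0.1", "10.0.0.2"]))
```

The wildcard for question 7 is not a contiguous run of ones, which is allowed in a wildcard mask but not in a subnet mask.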
trung tam kn
07-12-2004, 03:16 PM
1. Given the statements:
interface ethernet 1
ip access-group 25 in
access-list 25 permit host 101.2.3.40
access-list 25 deny 203.45.0.0 0.0.255.255
access-list 25 permit any
What will the result be?
Answer:
This access list permits traffic from the host with IP 101.2.3.40 to enter the router's E1 port. Traffic from network 203.45.0.0 is blocked. All remaining addresses are permitted.
trung tam kn
07-12-2004, 03:19 PM
2. Given the statements:
interface ethernet 0
ip access-group 95 in
access-list 95 deny host 101.202.3.4
access-list 95 deny 203.45.6.0 0.0.0.255
access-list 95 permit any
What will the result be?
Answer:
Traffic from the host with IP 101.202.3.4 and from all hosts on network 203.45.6.0 will be denied. All remaining traffic is permitted to enter the router's E0 port.
trung tam kn
07-12-2004, 03:21 PM
3. Given the statements:
interface serial 0
ip access-group 164 out
access-list 164 deny tcp 14.3.6.234 0.0.0.0 host 6.5.4.1 eq 23
access-list 164 deny udp any any eq tftp
access-list 164 permit ip any any
What will the result be?
Answer:
All telnet traffic from host 14.3.6.234 to host 6.5.4.1 will be denied. All TFTP traffic will be denied.
All remaining traffic is permitted.
doc_co_cau_bai
09-12-2004, 09:19 AM
4. Given the statements:
interface token-ring 7
ip access-group 13 in
ip access-group 184 out
access-list 13 permit host 201.3.4.2
access-list 13 deny 203.45.0.0 0.0.255.255
access-list 13 deny 84.7.22.240 0.0.0.7
access-list 13 permit any
access-list 184 permit ip any host 101.202.3.4 log
access-list 184 permit tcp 203.45.6.0 0.0.0.255 any eq www
access-list 184 permit udp any any
What will the result be?
Answer:
All traffic from host 201.3.4.2 entering the router's Token Ring port will be permitted. All traffic from network 203.45.0.0 and network 84.7.22.240 will be denied when entering the Token Ring port. The remaining traffic is permitted.
IP traffic to host 101.202.3.4 will be permitted out. Web traffic originating from network 203.45.6.0 and UDP traffic will be permitted out on this port. All remaining traffic will be denied.
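An added example, not part of any post in this thread: a small evaluator for standard (source-only) ACL lines that applies the wildcard test, first-match ordering and the implicit deny, run over access-list 13 from question 4. The function names are assumptions made for this illustration, and `covered_range` is only meaningful for contiguous wildcards.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_standard_acl(lines):
    """Turn 'access-list N permit|deny <source>' lines into (action, addr, wildcard)."""
    rules = []
    for line in lines:
        tok = line.split()
        action, src = tok[2], tok[3:]
        if src[0] == "any":
            addr, wild = 0, 0xFFFFFFFF          # every bit ignored
        elif src[0] == "host":
            addr, wild = ip(src[1]), 0          # every bit must match
        else:
            addr = ip(src[0])
            wild = ip(src[1]) if len(src) > 1 else 0
        rules.append((action, addr, wild))
    return rules

def evaluate(rules, source):
    """Return (action, matching line number); the first matching line wins."""
    s = ip(source)
    for n, (action, addr, wild) in enumerate(rules, 1):
        # Wildcard bit 0 = compare this bit, wildcard bit 1 = ignore it.
        if ((s ^ addr) & ~wild & 0xFFFFFFFF) == 0:
            return action, n
    return "deny", None                         # implicit deny at the end

def covered_range(addr, wild):
    """First and last address matched by a contiguous wildcard."""
    a, w = ip(addr), ip(wild)
    return (str(ipaddress.IPv4Address(a & ~w & 0xFFFFFFFF)),
            str(ipaddress.IPv4Address(a | w)))

# access-list 13 exactly as given in question 4.
ACL_13 = [
    "access-list 13 permit host 201.3.4.2",
    "access-list 13 deny 203.45.0.0 0.0.255.255",
    "access-list 13 deny 84.7.22.240 0.0.0.7",
    "access-list 13 permit any",
]

if __name__ == "__main__":
    rules = parse_standard_acl(ACL_13)
    # Constructed sample sources, chosen around the edges of each line.
    for src in ["201.3.4.2", "203.45.6.9", "84.7.22.247", "84.7.22.248"]:
        print(src, evaluate(rules, src))
    print(covered_range("84.7.22.240", "0.0.0.7"))
```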
doc_co_cau_bai
09-12-2004, 09:35 AM
5. Design an IP access list that permits TFTP traffic to TFTP servers that have host addresses ending in even numbers, denies TELNET traffic to TELNET servers that have host addresses ending in odd numbers, permits traffic to other TELNET servers, and denies all other IP traffic. Activate your list inbound on interface E1.
Answer:
Access-list 101 permit udp any 0.0.0.0 255.255.255.254 eq 69
Access-list 101 deny tcp any 0.0.0.1 255.255.255.254 eq 23
Access-list 101 permit tcp any any eq 23
Interface E1
ip access-group 101 in
doc_co_cau_bai
09-12-2004, 09:35 AM
7. Design an access list that permits web traffic from the server at 101.54.32.2 to all hosts on subnet 149.23.8.0/24, permits pings in either direction between the hosts on network 39.0.0.0/8 and subnet 197.2.5.96/27, and denies everything else. Place this access list in force in the outbound direction on the router's E2 port.
Answer:
access-list 101 permit tcp host 101.54.32.2 149.23.8.0 0.0.0.255 eq http
access-list 101 permit ip 39.0.0.0 0.255.255.255 197.2.5.96 0.0.0.31 eq icmp
access-list 101 permit ip 197.2.5.96 0.0.0.31 39.0.0.0 0.255.255.255 eq icmp
int e2
ip access-group 101 out
8. Design an access list that permits all IP traffic except pings in either direction between subnets 10.20.0.0/16 and 40.50.60.0/24.
Answer:
access-list 101 deny ip 10.20.0.0 0.0.255.255 40.50.60.0 0.0.0.255 eq icmp
access-list 101 deny ip 40.50.60.0 0.0.0.255 10.20.0.0 0.0.255.255 eq icmp
access-list 101 permit ip any any
As for question 6, "permits anyone to open a Telnet session with either 14.63.73.66 and 221.63.62.88 (and logs such packets to the console), and denies all other IP traffic", I don't understand it. Please check the question again.
10.Given the statements:
interface ethernet 1
ip access-group 60 in
ip access-group 161 in
access-list 60 deny host 1.3.5.7 0.0.0.0
access-list 60 deny 10.0.0.0 0.0.0.0
access-list 60 deny 54.78.43.2 255.255.255.255
access-list 60 deny ip host 101.2.5.7 eq telnet
access-list 161 permit ip 205.6.23.6 34.67.22.3
access-list 161 permit ipx a0b1c2 -1
access-list 161 deny telnet
access-list 161 permit ip host 225.0.0.5 any
access-list 161 deny ip any any
How many errors can you find?
Answer:
Error 1: An interface can have at most 2 ACLs, one in each of the two opposite directions; here both ACLs are in the in direction -> wrong
Error 2: access-list 60 deny host 1.3.5.7 0.0.0.0. There should be no 0.0.0.0
Error 3: access-list 60 deny 10.0.0.0 0.0.0.0. Should be 10.0.0.0 0.255.255.255
Error 4: access-list 60 deny 54.78.43.2 255.255.255.255. Should be: 54.78.43.2 0.0.0.0
Error 4: access-list 60 deny ip host 101.2.5.7 eq telnet. Syntax error
Error 5: access-list 161 permit ip 205.6.23.6 34.67.22.3. Should be: access-list 161 permit ip host 205.6.23.6 host 34.67.22.3
Error 6: access-list 161 deny telnet. Syntax error
Error 7: access-list 161 permit ip host 225.0.0.5 any. 255.0.0.5 is a multicast address.
Everyone is invited to join the netpro forum at www.netpro.com.vn/forum
1. Which two of the following could be used to permit or deny one computer?
A. 1.1.1.1
B. 0.0.0.0
C. Any
D. Host
ANS: B, D
2. In a wildcard mask, a bit value of zero means that the bit must be _____________, while a bit
value of one means that the bit must be ___________.
ANS: Match, not match
3. In a subnet mask, a bit value of zero means that the one means that the bit must be _____________.
ANS: I don't understand
4. Why should each Access Control List (ACL) have to have at least one permit statement in it?
ANS: because it is implicitly denied by default
5. After you have successfully entered the command below*, will a host with an IP address of
172.16.10.25 be allowed, denied, or neither?
RouterA(config)#access-list 10 deny 172.16.10.0 0.0.0.255
Answer: deny
6. Finish the command below such that it allows IP Addresses 112.85.96-99.0-255
Answer: RouterA(config)#access-list 86 deny 133.9.16.0 ______________ (I don't understand the question)
Finish the command below such that it denies IP Addresses 133.8-15.0-31.0-255
Answer: RouterA(config)#access-list 86 deny 133.9.16.0 ______________ (I don't understand this one either)
cvo15303
09-12-2004, 02:42 PM
6. Finish the command below such that it allows IP Addresses 112.85.96-99.0-255
Answer: RouterA(config)#access-list 86 deny 133.9.16.0 ______________ (I don't understand the question)
Finish the command below such that it denies IP Addresses 133.8-15.0-31.0-255
Answer: RouterA(config)#access-list 86 deny 133.9.16.0 ______________ (I don't understand this one either)
Hi at3g!
I wonder whether this question is asking us to fill in the wildcard mask that represents a group of subnetworks from 112.85.96.0 - 112.85.99.255, and
133.8.0.0 - 133.15.31.255?
I appreciate your help
Regards
Hi cvo15303
Honestly, I don't understand what the question means either.
The more I read it, the more confusing it gets: it says the ACL allows network 112... but below it is 113... I give up, or maybe you copied the question down wrong.
Perhaps it also has to be based on the topology. The question may include the network addresses as well, and the ACL has to be determined from those.