Answers to the Chapter 7 Q&A Section
1
Configure a numbered IP access list that would stop packets from subnet 134.141.7.0,
255.255.255.0, from exiting serial 0 on some router. Allow all other packets.
access-list 4 deny 134.141.7.0 0.0.0.255
access-list 4 permit any
interface serial 0
ip access-group 4 out
The first access list statement denies packets from that subnet. The second statement is
needed because the default action is to deny packets that are not explicitly matched by an
access list statement.
2
Configure an IP access list that allows only packets from subnet 193.7.6.0, 255.255.255.0,
going to hosts in network 128.1.0.0 and using a Web server in 128.1.0.0, to enter serial 0
on some router.
access-list 105 permit tcp 193.7.6.0 0.0.0.255 128.1.0.0 0.0.255.255 eq www
!
interface serial 0
ip access-group 105 in
A "deny all" is implied at the end of the list.
3
How would a user who does not have the enable password find out what access lists have
been configured and where they are enabled?
The show access-list command lists all access lists. The show ip interfaces and show ipx
interfaces commands identify interfaces on which the access lists are enabled.
4
Configure and enable an IP access list that would stop packets from subnet 10.3.4.0/24
from getting out serial interface S0 and that would stop packets from 134.141.5.4 from
entering S0. Permit all other traffic.
access-list 1 deny 10.3.4.0 0.0.0.255
access-list 1 permit any
access-list 2 deny 134.141.5.4
access-list 2 permit any
interface serial 0
ip access-group 1 out
ip access-group 2 in
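The first-match and implicit-deny behavior behind answers 1 and 4, as an added Python example that is not from the original book: it evaluates the standard access lists above against source addresses constructed for illustration. The helper names (ip_int, wildcard_match, parse_standard, evaluate) are assumptions of this example, and it handles standard (source-only) lists, not extended lists such as 105.

```python
import ipaddress

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are ignored."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(base) & care)

def parse_standard(line):
    """Parse 'access-list N permit|deny SOURCE [WILDCARD]' (standard lists only)."""
    tok = line.split()
    number, action, src = int(tok[1]), tok[2], tok[3]
    if src == "any":
        return number, action, "0.0.0.0", "255.255.255.255"
    # A source with no wildcard is a single host (wildcard 0.0.0.0).
    return number, action, src, (tok[4] if len(tok) > 4 else "0.0.0.0")

def evaluate(config, number, src_ip):
    """Return the action of the first matching statement in list `number`."""
    for line in config.strip().splitlines():
        n, action, base, wc = parse_standard(line)
        if n == number and wildcard_match(src_ip, base, wc):
            return action
    return "deny"  # implicit deny: no statement matched

# Access lists copied from answers 1 and 4 on this page.
ANSWER_1 = """
access-list 4 deny 134.141.7.0 0.0.0.255
access-list 4 permit any
"""
ANSWER_4 = """
access-list 1 deny 10.3.4.0 0.0.0.255
access-list 1 permit any
access-list 2 deny 134.141.5.4
access-list 2 permit any
"""
# Answer 1 without its second statement (constructed to show the implicit deny).
ANSWER_1_NO_PERMIT = "access-list 4 deny 134.141.7.0 0.0.0.255"

if __name__ == "__main__":
    # Source addresses below are constructed test values.
    for cfg, num, src in [(ANSWER_1, 4, "134.141.7.20"), (ANSWER_1, 4, "134.141.8.20"),
                          (ANSWER_1_NO_PERMIT, 4, "134.141.8.20"),
                          (ANSWER_4, 2, "134.141.5.4"), (ANSWER_4, 2, "134.141.5.5")]:
        print(f"list {num}  source {src:<14} -> {evaluate(cfg, num, src)}")
```

The third case shows why the permit any statement matters: with only the deny statement, traffic from every other subnet is dropped as well.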
apA.fm Page 757 Monday, March 20, 2000 5:24 PM