You have just been given a shiny, new router to configure. As part of the configuration, you are asked to configure an outbound access list which will only permit traffic through to specific destinations. Here are the requirements that you are given for your access-list:
Match (and permit) the following destinations using an access-list. Your access list should use the fewest number of lines, and should not overlap any other address space.
Anything within the 10.0.0.0/8 address space.
Anything within the 172.16.0.0/12 address space.
Anything within the 192.168.0.0/16 address space.
Anything within the 169.254.0.0/16 address space.
Be warned, it is estimated that a very high percentage of readers will NOT have the correct answer.
access-list 199 permit ip any object-group TEST
What just happened here? Can you really match those in a single line? The answer deals with object groups, which allow grouping of other items. The object group still needs to be configured, but the question just asked for a short access list.
You can enter in either /x notation for mask, or with subnet mask information, as shown in the following examples:
object-group network TEST 10.0.0.0 /8 172.16.0.0 /12 192.168.0.0 /16 169.254.0.0 /16
The router will convert syntax, and the following will be what remains in your config for the group:
object-group network TEST 10.0.0.0 255.0.0.0 172.16.0.0 255.240.0.0 192.168.0.0 255.255.0.0 169.254.0.0 255.255.0.0
You can also nest object groups. You could configure the individual groups as follows:
object-group network A 10.0.0.0 /8 object-group network B 172.16.0.0 /12 object-group network C 192.168.0.0 /16 object-group network RFC1918 group-object A group-object B group-object C object-group network APIPA 169.254.0.0 /16 object-group network TEST group-object RFC1918 group-object APIPA
Here, we took a brief look at network object groups. Object groups on the router also have a “service” option, which can be used to group protocols and ports. For those of you with a background configuring PIX / ASA, you may already be very familiar with configuring object groups. For the rest of you, it may be something that you want to practice before your next scheduled lab date.
For more reading:
Cisco – Object Groups for ACLs
Object groups were added in 12.4(20)T.
7 Responses to “Access List Challenge”
Leave a Reply