    Access List Challenge
    23 September 09


Posted by INE

You have just been given a shiny new router to configure. As part of the configuration, you are asked to build an outbound access list that permits traffic only to specific destinations. Here are the requirements you are given for the access list:

Match (and permit) the following destinations using an access list. Your access list should use the fewest possible lines, and it must not overlap any other address space (that is, it must not permit anything outside the four blocks below).

    Anything within the 10.0.0.0/8 address space.
    Anything within the 172.16.0.0/12 address space.
    Anything within the 192.168.0.0/16 address space.
    Anything within the 169.254.0.0/16 address space.

    Be warned, it is estimated that a very high percentage of readers will NOT have the correct answer.

    access-list 199 permit ip any object-group TEST

What just happened here? Can you really match all four of those in a single line? The answer lies in object groups, which let you collect several addresses (or services) under one name and reference that name from an ACL entry. The object group still has to be configured, but the question only asked for a short access list.

Each entry in a network object group can be typed with either a /x prefix length or a dotted subnet mask. Entered with prefix lengths, the group looks like this:

    object-group network TEST
    10.0.0.0 /8
    172.16.0.0 /12
    192.168.0.0 /16
    169.254.0.0 /16

The router normalises the syntax, so what remains in the running configuration is the group with dotted masks:

    object-group network TEST
    10.0.0.0 255.0.0.0
    172.16.0.0 255.240.0.0
    192.168.0.0 255.255.0.0
    169.254.0.0 255.255.0.0

You can also nest object groups: a group-object line inside one group pulls in the contents of another. You could configure the individual groups as follows:

    object-group network A
    10.0.0.0 /8
    object-group network B
    172.16.0.0 /12
    object-group network C
    192.168.0.0 /16

    object-group network RFC1918
    group-object A
    group-object B
    group-object C

    object-group network APIPA
    169.254.0.0 /16

    object-group network TEST
    group-object RFC1918
    group-object APIPA
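The following is an added example, not code from the original post: an offline checker for the groups above, written in Python 3.8+ with the standard library only. It parses object-group network blocks in either mask notation, re-emits them the way the router stores them (prefix lengths rewritten as dotted masks), flattens nested group-object references, and then audits the flattened result against the challenge's two rules: does the group permit exactly the four required blocks, and is the number of entries already the fewest possible. The NESTED_CONFIG string is the nested configuration from the post; the SLOPPY group and its two mistakes (a redundant entry, and 255.255.0.0 typed where 255.240.0.0 was meant) are constructed for illustration.

```python
# Added example (not from the post): parse IOS 'object-group network' config, re-emit it
# as the router stores it, flatten nesting, and audit coverage against the challenge.
import ipaddress
import re

REQUIRED = [ipaddress.ip_network(p) for p in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed sample 1: the nested groups from the post, as typed (prefix notation).
NESTED_CONFIG = """\
object-group network A
 10.0.0.0 /8
object-group network B
 172.16.0.0 /12
object-group network C
 192.168.0.0 /16
object-group network RFC1918
 group-object A
 group-object B
 group-object C
object-group network APIPA
 169.254.0.0 /16
object-group network TEST
 group-object RFC1918
 group-object APIPA
"""

# Constructed sample 2 (hypothetical group): a redundant entry and a mask one nibble too long.
SLOPPY_CONFIG = """\
object-group network SLOPPY
 10.0.0.0 255.0.0.0
 10.1.0.0 255.255.0.0
 172.16.0.0 255.255.0.0
 192.168.0.0 255.255.0.0
 169.254.0.0 255.255.0.0
"""

def parse_object_groups(text):
    """Return {name: [("net", IPv4Network) | ("group", name), ...]}.  Accepts 'A.B.C.D /n',
    'A.B.C.D M.M.M.M' and group-object lines; anything else (host, range, description)
    raises rather than being silently skipped."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.fullmatch(r"object-group network (\S+)", line):
            current = groups.setdefault(m[1], [])
        elif current is None:
            raise ValueError(f"entry outside any object-group: {line!r}")
        elif m := re.fullmatch(r"group-object (\S+)", line):
            current.append(("group", m[1]))
        elif m := re.fullmatch(r"(\S+) /?(\S+)", line):
            # ipaddress takes '/12' and '/255.240.0.0' alike; strict=True rejects an
            # entry whose host bits are set, which is almost always a typo.
            current.append(("net", ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=True)))
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return groups

def render(groups, name):
    """Re-emit one group as 'show running-config' stores it: dotted masks, nesting kept."""
    lines = [f"object-group network {name}"]
    for kind, value in groups[name]:
        lines.append(f" group-object {value}" if kind == "group"
                     else f" {value.network_address} {value.netmask}")
    return lines

def resolve(groups, name, _seen=frozenset()):
    """Flatten nested group-object references; raise on an undefined group or a cycle."""
    if name in _seen or name not in groups:
        raise ValueError(f"undefined or cyclic object-group {name}")
    nets = []
    for kind, value in groups[name]:
        nets.extend(resolve(groups, value, _seen | {name}) if kind == "group" else [value])
    return nets

def difference(cover, remove):
    """Address space in 'cover' that is not in 'remove' (both lists of networks)."""
    result = list(ipaddress.collapse_addresses(cover))
    for r in ipaddress.collapse_addresses(remove):
        kept = []
        for n in result:
            if n.subnet_of(r):        # n is entirely removed (includes n == r)
                continue
            kept.extend(n.address_exclude(r) if r.subnet_of(n) else [n])
        result = kept
    return list(ipaddress.collapse_addresses(result))

def audit(nets, required=REQUIRED):
    """Return (minimal, extra, missing): the fewest prefixes covering exactly what 'nets'
    covers (shorter than 'nets' means a redundant or mergeable entry), space permitted
    but not required, and space required but not permitted."""
    minimal = list(ipaddress.collapse_addresses(nets))
    return minimal, difference(nets, required), difference(required, nets)

if __name__ == "__main__":
    for name, cfg in (("TEST", NESTED_CONFIG), ("SLOPPY", SLOPPY_CONFIG)):
        print(name, *audit(resolve(parse_object_groups(cfg), name)))
```

For TEST the audit reports four entries needed, nothing extra and nothing missing: the four required blocks are not supernet siblings, so ipaddress.collapse_addresses cannot merge any of them, and four entries is the floor. Any answer with fewer lines therefore has to summarise across the gaps and permit address space outside the requirement. For SLOPPY the audit shows five entries where four would do (10.1.0.0/16 sits inside 10.0.0.0/8) and 15 of the 16 /16s in 172.16.0.0/12 missing, which is exactly the kind of mask slip the challenge is designed to catch.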

Here, we took a brief look at network object groups. Object groups on the router also come in a service type (object-group service), which groups protocols and ports, and in either form they can be referenced only from extended access lists, not standard ones. If you have a background configuring the PIX / ASA, you may already be very familiar with object groups. For the rest of you, it may be something you want to practise before your next scheduled lab date.

    For more reading:
    Cisco - Object Groups for ACLs

Object groups for ACLs were added to Cisco IOS in 12.4(20)T.


    © 2022 INE. All Rights Reserved. All logos, trademarks and registered trademarks are the property of their respective owners.