Acess List

Curious, how big of a part does this play in the CCNA exam? Having trouble getting some of the standard list down, i can do blocking a single host from getting through the route, but playing with wildcards to block a whole subnet is getting me.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

mikej412

Looking at the CCNA exam blueprint....

The Exam Description mentions "Managing IP traffic with Access Lists"

And then in the various categories under Exam Topics access lists are mentioned 3 times
-- Develop an access list to meet user specifications
-- Implement access lists
-- Troubleshoot an access list

And then there is also "Evaluate rules for packet control" which might relate to access lists.

Based on the exam blueprint, you'd probably want to know about access lists.

Humper

What are you confused about? I am sure we can help you

wizarddeath

Thanks Modem, heres what im trying to play with.

access-list 10 deny 172.16.50.2 0.0.0.0

I apply it to the interface, now it sucessfully blocks my host the 172.16.50.2 from pinging the network of the interface I apply it to. Im trying to modify it to be
access-list 10 deny 172.16.50.0 0.0.0.255

and block the entire network of 172.16.50.x from pinging the the network of the interface I apply it to. BUT from the router that I assisgned 172.16.50.1(router interface of the 172.16.50.x network) to, I can still ping 172.16.20.1(the router port I assigned the access list to).
Do I need to use an extended access list to do this?
Make sense?

therainesman

wizarddeath wrote:

and block the entire network of 172.16.50.x from pinging the the network of the interface I apply it to. BUT from the router that I assisgned 172.16.50.1(router interface of the 172.16.50.x network) to, I can still ping 172.16.20.1(the router port I assigned the access list to).
Do I need to use an extended access list to do this?
Make sense?

Try doing an extended ping. If you ping sole from the router it will use what ever ip address it wants (usually the closest to the destination). For example, say E 0/1 ip address is 172.16.50.1 iand E 0/2 is 172.16.20.1 and you are trying to ping 172.16.20.5. The standare ping 172.16.20.5 will work(because it would appear to orginate at E 0/2) but an extended ping orginating from E 0/1 to 172.16.20.5 should be stopped.

Then again, standard ACL should be applied to the closest interface to the origin -- meaning it should be applied to the 172.16.20.1 interface of the router.

Take my advice for what it is worth. I have yet to get my CCNA. If anyone thinks this is wrong, please say so, so I can get it right in my head! I need to go back over this.

wizarddeath

The book was stating standard should be closest to the destination, while extended should be closer to the source..unless I misread it. Hmmm I need more computers to test this out further

therainesman

wizarddeath wrote:

The book was stating standard should be closest to the destination, while extended should be closer to the source..unless I misread it.

I just cheked this out and I was wrong!

Standard ACL -- Close to destination
Extended ACL -- Close to source

Okay, now I got it. Now if I could just remember the billion other bits of knowledge floating around my head in a coherent fashion and pass the exam!

wizarddeath wrote:

Hmmm I need more computers to test this out further

Don't we all need more computers . . . and switches . . . and routers . . . and WAPs . . .and money!

darkuser

http://www.routergod.com/donking/

rossonieri#1

hello,

i think you better not get confused by standard/basic/extended ACL implementation.
slowly analyze the need - get the picture - and understand what you type when configuring ACL either standard/extended - and you will see where to put it.
there are a lot of online manual about ACL including in this techexams forum.
read well bro.

cheers...