Access List

wizarddeathwizarddeath Member Posts: 115
Curious, how big of a part does this play in the CCNA exam? Having trouble getting some of the standard lists down. I can block a single host from getting through the router, but playing with wildcards to block a whole subnet is getting me.
70-291 Next....

Comments

  • mikej412mikej412 Member Posts: 10,086 ■■■■■■■■■■
    Looking at the CCNA exam blueprint....

    The Exam Description mentions "Managing IP traffic with Access Lists"

    And then in the various categories under Exam Topics access lists are mentioned 3 times
    -- Develop an access list to meet user specifications
    -- Implement access lists
    -- Troubleshoot an access list

    And then there is also "Evaluate rules for packet control" which might relate to access lists.

    Based on the exam blueprint, you'd probably want to know about access lists.
    Cisco Certifications -- Collect the Entire Set!
  • HumperHumper Member Posts: 647
    What are you confused about? I am sure we can help you :)
    Now working full time!
  • wizarddeathwizarddeath Member Posts: 115
    Thanks Modem, here's what I'm trying to play with.

    access-list 10 deny 172.16.50.2 0.0.0.0

    I apply it to the interface, and now it successfully blocks my host 172.16.50.2 from pinging the network of the interface I apply it to. I'm trying to modify it to be
    access-list 10 deny 172.16.50.0 0.0.0.255

    and block the entire network of 172.16.50.x from pinging the network of the interface I apply it to. BUT from the router that I assigned 172.16.50.1 (router interface of the 172.16.50.x network) to, I can still ping 172.16.20.1 (the router port I assigned the access list to).
    Do I need to use an extended access list to do this?
    Make sense?
    70-291 Next....
  • therainesmantherainesman Member Posts: 10 ■□□□□□□□□□
    and block the entire network of 172.16.50.x from pinging the network of the interface I apply it to. BUT from the router that I assigned 172.16.50.1 (router interface of the 172.16.50.x network) to, I can still ping 172.16.20.1 (the router port I assigned the access list to).
    Do I need to use an extended access list to do this?
    Make sense?

    Try doing an extended ping. If you ping solely from the router it will use whatever IP address it wants (usually the closest to the destination). For example, say E 0/1's IP address is 172.16.50.1 and E 0/2 is 172.16.20.1 and you are trying to ping 172.16.20.5. The standard ping 172.16.20.5 will work (because it would appear to originate at E 0/2), but an extended ping originating from E 0/1 to 172.16.20.5 should be stopped.

    Then again, standard ACL should be applied to the closest interface to the origin -- meaning it should be applied to the 172.16.20.1 interface of the router.

    Take my advice for what it is worth. I have yet to get my CCNA. If anyone thinks this is wrong, please say so, so I can get it right in my head! I need to go back over this.
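    A small checker for the wildcard-mask question in this thread, added here as an example and not code from any poster: it applies Cisco wildcard semantics (a 0 bit must match, a 1 bit is ignored) and the implicit "deny any" that ends every Cisco ACL. The "permit any" line is a constructed addition; note that without it the thread's single deny line blocks every source, not just 172.16.50.x.

    ```python
    import ipaddress

    def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
        """Cisco wildcard semantics: 0 bits in the wildcard must match, 1 bits are ignored."""
        a = int(ipaddress.IPv4Address(addr))
        b = int(ipaddress.IPv4Address(base))
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        return (a & care) == (b & care)

    def parse_standard_acl(lines):
        """Parse 'access-list <n> permit|deny <addr> [wildcard] | host <addr> | any' lines."""
        entries = []
        for line in lines:
            parts = line.split()
            if len(parts) < 4 or parts[0] != "access-list":
                continue
            action = parts[2]
            if parts[3] == "any":
                base, wc = "0.0.0.0", "255.255.255.255"
            elif parts[3] == "host":
                base, wc = parts[4], "0.0.0.0"
            else:
                base = parts[3]
                wc = parts[4] if len(parts) > 4 else "0.0.0.0"  # no wildcard means exact host
            entries.append((action, base, wc))
        return entries

    def standard_acl_verdict(entries, src: str) -> str:
        """First matching entry wins; an unlisted source hits the implicit 'deny any'."""
        for action, base, wc in entries:
            if wildcard_match(src, base, wc):
                return action
        return "deny"

    # The list from the thread, plus a constructed 'permit any' so other sources pass.
    ACL_10 = [
        "access-list 10 deny 172.16.50.0 0.0.0.255",
        "access-list 10 permit any",
    ]

    if __name__ == "__main__":
        entries = parse_standard_acl(ACL_10)
        # Router-sourced ping that leaves from E 0/2 carries 172.16.20.1 and is not matched;
        # an extended ping sourced from E 0/1 (172.16.50.1) is.
        for src in ("172.16.50.2", "172.16.50.1", "172.16.20.1"):
            print(src, standard_acl_verdict(entries, src))
        print("implicit deny:", standard_acl_verdict(entries[:1], "172.16.20.1"))
    ```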
  • wizarddeathwizarddeath Member Posts: 115
    The book was stating standard should be closest to the destination, while extended should be closer to the source... unless I misread it. Hmmm, I need more computers to test this out further.
    70-291 Next....
  • therainesmantherainesman Member Posts: 10 ■□□□□□□□□□
    The book was stating standard should be closest to the destination, while extended should be closer to the source... unless I misread it.


    I just checked this out and I was wrong!

    Standard ACL -- Close to destination
    Extended ACL -- Close to source

    Okay, now I got it. Now if I could just remember the billion other bits of knowledge floating around my head in a coherent fashion and pass the exam!
    Hmmm, I need more computers to test this out further.

    Don't we all need more computers . . . and switches . . . and routers . . . and WAPs . . .and money!
  • darkuserdarkuser Member Posts: 620 ■■■□□□□□□□
  • rossonieri#1rossonieri#1 Member Posts: 799 ■■■□□□□□□□
    hello,

    I think you'd better not get confused by standard/basic/extended ACL implementation.
    Slowly analyze the need, get the picture, and understand what you type when configuring an ACL, either standard or extended, and you will see where to put it.
    There are a lot of online manuals about ACLs, including in this techexams forum.
    Read well, bro.

    cheers...
    the More I know, that is more and More I dont know.