Mistake on Standard ACL's

PashPash Posts: 1,601Member ■■■■■□□□□□
For anyone who has the ICND ciscopress book on page 454 I consider a mistake to be printed in the example 12-5. My reasoning: well cisco always say put the standard ACL's as close to the destination as possible.

For anyone who does not have that book check my rough boson netsim layout here:

http://www.digitalempathy.myby.co.uk/labACL.jpg

What interface would you place the standard ACL on to stop PC2 reaching the PC1 network?

Unless of course my understanding is completely wrong icon_sad.gif
DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.

Comments

  • bmaurobmauro Posts: 307Member
    First off - where does the book say it should be placed?

    If this is a standard ACL to block PC2 from reaching PC1 you would block (assuming that PC1 is off Ethernet 0) E0 OUT
  • EdTheLadEdTheLad Posts: 2,112Member ■■■■□□□□□□
    Pash wrote:
    For anyone who has the ICND ciscopress book on page 454 I consider a mistake to be printed in the example 12-5. My reasoning: well cisco always say put the standard ACL's as close to the destination as possible.

    For anyone who does not have that book check my rough boson netsim layout here:

    http://www.digitalempathy.myby.co.uk/labACL.jpg

    What interface would you place the standard ACL on to stop PC2 reaching the PC1 network?

    Unless of course my understanding is completely wrong icon_sad.gif

    The standard access-list should be placed as close to the destination as possible,the standard access-list filters using the source ip address.If you filter close to the source you effectively block all traffic from that source.If you place the standard access-list near the destination you will block traffic from the source to that destination only, so the source can still communicate with other destinations.
    Networking, sometimes i love it, mostly i hate it.Its all about the $$$$
  • NetwurkNetwurk Posts: 1,155Member ■■■■□□□□□□
    I think the ICND book is trying to give you examples of how to apply the ACL in both an inbound and an outbound direction. Also, there are always exceptions to the rules. If you need a certain type of traffic coming in on your ethernet port to go out to serial 1 but be denied on serial 2, then you have to use the access-group # out command.

    So it all depends on the situation.
  • PashPash Posts: 1,601Member ■■■■■□□□□□
    bmauro wrote:
    First off - where does the book say it should be placed?

    If this is a standard ACL to block PC2 from reaching PC1 you would block (assuming that PC1 is off Ethernet 0) E0 OUT

    The book does say place standard ACL's as close to the destination as possible.

    Yeh sorry I should of explained the requirements of the ACL a little better. Basically pc2 should not be able to enter the network that pc1 is on, but there were no other explicit requirements saying that pc2 should not be able to access other networks. And in the book they gave the example of using a deny host ACL on Router2 and applying it to both serial connections "out", basically stopping the traffic from pc2 going anywhere else on the network. It just threw me off a bit and I HOPE my understanding of it is still correct, my exam date beckons and the jitters are kicking in icon_sad.gif

    Cheers for the fast response, this forum is great :)
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • hedhrtshedhrts Posts: 74Member ■■□□□□□□□□
    I have the book and see what you're talking about. I agree with your conclusion, but at this stage in the book I don't think they were demonstrating proper placement of the acl (otherwise 2 different acl's would be placed on 2 different routers). I think they were demonstrating the general operation of a standard acl, and I guess it was easier to show the operations on 1 router.

    This is very early in the chapter and the acl rules aren't mentioned until the end of the chapter (after both standard and extended were covered).
  • PashPash Posts: 1,601Member ■■■■■□□□□□
    hedhrts wrote:
    I have the book and see what you're talking about. I agree with your conclusion, but at this stage in the book I don't think they were demonstrating proper placement of the acl (otherwise 2 different acl's would be placed on 2 different routers). I think they were demonstrating the general operation of a standard acl, and I guess it was easier to show the operations on 1 router.

    This is very early in the chapter and the acl rules aren't mentioned until the end of the chapter (after both standard and extended were covered).

    Thanks for the response, yeh I guess thats the authors reasoning, aslong as my understanding is still ok then im fine :)
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
Sign In or Register to comment.