Mistake on Standard ACL's

For anyone who has the ICND ciscopress book on page 454 I consider a mistake to be printed in the example 12-5. My reasoning: well cisco always say put the standard ACL's as close to the destination as possible.

For anyone who does not have that book check my rough boson netsim layout here:

http://www.digitalempathy.myby.co.uk/labACL.jpg

What interface would you place the standard ACL on to stop PC2 reaching the PC1 network?

Unless of course my understanding is completely wrong

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

bmauro

First off - where does the book say it should be placed?

If this is a standard ACL to block PC2 from reaching PC1 you would block (assuming that PC1 is off Ethernet 0) E0 OUT

EdTheLad

Pash wrote:

For anyone who has the ICND ciscopress book on page 454 I consider a mistake to be printed in the example 12-5. My reasoning: well cisco always say put the standard ACL's as close to the destination as possible.

For anyone who does not have that book check my rough boson netsim layout here:

http://www.digitalempathy.myby.co.uk/labACL.jpg

What interface would you place the standard ACL on to stop PC2 reaching the PC1 network?

Unless of course my understanding is completely wrong

The standard access-list should be placed as close to the destination as possible,the standard access-list filters using the source ip address.If you filter close to the source you effectively block all traffic from that source.If you place the standard access-list near the destination you will block traffic from the source to that destination only, so the source can still communicate with other destinations.

Netwurk

I think the ICND book is trying to give you examples of how to apply the ACL in both an inbound and an outbound direction. Also, there are always exceptions to the rules. If you need a certain type of traffic coming in on your ethernet port to go out to serial 1 but be denied on serial 2, then you have to use the access-group # out command.

So it all depends on the situation.

Pash

bmauro wrote:

First off - where does the book say it should be placed?

If this is a standard ACL to block PC2 from reaching PC1 you would block (assuming that PC1 is off Ethernet 0) E0 OUT

The book does say place standard ACL's as close to the destination as possible.

Yeh sorry I should of explained the requirements of the ACL a little better. Basically pc2 should not be able to enter the network that pc1 is on, but there were no other explicit requirements saying that pc2 should not be able to access other networks. And in the book they gave the example of using a deny host ACL on Router2 and applying it to both serial connections "out", basically stopping the traffic from pc2 going anywhere else on the network. It just threw me off a bit and I HOPE my understanding of it is still correct, my exam date beckons and the jitters are kicking in

Cheers for the fast response, this forum is great

hedhrts

I have the book and see what you're talking about. I agree with your conclusion, but at this stage in the book I don't think they were demonstrating proper placement of the acl (otherwise 2 different acl's would be placed on 2 different routers). I think they were demonstrating the general operation of a standard acl, and I guess it was easier to show the operations on 1 router.

This is very early in the chapter and the acl rules aren't mentioned until the end of the chapter (after both standard and extended were covered).

Pash

hedhrts wrote:

I have the book and see what you're talking about. I agree with your conclusion, but at this stage in the book I don't think they were demonstrating proper placement of the acl (otherwise 2 different acl's would be placed on 2 different routers). I think they were demonstrating the general operation of a standard acl, and I guess it was easier to show the operations on 1 router.

This is very early in the chapter and the acl rules aren't mentioned until the end of the chapter (after both standard and extended were covered).

Thanks for the response, yeh I guess thats the authors reasoning, aslong as my understanding is still ok then im fine