ACL

Netstudent (Member, Posts: 1,693)
I have a question about vague test questions just in case one comes up on the test.

Okay, let's say hypothetically a question comes up about ACLs and it gives a diagram, IPs for each relevant interface, and the goal of the ACL. So, for example, if it said this ACL needs to block telnet traffic to the webserver, where in this network should the ACL be applied? But it doesn't give you the ACL, the ACL number, and you do not know if it is extended or standard. But let's say you could use either one and the goal could be met.

Should I assume they are talking about a Standard in which case it would go as close to the source as possible inbound?

OR Am I supposed to assume it is an extended in which case the answer would be on the destination router outbound?

OR will it always give you enough information that you don't have to assume which type of ACL to use?
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!

Comments

  • gojericho0 (Member, Posts: 1,059)
    Quote: "like if it said this ACL needs to block telnet traffic to the webserver, Where in this network should the ACL be applied"

    The questions are fairly specific. In this case you would need to use an extended access list, since you are requesting to block a specific type of traffic (telnet).

    I would create the ACL at the destination router where the Webserver resides. Assuming the router has a WAN and LAN interface, you can have it applied to the interface where internet traffic is incoming. You could also do it to your ethernet interface which would then be outgoing in order to reach the webserver.
  • NeonNoodle (Member, Posts: 92)
    Standard access lists only contain the source address, so you need to put them closer to your destination.

    Extended access lists contain both source and destination addresses so you should put them closer to the source.

    Reference
    CCNA Self-Study, CCNA ICND Exam Certification Guide, p. 452

    When using access lists to filter traffic, you want to filter the traffic as soon as you can. You don't want traffic that will ultimately be filtered to travel across a network because it wastes bandwidth and processing time. But you also have to consider how wide a net you are casting. If you are filtering one subnet then use an extended access list on the router interfaces that are directly connected to that subnet.

    If you want to prevent everybody and their brother from telnetting to the server, then you have two options: First, you could put a standard access list on the interface that connects to the destination network, i.e. the server's LAN. That option is quick, but it means some traffic will transit your network only to be filtered which is a waste of resources as was mentioned previously.

    Second, you could apply an extended access list on every router interface that connects to a subnet where someone could telnet from, so that you prevent unnecessary traffic from going across your network. The problem with this option is that you have to manage a lot of access lists and it's hard to guarantee that you have prevented every host from telnetting to your server. So, for the second option it's better to apply the access list closer to the destination because you are more likely to prevent all access and you will have to manage fewer lists.

    I hope this makes sense.
    I recognize the lion by his paw.
    --Jacob Bernoulli
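    As an added illustration (not from either poster), here is what the two placements discussed above look like in Cisco IOS syntax. The addresses are constructed for this example: the web server is 10.1.1.10 on R2's FastEthernet0/1 LAN, and the client subnet 192.168.1.0/24 sits behind R1's FastEthernet0/0.

```cisco
! Option 1: extended ACL, applied close to the source on R1.
! An extended list can match protocol and destination port, so telnet
! (TCP/23) to the web server is dropped before it crosses the WAN while
! all other traffic from the clients is still allowed. The final permit
! is required because every ACL ends with an implicit deny.
R1(config)# access-list 101 deny tcp 192.168.1.0 0.0.0.255 host 10.1.1.10 eq 23
R1(config)# access-list 101 permit ip any any
R1(config)# interface FastEthernet0/0
R1(config-if)# ip access-group 101 in

! Option 2: standard ACL, applied close to the destination on R2.
! A standard list can only match the source address, so it cannot single
! out port 23: it blocks the whole client subnet from reaching anything on
! the server LAN, including HTTP to the web server. Applying it outbound on
! the LAN interface keeps other destinations behind R2 unaffected.
R2(config)# access-list 10 deny 192.168.1.0 0.0.0.255
R2(config)# access-list 10 permit any
R2(config)# interface FastEthernet0/1
R2(config-if)# ip access-group 10 out

! Verify placement and watch the per-entry match counters increment when a
! telnet attempt is made; "show ip interface" confirms which list is bound.
R1# show access-lists 101
R1# show ip interface FastEthernet0/0
```

    Because Option 2 also blocks the clients' legitimate web traffic, the extended list is the one an exam answer about "block telnet to the webserver" normally expects.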
  • Netstudent (Member, Posts: 1,693)
    Oh yeah, that's what I meant. Got those backwards for a second.
    Quote: "The questions are fairly specific"
    Okay, thanks.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!