Question about ACLs.

/usr Member Posts: 1,768
I'm not sure why this just popped into my head...

If any ACL is applied on an interface, there must be explicit permit statements for all traffic you want to permit, or everything will be subject to the implicit deny.

Assuming that on the exam a question is given that one host cannot reach another and the cause is determined to be that no route exists to the destination host.

Could this problem be an ACL issue where routing updates have not been permitted? This has not been covered in any CCNA material I've been studying and I was just curious as to whether or not it is beyond the scope of the CCNA. I imagine that it is, but I just wanted to clarify.

Comments

  • hypnotoad Banned Posts: 915
    In short, yes. If you inadvertently block your routing protocol's updates via an ACL, your routes will die within a short time (depending on your routing protocol).

    Here's what Cisco says (http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml#permitroutingupdates):


    Permit Routing Updates
    When you apply an in-bound ACL on to an interface, ensure that routing updates are not filtered out. Use the relevant ACL from this list to permit routing protocol packets:

    Issue this command to permit Routing Information Protocol (RIP):

    access-list 102 permit udp any any eq rip

    Issue this command to permit Interior Gateway Routing Protocol (IGRP):

    access-list 102 permit igrp any any

    Issue this command to permit Enhanced IGRP (EIGRP):

    access-list 102 permit eigrp any any

    Issue this command to permit Open Shortest Path First (OSPF):

    access-list 102 permit ospf any any

    Issue this command to permit Border Gateway Protocol (BGP):

    access-list 102 permit tcp any any eq 179
    access-list 102 permit tcp any eq 179 any
  • luke_bibby Member Posts: 162
    If you had an ACL which was something like:

    r(config)# access-list 101 deny udp any any eq 520
    r(config)# access-list 101 permit ip any any

    And applied it to an interface where a routing update should arrive (in this case, a RIP routing update), then yeah, the routes will go down.

    I think this would be within the CCNA scope because it's essentially just an ACL question.
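To make the two posts above concrete, here is a small evaluator for Cisco-style extended ACLs. It is an added example written for this thread, not code from the forum, from Cisco or from any IOS tool. It walks an ACL top to bottom the way IOS does (first match wins, implicit deny at the end) and reports which routing-protocol updates an inbound ACL would silently drop. The address matching is a deliberate simplification (only `any`, `host A.B.C.D` or an exact address; no wildcard masks, port ranges or `established`), and the sample packets and port-keyword table are constructed for the example.

```python
"""Toy evaluator for Cisco-style extended ACLs (example code, not the thread's).

Assumptions: addresses match as "any", "host A.B.C.D" or an exact address;
wildcard masks, ranges and keywords like "established" are not modelled.
Only the port keywords used in the thread are known to the parser.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_KEYWORDS = {"rip": 520, "bgp": 179}   # IOS port names used in the thread


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp", "tcp", "ospf", "eigrp", "igrp", "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # "any" or an address
    dst: str
    sport: Optional[int] = None  # "eq <port>" after the source
    dport: Optional[int] = None  # "eq <port>" after the destination


def _port(token: str) -> int:
    return PORT_KEYWORDS[token] if token in PORT_KEYWORDS else int(token)


def _address(tokens: List[str]) -> str:
    # consumes "any", "host A.B.C.D" or "A.B.C.D" from the front of tokens
    tok = tokens.pop(0)
    return tokens.pop(0) if tok == "host" else tok


def _eq_port(tokens: List[str]) -> Optional[int]:
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return _port(tokens.pop(0))
    return None


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    if tokens[:1] != ["access-list"]:
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src, sport = _address(rest), _eq_port(rest)
    dst, dport = _address(rest), _eq_port(rest)
    return Ace(action, proto, src, dst, sport, dport)


def parse_acl(lines: List[str]) -> List[Ace]:
    return [parse_ace(line) for line in lines]


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.src not in ("any", pkt.src) or ace.dst not in ("any", pkt.dst):
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; no match is the implicit deny (index None)."""
    for index, ace in enumerate(acl):
        if matches(ace, pkt):
            return ace.action, index
    return "deny", None


# Constructed samples of the routing-protocol packets discussed in the thread.
ROUTING_UPDATES = {
    "RIP":   Packet("udp", "10.0.0.1", "224.0.0.9", sport=520, dport=520),
    "OSPF":  Packet("ospf", "10.0.0.1", "224.0.0.5"),
    "EIGRP": Packet("eigrp", "10.0.0.1", "224.0.0.10"),
    "BGP":   Packet("tcp", "10.0.0.1", "10.0.0.2", sport=41000, dport=179),
}


def blocked_routing_updates(acl: List[Ace]) -> List[str]:
    """Routing protocols whose updates this inbound ACL would drop."""
    return [name for name, pkt in ROUTING_UPDATES.items()
            if evaluate(acl, pkt)[0] == "deny"]


# ACL from luke_bibby's post: explicit deny of RIP ahead of permit ip any any.
ACL_101 = parse_acl([
    "access-list 101 deny udp any any eq 520",
    "access-list 101 permit ip any any",
])
# The permit lines Cisco lists, with no permit for ordinary traffic after them.
ACL_102 = parse_acl([
    "access-list 102 permit udp any any eq rip",
    "access-list 102 permit igrp any any",
    "access-list 102 permit eigrp any any",
    "access-list 102 permit ospf any any",
    "access-list 102 permit tcp any any eq 179",
    "access-list 102 permit tcp any eq 179 any",
])
HTTP = Packet("tcp", "192.168.1.10", "192.168.2.20", sport=50000, dport=80)

if __name__ == "__main__":
    print("ACL 101 blocks:", blocked_routing_updates(ACL_101))  # ['RIP']
    print("ACL 101 on HTTP:", evaluate(ACL_101, HTTP))          # ('permit', 1)
    print("ACL 102 blocks:", blocked_routing_updates(ACL_102))  # []
    print("ACL 102 on HTTP:", evaluate(ACL_102, HTTP))          # ('deny', None)
```

Running it shows both failure modes the thread describes: ACL 101 lets user traffic through but kills RIP, so the route eventually ages out and Host A gets "no route"; ACL 102 keeps every routing protocol alive but, because the implicit deny follows the last permit, ordinary traffic such as HTTP is dropped unless a further permit is added. The `blocked_routing_updates` check is the kind of thing to run (mentally or in a lab) before applying any inbound ACL on a routed interface.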
  • /usr Member Posts: 1,768
    Yes, that's what I've noticed while working on ACLs in my lab.

    However, what I'm asking is whether or not creating entries to allow routing protocols is something that is covered on the ICND2/CCNA exam.

    Meaning that if Host A can't reach Host B, it could be due to the host itself being denied, or it could be that there is no route to the destination host because the routing update was denied.

    I assumed the first scenario was all that was covered on the CCNA, as the latter (allowing routing protocol updates) is a bit more in depth and hasn't been covered in any material I've looked at thus far.
  • luke_bibby Member Posts: 162
    From the ICND2 exam blueprint, I think these are the ones which relate the most to your question:
    • Configure and apply access control lists based on network filtering requirements
    • Troubleshoot ACL implementation issues
    I guess there *could* be a question like that.
  • luke_bibby Member Posts: 162
    Well look at that, rip was a keyword :D learn something every day!
  • hypnotoad Banned Posts: 915
    /usr wrote: »
    Meaning that if Host A can't reach Host B, it could be due to the host itself being denied, or it could be that there is no route to the destination host because the routing update was denied.

    Yes, it could be the result of either one. The router (if configured to do so) will send an ICMP packet indicating the reason.

    See the table:
    Internet Control Message Protocol - Wikipedia, the free encyclopedia