
ACL Question for you guys

billscott92787billscott92787 Member Posts: 933
Hey, I have a question for anyone willing to explain. This is not a homework assignment or anything. I am checking out a lab activity for extended access lists. Here is what it says:

Step 1: Create an ACL

Please start by creating an extended IP access-list that will deny telnet packets from host 192.5.5.2 to any host on network 210.93.105.0

So I applied the following:

access-list 107 deny tcp 192.5.5.2 0.0.0.0 210.93.105.0 0.0.0.255 eq telnet
access-list 107 permit ip any any

It then has me apply it on the Ethernet 0 interface with the ip access-group 107 in command. This interface is the interface on the router which connects to the 192.5.5.2 network. The other network (210.93.105.0) is a remote network. I'm not understanding why you would use the "in" in ip access-group 107 in, because the question is worded to deny telnet packets from host 192.5.5.2, which is the network connected to this interface.


Wouldn't this mean that when a packet exists the network, it would reach the 210.93.105.0 network, but when that (210.93.105.0) network tries to send a packet back (using the TCP hand-shake) to establish the connection, it would be blocked at that point by the router? Not sure if my question makes sense let me know if you need me to clarify anything.

Comments

    hypnotoadhypnotoad Banned Posts: 915
    When the packet comes IN to the router on eth 0, the router will apply the ACL right away, and see that it matches the criteria of source, destination, and protocol (in this case), so it will drop. Therefore, it will never get forwarded to the target network, so no handshake will start -- those particular packets will never exit the router...it gets shot down by the ACL before any more processing can occur.
    billscott92787billscott92787 Member Posts: 933
    Ok, I see what you mean now. That makes sense. I appreciate your answer :) Thank you very much!
    XenzXenz Member Posts: 140
    Just to toss it in there, you can save some typing by using

    access-list 107 deny tcp host 192.5.5.2 210.93.105.0 0.0.0.255 eq telnet

    It saves you from typing out the 0.0.0.0 and makes it a little more readable.
    Currently working on:
    CCNP, 70-620 Vista 70-290 Server 2003
    Packet Tracer activities and ramblings on my blog:
    http://www.sbntech.info
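To make the two points in this thread concrete (hypnotoad's: an inbound ACL is evaluated when the packet arrives on Ethernet 0, before any forwarding, so the telnet SYN never leaves the router and no return traffic is ever involved; and Xenz's: `host 192.5.5.2` is just shorthand for `192.5.5.2 0.0.0.0`), here is a small added model of numbered extended ACL evaluation. It is illustrative code written for this page, not Cisco IOS code or anything from the lab: it parses only the subset of syntax used above (`any`, `host A.B.C.D`, `A.B.C.D wildcard`, `eq <port>`), applies first-match semantics with the implicit deny at the end, and uses a constructed two-interface topology (`Ethernet0` with ACL 107 inbound, `Serial0` with no ACL) plus constructed packets.

```python
"""Toy model of IOS-style numbered extended ACL evaluation at interface ingress.

Added illustration, not Cisco code. Supports the syntax subset used in the
thread: 'any', 'host A.B.C.D', 'A.B.C.D W.W.W.W' (wildcard mask), 'eq <port>'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed lookup for the port keywords the example needs.
PORT_NAMES = {"telnet": 23, "www": 80, "ftp": 21, "smtp": 25}


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches everything; otherwise exact match
    src: int               # source address as a 32-bit int
    src_wild: int          # wildcard mask: 1 bits are "don't care"
    sport: Optional[int]   # None means any source port
    dst: int
    dst_wild: int
    dport: Optional[int]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens: list) -> tuple:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (addr, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF            # same as 0.0.0.0 255.255.255.255
    if tok == "host":
        return _ip(tokens.pop(0)), 0    # same as A.B.C.D 0.0.0.0
    return _ip(tok), _ip(tokens.pop(0))


def _parse_port(tokens: list) -> Optional[int]:
    """Consume an optional 'eq <port>' qualifier (name or number)."""
    if len(tokens) >= 2 and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> permit|deny <proto> <src> [eq p] <dst> [eq p]'."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported line: {line}")
    rest = tokens[4:]
    src, src_wild = _parse_addr(rest)
    sport = _parse_port(rest)
    dst, dst_wild = _parse_addr(rest)
    dport = _parse_port(rest)
    return Ace(tokens[2], tokens[3], src, src_wild, sport, dst, dst_wild, dport)


def _addr_match(addr: int, ace_addr: int, wild: int) -> bool:
    care = ~wild & 0xFFFFFFFF           # bits the entry actually compares
    return addr & care == ace_addr & care


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not _addr_match(_ip(pkt.src), ace.src, ace.src_wild):
        return False
    if not _addr_match(_ip(pkt.dst), ace.dst, ace.dst_wild):
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: list, pkt: Packet) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def ingress(inbound_acls: dict, iface: str, pkt: Packet) -> str:
    """An 'in' ACL is checked as the packet arrives, before any forwarding decision."""
    acl = inbound_acls.get(iface)
    if acl is not None and evaluate(acl, pkt) == "deny":
        return "dropped"
    return "forwarded"


# The thread's ACL, once in wildcard form and once using the 'host' shorthand.
ACL_107 = [
    parse_ace("access-list 107 deny tcp 192.5.5.2 0.0.0.0 210.93.105.0 0.0.0.255 eq telnet"),
    parse_ace("access-list 107 permit ip any any"),
]
ACL_107_HOST = [
    parse_ace("access-list 107 deny tcp host 192.5.5.2 210.93.105.0 0.0.0.255 eq telnet"),
    parse_ace("access-list 107 permit ip any any"),
]

# Constructed topology: ACL 107 inbound on Ethernet0 only; Serial0 has no ACL.
ROUTER = {"Ethernet0": ACL_107}

if __name__ == "__main__":
    telnet_syn = Packet("tcp", "192.5.5.2", "210.93.105.7", 40000, 23)   # constructed
    print(ingress(ROUTER, "Ethernet0", telnet_syn))                      # dropped
    print(ingress(ROUTER, "Ethernet0", Packet("tcp", "192.5.5.2", "210.93.105.7", 40000, 80)))
```

Running it shows the telnet SYN being dropped at ingress on Ethernet0 while other traffic from the same host is forwarded. The `ingress` model is also why the original worry about return traffic does not arise: the SYN-ACK would arrive on Serial0, where ACL 107 is not applied, but it never exists because the SYN was dropped first. The two `ACL_107` lists compare equal, which is Xenz's point about `host`.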