ACL Help

cschaaf

Hi all

I took my ICND1 class two weeks ago and passed on my first attempt!

I was not very confident going in, but once I got started, I was surprised how easy it seemed.

I went in expecting a low score, as I was taking it, I expected a high score. I ended up somewhere in the middle with a 874 lol

Anyway, I am reading through the ICND2 info and am confused on where and why to apply ACLs.

I get the concept of them. I understand the syntax of building the list. I understand that the In and Out are from the routers perspective. And I get that Extended should be put near the source and Basic should be put near the destination.

Where I get lost is why they are in or out.

Does anyone have any tips of know of a good place to read up on them?

For the ICND1, I studied:
Cisco Networking Academy texts
CBTNuggets videos
and Lammle

I've tried all of them for the In and Out, but seem to get more confused.

Thanks!

nevolved

Using them as In or Out is purely a design/engineering choice, don't get too hung up on it until you see some examples. Most of the ACLs I see used on interfaces are all In, (In from the Internet, In from a VLAN, etc). They are functionally identical, it just applies to the traffic at a different time.

For instance if you wanted to control traffic going between VLANs you might filter some traffic out as it exits that VLAN (In the interface). Or you could control what traffic goes out of an interface into the VLAN.

elegua

Hi,

Check this post, i explained there what you are asking.

http://www.techexams.net/forums/ccna-ccent/29082-access-lists-out-dilemma.html


Hope this help.

dynamik

Get a shoe box and label one side WAN and one side LAN. Get a knife, this is your traffic. Simulate traffic coming in from the WAN and leaving the LAN. It should be obvious when you're cutting into or out of the shoe box. That's how ACLs work as well.

(You can substitute a gun for the knife if you live out in the country.)

mikedisd2

OH, by the way congrats on the pass. Glad to hear it wasn't so difficult. You must have good time managing skills.

billscott92787

If I remember this correctly a standard ACL is going to be places as close to the "destination" as possible. Meaning where ever the traffic is going "to." This is because standard ACLs can block traffic unnecessarily if they are placed close to the originating node. An Extended ACL should be placed as close to the "source" as possible. Think of it this way. If you are using an extended ACL to block traffic from LAN 2 -> 192.168.1.0 /24 subnet, you would determine "what" traffic you are blocking (telnet, HTTP, etc...), and place that on the Ethernet interface of the router, on which that LAN resides. This would be placing the extended ACL as close to the source of the traffic as possible. I hope this helps. It will make more sense if you lab it out. That's what I had to do in order to really get a firm grip on it. Congrats on the pass! When do you plan on taking the ICND2?

cschaaf

Thanks, everyone. All of that helped.

This is one of those topics for me that I think I understand, then I get a simulation type question and I stare at it like I've never seen anything like it. lol

I'll keep working on it. If I find an example that I am stuck on tonight, I will post it to see if someone can hit me over the head with it.

Thanks, mikedisd2. I was worried about time, so I was rushing through things. I got to the next to last question and looked a the time and I had 45 minutes left. I must have got the easiest group of questions or something lol

billscott92787 - I signed up to take the test next Tuesday. It's a quick turn around, but I'm trying to get it done to help me post for a job. The posting ends next Friday. It's not in the IT field directly (and I'm currently not in the IT field), but the CCNA knowledge is definitely a plus for the position.

(The posting wasn't the original reason I started reading the CCNA stuff, but the rush on the tests has a lot to do with it now lol)

billscott92787

I see what you mean, well good luck and let us know how it turns out. Just remember to FULLY read the question, read the answers, then go back and re-read the question. Don't spend too much time on a SIM. 10 minutes MAX, if nothing comes to your brain on how to make things work, move on. FORGET about it, don't think about it the rest of the test or you may affect your thoughts and make yourself nervous. Pull out your text and go over anything and EVERYTHING that you may be "skeptical" on. I know the feeling that you have done something, read it, understand it, then you get a simulator question, and your like, "A DUH?" I don't remember that. Then once you see the answer you slap yourself on the head and say, "IDIOT." Why can't you remember that? LOL. I had an issue remembering something on my CCNA exam, of course I Can't say what that was because I would violate NDA and we don't want to do that I could have beat myself up once I figured out what I did wrong and how easy it is for pressure to make you forget things.

mattau

hi guys. I just wanted to post a question without starting up a brand new thread so hopefully someone can talk me through this..

now implicit deny...

been trying to get this through my head the last few days. (example)

acc-list 10 deny 172.16.1.1
permit any
implicit deny

does this mean when packet containing source 172.16.1.1 enters router it scans access list and will drop the packet due to the ACL matching.

I get that bit so far.

so what if i am packet 172.16.1.2. This is how i see it. Do i skip the first line and the next sequence line is permit any so i am allowed through on my merry way ?

basically my question is this. If i didnt put the permit any would ANY packet get dropped that isnt 172.16.1.1 because it scans the access list and nothing matches the first line but the next in line is the implicit deny which drops everything.

Is this why we need the permit or deny any command?

Thanks heaps!

tomaifauchai

the "permit any" command overhide the implicit deny because ACLs always goes TOP to Bottom and at the moment you encounter a match, the packet "leave" the acl.
So basicly, you're denying 172.16.1.1 ONLY.

If you remove permit any, then your ACL is worthless because you denying everything.

chmorin

mattau wrote: »

acc-list 10 deny 172.16.1.1
permit any
implicit deny

does this mean when packet containing source 172.16.1.1 enters router it scans access list and will drop the packet due to the ACL matching.

Yes.

mattau wrote: »

so what if i am packet 172.16.1.2. This is how i see it. Do i skip the first line and the next sequence line is permit any so i am allowed through on my merry way ?

Yes.

mattau wrote: »

If i didnt put the permit any would ANY packet get dropped that isnt 172.16.1.1 because it scans the access list and nothing matches the first line but the next in line is the implicit deny which drops everything.

I never dealt much with ACL's but to my knowledge there is an implicit deny at the end of every ACL you make. If you want it to allow anything, you must 'permit any'. It will block all other IP's by default, so you don't need to specify every single IP address in the IPv4 address range. If you are trying to do the other way around, and block one but not all the others, then that is what that 'permit any' is for.

I hope that made sense... my ACL was not my strong point. When in doubt, lab. That is what I just did.

mattau

thanks for the quick Re: that helped thanks, i think i am on the right track. Definitely labbing is the way to go i will play around