Standard ACLs

in CCNA & CCENT
For anyone who has Odom's ICND2 book, can you give me your opinion on this example.
Page 241: Standard IP ACL: Example 2
Wouldn't the following work more efficiently than his proposed solution on page 243 (Ex 6-5)?
-Albuquerque-
access-list 1 deny host 10.1.2.1
access-list 1 permit any
int E0
ip access-group 1 out
-Yosemite-
access-list 2 deny 10.1.3.0 0.0.0.255
access-list 2 permit any
int E0
ip access-group 2 out
Comments
chmorin Member Posts: 1,446
Monkerz wrote: »For anyone who has Odom's ICND2 book, can you give me your opinion on this example.
Page 241: Standard IP ACL: Example 2
Wouldn't the following work more efficiently than his proposed solution on page 243 (Ex 6-5)?
I guess it depends on how you want to accomplish the goal. His solution keeps the configurations on one router which all the connections have in common.
So I guess it depends on how you want to accomplish the goal. Personally, I would do it your way. I think it organizes and implements it better. But his way consolidates and localizes the security configurations on the most common source.
So yes. And no. I'm not sure to be honest, I'm not the best security person.
bermovick Member Posts: 1,135
Completely agree with chmorin here. I even remember being confused when reading it because he made it much more complicated (notice list 3 needs applied TWICE) just to keep it on a single router.
You'll read later on that your way meets the rule for standard ACLs of putting them as close to the destination as possible too.
Monkerz Member Posts: 842
bermovick wrote: »You'll read later on that your way meets the rule for standard ACLs of putting them as close to the destination as possible too.
Yeah, I was also thinking along the lines of criteria. He stated the criteria as:
1. Sam is not allowed to access Bugs or Daffy.
2. Hosts on Seville Ethernet are not allowed to access hosts on the Yosemite Ethernet.
3. All other combinations are allowed.
With his setup, Sam wouldn't be allowed to contact Albuquerque's or Seville's router if a vty session was needed for some reason. Just seems like more collateral damage than need be.
gregorio323 Member Posts: 201
Monkerz wrote: »For anyone who has Odom's ICND2 book, can you give me your opinion on this example.
Page 241: Standard IP ACL: Example 2
Wouldn't the following work more efficiently than his proposed solution on page 243 (Ex 6-5)?
I'm a bit late, or a month late, for this, but I'll still give my opinion. Odom is teaching you an efficient and practical way to implement ACLs, for example. That would be a good solution, but one problem: if you implement it, deny 10.1.3.0 0.0.0.255 on E0 going out, you might as well disconnect them from the router, because they won't be able to do anything, because Seville needs to access Albuquerque; there were no restrictions on them.
Monkerz Member Posts: 842
gregorio323 wrote: »I'm a bit late, or a month late, for this, but I'll still give my opinion. Odom is teaching you an efficient and practical way to implement ACLs, for example. That would be a good solution, but one problem: if you implement it, deny 10.1.3.0 0.0.0.255 on E0 going out, you might as well disconnect them from the router, because they won't be able to do anything, because Seville needs to access Albuquerque; there were no restrictions on them.
You lost me. How would using access-list 2 on Yosemite's E0 out negate Seville's connectivity to Albuquerque?
gregorio323 Member Posts: 201
Monkerz wrote: »You lost me. How would using access-list 2 on Yosemite's E0 out negate Seville's connectivity to Albuquerque?
Monkerz Member Posts: 842
gregorio323 wrote: »Because you would lose the connectivity. An access list is like a checklist: it goes down the list, and as soon as it makes a match it will take the action of the command, and since you're using a standard access list it goes by the source IP address, and it matches the first entry before it gets to the second entry, so the packet will get dropped. They will never be able to access Albuquerque. Implementing it on the E0, you will be denying too much.
Gregorio, I believe you are mistaken. If you read my very first post again, it states that I would be activating access list 2 on Yosemite's E0 interface headed out. Unless I am just not seeing it, I have a very hard time believing that this access list will hinder the network traffic between Seville and Albuquerque.
gregorio323 Member Posts: 201
Monkerz wrote: »Gregorio, I believe you are mistaken. If you read my very first post again, it states that I would be activating access list 2 on Yosemite's E0 interface headed out. Unless I am just not seeing it, I have a very hard time believing that this access list will hinder the network traffic between Seville and Albuquerque.
Monkerz Member Posts: 842
I thought I was going crazy for a second. I was running through the diagram in my head over and over again. Thanks for the pop quiz man.
gregorio323 Member Posts: 201
Monkerz wrote: »I thought I was going crazy for a second. I was running through the diagram in my head over and over again. Thanks for the pop quiz man.
But you got it good, so don't stress yourself over it.
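To settle the exchange above about whether access-list 2 on Yosemite's E0 (outbound) cuts Seville off from Albuquerque, here is an added example, not from the thread or from Odom's book: a small Python model of standard ACL evaluation (top-down, first match on the source address wins, implicit deny at the end) applied to the first post's configuration. Sam (10.1.2.1) and the Seville Ethernet (10.1.3.0/24) come from the ACLs in the thread; the Albuquerque Ethernet being 10.1.1.0/24 with Bugs and Daffy on it, and the Yosemite Ethernet being 10.1.2.0/24, are assumptions.

```python
# Added example: model of Cisco standard ACL matching for the first post's design.
# Subnets for the Albuquerque (10.1.1.0/24) and Yosemite (10.1.2.0/24) LANs are assumed.
import ipaddress


def matches(addr, network, wildcard):
    """Cisco wildcard match: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.ip_address(addr))
    n = int(ipaddress.ip_address(network))
    w = int(ipaddress.ip_address(wildcard))
    return ((a ^ n) & ~w) == 0  # any differing bit in a 'care' position fails


def evaluate(acl, src):
    """Standard ACL: walk entries top-down, first match decides; implicit deny."""
    for action, network, wildcard in acl:
        if matches(src, network, wildcard):
            return action
    return "deny"


# The two lists from the first post ("host X" = wildcard 0.0.0.0, "any" = all bits).
ACL1 = [("deny", "10.1.2.1", "0.0.0.0"), ("permit", "0.0.0.0", "255.255.255.255")]
ACL2 = [("deny", "10.1.3.0", "0.0.0.255"), ("permit", "0.0.0.0", "255.255.255.255")]

# Each list is applied outbound on one router's Ethernet, so it only sees packets
# leaving toward that router's own LAN. Seville's E0 carries no list.
OUTBOUND_ACL = {
    "10.1.1.0/24": ACL1,  # Albuquerque E0 (Bugs, Daffy) - assumed subnet
    "10.1.2.0/24": ACL2,  # Yosemite E0 (Sam) - assumed subnet
    "10.1.3.0/24": None,  # Seville E0, no access-group
}


def forward(src, dst):
    """Return 'permit' or 'deny' for a packet src -> dst under the first post's design."""
    dst_ip = ipaddress.ip_address(dst)
    for subnet, acl in OUTBOUND_ACL.items():
        if dst_ip in ipaddress.ip_network(subnet):
            return "permit" if acl is None else evaluate(acl, src)
    return "deny"  # destination outside the three LANs: assumed dropped


if __name__ == "__main__":
    for s, d in [("10.1.2.1", "10.1.1.10"),   # Sam -> Bugs: deny (criterion 1)
                 ("10.1.3.7", "10.1.2.5"),    # Seville host -> Yosemite LAN: deny (criterion 2)
                 ("10.1.3.7", "10.1.1.10"),   # Seville host -> Albuquerque LAN: permit
                 ("10.1.2.9", "10.1.1.10")]:  # other Yosemite host -> Bugs: permit
        print(f"{s:>10} -> {d:<10} {forward(s, d)}")
```

The third case is the one in dispute: Seville-to-Albuquerque traffic never leaves Yosemite's E0, so access-list 2 never evaluates it.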