Standard ACL - Fixing a misconfigured ACL

JJBladester

I am working on an end-of-chapter review problem from my "Accessing the WAN" book. I believe they made an error but I need a second pair of eyes as it may be me who is mistaken.

The question:

"Refer to the figure and the following configuration. ACL 10, configured on R1, is designed to deny the host at 192.168.10.10 access to the 192.168.11.0 network, but all other hosts on the 192.168.10.0 network should be permitted access. However, the ACL does not accomplish this. Which changes would correct this problem?"


R1 (config)# access-list 10 deny host 192.168.10.10
R1 (config)# interface Fa0/1
R1 (config)# ip access-group 10 in

My fixed ACL:
R1 (config)# access-list 10 deny host 192.168.10.10
R1 (config)# access-list 10 permit any
R1 (config)# interface Fa0/1
R1 (config)# ip access-group 10 out

The book's fixed ACL:
R1 (config)# access-list 10 deny host 192.168.11.10
R1 (config)# access-list 10 permit any
R1 (config)# interface Fa0/1
R1 (config)# ip access-group 10 out

Why is the first line of the book's ACL using 192.168.11.10? I thought standard ACLs only filtered on *source* IP addresses?

Figure.5-32.jpg

CodeBlox

Standard ACLs do filter only source address. Perhaps that was the mistake they wanted you to fix. But in the first config, the ACL could be applied on that interface but with OUT as the direction, not in. Looks like thats a potential problem as well that I see you've corrected.

[FONT=courier new]R1 (config)# [B]access-list 10 deny host 192.168.[COLOR=#ff0000]10[/COLOR].10
[/B][/FONT][FONT=courier new]R1 (config)# [/FONT][FONT=courier new][B]access-list 10 permit any[/B][/FONT][FONT=courier new]
R1 (config)# [B]interface Fa0/1
[/B]R1 (config)# [B]ip access-group 10 [COLOR=#ff0000]out[/COLOR]
[/B][/FONT]