Standard ACL - Fixing a misconfigured ACL
JJBladester
Member Posts: 38 ■■□□□□□□□□
in CCNA & CCENT
I am working on an end-of-chapter review problem from my "Accessing the WAN" book. I believe they made an error but I need a second pair of eyes as it may be me who is mistaken.
The question:
"Refer to the figure and the following configuration. ACL 10, configured on R1, is designed to deny the host at 192.168.10.10 access to the 192.168.11.0 network, but all other hosts on the 192.168.10.0 network should be permitted access. However, the ACL does not accomplish this. Which changes would correct this problem?"
R1 (config)# access-list 10 deny host 192.168.10.10
R1 (config)# interface Fa0/1
R1 (config)# ip access-group 10 in
My fixed ACL:
R1 (config)# access-list 10 deny host 192.168.10.10
R1 (config)# access-list 10 permit any
R1 (config)# interface Fa0/1
R1 (config)# ip access-group 10 out
The book's fixed ACL:
R1 (config)# access-list 10 deny host 192.168.11.10
R1 (config)# access-list 10 permit any
R1 (config)# interface Fa0/1
R1 (config)# ip access-group 10 out
Why is the first line of the book's ACL using 192.168.11.10? I thought standard ACLs only filtered on *source* IP addresses?
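To see why the original ACL fails twice (wrong direction, no permit before the implicit deny) and why the book's 192.168.11.10 line cannot match, here is a small simulation of Cisco standard-ACL semantics. This is an added example, not IOS code and not from the book; it assumes a topology the thread's figure does not show on the page, namely R1 with Fa0/0 on 192.168.10.0/24 and Fa0/1 on 192.168.11.0/24. Names such as parse_acl, evaluate and forward are invented for the example.

```python
import ipaddress

# Added illustration of Cisco standard-ACL behaviour; not IOS code.
# Assumed topology (the thread's figure is not on the page): R1 has
# Fa0/0 on 192.168.10.0/24 and Fa0/1 on 192.168.11.0/24.
IFACE_OF_NET = {
    ipaddress.ip_network("192.168.10.0/24"): "Fa0/0",
    ipaddress.ip_network("192.168.11.0/24"): "Fa0/1",
}


def parse_acl(lines):
    """Parse 'deny|permit host A', 'permit any' or 'permit A WILDCARD' into
    (action, address, wildcard) tuples, keeping the order they were written."""
    entries = []
    for line in lines:
        parts = line.split()
        action, target = parts[0], parts[1]
        if target == "any":
            addr, wild = 0, 0xFFFFFFFF          # every bit is "don't care"
        elif target == "host":
            addr, wild = int(ipaddress.ip_address(parts[2])), 0
        else:
            addr = int(ipaddress.ip_address(target))
            wild = int(ipaddress.ip_address(parts[2]))  # wildcard: 1 bits are ignored
        entries.append((action, addr, wild))
    return entries


def evaluate(acl, src):
    """Standard ACLs match on the SOURCE address only. Entries are tested
    top-down, first match wins, and a packet matching nothing hits the
    implicit 'deny any' at the end of every IOS ACL."""
    s = int(ipaddress.ip_address(src))
    for action, addr, wild in acl:
        if ((s ^ addr) & ~wild & 0xFFFFFFFF) == 0:
            return action
    return "deny"


def iface_for(ip):
    """Which R1 interface a host sits behind, under the assumed topology."""
    a = ipaddress.ip_address(ip)
    for net, iface in IFACE_OF_NET.items():
        if a in net:
            return iface
    raise ValueError(f"no connected network for {ip}")


def forward(acl, apply_iface, direction, src, dst):
    """Apply the ACL only where IOS would: 'in' sees packets arriving on the
    interface, 'out' sees packets leaving through it. A flow the ACL never
    sees is simply forwarded."""
    seen = (direction == "in" and iface_for(src) == apply_iface) or \
           (direction == "out" and iface_for(dst) == apply_iface)
    return evaluate(acl, src) if seen else "permit"


def check_intent(acl, apply_iface, direction):
    """The question's goal: 192.168.10.10 must be denied and every other
    192.168.10.0 host permitted when reaching the 192.168.11.0 network."""
    blocked = forward(acl, apply_iface, direction, "192.168.10.10", "192.168.11.1")
    allowed = forward(acl, apply_iface, direction, "192.168.10.20", "192.168.11.1")
    return blocked == "deny" and allowed == "permit"


# The three configurations from the thread, as (acl, interface, direction).
ORIGINAL = (parse_acl(["deny host 192.168.10.10"]), "Fa0/1", "in")
OP_FIX = (parse_acl(["deny host 192.168.10.10", "permit any"]), "Fa0/1", "out")
BOOK_FIX = (parse_acl(["deny host 192.168.11.10", "permit any"]), "Fa0/1", "out")

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("OP fix", OP_FIX), ("book fix", BOOK_FIX)):
        print(f"{name:>9}: meets intent = {check_intent(*cfg)}")
```

Running it reports that only the poster's version meets the intent. The original ACL, applied inbound on Fa0/1, never sees traffic from the 192.168.10.0 side at all, while return traffic from 192.168.11.0 is dropped by the implicit deny. The book's version permits 192.168.10.10 because its deny line names a source address that host never carries.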
Comments
CodeBlox
Member Posts: 1,363 ■■■■□□□□□□
Standard ACLs do filter only source address. Perhaps that was the mistake they wanted you to fix. But in the first config, the ACL could be applied on that interface but with OUT as the direction, not in. Looks like that's a potential problem as well that I see you've corrected.
R1 (config)# access-list 10 deny host 192.168.10.10
R1 (config)# access-list 10 permit any
R1 (config)# interface Fa0/1
R1 (config)# ip access-group 10 out
Currently reading: Network Warrior, Unix Network Programming by Richard Stevens
JJBladester
Member Posts: 38 ■■□□□□□□□□
Thanks @CodeBlox. I just wanted to be sure I wasn't losing my mind. ACLs really aren't that tricky; just a lot of syntax to remember.
Happy Easter.
alliasneo
Member Posts: 186
I just had a look at this as well and I think that must be a typo. I think the only thing to fix here was the ip access-group 10 out.