Bolton07 wrote: » Why do Packet Tracer exercises require the 'deny ip any any' command to be manually entered at the end of an ACL? I thought it was automatically entered at the end. Also, my book says DNS uses both UDP and TCP. So how would I know which to use in the ACL exercise below, or any other time?

Create an ACL numbered 110 which permits the HTTP and DNS protocols for any host, but denies all other IP traffic to the Web Server and DNS Server.
Web Server IP Address: 10.10.10.254
DNS Server IP Address: 10.10.10.250
Note: Create the ACL to filter traffic using protocols instead of port numbers. Apply the ACL outbound on Fast Ethernet 0/1.
Bolton07 wrote: » I think for DNS it is 'eq domain' in ACLs, not 'eq DNS'. Am I right?
onesaint wrote: » Too right. I guess that's what I get for posting at 2am! Still, I like the theory that I can be woken up in the middle of the night and still know what I'm talking about. *Note to self, work on equals in ACLs.
hiddenknight821 wrote: » Another note you should also keep in mind is to practice the well-known ports by their numbers, so that you can always remember the port numbers for other applications that do not have the same convenience as the ACL commands.
hiddenknight821 wrote: » I forgot to add that the "eq" (equal) command is not the only available option. Keep in mind you have neq (not equal to), lt (less than), gt (greater than), and the range command to play around with. I should also try practicing using the range command, since most of the materials I worked with used two lines for FTP. I dunno why.
Ltat42a wrote: » Doesn't statement 2 negate statement 1 in this question???

How many access lists can be applied to an interface on a Cisco router?
Only one access list per protocol, per direction, per interface can be applied on a Cisco router. Multiple access lists are permitted per interface, but they must be for a different protocol.
r1(config)#do sh run | b 0/0
interface FastEthernet0/0
 ip address 10.0.1.2 255.255.255.252
 ip access-group 112 in
 ip access-group 113 out
 duplex auto
 speed auto
 appletalk address 1.2
 appletalk access-group 600 out
 appletalk access-group 602 in
 ipx access-group 802 in
 ipx access-group 800 out
 ipx network 1
!
hiddenknight821 wrote: » Sounds legit to me. You can have many access-lists on a single interface. What the statement meant is that you cannot have more than one access-list that has the same rule for that specific protocol, since that could lead to overlapping issues and you can end up becoming more confused and frustrated. Let me give you an example.

Access-list applied on S0/0/0 interface blocking incoming traffic from outside:
ip access-list extended BlockFromBadGuy1
 deny tcp host 22.33.44.55 192.168.1.0 0.0.0.255 eq www
 permit ip any any

Access-list applied on S0/0/0 interface blocking incoming traffic from outside:
ip access-list extended BlockFromBadGuy2
 deny tcp host 66.77.88.99 192.168.1.0 0.0.0.255 eq www
 permit ip any any

Wouldn't it make sense to put these rules in the same ACL? I think whatever material you are trying to read is trying to prepare you, and they believe this is the standard we should conform to when writing our ACL rules to avoid unnecessary headaches. By the way, if you are concerned about the "IP" protocol, don't worry about it, since it encompasses the whole suite of protocols, so it won't be counted against the rule if used properly, like using (permit ip any any) on every ACL when using deny statements.
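As an added illustration (my own code, not from any poster in this thread), here is a small Python model of how IOS walks an extended ACL: first matching line wins, a packet that matches nothing hits the implicit deny, "ip" covers every protocol, and the eq/neq/lt/gt/range operators discussed above. The ACL 110 entries are my assumed answer to the quoted exercise (HTTP to the web server, DNS over UDP and TCP to the DNS server), and the merged list is the two BlockFromBadGuy ACLs combined as suggested; neither is verified Packet Tracer output.

```python
import ipaddress
from typing import NamedTuple, Optional

class Ace(NamedTuple):
    """One line of an extended ACL: action proto src dst [op port(s)]."""
    action: str
    proto: str                 # "ip" matches every IP protocol
    src: str                   # "any", "host A.B.C.D", or "A.B.C.D WILDCARD"
    dst: str
    op: Optional[str] = None   # eq / neq / lt / gt / range on destination port
    ports: tuple = ()

def match_addr(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip == spec.split()[1]
    net, wild = spec.split()
    n, w, a = (int(ipaddress.IPv4Address(x)) for x in (net, wild, ip))
    return (n ^ a) & (0xFFFFFFFF ^ w) == 0   # wildcard 1-bits are "don't care"

def match_port(op: Optional[str], ports: tuple, port: int) -> bool:
    if op is None:
        return True
    lo = ports[0]
    return {"eq": port == lo, "neq": port != lo, "lt": port < lo,
            "gt": port > lo, "range": lo <= port <= ports[-1]}[op]

def evaluate(acl: list, pkt: dict) -> str:
    """First matching entry wins; falling off the end hits the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", pkt["proto"]):
            continue
        if not (match_addr(ace.src, pkt["src"]) and match_addr(ace.dst, pkt["dst"])):
            continue
        if ace.proto in ("tcp", "udp") and not match_port(ace.op, ace.ports, pkt["dport"]):
            continue
        return ace.action
    return "deny"   # the implicit "deny ip any any" every IOS ACL ends with

# Assumed solution to the exercise quoted above (ACL 110, applied outbound on Fa0/1)
ACL_110 = [
    Ace("permit", "tcp", "any", "host 10.10.10.254", "eq", (80,)),   # eq www
    Ace("permit", "udp", "any", "host 10.10.10.250", "eq", (53,)),   # eq domain (queries)
    Ace("permit", "tcp", "any", "host 10.10.10.250", "eq", (53,)),   # DNS over TCP
]

# The two BlockFromBadGuy lists from the post, merged into one named ACL
BLOCK_BAD_GUYS = [
    Ace("deny", "tcp", "host 22.33.44.55", "192.168.1.0 0.0.0.255", "eq", (80,)),
    Ace("deny", "tcp", "host 66.77.88.99", "192.168.1.0 0.0.0.255", "eq", (80,)),
    Ace("permit", "ip", "any", "any"),
]
```

Feed evaluate() a constructed packet dict (proto, src, dst, dport) to see which line it hits; a ping to the web server returns "deny" from the implicit line even though ACL_110 never names it.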
instant000 wrote: » Huh? Please review my explanation above. Thanks!
Only one access list per protocol, per direction, per interface can be applied on a Cisco router. Multiple access lists are permitted per interface, but they must be for a different protocol.