There was a great question on Access-Lists on the CCNA test I took recently. There is a switch on one side with 4 hosts, and router in the middle and on the other end of the router is a web server. You had to configure the router with an access-list that would only allow one of the 4 hosts could pass traffic on port 80 to the web server and the other hosts could not. All other traffic is allowed. It was a great question! Not a give away but not ridiculously hard either. Just a heads up! Oh yeah, 3 lines or less - and you had to apply the access list in the right direction on the right interface.

I'm guessing that the best way to do this would be to set up an extended access list and apply it to the inbound interface that connected the switch to the router. Something like this:

(config)#access-list 100 permit tcp 192.168.0.2 0.0.0.0 192.168.1.1 eq 80
(config)#access-list 100 deny tcp any 192.168.1.1 eq 80
(config)#access-list 100 permit any any
(config)#int fa0/0
(config-if)#ip access-group 100 in

I know you said it had to be done in 3 lines, but I assume you meant that the access-list could only be 3 lines. I think this should work, any comments?

Normally extended acls should be placed as close to the source as possible but I think in this case the only way to meet the 3 line rule would be to place it on the outbound interface of the router and simply permit only the host IP address of the relevant host and use the implicit deny rule to prevent the other 3 hosts gaining access. Something like this:

access-list 100 permit tcp 'host IP' 'dest IP' eq 80
int fa0/0
ip access-group 100 out

What do you think?

The problem that I see with that sort of access list is that it will now only allow traffic from 1 host IP with a destination port of 80 and a certain destination IP to pass through it. That seems to be against everything that is taught in the book. Extended access lists should only be applied on ports closest to the source and should be applied on the inbound, standard access lists should be applied on the closest to the destination ports on the outbound. Without the specifics of the question, such as the IP range, it's hard to say. If the question is saying to block only traffic on a specific port, everything I have read tells me that this should be an extended access list that is placed on the port that is closest to the source, otherwise you will inadvertently be blocking all traffic except that which you explicitly allow.

Todd,
Any input on this one?

Good point, hadn't realised that, guess that could explain why I failed my exam yesterday!! Was 24 points shy of the pass mark which is a little hard to take.

My only advice would be to make sure you read Todd's updates on this web-site with regard to course content. I didn't and got 2 questions on WLANs that I couldn't answer which was the difference between a pass and a fail.

Also, if you can, get some practice with scenario-based questions and also questions with illustrations/topologies. I was faced with 2 or 3 in the exam that I spent far too long on which lead to a bit of a rushed finish.

Hi friends,

What I gathered from the posts, it seems the access-list should be somewhat like this:

Access-li 100 permit host "source/FROM" host "destination/TO" eq 80
access-li 100 deny any host "destination/TO" eq 80 (all other www traffic has to be denied)
access-li 100 permit ip any any (all other traffic should be permitted)
Interface f0/0 (the interface that connects to web server)
ip access-group 100 out

Cheers

A.