
Official Lammle User Forum

  1. #1
    Join Date: Feb 2012 | Posts: 12

    understanding the 7th edition access list page 616 and 617

    In this setup it reads that the users on the Sales Lan should not have access to the Finance Lan, but they should be able to access the Internet and the marketing department files.

    The Sales Lan is on interface f0/0 172.16.40.0/24
    The Finance Lan is on interface 0/1 172.16.50.0 /24
    The Marketing lan is on f1/0 172.16.60.0 /24

    The access List reads

    Lab_A#config t
    Lab_A(config)#access-list 10 deny 172.16.40.0 0.0.0.255
    Lab_A(config)#access-list 10 permit any

    He goes on to applying it to the f0/1 interface out.

    Lab_A(config)#int fa0/1
    Lab_A(config-if)#ip access-group 10 out

    What I don't understand is why he is applying it to the out interface on f0/1.

    Wouldn't that block anyone on the f0/1 interface from getting out to the 172.16.40.0 subnet?

    Would it block the 172.16.40.0 subnet from going into the f0/1 interface?

    If you applied it to the f0/1 interface in, would that not keep anyone from the 172.16.40.0 interface from entering the f0/1 interface?

    Thx for your help and comments.

  2. #2
    Join Date: Feb 2012 | Posts: 12

    My alternate theory is that by applying it to the outside of interface f0/1, it keeps the router from having to process the packets, lowering CPU usage. If you applied it in, it would have to allow all the packets into the interface before denying them access?

  3. #3
    Join Date: Nov 2008 | Location: Birmingham, UK | Posts: 1,428

    By denying 172.16.40.0 0.0.0.255 in the access list, you are matching the Sales LAN. By applying this outbound on fa0/1 (the Finance LAN) you deny the Sales LAN access to the Finance LAN, which was the design goal. Applying it inbound would do nothing because the Finance LAN is not found on this interface.
    CCNP R&S, CCNA DC
    Currently studying: CCIE R&S, CCNP Data Centre
    Follow my CCIE progress with study notes on my blog: http://beyondccna.blogspot.co.uk/

  4. #4
    Join Date: Feb 2012 | Posts: 12

    Wow all this is quite mind boggling sometimes.

    However, I think I got it straight. Any traffic coming into the router from outside of the router is IN.

    Once it's in the router it has to find the exit interface, aka Out.

    So if the traffic is internalized or coming from the router it has to exit an Out interface.

    When you place the ACL on F0/1 out you're basically posting a guard on the exit door inside of the router. That guard makes sure all traffic is permitted to leave the router.

    When you place an ACL on F0/1 it's placing a guard outside guarding traffic coming into the router.

  5. #5
    Join Date: Mar 2008 | Posts: 2,888

    Yes and no mate -
    On the interface's ACL you can say either in or out.

    For example -

    LAN----in--router--out-----WAN

    Say you wanted to stop people on the LAN accessing the web - you could put an ACL that said deny all 80/443 "in" on the LAN facing port. Or you could say deny all 80/443 "out" on the WAN interface.

    Although these would do the same thing - the overhead of the router looking up the destination then forwarding this toward the WAN interface only for it to be dropped is something to think about. This works the other way too for traffic coming from the WAN - you would always block the traffic at the WAN "in".

    Cisco best practice says about where to place ACLs.

    HTH.
    Maddox Thomas-Clark 14/10/2008
    Bean Thomas-Clark 18/09/2007
    Big Evils Cisco World
    Linkedin

  6. #6
    Join Date: Feb 2012 | Posts: 79

    I did it verbatim in Packet Tracer and I get a destination unreachable when pinging from the Sales (172.16.40.0) dept to the finance (172.16.50.0) dept. So that part did correctly, but what's odd is when I ping from the finance dept to the sales dept it times out, but I can ping the marketing dept......any clue?
    Last edited by cableguy3443; 03-12-2012 at 11:06 PM.

  7. #7
    Join Date: Feb 2012 | Posts: 79

    Somebody has an answer for this surely, right?

  8. #8
    Join Date: Aug 2011 | Location: Plano, TX | Posts: 92

    Generally speaking a destination unreachable error means the outbound ICMP request message could not be routed to the destination. A timed out error means the request got to the remote end but the remote end was not able to get the ICMP response back to the local node.

    This can happen for a number of reasons including the remote end having no route to the local node or (more likely in this case) there being an ACL in place somewhere that prevents the ICMP response packet from reaching the local node.
    Bob Dempsey
    CCNA
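The following is an added worked example, not code from the thread or from the Lammle book. It models the three-LAN router from the original post (interface names and subnets taken from post #1) as a small Python simulation of Cisco wildcard-mask matching and in/out ACL evaluation, so the points made in posts #3, #5 and #8 can be checked rather than argued: binding ACL 10 outbound on fa0/1 blocks Sales to Finance, binding it inbound on fa0/1 blocks nothing, and a ping from Finance to Sales "times out" rather than "unreachable" because it is the reply, not the request, that the ACL drops. The host addresses, the `SUBNETS` table and the `ping` outcome strings are constructed for illustration; the "unreachable goes to the sender of the dropped packet" behaviour is an assumption based on IOS's default of returning an ICMP administratively-prohibited message when an ACL denies a packet.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology from post #1: three LANs on one router (Lab_A).
SUBNETS = {
    "fa0/0": ipaddress.ip_network("172.16.40.0/24"),  # Sales
    "fa0/1": ipaddress.ip_network("172.16.50.0/24"),  # Finance
    "fa1/0": ipaddress.ip_network("172.16.60.0/24"),  # Marketing
}


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is don't-care."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class StandardACL:
    number: int
    entries: list  # (action, base, wildcard) tuples, evaluated top-down

    def decide(self, src):
        """Standard ACLs match on source address only; first hit wins."""
        for action, base, wildcard in self.entries:
            if wildcard_match(src, base, wildcard):
                return action
        return "deny"  # the implicit deny at the end of every ACL


# access-list 10 deny 172.16.40.0 0.0.0.255 / access-list 10 permit any
ACL10 = StandardACL(10, [
    ("deny", "172.16.40.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),  # "permit any"
])


def interface_for(addr):
    """Which router interface faces the LAN containing addr (None if unknown)."""
    for name, net in SUBNETS.items():
        if ipaddress.ip_address(addr) in net:
            return name
    return None


def forward(src, dst, bindings):
    """Walk one packet through the router.

    bindings maps (interface, "in"|"out") -> ACL, i.e. the effect of
    `ip access-group <n> in|out` on that interface.  The inbound ACL of the
    arrival interface is checked first, then the outbound ACL of the exit
    interface.  Returns 'forwarded' or a description of where it was dropped.
    """
    in_if = interface_for(src)   # LAN the packet arrives from
    out_if = interface_for(dst)  # LAN the router would send it to
    acl = bindings.get((in_if, "in"))
    if acl and acl.decide(src) == "deny":
        return f"dropped by ACL {acl.number} inbound on {in_if}"
    acl = bindings.get((out_if, "out"))
    if acl and acl.decide(src) == "deny":
        return f"dropped by ACL {acl.number} outbound on {out_if}"
    return "forwarded"


def ping(src, dst, bindings):
    """What the host at src sees when it pings dst.

    Assumption (IOS default): when an ACL drops a packet the router sends an
    ICMP unreachable back to the *sender of that packet*.  So a dropped echo
    request shows up at src as 'destination unreachable', but a dropped echo
    reply is reported to dst, and src simply never hears back (a timeout).
    """
    if forward(src, dst, bindings) != "forwarded":
        return "destination unreachable"
    if forward(dst, src, bindings) != "forwarded":
        return "request timed out"
    return "reply"


if __name__ == "__main__":
    book = {("fa0/1", "out"): ACL10}   # the book's placement
    wrong = {("fa0/1", "in"): ACL10}   # the placement post #3 says does nothing
    for label, b in (("fa0/1 out", book), ("fa0/1 in", wrong)):
        print(f"--- ACL 10 applied {label} ---")
        print("Sales   -> Finance  :", ping("172.16.40.10", "172.16.50.10", b))
        print("Finance -> Sales    :", ping("172.16.50.10", "172.16.40.10", b))
        print("Finance -> Marketing:", ping("172.16.50.10", "172.16.60.10", b))
        print("Sales   -> Marketing:", ping("172.16.40.10", "172.16.60.10", b))
```

Running it reproduces what post #6 saw in Packet Tracer: with the ACL outbound on fa0/1, Sales to Finance gets "destination unreachable", Finance to Sales gets "request timed out" (the request crosses fa0/0 untouched, the reply from Sales is the packet ACL 10 denies), and both LANs still reach Marketing. With the same ACL inbound on fa0/1 every ping succeeds, because the only packets entering fa0/1 come from the Finance LAN, which the list permits.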
