[CCNA] ACLs

krock83
Hi guys
Does anyone know of any good study guides on ACLs??? I am lacking major knowledge on ACLs. I have purchased a few study guides but they don't go that deep into ACLs. I searched Cisco but I'm looking for more details; Cisco shows you how to configure it versus understanding what it does and how it works. Does anyone have any suggestions?
Thanks

mikeyb4760 Premium Member join:2004-09-25 El Cajon, CA
Basically, you permit or deny traffic from a specific IP address or a group of addresses to go somewhere, or stuff like that. Or you permit HTTP traffic but not telnet or ping traffic. Here's a Cisco PDF doc on configuring ACLs.
usa2k MVM join:2003-01-26 Westland, MI
2010-Jul-31 8:08 pm
Re: [CCNA] ACLs
I *believe* CCNA is just the IP (1 to 99 and 1300 to 1999) and Extended IP (100 to 199 and 2000 to 2699) part of access lists.
Plus know about Named ACLs.
(NOTE: I am still studying.)
HELLFIRE to krock83
Re: [CCNA] ACLs
There's also knowing when to use standard and extended ACLs: standard go close to source, and extended go close to destination... I think :/ Been a while for me since I did NA ACL stuff.
You should also be aware that ACLs are processed in top-down order, and of the existence of an "implicit deny" at the end of every ACL you write. Another thing to be aware of that can confuse you: ACLs use subnet masks (i.e. to permit the 192.168.1.0 network, the mask you'd use is 255.255.255.0), in comparison to the wildcard mask.
I'll stop now, as I remember ACLs were a heavy topic to absorb in NA -- hell, ALL of it was heavy to absorb -- and the link mikeyb4760 posted is a pretty good start.
Regards
cramer Premium Member join:2007-04-10 Raleigh, NC
2010-Aug-1 1:29 am
said by HELLFIRE: There's also knowing when to use standard and extended ACLs : standard go close to source, and extended go close to destination... I think :/ Been awhile for me since I did NA ACL stuff.

It's not like that. Standard vs. extended depends on the type of traffic you want to specify. Standard ACLs are dirt simple; each rule specifies only a single host/network. An extended ACL specifies source and destination, plus deeper protocols -- TCP/UDP port, ICMP types, etc. ACLs define a pattern. That's it. They don't do anything on their own. What they do depends on where they're used.

said by HELLFIRE: ... the existence of an "implicit deny" at the end of every ACL you write. ... subnet masks [snip] in comparison to the wildcard mask.

Implicit permit/deny depends on the ACL. An ACL that contains only permits (or a mix) has an implicit deny at the end. An ACL that contains only denies has an implicit allow at the end. That's an important thing to remember -- even more so when messing with an ACL that's attached to something. ACLs use wildcards, not netmasks. They are the complete opposite of each other.
HELLFIRE to krock83
Corrected / clarified, I knew I should've consulted my little black book on this one... CCNA factoids to know (according to the good book of Cisco):
- standard ACLs are put close to the source and extended ACLs are put close to the destination. For some reason CCNA WILL drill these two points into you.
- ACLs are processed in top-down order
- there is an implicit deny at the end of every list, but as cramer pointed out, it depends on the way the ACL is constructed
- ACLs use the wildcard mask, i.e. "permit 192.168.1.0 0.0.0.255" would permit anything matching the pattern 192.168.1.[anything]. The way to think of how this operates is that a 0 means that particular bit will be checked for a match, while a 1 means it will not be checked for a match.
Thanks for the correction cramer
EDIT: wanted to ask where you came across an 'implicit permit'. First time I've heard of it.
Regards
usa2k MVM
to cramer
Re: [CCNA] ACLs
deny needs to be followed by permit or it's a deny all. So I was told in class today.
LabA#config t
LabA(config)#access-list 10 deny 172.16.40.0 0.0.0.255
LabA(config)#access-list 10 permit any
LabA(config)#int e1
LabA(config-if)#ip access-group 10 out
If the 3rd line is missing ... apparently that is trouble.

said by cramer: An ACL that contains only deny's has an implicit allow at the end.

OK that makes more sense! An implicit "deny any" I think? Like Hellfire said ... (I need to proofread better!!!)
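Added example, written for this page and not posted by anyone in the thread: a small Python evaluator for IOS-style numbered ACLs that makes the points in the last few posts concrete (the wildcard-bit rule HELLFIRE describes, top-down first match, the implicit deny, and usa2k's deny-without-permit-any case). It assumes only a subset of IOS syntax: numbered standard (1-99, 1300-1999) and extended lists, the address forms any / host A.B.C.D / A.B.C.D W.W.W.W, and an optional destination "eq PORT"; keywords such as log or established are not parsed. The ACL lines and packets in the block are constructed for illustration.

```python
# Added example (not from the thread): evaluate IOS-style numbered ACLs the
# way the router does -- wildcard bits, top-down first match, implicit deny.
# Assumption: only the subset of IOS syntax described in the lead-in is parsed.
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' = every bit ignored


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _is_ip(s):
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def wildcard_match(addr, network, wildcard):
    """A 0 bit in the wildcard must match the network; a 1 bit is not checked."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(network) & care)


def wildcard_to_netmask(wildcard):
    """Wildcard and netmask are bitwise complements (0.0.0.255 <-> 255.255.255.0)."""
    return str(ipaddress.IPv4Address(_ip(wildcard) ^ 0xFFFFFFFF))


def _parse_addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D [W.W.W.W]'; return ((net, wc), rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if len(tokens) > 1 and _is_ip(tokens[1]):
        return (tokens[0], tokens[1]), tokens[2:]
    return (tokens[0], "0.0.0.0"), tokens[1:]   # bare address = single host


def parse_acl(lines):
    """Turn 'access-list N permit|deny ...' lines into ordered rule dicts."""
    rules = []
    for line in lines:
        t = line.split()
        if t[:1] != ["access-list"]:
            continue
        number, action, rest = int(t[1]), t[2], t[3:]
        if 1 <= number <= 99 or 1300 <= number <= 1999:   # standard: source only
            src, rest = _parse_addr(rest)
            rules.append(dict(action=action, proto="ip", src=src, dst=ANY, dport=None))
        else:                                               # extended: proto src dst [eq PORT]
            proto = rest[0]
            src, rest = _parse_addr(rest[1:])
            dst, rest = _parse_addr(rest)
            dport = int(rest[1]) if rest[:1] == ["eq"] else None
            rules.append(dict(action=action, proto=proto, src=src, dst=dst, dport=dport))
    return rules


def evaluate(rules, pkt):
    """Top-down, first match wins; a packet matching no line hits the implicit deny."""
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *r["src"]):
            continue
        if not wildcard_match(pkt["dst"], *r["dst"]):
            continue
        if r["dport"] is not None and r["dport"] != pkt.get("dport"):
            continue
        return r["action"]
    return "deny"   # implicit deny any at the end of every list


# Constructed sample lists: usa2k's standard list with and without 'permit any',
# and an extended list that permits web but blocks telnet from one subnet.
STD_WITH_PERMIT = parse_acl(["access-list 10 deny 172.16.40.0 0.0.0.255",
                             "access-list 10 permit any"])
STD_DENY_ONLY = parse_acl(["access-list 10 deny 172.16.40.0 0.0.0.255"])
EXT = parse_acl(["access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80",
                 "access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq 23",
                 "access-list 101 permit icmp any any"])


def pkt(proto, src, dst, dport=None):
    return dict(proto=proto, src=src, dst=dst, dport=dport)


if __name__ == "__main__":
    print(evaluate(STD_WITH_PERMIT, pkt("ip", "172.16.41.9", "10.0.0.1")))   # permit
    print(evaluate(STD_DENY_ONLY, pkt("ip", "172.16.41.9", "10.0.0.1")))     # deny: nothing matched
    print(evaluate(EXT, pkt("tcp", "192.168.1.5", "10.0.0.1", 23)))          # deny
    print(wildcard_match("10.0.2.1", "10.0.0.0", "0.0.254.255"))             # True: even third octet
```

The last call shows why wildcards are not just inverted netmasks: 0.0.254.255 leaves bit 0 of the third octet checked and ignores the rest, matching only even-numbered /24s, which no contiguous netmask can express. The deny-only list returns "deny" for every packet, which is usa2k's "deny all" outcome.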
TomS_ MVM join:2002-07-19 London, UK
to HELLFIRE
Re: [CCNA] ACLs
said by HELLFIRE: There's also knowing when to use standard and extended ACLs : standard go close to source, and extended go close to destination... I think

Nuts to that, named goes everywhere.
cramer Premium Member
to HELLFIRE
said by HELLFIRE: - standard ACLs are put close to the source and extended ACLs are put close to the destination.

What does that even mean? Std ACLs only have one address -- I'll assume they mean "source address". Extd ACLs specify both src and dst addresses. (I don't use std ACLs (where possible) because of this ambiguity.)

said by HELLFIRE: EDIT : wanted to ask where you came across about an 'implicit permit'. First time I've heard of it.

IOS 10.0 documentation from decades past (and maybe PIX docs.) It's not like Cisco engineers don't wake up one morning and decide to change the way stuff has worked for 10 years. *cough*ASA 8.3*cough*
to TomS_
said by TomS_: said by HELLFIRE: There's also knowing when to use standard and extended ACLs : standard go close to source, and extended go close to destination... I think -- Nuts to that, named goes everywhere.

We think alike on this one! lol. I use named ACLs all the time; for me it makes it easier to remember what I'm doing with the traffic.
krock83
Hi guys, thanks a lot, this makes more sense now. Now that I have seen what you guys know and put that into practice it doesn't seem hard at all. Yes there will be complications, but as long as I know how it works and what the difference between extended and standard ACLs is, it makes a world of difference. I'm not sure why Cisco can't come out with a book that doesn't involve 3 chapters on one topic (such as this one). Thanks a bunch one more time
said by krock83: Im not sure why cant cisco come out with a book that dosent involve 3 chapters on one topic (such as this one) Thanks a bunch one more time

If you decide to go on to CCNP, you'll see 3 chapters on EIGRP and about 6 chapters of BGP. lol.
HELLFIRE to krock83
said by cramer: What does that even mean? Std acls only have one address -- I'll assume they mean "source address". Extd acls specify both src and dst addresses. (I don't use std acls (where possible) because of this ambiguity.)

Std ACLs ONLY specify source address, while Ext ACLs specify source, destination and protocol... and now that I've been in the field for a while, I agree it's a very BS comment where you should put your ACLs. The correct answer: wherever the hell they'll do whatever they're designed to do, is my view, but for some reason my CCNA instructor was VERY insistent on getting this point across, and I think I also had a question or two on the cert exam that asked where to put the ACLs. I mentioned this point strictly from a CCNA learning perspective. The real world doesn't do "what might have been," it does "what actually works."

said by cramer: IOS 10.0 documentation from decades past (and maybe pix docs.) It's not like Cisco engineers don't wake up one morning and decide to change the way stuff has worked for 10 years. *cough*asa 8.3*cough*

Got a link for it? I was hunting around cisco.com for "implicit permit" but didn't find anything.
Regards
usa2k MVM
2010-Aug-1 1:39 pm
cramer Premium Member
to HELLFIRE
Do I have a link? Heh, no. Because it was from one of the IOS reference books, from way back when Cisco gave you printed documentation. Current (2007) [web] documentation states: ACLs are processed in order until the first match is made; if no rules match, the packet is dropped.