krock83 (Member, joined 2010-03-02):

[CCNA] ACL's

Hi guys

Does anyone have any good study guides on ACLs? I am lacking major knowledge on ACLs. I have purchased a few study guides, but they don't go that deep into the study of ACLs. I searched Cisco, but I'm looking for more details; Cisco shows you how to configure it versus understanding what it does and how it works. Does anyone have any suggestions?

Thanks

mikeyb4760 (Premium Member, joined 2004-09-25, El Cajon, CA):

Attachment: ACL overview.pdf (73,816 bytes)
Basically, you permit or deny traffic from a specific IP address or a group of addresses to go somewhere, or stuff like that. Or you permit HTTP traffic but not telnet or ping traffic.

Here's a Cisco PDF doc on configuring ACLs.

usa2k (MVM, joined 2003-01-26, Westland, MI):

Re: [CCNA] ACLs

I *believe* CCNA is just the
 IP 1 to 99 and 1300 to 1999
 Extended IP 100 to 199 and 2000 to 2699

part of access lists

Plus know about Named ACLs.

(NOTE: I am still studying.)
HELLFIRE (MVM, joined 2009-11-25) to krock83:

Re: [CCNA] ACL's

There's also knowing when to use standard and extended ACLs: standard go close to the source, and extended
go close to the destination... I think :/ Been a while for me since I did NA ACL stuff.

You should also be aware that ACLs are processed in top-down order, and that there is an
"implicit deny" at the end of every ACL you write. Another thing to be aware of that can confuse you: ACLs
use subnet masks (i.e. to permit the 192.168.1.0 network, the mask you'd use is 255.255.255.0), in
comparison to the wildcard mask.

I'll stop now, as I remember ACLs were a heavy topic to absorb in NA -- hell, ALL of it was heavy
to absorb, and the link mikeyb4760 posted is a pretty good start.

Regards
cramer (Premium Member, joined 2007-04-10, Raleigh, NC):
said by HELLFIRE:

There's also knowing when to use standard and extended ACLs : standard go close to source, and extended
go close to destination... I think :/ Been awhile for me since I did NA ACL stuff.
It's not like that. Standard vs. extended depends on the type of traffic you want to specify. Standard ACLs are dirt simple; each rule specifies only a single host/network. An extended ACL specifies source and destination, plus deeper protocols -- TCP/UDP port, ICMP types, etc.

ACLs define a pattern. That's it. They don't do anything on their own. What they do depends on where they're used.
... the existence of an "implicit deny" at the end of every ACL you write. ... subnet masks [snip] in comparison to the wildcard mask.
Implicit permit/deny depends on the ACL. An ACL that contains only permits (or a mix) has an implicit deny at the end. An ACL that contains only denies has an implicit allow at the end. That's an important thing to remember -- even more so when messing with an ACL that's attached to something.

ACLs use wildcards, not netmasks. They are the complete opposite of each other.
HELLFIRE (MVM, joined 2009-11-25) to krock83:
Corrected / clarified. I knew I should've consulted my little black book on this one...

CCNA factoids to know (according to the good book of Cisco) :

- standard ACLs are put close to the source and extended ACLs are put close to the destination.
For some reason CCNA WILL drill these two points into you.

- ACLs are processed in top-down order

- there is an implicit deny at the end of every list, but as cramer pointed out, it depends on the
way the ACL is constructed

- ACLs use the wildcard mask, i.e. "permit 192.168.1.0 0.0.0.255" would permit anything matching the pattern
192.168.1.[anything]. The way to think of how this operates is that a 0 means that particular bit will
be checked for a match, while a 1 means it will not be checked for a match.

Thanks for the correction cramer

EDIT: wanted to ask where you came across an 'implicit permit'. First time I've heard of it.

Regards

usa2k (MVM, joined 2003-01-26, Westland, MI) to cramer:

Re: [CCNA] ACL's

deny needs to be followed by permit or it's a deny all.
So I was told in class today.

LabA#config t
LabA(config)#access-list 10 deny 172.16.40.0 0.0.0.255
LabA(config)#access-list 10 permit any
LabA(config)#int e1
LabA(config-if)#ip access-group 10 out
 

If the 3rd line is missing ... apparently that is trouble.
said by cramer:

An ACL that contains only deny's has an implicit allow at the end.
OK, that makes more sense! An implicit "deny any", I think? Like Hellfire said ... (I need to proofread better!!!)
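The matching rules argued over in the posts above (HELLFIRE's wildcard-mask factoids, cramer's standard-vs-extended distinction, and usa2k's access-list 10 with and without the trailing "permit any") modelled as a small Python evaluator. This is an added example, not code from the thread or from Cisco; it assumes the behaviour usa2k and cramer cite from Cisco's documentation (top-down, first match wins, a packet matching no rule is dropped). The Rule class, the packet dict layout, and every ACL and packet below are this example's own constructions.

```python
"""Toy model of Cisco IOS-style IPv4 access lists (added example, not from
the thread or from Cisco): wildcard-mask matching, top-down first-match
evaluation, and the implicit deny at the end of the list.

The Rule class, the packet dict layout and all sample ACLs/packets below
are this example's own constructions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # IOS "any": every bit is don't-care


def _int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit means 'must match', a 1 bit means
    'don't care'. This is the inverse of a subnet mask."""
    must_match = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & must_match) == (_int(network) & must_match)


def wildcard_from_mask(mask: str) -> str:
    """Convert a subnet mask to the wildcard IOS expects (255.255.255.0 -> 0.0.0.255)."""
    return str(ipaddress.IPv4Address(_int(mask) ^ 0xFFFFFFFF))


def host(addr: str) -> Tuple[str, str]:
    """IOS 'host A.B.C.D': all 32 bits must match."""
    return (addr, "0.0.0.0")


@dataclass
class Rule:
    action: str                          # "permit" or "deny"
    src: Tuple[str, str]                 # (network, wildcard)
    # The fields below only exist on extended ACLs; a standard ACL leaves
    # them at these defaults and therefore looks at the source address alone.
    proto: str = "ip"                    # "ip" (any), "tcp", "udp", "icmp"
    dst: Tuple[str, str] = ANY
    dst_port: Optional[int] = None       # IOS "eq <port>"

    def matches(self, pkt: Dict) -> bool:
        if not wildcard_match(pkt["src"], *self.src):
            return False
        if not wildcard_match(pkt["dst"], *self.dst):
            return False
        if self.proto != "ip" and pkt.get("proto") != self.proto:
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return True


def evaluate(acl: List[Rule], pkt: Dict) -> Tuple[str, Optional[int]]:
    """Walk the list top-down; the first matching rule decides. Falling off
    the end is the implicit deny, reported with index None."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


# usa2k's access-list 10, with and without the trailing "permit any".
ACL_10_NO_PERMIT = [Rule("deny", ("172.16.40.0", "0.0.0.255"))]
ACL_10 = ACL_10_NO_PERMIT + [Rule("permit", ANY)]

# A constructed extended list: web to one server plus ICMP, nothing else.
ACL_101 = [
    Rule("permit", ANY, proto="tcp", dst=host("10.0.0.5"), dst_port=80),
    Rule("permit", ANY, proto="icmp"),
]


def demo() -> Dict[str, Tuple[str, Optional[int]]]:
    """Return the verdict for a handful of constructed packets."""
    outside = {"src": "10.1.1.1", "dst": "10.2.2.2", "proto": "tcp", "dport": 443}
    inside = {"src": "172.16.40.9", "dst": "10.2.2.2", "proto": "tcp", "dport": 443}
    web = {"src": "10.1.1.1", "dst": "10.0.0.5", "proto": "tcp", "dport": 80}
    telnet = {"src": "10.1.1.1", "dst": "10.0.0.5", "proto": "tcp", "dport": 23}
    return {
        "acl10 no permit, outside src": evaluate(ACL_10_NO_PERMIT, outside),  # implicit deny
        "acl10, outside src": evaluate(ACL_10, outside),
        "acl10, 172.16.40.x src": evaluate(ACL_10, inside),
        "acl101, web": evaluate(ACL_101, web),
        "acl101, telnet": evaluate(ACL_101, telnet),                          # implicit deny
    }


if __name__ == "__main__":
    for name, (verdict, idx) in demo().items():
        where = "implicit deny" if idx is None else f"rule {idx}"
        print(f"{name:32s} -> {verdict} ({where})")
```

Running it prints one verdict per constructed packet. The two implicit-deny results are the case usa2k's instructor warned about: with only the deny line present, traffic from 10.1.1.1 is dropped even though nothing names it. The wildcard helper also makes cramer's point concrete: feeding the subnet mask 255.255.255.0 where a wildcard is expected matches 10.20.30.0 against 192.168.1.0 and rejects 192.168.1.7, because the low octet is the only part being checked.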

TomS_ (MVM, joined 2002-07-19, London, UK) to HELLFIRE:

Re: [CCNA] ACL's

said by HELLFIRE:

There's also knowing when to use standard and extended ACLs : standard go close to source, and extended
go close to destination... I think
Nuts to that, named goes everywhere.
cramer (Premium Member, joined 2007-04-10, Raleigh, NC) to HELLFIRE:
said by HELLFIRE:

- standard ACLs are put close to the source and extended ACLs are put close to the destination.
What does that even mean? Std acls only have one address -- I'll assume they mean "source address". Extd acls specify both src and dst addresses. (I don't use std acls (where possible) because of this ambiguity.)
EDIT : wanted to ask where you came across about an 'implicit permit'. First time I've heard of it.
IOS 10.0 documentation from decades past (and maybe PIX docs). It's not like Cisco engineers don't wake up one morning and decide to change the way stuff has worked for 10 years. *cough*ASA 8.3*cough*

phantasm11b (Premium Member, joined 2007-11-02) to TomS_:
said by TomS_:

said by HELLFIRE:

There's also knowing when to use standard and extended ACLs : standard go close to source, and extended
go close to destination... I think
Nuts to that, named goes everywhere.
We think alike on this one! lol. I use named ACLs all the time; for me it makes it easier to remember what I'm doing with the traffic.
krock83 (Member, joined 2010-03-02):

Hi guys

Thanks a lot, this makes more sense now. Now that I have seen what you guys know and put that into practice, it doesn't seem hard at all. Yes, there will be complications, but as long as I know how it works and what the difference between extended and standard ACLs is, it makes a world of difference. I'm not sure why Cisco can't come out with a book that doesn't involve 3 chapters on one topic (such as this one).

Thanks a bunch one more time

phantasm11b (Premium Member, joined 2007-11-02):

said by krock83:

I'm not sure why Cisco can't come out with a book that doesn't involve 3 chapters on one topic (such as this one).

Thanks a bunch one more time
If you decide to go onto CCNP, you'll see 3 chapters on EIGRP and about 6 chapters of BGP. lol.
HELLFIRE (MVM, joined 2009-11-25) to krock83:
said by cramer:

What does that even mean? Std acls only have one address -- I'll assume they mean "source address". Extd acls specify both src and dst addresses. (I don't use std acls (where possible) because of this ambiguity.)
Std ACLs ONLY specify source address, while Ext ACLs specify source,
destination and protocol... and now that I've been in the field for
a while, I agree it's a very BS comment where you should put your ACLs.
The correct answer: wherever the hell they'll do whatever they're
designed to do, is my view, but for some reason my CCNA instructor was
VERY insistent on getting this point across, and I think I also had a
question or two on the cert exam that asked where to put the ACLs.

I mentioned this point strictly from a CCNA learning perspective. The
real world doesn't do "what might have been," it does "what actually
works."
said by cramer:

IOS 10.0 documentation from decades past (and maybe pix docs.) It's not like Cisco engineers don't wake up one morning and decide to change the way stuff has worked for 10 years. *cough*asa 8.3*cough*
Got a link for it? I was hunting around cisco.com for "implicit permit"
but didn't find anything.

Regards

usa2k (MVM, joined 2003-01-26, Westland, MI):

By default, there is an implicit deny all clause at the end of every ACL. Anything that is not explicitly permitted is denied.

A good link
»articles.techrepublic.co ··· 134.html
cramer (Premium Member, joined 2007-04-10, Raleigh, NC) to HELLFIRE:
Do I have a link? Heh, no. Because it was from one of the IOS reference books, from way back when Cisco gave you printed documentation.

Current (2007) [web] documentation states: ACLs are processed in order until the first match is made; if no rules match, the packet is dropped.