krock83

join:2010-03-02

[CCNA] ACL's

Hi guys

Does anyone know any good study guides on ACLs??? I am lacking major knowledge on ACLs. I have purchased a few study guides but they don't go that deep into the study of ACLs. I searched Cisco but I'm looking for more details; Cisco shows you how to configure it versus understanding what it does and how it works. Does anyone have any suggestions?

Thanks


mikeyb4760
Premium
join:2004-09-25
El Cajon, CA

1 edit
Attachment: ACL overview.pdf (73,816 bytes)
Basically, you permit or deny traffic from a specific ip address or a group of addresses to go somewhere or stuff like that. Or you permit HTTP traffic but not telnet or ping traffic.

Here's a Cisco PDF doc on configuring ACLs.


usa2k
Blessed
Premium,MVM
join:2003-01-26
Redford, MI
kudos:3

Re: [CCNA] ACLs

I *believe* CCNA is just the
 IP 1 to 99 and 1300 to 1999
 Extended IP 100 to 199 and 2000 to 2699

part of access lists

Plus know about Named ACLs.

(NOTE: I am still studying.)

HELLFIRE
Premium
join:2009-11-25
kudos:19
reply to krock83

Re: [CCNA] ACL's

There's also knowing when to use standard and extended ACLs: standard go close to source, and extended
go close to destination... I think :/ Been a while for me since I did NA ACL stuff.

You should also be aware that ACLs are processed in a top-down order, and that there is an
"implicit deny" at the end of every ACL you write. Another thing to be aware of that can confuse you: ACLs
use subnet masks (i.e. to permit the 192.168.1.0 network, the mask you'd use is 255.255.255.0), in
comparison to the wildcard mask.

I'll stop now as I remember ACLs were a heavy topic to absorb in NA -- hell, ALL of it was heavy
to absorb, and the link mikeyb4760 posted is a pretty good start.

Regards

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9
said by HELLFIRE:

There's also knowing when to use standard and extended ACLs: standard go close to source, and extended
go close to destination... I think :/ Been a while for me since I did NA ACL stuff.
It's not like that. Standard vs. extended depends on the type of traffic you want to specify. Standard ACLs are dirt simple; each rule specifies only a single host/network. An extended ACL specifies source and destination, plus deeper protocols -- tcp/udp port, icmp types, etc.

ACLs define a pattern. That's it. They don't do anything on their own. What they do depends on where they're used.

... the existence of an "implicit deny" at the end of every ACL you write. ... subnet masks [snip] in comparison to the wildcard mask.
Implicit permit/deny depends on the ACL. An ACL that contains only permits (or a mix) has an implicit deny at the end. An ACL that contains only denies has an implicit allow at the end. That's an important thing to remember -- even more so when messing with an ACL that's attached to something.

ACLs use wildcards, not netmasks. They are the complete opposite of each other.

HELLFIRE
Premium
join:2009-11-25
kudos:19

2 edits
reply to krock83
Corrected / clarified; I knew I should've consulted my little black book on this one...

CCNA factoids to know (according to the good book of Cisco):

- standard ACLs are put close to the source and extended ACLs are put close to the destination.
For some reason CCNA WILL drill these two points into you.

- ACLs are processed in top-down order

- there is an implicit deny at the end of every list, but as cramer pointed out, it depends on the
way the ACL is constructed

- ACLs use the wildcard mask, i.e. "permit 192.168.1.0 0.0.0.255" would permit anything matching the pattern
192.168.1.[anything]. The way to think of how this operates is that a 0 means that particular bit will
be checked for a match, while a 1 means it will not be checked for a match.

Thanks for the correction cramer

EDIT : wanted to ask where you came across about an 'implicit permit'. First time I've heard of it.

Regards


usa2k
Blessed
Premium,MVM
join:2003-01-26
Redford, MI
kudos:3

4 edits
reply to cramer

Re: [CCNA] ACL's

Deny needs to be followed by permit, or it's a deny all.
So I was told in class today.

LabA#config t
LabA(config)#access-list 10 deny 172.16.40.0 0.0.0.255
LabA(config)#access-list 10 permit any
LabA(config)#int e1
LabA(config-if)#ip access-group 10 out
 

If the 3rd line is missing ... apparently that is trouble.
said by cramer:

An ACL that contains only deny's has an implicit allow at the end.
OK that makes more sense! An implicit "deny any" I think? Like Hellfire said ... (I need to proofread better!!!)

--

Jim, VoIP 12/2002, VOIPo 2/2007
FAH-Tool~Pets~Join Artist-247
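As an added example (not from any poster here, and not Cisco code), the following small Python evaluator applies the wildcard-mask rule HELLFIRE describes and the top-down, first-match, implicit-deny processing to usa2k's access-list 10, so you can see the "missing 3rd line" case turn into a deny-all. It assumes the no-match-is-dropped behaviour cramer quotes from the current documentation, and the parser only understands the standard-ACL forms shown in this thread plus "host".

```python
import ipaddress

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(addr, network, wildcard):
    """Wildcard bit 0 = this bit must match, 1 = don't care (the reverse of a
    subnet mask). The address matches when it agrees with the network on
    every bit where the wildcard is 0."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(network) & care)

def parse_acl(lines):
    """Parse 'access-list N permit|deny <addr> [wildcard]', 'host <addr>' or
    'any' lines into (action, network, wildcard) tuples, keeping their order."""
    rules = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        action, target = parts[2], parts[3]
        if target == "any":
            rules.append((action, "0.0.0.0", "255.255.255.255"))
        elif target == "host":
            rules.append((action, parts[4], "0.0.0.0"))
        elif len(parts) == 4:
            rules.append((action, target, "0.0.0.0"))  # bare address = single host
        else:
            rules.append((action, target, parts[4]))
    return rules

def evaluate(rules, src):
    """Top-down, first match wins; a packet matching no rule hits the
    implicit deny at the end of the list (assumed, per the thread)."""
    for action, network, wildcard in rules:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"

# Constructed sample: usa2k's access-list 10, with and without the 3rd line.
ACL_WITH_PERMIT = [
    "access-list 10 deny 172.16.40.0 0.0.0.255",
    "access-list 10 permit any",
]
ACL_DENY_ONLY = ACL_WITH_PERMIT[:1]

if __name__ == "__main__":
    for src in ("172.16.40.7", "172.16.41.7"):
        print(src, "with permit any:", evaluate(parse_acl(ACL_WITH_PERMIT), src),
              "| deny only:", evaluate(parse_acl(ACL_DENY_ONLY), src))
```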


TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5
reply to HELLFIRE

Re: [CCNA] ACL's

said by HELLFIRE:

There's also knowing when to use standard and extended ACLs : standard go close to source, and extended
go close to destination... I think
Nuts to that, named goes everywhere.

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9
reply to HELLFIRE
said by HELLFIRE:

- standard ACLs are put close to the source and extended ACLs are put close to the destination.
What does that even mean? Std acls only have one address -- I'll assume they mean "source address". Extd acls specify both src and dst addresses. (I don't use std acls (where possible) because of this ambiguity.)

EDIT : wanted to ask where you came across about an 'implicit permit'. First time I've heard of it.
IOS 10.0 documentation from decades past (and maybe pix docs.) It's not like Cisco engineers don't wake up one morning and decide to change the way stuff has worked for 10 years. *cough*asa 8.3*cough*


phantasm11b
Premium
join:2007-11-02
reply to TomS_
said by TomS_:

said by HELLFIRE:

There's also knowing when to use standard and extended ACLs : standard go close to source, and extended
go close to destination... I think
Nuts to that, named goes everywhere.
We think alike on this one! lol. I use named ACLs all the time; for me it makes it easier to remember what I'm doing with the traffic.
--
"There are two American flags flying on the property I reside on. Anyone who tries to take them down will be rendered inoperative." -Lindy

krock83

join:2010-03-02
reply to krock83
Hi guys

Thanks a lot, this makes more sense now. Now that I have seen what you guys know and put that into practice it doesn't seem hard at all. Yes, there will be complications, but as long as I know how it works and what the difference between extended and standard ACLs is, it makes the world of difference. I'm not sure why Cisco can't come out with a book that doesn't involve 3 chapters on one topic (such as this one).

Thanks a bunch one more time


phantasm11b
Premium
join:2007-11-02
said by krock83:

I'm not sure why Cisco can't come out with a book that doesn't involve 3 chapters on one topic (such as this one).

Thanks a bunch one more time
If you decide to go onto CCNP, you'll see 3 chapters on EIGRP and about 6 chapters of BGP. lol.
--
"There are two American flags flying on the property I reside on. Anyone who tries to take them down will be rendered inoperative." -Lindy

HELLFIRE
Premium
join:2009-11-25
kudos:19
reply to krock83
said by cramer:

What does that even mean? Std acls only have one address -- I'll assume they mean "source address". Extd acls specify both src and dst addresses. (I don't use std acls (where possible) because of this ambiguity.)
Std ACLs ONLY specify source address, while Ext ACLs specify source,
destination and protocol... and now that I've been in the field for
a while, I agree it's a very BS comment where you should put your ACLs.
The correct answer : wherever the hell they'll do whatever they're
designed to do is my view, but for some reason my CCNA instructor was
VERY insistent on getting this point across, and I think I also had a
question or two on the cert exam that asked where to put the ACLs.

I mentioned this point strictly from a CCNA learning perspective. The
real world doesn't do "what might have been," it does "what actually
works"

said by cramer:

IOS 10.0 documentation from decades past (and maybe pix docs.) It's not like Cisco engineers don't wake up one morning and decide to change the way stuff has worked for 10 years. *cough*asa 8.3*cough*
Got a link for it? I was hunting around cisco.com for "implicit permit"
but didn't find anything.

Regards



cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9
reply to HELLFIRE
Do I have a link? Heh, No. Because it was from one of the IOS reference books. From way back when Cisco gave you printed documentation.

Current (2007) [web] documentation states: ACLs are processed in order until the first match is made; if no rules match, the packet is dropped.