| Author |
access list question...
|
|
|
| Confused about one part of access-list...
In the Sybex book it says that Standard Access list should be located closest to the source and Extended Access list should be located closest to the destination.
But in the Boson tests, it says that standard is closest to the destination and extended is closest to the source...which is correct?
It bothers me because I took the test and this question was on the test.
Any feedback is greatly appreciated! | |
|
| Money,
In the past two weeks there have been several discussions on this Forum concerning the placement of access lists. If you use the search button you can find them easily.
Good luck
6pack | |
|
| standard access-lists do not specify destination address so u have to apply them to the destination and block the specific source ip. bcos if u apply standard access list close to the source it will block all the traffic of that source to all other destination addresses too bcos it cannot specify which destination traffic to block and which to allow.
This has 1 disadvantage:-
The packets from the blocked source travel the whole network and at the destination the packets are dropped by standard access-list.
This disadvantage is removed by extended access-list where u can block the traffic based on source and destination. So u can apply the extended access-list close to the source and specify the destination address traffic to be blocked at the very first instance of entering the network.
Final conclusion:-
standard access-list close to the destination
extended access-list close to source where traffic is generated.
regards
hope it helps.....if this cannot help then there is no other way to explain this concept
if u have any problem lemme know.
| |
|
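Added example, not part of the thread: a small Python model of the trade-off explained in the post above, showing which traffic each placement drops and how far a blocked packet is carried first. The three-router chain, the LAN addresses and the single-deny-then-permit-any ACLs are constructed assumptions.

```python
import ipaddress

# Constructed topology: routers R0-R1-R2 in a chain, one LAN attached to each.
LANS = {"A": ("10.1.1.0/24", 0), "B": ("10.2.2.0/24", 1), "C": ("10.3.3.0/24", 2)}

# Each ACL is modelled as one deny entry followed by "permit any" (assumption).
# Standard, IOS form: access-list 10 deny 10.1.1.0 0.0.0.255
STANDARD = {"src": "10.1.1.0/24"}
# Extended, IOS form: access-list 110 deny ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
EXTENDED = {"src": "10.1.1.0/24", "dst": "10.3.3.0/24"}

def lan_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, (net, _) in LANS.items():
        if addr in ipaddress.ip_network(net):
            return name
    raise ValueError(f"{ip} is not on a modelled LAN")

def denied(acl, src, dst):
    """A standard ACL can only test the source; an extended ACL also tests the destination."""
    if ipaddress.ip_address(src) not in ipaddress.ip_network(acl["src"]):
        return False
    return "dst" not in acl or ipaddress.ip_address(dst) in ipaddress.ip_network(acl["dst"])

def send(src, dst, acl, direction, lan):
    """Return (delivered, links_crossed). The ACL is on the router interface facing
    `lan`: "in" filters packets arriving from that LAN, "out" packets leaving toward it."""
    s, d = lan_of(src), lan_of(dst)
    links = abs(LANS[s][1] - LANS[d][1])      # inter-router links on the path
    if direction == "in" and lan == s and denied(acl, src, dst):
        return False, 0                        # dropped on entry, nothing carried
    if direction == "out" and lan == d and denied(acl, src, dst):
        return False, links                    # carried end to end, then dropped
    return True, links

def evaluate(acl, direction, lan):
    """Policy: LAN A must not reach LAN C but must still reach LAN B."""
    return {"A->C": send("10.1.1.5", "10.3.3.9", acl, direction, lan),
            "A->B": send("10.1.1.5", "10.2.2.7", acl, direction, lan)}

if __name__ == "__main__":
    for label, args in [("standard near source", (STANDARD, "in", "A")),
                        ("standard near destination", (STANDARD, "out", "C")),
                        ("extended near source", (EXTENDED, "in", "A"))]:
        print(label, evaluate(*args))
```

Each result is a (delivered, links_crossed) pair, so the collateral block of A->B and the wasted transit of A->C can be read directly from the output.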
| johny181
You did a great job with your explanation. I don't think that I've read in any books such a clear explanation.
Thanks | |
|
| kind regards to todd - his viewpoint is nonsense (though I can't believe that he writes such a mess - after all, his book is one of the best and error-corrected...)
congratulations to johny - I couldn't have explained it better :-)
siegi
[This message has been edited by edlinger (edited 10-27-2000).] | |
|
| Thanks Johnny...that's exactly what I was looking for. | |
|
| Below is the post of 10-18-20
[Where do you place the standard access-list?
1. close to the source
2. close to the destination
Sybex had conflicting answers itself, so any1 can give me an answer with official doc to back it up?
Thanks
This message has been edited by ciscopro (edited 10-18-2000).]
There has not been a definitive answer to the question.
I have spent some time looking at real Cisco online documentation and found many references to access lists but never found Cisco recommending anything relating to the location of standard or extended access lists. Lammle stated on page 476 that "Cisco's rule of thumb states that standard list should be placed closest to the source, and extended list should be placed closest to the destination". However, in Lammle's ccna_studyguide CD he states that standard IP access lists should be closest to the destination.
So if the above question is a real possibility on the CCNA test where can us lowly test-takers find the "Cisco rule of thumb" for the placement of access list?
If we cannot find the "Cisco" answer to the question then it is somewhat ridiculous to have it on a Cisco test.
| |
|
| Johny101 is perfectly right. | |
|
| you wanted the confirmation from cisco?
here it is:
Where to Place IP Access Lists
Recommended:
Place extended access lists close to the source
Place standard access lists close to the destination
list of reference:
Interconnecting Cisco Network Devices
Volume 2 / Version 1.0a / Page 10-34
Copyright 2000, Cisco Systems, Inc.
satisfied now? :-)
siegi | |
|
| Siegi/Edlinger:
Yes I am very satisfied. This is the perfect definitive type of answer; the "Cisco" one as opposed to yours or someone else's opinion. Not only that, you supplied the reference; so if I want to read more about it I know where to go.
Hopefully we will see more of these perfect answers to direct questions.
Many thanks. | |
|
| unfortunately not all of these questions can be answered as easily as this one...
(have a look at my error-checking-on-frame-relay-question) - no answer till now :-(
siegi |
|
|
|