Access List- Help
WOODMAN 2001-02-19, 12:38 pm

Guys, I need your help!! I can't understand "access-list". I am having trouble mainly with the terminology, i.e. in/out/permit/deny.
If anyone can help me out, please do. I am using Sybex and also Cisco Press and for some reason I am still having a mental block on this topic. Mainly I'm looking for a better reference if there is one. Once I complete this, I'll be ready for the exam.
Thanx Guys,
WoodMan
First, I'd like to thank you, dmaftei, for your quick reply on this matter.
I'm still a little vague as to the terms "in/out" as applied to interfaces.
Any clarification on that will be greatly appreciated.
Thanx Much,
WoodMan
If you check out Lammle's book on pg. 447 (fig. 9.1 on pg. 446), it gives you a pretty straightforward explanation of a simple standard access-list and why to place it on a given port. Follow the commands and the explanation, referring to fig. 9.1.
Much easier to follow this than for me to explain it.
"in" and "out" are relative to the router. Something like:

    interface Ethernet0
     ip access-group 11 in
     ip access-group 12 out

means:
- all packets that "enter" the router through interface Ethernet0 are checked against access list 11. If a packet matches a "permit" rule, it is allowed to "enter"; if a packet matches a "deny" rule, or if it does not match any rule (remember the implicit "deny any" at the end of the list), it is dropped.
- all packets that are about to leave the router through interface Ethernet0 are checked against access list 12. The same reasoning as above applies.
Another point to remember is that if you apply an access list that does not exist, all packets will pass (it's like you didn't apply a list at all).
Makes sense?
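The matching rules described in the reply above (first matching rule wins, implicit "deny any" at the end, an undefined list passes everything) worked through as a small Python simulator of standard-ACL evaluation. This is an added example, not code from the thread; list numbers 11 and 12 come from the post, while the addresses, wildcard masks, interface Ethernet1 and the never-defined list 99 are constructed.

```python
import ipaddress

# Constructed standard ACLs in IOS syntax (example data, not from the thread).
# Wildcard mask: a 0 bit must match the address, a 1 bit is "don't care".
ACL_CONFIG = """
access-list 11 deny   10.1.1.5 0.0.0.0
access-list 11 permit 10.1.1.0 0.0.0.255
access-list 12 permit 192.168.0.0 0.0.255.255
"""

# Bindings as in the post: list 11 filters inbound, list 12 outbound on Ethernet0.
# Ethernet1 (constructed) has no inbound list and references list 99, never defined.
GROUPS = {
    "Ethernet0": {"in": 11, "out": 12},
    "Ethernet1": {"in": None, "out": 99},
}

def parse_acls(text):
    """Return {list_number: [(action, address, wildcard), ...]} as ints, in configured order."""
    acls = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        num, action, src = int(parts[1]), parts[2], parts[3]
        if src == "any":
            addr, wildcard = "0.0.0.0", "255.255.255.255"
        else:
            addr, wildcard = src, (parts[4] if len(parts) > 4 else "0.0.0.0")
        acls.setdefault(num, []).append(
            (action, int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard))))
    return acls

def matches(src_ip, addr, wildcard):
    """IOS wildcard test: bits where the wildcard is 0 must be equal."""
    return ((int(ipaddress.IPv4Address(src_ip)) ^ addr) & (~wildcard & 0xFFFFFFFF)) == 0

def check(acls, list_num, src_ip):
    """Evaluate a standard ACL top-down; returns 'permit' or 'deny'."""
    if list_num is None or list_num not in acls:
        return "permit"    # no list applied, or a list never defined: everything passes
    for action, addr, wildcard in acls[list_num]:
        if matches(src_ip, addr, wildcard):
            return action  # first matching rule wins
    return "deny"          # implicit "deny any" at the end of every list

def filter_packet(acls, groups, iface, direction, src_ip):
    """Apply the list bound to iface for direction 'in' or 'out' to a packet's source."""
    return check(acls, groups[iface][direction], src_ip)
```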
Draw the typical circle icon for a router with an ethernet interface coming off of it. Now draw an arrow from the ethernet interface "in" to the router. That arrow indicates the direction of the packets that would be affected by the "IN" access list.
An arrow drawn "OUT" from the router to the ethernet would demonstrate the direction of the packets affected by the "OUT" access list.
I realize others have stated the same correct info, but sometimes a picture helps visualize the process.
Yankee
Thanx Much Guys!! You've all been very, very helpful!!!!
Good Luck to you all in your careers!!!
WoodMan!