ACL's again
| vschristopher 2002-09-23, 10:35 am |
| One last-minute doubt about access lists:
In extended IP access lists, do we have to bind it to the interface? Actually, I know we have to bind it to the interface (Ethernet or serial); I just had this lingering doubt and I thought you guys will clear it up.
chris | |
| Hippo 2002-09-23, 10:46 am |
| Without assigning the access list to an interface, it won't do anything.
Good Luck & RELAX.
Hippo
 | |
| edmonds_robert 2002-09-23, 1:22 pm |
| If you ever have any doubts, try this little exercise via telnet.
1. On a router (not a production one, this is only for testing), bind a nonexistent access-list to an interface, specifically the one that you use to access the router, using the access-group 100 in interface <type> <number> command.
2. Begin creating an access-list permitting a specific host other than your own. (access-list 100 permit ip host 10.10.10.10 any)
3. As soon as you hit ENTER, you will lose connectivity because you just permitted that one IP address and denied all others, including your own (because of the implicit deny any any command).
It only takes one or two times in a production network of doing this and blocking everyone on a network to remember to remove the access-group from an interface BEFORE modifying an access list in a production network. Have fun. |
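
The lockout described in the exercise above can be traced with a small model of how a bound access list is evaluated. This is an added example, not code from any poster in the thread. It is a simplified sketch that models only source matching for "ip ... any" entries, and the administrator address 192.168.1.50 is a constructed value.

```python
import ipaddress

# Simplified model of a numbered extended IP ACL applied with access-group.
# Only the source host/wildcard of "ip <source> any" entries is modelled.

def entry(action, src, wildcard="0.0.0.0"):
    """One ACL line. Wildcard bits set to 1 are ignored when matching."""
    return (action,
            int(ipaddress.IPv4Address(src)),
            int(ipaddress.IPv4Address(wildcard)))

def evaluate(acls, bound_number, src_ip):
    """Decision for a packet arriving on an interface bound to bound_number."""
    lines = acls.get(bound_number)
    if not lines:
        # The access-group points at a list with no entries yet:
        # nothing is filtered, so the packet passes.
        return "permit"
    src = int(ipaddress.IPv4Address(src_ip))
    for action, net, wildcard in lines:
        care = ~wildcard & 0xFFFFFFFF
        if src & care == net & care:
            return action          # first matching line wins
    return "deny"                  # implicit deny any any ends every list

def lockout_walkthrough(admin_ip="192.168.1.50"):  # constructed address
    acls = {}                      # step 1: list 100 is bound but not defined
    before = evaluate(acls, 100, admin_ip)
    # step 2: access-list 100 permit ip host 10.10.10.10 any
    acls.setdefault(100, []).append(entry("permit", "10.10.10.10"))
    after = evaluate(acls, 100, admin_ip)          # step 3: session is cut off
    permitted_host = evaluate(acls, 100, "10.10.10.10")
    return before, after, permitted_host

if __name__ == "__main__":
    print(lockout_walkthrough())
```
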