
writing Exam 17 September
cleverspy

2003-09-09, 10:07 am

Help. This is my second try for passing. The first time I almost puked from a migraine. I was sick. My head is full of the work but if they ask me a question from a different angle it confuses me. Is there a way to handle it? Struggling with access lists. Any help please.
NetStroller

2003-09-09, 11:25 am

The best way to get better with access list questions is to understand better how they work. Try to read from more sources of information if possible and do more practice questions. I'm using Todd Lammle's CCNA Study Guide by Sybex and it seems to cover this well. Try a google.com search to see what is on the Internet. Here's a link to Cisco information:
http://www-search.cisco.com/pcgi-bi...tor=0&sa=Search

If you have a specific access-list question post it here and I'm sure you'll get some help.
cleverspy

2003-09-10, 3:46 am

permit udp 194.73.74.0 0.0.0.255 host 194.72.6.205 eq syslog

permit tcp any host 194.72.6.52 eq 113

permit ip any host 1.1.1.1

What is the difference between udp, tcp and ip when using access lists? I know that UDP is for the upper layers, TCP breaks up segments and IP is the routed protocol.

Help me if I'm wrong, but I don't understand the logical side of the three.
I read through that link you gave me. It's nice. Can you explain it to me logically please?

Thanks for the help.
Humbug

2003-09-10, 6:26 am

Standard access lists only filter by source ip address (or part of the source address).

However, sometimes you need more than just the source address, like services or destination ip address - those are extended access lists.

Services or port numbers are layer 4 related, namely TCP/UDP elements. So you use tcp for services that are tcp-based like ftp, and udp for services that are udp-based like dns. If you need to completely block access to some host/network you use ip. If you choose IP, any tcp/udp packet will be filtered.
asteheske

2003-09-10, 2:29 pm

Standard access list - [number] 1-99
Extended access list - [number] 100-199

Standard access list command:
#access-list [number(1-99)] [permit or deny] [source address]
Notice that you can only use a source address in a Standard ACL and not a destination address.

Extended access-list command:

#access-list [number(100-199)] [permit or deny] [protocol] [source address] [destination address] [port]

eg: R1(config)#access-list 120 permit tcp any any eq 80

tcp - protocol
any - any source address from network
any - any destination address
eq 80 is the port (port 80 is Http)
You can use either the port number or the name, i.e. like in the above example you can use eq ftp instead of eq 21.


Note: when filtering a port, you cannot use IP as the protocol; you can only use TCP, UDP, ICMP.

Hope this helps~~
Lamont

2003-09-11, 12:54 am

One other thing to remember about access lists is that they always have an "implicit deny" at the end of them. You don't see this in the access list but it's there. What that means is if you create an access list that denies some traffic, and don't put in any allow statements, ALL traffic is blocked.

Cisco very much wants you to know this and there could be questions crafted to trip you up in this area....
Humbug

2003-09-11, 2:53 am

When using access lists, what is not explicitly permitted is prohibited. That's the rule.
scooter

2003-09-11, 3:31 am

All very helpful to me.....
Thank you.
Demijohn

2003-09-11, 4:06 pm

Also remember that the lists are processed in order from the top down. Once a permit or deny criteria is matched it doesn't look any further (until the next packet comes along).
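As an added illustration of the points made in this thread (Humbug's tcp/udp/ip distinction, asteheske's extended-ACL syntax, Lamont's implicit deny and Demijohn's top-down matching), here is a small Python model of how a router walks an extended access list. It is not code from any poster or from Cisco; the list number 101 and the first deny line are made up, the other three lines are cleverspy's.

```python
import ipaddress

# Cisco port keywords used in the thread (syslog, ftp) plus a couple of common ones.
PORT_NAMES = {"ftp": 21, "www": 80, "domain": 53, "syslog": 514}

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def addr_matches(spec, addr):
    """'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W': a 1 bit in the wildcard means don't care."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return _ip(parts[1]) == _ip(addr)
    base, wild = _ip(parts[0]), _ip(parts[1])
    return (_ip(addr) | wild) == (base | wild)   # compare only the 0 bits of the wildcard

def _take_addr(tokens):
    # 'any' is one token; 'host X' and 'X wildcard' are two tokens.
    return ("any", tokens[1:]) if tokens[0] == "any" else (" ".join(tokens[:2]), tokens[2:])

def parse_line(line):
    """Parse 'access-list N permit|deny proto src dst [eq port]' into a dict."""
    t = line.split()
    action, proto, rest = t[2], t[3], t[4:]
    src, rest = _take_addr(rest)
    dst, rest = _take_addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    if proto == "ip" and port is not None:      # asteheske's note: ports need tcp/udp, not ip
        raise ValueError("port match requires tcp or udp, not ip")
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def evaluate(acl, proto, src, dst, dport=None):
    """Top-down, first match wins; returns (action, line number) or the implicit deny."""
    for n, e in enumerate(acl, 1):
        if e["proto"] != "ip" and e["proto"] != proto:   # 'ip' covers tcp, udp, icmp, ...
            continue
        if not (addr_matches(e["src"], src) and addr_matches(e["dst"], dst)):
            continue
        if e["port"] is not None and e["port"] != dport:
            continue
        return e["action"], n
    return "deny", None   # nothing matched: the implicit deny at the end of every list

# Constructed list: one made-up deny line in front of cleverspy's three lines (number 101 is made up).
ACL = [parse_line(l) for l in """
access-list 101 deny tcp host 194.73.74.7 host 194.72.6.52 eq 113
access-list 101 permit udp 194.73.74.0 0.0.0.255 host 194.72.6.205 eq syslog
access-list 101 permit tcp any host 194.72.6.52 eq 113
access-list 101 permit ip any host 1.1.1.1
""".strip().splitlines()]
```

Evaluating the same tcp packet from 194.73.74.7 against `ACL` and against `list(reversed(ACL))` gives deny and permit respectively, which is Demijohn's point about order.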