Home > Archive > CCNA > May 2004 > Access List question
Access List question
| wizzybeff 2004-05-21, 4:53 pm |
Is this a correct summary?
Standard access lists are applied on the closest router to the destination, outbound on the interface.
Extended access lists are applied on the closest router to the source, inbound on the interface.
Also, can someone show me an example access list that denies telnet? Would it be something like this?
access-list 100 deny tcp host 172.22.5.2 host 172.22.2.2 eq telnet (or 23)
If I didn't want to use "host" as a wildcard, could I still use the typical 0.0.0.255, etc.? Would I still put it in front of the IP address or after it (like with a standard ACL)?
Thanks!!!!!!!
| Sexy Lexy 2004-05-21, 5:26 pm |
It is easier with a standard access list.
Try this:
Router1(config)# access-list 1 permit 172.22.5.2
Router1(config)#line vty 0 4
Router1(config-line)#access-class 1 in
Router1(config-line)#^z
Router1#write memory
This will deny access to all the telnet lines besides those from the host 172.22.5.2
The keyword host is implied as default and the default deny all at the end will restrict access to everyone besides the address(es) in the access list.
| timhowell1985 2004-05-21, 5:28 pm |
Standard access lists block only on the source IP address, so you would want to get it as close to the source as possible, because you would not want packets traversing across your entire network just to be blocked. But usually the closest you can get without causing problems is the outbound interface of the router that the network is on which you want to deny the traffic to.
That is the correct form for an access list to deny telnet. You could also use the any wildcard to specify any address, or specify a specific network:
access-list 100 deny tcp 172.22.2.0 0.0.0.255 172.22.2.0 0.0.0.255 eq 23
host 172.22.5.2 is the same thing as typing 172.22.5.2 0.0.0.0
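As an added example, not part of the thread and not Cisco code, here is a small Python model of how a numbered IP access list is evaluated. It covers the points raised in the replies above: wildcard-mask matching (so `host 172.22.5.2` parses to the same thing as `172.22.5.2 0.0.0.0`), top-down first-match evaluation, the implicit deny-all at the end of every list, and the difference between a standard list (source only, as used with `access-class` on the vty lines) and an extended list with `eq telnet`. The ACL lines, packets, port-name table and the function names (`wildcard_match`, `parse_entry`, `evaluate`, `demo`) are constructed for this illustration; the model only handles the syntax used in this thread.

```python
"""Constructed model of Cisco-style numbered ACL evaluation (not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}   # only the names needed here
ANY = ("0.0.0.0", "255.255.255.255")                 # 'any' == all bits don't-care


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def _parse_addr(tokens: List[str], i: int):
    """Read 'host A', 'any', 'A W', or a bare 'A' (standard-list shorthand) at tokens[i]."""
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2          # host == wildcard 0.0.0.0
    if tokens[i] == "any":
        return ANY, i + 1
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit() and "." in tokens[i + 1]:
        return (tokens[i], tokens[i + 1]), i + 2          # explicit wildcard follows
    return (tokens[i], "0.0.0.0"), i + 1                   # bare address: host implied


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (matches anything), "tcp" or "udp"
    src: tuple                   # (base, wildcard)
    dst: tuple                   # (base, wildcard); standard lists match any destination
    dport: Optional[int] = None  # from 'eq <port>' after the destination


def parse_entry(line: str) -> Entry:
    """Parse one 'access-list <n> ...' line: standard (1-99) or extended (100-199)."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99:                                  # standard: source only
        src, _ = _parse_addr(t, 3)
        return Entry(action, "ip", src, ANY)
    proto = t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])  # 'telnet' or '23'
    return Entry(action, proto, src, dst, dport)


def evaluate(acl: List[str], pkt: Dict) -> str:
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for entry in map(parse_entry, acl):
        if entry.proto != "ip" and entry.proto != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *entry.src):
            continue
        if not wildcard_match(pkt["dst"], *entry.dst):
            continue
        if entry.dport is not None and pkt.get("dport") != entry.dport:
            continue
        return entry.action
    return "deny"                                          # implicit deny all


# Constructed lists using the syntax discussed in the thread.
DENY_TELNET = [
    "access-list 100 deny tcp host 172.22.5.2 host 172.22.2.2 eq telnet",
    "access-list 100 permit ip any any",   # without this line everything else is denied
]
VTY_ALLOW = ["access-list 1 permit 172.22.5.2"]  # the standard list used with access-class


def demo() -> Dict[str, str]:
    telnet = {"src": "172.22.5.2", "dst": "172.22.2.2", "proto": "tcp", "dport": 23}
    web = dict(telnet, dport=80)
    other_host = dict(telnet, src="172.22.5.3")
    return {
        "telnet_from_5.2": evaluate(DENY_TELNET, telnet),       # deny
        "web_from_5.2": evaluate(DENY_TELNET, web),             # permit
        "telnet_from_5.3": evaluate(DENY_TELNET, other_host),   # permit
        "vty_from_5.2": evaluate(VTY_ALLOW, telnet),            # permit
        "vty_from_5.3": evaluate(VTY_ALLOW, other_host),        # deny (implicit)
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The `demo()` results show why the `permit ip any any` line matters: drop it from `DENY_TELNET` and the web packet is denied too, because nothing in the list matches it and the implicit deny takes over. The same mechanism is what makes the standard list in Lexy's `access-class` example restrictive for everyone except the listed host.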
| smrkdown 2004-05-21, 8:32 pm |
Tim, you're a little confused. Standard access lists are applied as close to the destination as possible and extended are to be applied as close to the source as possible.
Lexy, if I'm not mistaken, he wants to deny 172.22.5.2 and not necessarily everyone else.
| Sexy Lexy 2004-05-22, 5:54 am |
So he does, sorry!
That's what you get for speed reading posts!