CCNA ACL question

Answered Question
Sep 27th, 2007

I took the CCNA exam recently and unfortunately I failed. I will retake the exam very soon. But I have a question regarding the ACL simlet (basically I just want to verify my answer). The question stated that I need to permit access to a specific HTTP server from a host while denying access to the other host. All other access is permitted.

My question is on which interface the ACL should be applied: the interface connecting to the host or the interface connecting to the web server?

Thanks for your help.

Correct Answer by icabrera, Fri, 09/28/2007 - 04:09

Hi, always remember this rule:

- Place a standard ACL close to the destination

- Place an extended ACL close to the source

So, as your ACL is an extended ACL, you should place it as close as possible to the host.


Hope this helps; if so, please rate the post.


ascoolasice Fri, 09/28/2007 - 13:37

Also pay close attention to the direction in which the ACL is applied on the interface,

i.e. ip access-group 10 in/out

I also got a similar simulation question in the test. I faced a lot of difficulty and failed. I want to understand and practice this topic well for my next test. Please let me know where to get study material, simulation questions, etc. on this topic. And one last thing: how can I check that the access list I implemented is correct? Thanks.

syedsohailsarwar Sat, 09/29/2007 - 09:13


Kindly design the access list keeping in mind that you have to allow access for one host only, and in that case check the IP address of that host from the simlet, as I too had attempted that question when I wrote the CCNA paper in June 2007.

greekgeek Sun, 09/30/2007 - 10:43

Be careful with this. Yes, extended should be near the source and standard near the destination, but there are exceptions.

For example, let's say you have a Telnet server off of E1. You have a series of hosts on E0 and also an active serial0. You want to block a specific host off of E0 from reaching the Telnet server off of E1. Normally, this would involve putting the extended ACL inbound on E0. However, if you also need to block everyone off of S0, then you'll put the ACL outbound on E1 instead.

Always read the question; it should be straightforward on the exam.
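The placement rule and its exception above, and the "how can I check that my list is correct" question earlier in the thread, both come down to two things a router does: evaluate an extended ACL top-down with first match and an implicit deny at the end, and evaluate it only for packets that actually cross the interface in the direction the list is applied. The following Python is an added example written for this thread, not code from any poster or from Cisco; it models a one-router scenario like the one discussed (hosts on e0, web server on e1, outside traffic via s0) with constructed TEST-NET addresses, applies the same three-line ACL once inbound on e0 and once outbound on e1, and reports which sample flows get through under each placement.

```python
"""Toy IOS-style extended ACL evaluator (added example; addresses are constructed)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY = (0, 0xFFFFFFFF)  # 0.0.0.0 with wildcard 255.255.255.255
PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21, "smtp": 25, "domain": 53}


@dataclass(frozen=True)
class Flow:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    ingress: str = ""           # interface the packet arrives on
    egress: str = ""            # interface the router forwards it out of


@dataclass(frozen=True)
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: Tuple[int, int]        # (address, wildcard) as 32-bit ints
    dst: Tuple[int, int]
    dport: Optional[int]        # set only for "eq <port>"


def _ip(s: str) -> int:
    return int(IPv4Address(s))


def _parse_addr(tokens: List[str]) -> Tuple[int, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the front of tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (_ip(tokens.pop(0)), 0)
    return (_ip(tok), _ip(tokens.pop(0)))


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines, keeping their order."""
    entries = []
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue                      # blank line or IOS comment
        if tokens[0] != "access-list":
            raise ValueError(f"not an access-list line: {line!r}")
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def _match_addr(spec: Tuple[int, int], ip: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wild = spec
    return ((_ip(ip) ^ base) & (~wild & 0xFFFFFFFF)) == 0


def evaluate(entries: List[Entry], flow: Flow) -> str:
    """First match wins; the implicit 'deny ip any any' at the end catches everything else."""
    for e in entries:
        if e.proto != "ip" and e.proto != flow.proto:
            continue
        if not (_match_addr(e.src, flow.src) and _match_addr(e.dst, flow.dst)):
            continue
        if e.dport is not None and e.dport != flow.dport:
            continue
        return e.action
    return "deny"


def forwarded(entries: List[Entry], flow: Flow, interface: str, direction: str) -> bool:
    """True if the packet gets through with the ACL applied on one interface in one
    direction. Traffic that never crosses that interface in that direction is not
    evaluated against the list at all."""
    crosses = ((direction == "in" and flow.ingress == interface) or
               (direction == "out" and flow.egress == interface))
    return evaluate(entries, flow) == "permit" if crosses else True


# Constructed scenario: hosts on e0, web server on e1, outside world via s0.
ACL = parse_acl([
    "! constructed TEST-NET addresses, not the exam's",
    "access-list 101 permit tcp host 192.0.2.5 host 198.51.100.10 eq 80",
    "access-list 101 deny tcp any host 198.51.100.10 eq 80",
    "access-list 101 permit ip any any",
])

FLOWS = {
    "host5 web":    Flow("tcp", "192.0.2.5",   "198.51.100.10", 80, ingress="e0", egress="e1"),
    "host3 web":    Flow("tcp", "192.0.2.3",   "198.51.100.10", 80, ingress="e0", egress="e1"),
    "host3 ssh":    Flow("tcp", "192.0.2.3",   "198.51.100.10", 22, ingress="e0", egress="e1"),
    "internet web": Flow("tcp", "203.0.113.7", "198.51.100.10", 80, ingress="s0", egress="e1"),
}


def compare_placements() -> dict:
    """Same ACL applied 'in' on e0 (near the source) versus 'out' on e1 (near the server)."""
    return {name: {"e0 in": forwarded(ACL, f, "e0", "in"),
                   "e1 out": forwarded(ACL, f, "e1", "out")}
            for name, f in FLOWS.items()}


if __name__ == "__main__":
    for name, result in compare_placements().items():
        print(f"{name:13s} {result}")
```

Run it and the "internet web" row is the one to look at: with the list inbound on e0 the outside host's HTTP request is forwarded, because it enters on s0 and the list is never consulted; with the list outbound on e1 it is dropped, because every packet toward the server crosses e1 outbound. The other rows are identical under both placements, which is exactly why the exam question has to be read for whether the other side of the router is in scope.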

junshah22 Tue, 10/02/2007 - 00:00

Dear, I tried the CCNA three times but unfortunately failed the last time with a score of 821.

I also attempted this question. In that scenario only one router was available, and hosts 1, 2, 3, 4 and 5 were behind E0

and servers were behind E1.

The requirement was to allow only host 5 access to the Internet server while not allowing the others, and there should be no more than 3 statements.

I placed the ACL like this (IPs not remembered):

access-list 101 permit tcp host <host 5> host <server> eq 80

access-list 101 deny tcp any host <server> eq 80

access-list 101 permit ip any any

ip access-group 101 out on the E0 interface connected with the servers, because the requirement was not to access this server from OTHER SIDES, including the INTERNET.

Now I am feeling that I did follow the ACL rules (standard near the destination and extended near the source), but there was only one router.

The scenario was working: I was accessing the Internet from host 5 and not from the other hosts, which was what was required, and I jumped to the next question.

Dear Sohail Server (I want some discussion with you; please send me a blank email at [email protected])

Need your assistance.



tim.harrison Tue, 10/09/2007 - 07:06

I did the same as junshah22. I passed, so I would think that this was correct; I assume that the score for the sim is more heavily weighted than standard questions.

santukumar Wed, 10/10/2007 - 21:06

The access-group command is not correct. I mean the correct command is:

go to int e0

and type ip access-group 101 in

This is the right solution and you get full marks.

caacostag Tue, 10/09/2007 - 20:14

That's right!

I did fail the test because I had a SIM using an ACL.

I had 1 router, interfaces S0, Fa0, Fa1.

1) They asked to permit "web access" from a HOST attached to the Fa1 network to a SERVER attached to Fa0,

2) while denying "web access" from other hosts in the Fa1 and S0 networks to the SERVER on Fa0,

3) allowing other types of services.

This is what I did (at home, reviewing that SIM):

access-list 101 permit tcp host (host attached to Fa1) host (server address) eq 80

access-list 101 deny tcp any host (server address) eq 80

access-list 101 permit ip any any

(config)#interface fa0

(config-if)#ip access-group 101 out

and it works!

johnboyrox Wed, 10/03/2007 - 06:38

I had this question also (or one very similar). I felt like they were trying to play head games with me by putting this question first, then being very verbose with their description, then the network diagram was much more complicated than it needed to be. I got it right, but it took me way too long (15 minutes). I should have just skipped it and not been stressed out for the rest of the test. (I passed, BTW.)

aaronpolk Mon, 10/08/2007 - 14:42

The rule I remember is that standard lists are always closest to the destination (San Diego, i.e. SD for Standard and Destination) and extended lists are always closest to the source.

greekgeek Mon, 10/08/2007 - 16:11


That rule isn't always the case. Please see my example a few posts earlier on this thread.

You must read the exam questions carefully to see if the standard rule should be followed.

junshah22 Tue, 10/09/2007 - 23:14


Very long and good discussion.

Now I would like to focus on another simulation question, related to switch operations and how they work.

One simulation has 5 questions inside, and perhaps all of them must be right.

Questions include:

1. What ports on Sw-AC3 are operating as trunks? (Select three.)

2. Which switch is the root bridge for VLAN 1?

3. From which switch did Sw-AC3 receive the VLAN information?

4. Out of which port on Sw-AC3 would a frame containing an IP packet with a destination address that is not on a local LAN be forwarded?

Also, if anybody attempted this question, what are more possible questions regarding this scenario?



khyrren.gyadin Wed, 10/10/2007 - 03:50

I also took the 640-801 exam this morning and failed (796). Got the same switch question.

1. I did a show run and checked the port configs (don't know if that was right).

2. Did not know.

3. show mac-address-table; that was odd, I think?

greekgeek Wed, 10/10/2007 - 09:20

Junaid and others:

As much as I would like to discuss this I know it violates Cisco's non-disclosure. I don't want to jeopardize my certification by discussing actual test questions.



junshah22 Sun, 10/14/2007 - 06:29

Dear Greek,

Why doesn't Cisco change its questions randomly? And if we discuss them, who cares? Cisco should maintain its exam and give a tough time to exam takers.

That situation can come up in our real environment, so we have to discuss it. Right?



greekgeek Mon, 10/15/2007 - 02:42

The Cisco non-disclosure agreement that I signed clearly indicates we are not to discuss specific exam questions. We can discuss this topic but just not a specific question from the exam.

santukumar Sun, 10/14/2007 - 20:54

The interface connecting to the webserver i.e. int e0 whose ip address is x.x.x.30.

