Access-List - Why is it like this?

Please refer to the figure

This example is taken from the Sybex CCNA Certification Guide, page 491 (5th Edition, Todd Lammle). It is an example of a standard access list, although it could also be implemented using an extended access list.

You want to stop the Accounting users from accessing the Human Resources Server attached to the Lab_B router, but allow all other users access to that LAN.

Answer from the book:

Lab_B#config t
Lab_B(config)#access-list 10 deny
Lab_B(config)#access-list 10 permit any
Lab_B(config)#interface Ethernet 0
Lab_B(config-if)#ip access-group 10 out

My question is: why do you need to use the IP address in the deny statement when the actual IP address is

Why can we not write Lab_B(config)#access-list 10 deny ? Is it right or wrong from the exam's point of view?

Kevin Dorrell Fri, 10/26/2007 - 01:48

I think it would probably be wrong in the exam. In real life, the router would accept 129, but would record it as access-list 10 deny and it would work.

I think it would be best to put 128, then you know it would be correct, and it would show that you know how the wildcard match works.

Kevin Dorrell


Hi There

The reason that you are using the IP address and not is that you are asked to stop Accounting users accessing the HR server attached to Router B.

The accounting users are on the subnet ( and is the default gateway for that subnet. The range of the accounting subnet is:
--> Subnet Number
- --> Valid Host Addresses ( assigned to router)
--> Broadcast Address

If you only denied the gateway address, then only traffic which originated on the router would be blocked. The traffic from the accounting host machines ( to would all pass through the ACL to the HR server.

Hope that helps,


arifmscelectronics Mon, 10/29/2007 - 21:26

Hey, I have visited the site; it's good.

Do you have some more labs on access lists?

The answer given is right, as the whole subnet is denied.

fightermig29 Mon, 10/29/2007 - 22:58

Keeley's answer here is correct compared to other answers.

Whenever you see an address with a CIDR block prefix, always quickly work out the subnet, broadcast, gateway and host range in your head. Write it down and then work the problem. Then you will easily see the solution.

(Btw, I am taking the CCNA on Tue next week.)

keller.oliver Tue, 10/30/2007 - 01:59

With the wildcard mask you tell the router that in the last octet you want 00011111, which means the last 5 bits are ignored by the ACL.

Therefore, an IP ending in 128 (10000000) is as good as one ending in 129 (10000001). Any IP between 128 and 159 (10011111) would be OK, since only the first three bits will be matched.
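As an added illustration of the wildcard-mask logic described in this thread (this is not code from the book or from any poster), the script below reproduces what the router does: it clears the "don't care" bits of an ACL entry, shows the host range the entry covers, and walks a standard ACL top-down with the implicit deny at the end. Because the thread's real addresses were not preserved, it assumes constructed placeholder addresses in 192.0.2.0/24 (TEST-NET-1) with the wildcard 0.0.0.31 (00011111 in the last octet).

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(addr: str) -> int:
    """Convert dotted-quad text to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def normalize_ace(address: str, wildcard: str) -> str:
    """Return the address as the router stores it: every bit that is set
    in the wildcard (a 'don't care' bit) is cleared. This is why an entry
    typed with ...129 is recorded as ...128 when the wildcard is 0.0.0.31."""
    a, w = _to_int(address), _to_int(wildcard)
    return str(ipaddress.IPv4Address(a & ~w & ALL_ONES))


def ace_range(address: str, wildcard: str) -> tuple[str, str]:
    """Lowest and highest address an (address, wildcard) pair matches."""
    a, w = _to_int(address), _to_int(wildcard)
    low = a & ~w & ALL_ONES
    high = low | w
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


def ace_matches(address: str, wildcard: str, host: str) -> bool:
    """A host matches when it agrees with the entry on every 'care' bit."""
    a, w, h = _to_int(address), _to_int(wildcard), _to_int(host)
    return (a & ~w & ALL_ONES) == (h & ~w & ALL_ONES)


def standard_acl_action(entries: list[tuple[str, str, str]], host: str) -> str:
    """Evaluate a standard ACL top-down: first matching entry wins,
    and a packet that matches nothing hits the implicit deny."""
    for action, address, wildcard in entries:
        if ace_matches(address, wildcard, host):
            return action
    return "deny"


# Constructed stand-in for the book's access-list 10: deny the Accounting
# subnet (entry typed with the gateway's .129, wildcard 0.0.0.31), permit any.
ACL_10 = [
    ("deny", "192.0.2.129", "0.0.0.31"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]

# The alternative the poster asked about: deny only the gateway (wildcard 0.0.0.0).
GATEWAY_ONLY = [
    ("deny", "192.0.2.129", "0.0.0.0"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]
```

Running `standard_acl_action(ACL_10, "192.0.2.130")` returns "deny" while `standard_acl_action(GATEWAY_ONLY, "192.0.2.130")` returns "permit", which is exactly the gap Keeley's answer warns about.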
