Stupid Question? Second guessing myself. Please assist.

Unanswered Question
Dec 6th, 2007

So I failed my first CCNA 640-801 exam last week with an 847. On the test, there was an ACL router sim. I am retaking my exam tomorrow morning.

I'm going to try and explain this as best I can.

Before going further, I understand that extended ACLs are to be placed closest to the source.

Bear with me here, and thank you in advance for reading.

I have a LAN network shaped like a capital "Y".

I am to deny telnet traffic from the 2 networks on the top of the fork of the Y to the bottom of the Y.

My first choice would be to place an ACL on the 2 top interfaces going inbound.

But now I am second-guessing myself, because in this case, would it not make more sense to place the same ACL just on the outbound interface on the bottom of the Y?

You're eliminating extra work, but it's no longer according to "best practice."

I ask this because this question was on my last exam, and was on my friend's this morning. I really could understand the logic both ways.

Which way does Cisco want me to answer this?

Thank you.

ccbootcamp Thu, 12/06/2007 - 14:36

Yes, place the ACLs on the incoming interface of the router closest to the source(s). That's best practice IMHO.


(please rate the post if this helps!)

LordFlasheart Fri, 12/07/2007 - 00:35

If you've got two interfaces coming in you could create two access-lists and apply them inbound to each interface as that is proper practice. However, I would imagine that you would only need to specify one access-list, or maybe even told to only write one access-list, where the closest you can get to the source is the outbound interface. This one list then kills two birds with one stone.

In essence you need to check if they want only one access-list as I remember that there was a question floating around that asked to create an access-list in only three lines.



limseng80 Fri, 12/07/2007 - 01:26

A common practice expected by Cisco would be to put standard ACLs as close to the destination as possible, while extended ACLs are to be as close to the source as possible.

OmahaGTP1 Fri, 12/07/2007 - 09:17

Thanks for the help guys. I had the same question on my re-take today (passed w/ 961, woo hoo!) and against my better judgement, I applied it to the 2 inbound interfaces. I believe I got the question right.

I used line 1 to permit the host to the server with the www port. Then denied all hosts to the server with the web port, then permitted ip any any. Then applied it to the 2 inbound interfaces. Even though I still believe, and if I was configuring it myself, I would apply it to the single outbound interface.

Also, sorry if I'm not supposed to discuss answers in such detail. If so, please delete.
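Added example, not posted by anyone in this thread: an IOS configuration for the scenario in the original question (deny telnet from the two networks at the top of the Y to the network at the bottom), showing the source-side inbound placement the exam expects next to the single outbound placement discussed above. The addresses, interface names and ACL number are constructed assumptions.

```cisco
! Constructed topology (assumption, not from the thread):
!   top-of-Y networks : 192.168.1.0/24 on Fa0/0, 192.168.2.0/24 on Fa0/1
!   bottom-of-Y network: 192.168.3.0/24 on Fa0/2
!
! One extended ACL. The explicit "permit ip any any" is required because
! every ACL ends with an implicit deny; without it all other traffic
! through those interfaces would also be dropped.
access-list 101 deny   tcp 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255 eq 23
access-list 101 deny   tcp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 eq 23
access-list 101 permit ip any any
!
! Placement A (closest to the source): the same list applied inbound on
! both top-side interfaces. Matching packets are dropped before the router
! spends a routing lookup or any downstream bandwidth on them.
interface FastEthernet0/0
 ip access-group 101 in
!
interface FastEthernet0/1
 ip access-group 101 in
!
! Placement B (single application): the same list applied once, outbound
! on the bottom interface. Fewer lines to type, but every telnet packet is
! routed across the box before being discarded at the egress interface.
! (Shown commented out; use one placement or the other, not both.)
! interface FastEthernet0/2
!  ip access-group 101 out
!
! Verification after applying either placement:
!   show access-lists 101        -> per-line match counters increase as
!                                   telnet attempts are denied
!   show ip interface FastEthernet0/0
!                                -> "Inbound access list is 101"
```

Either placement filters the same packets; the difference is only where in the forwarding path the drop happens, which is why the "closest to the source" rule applies to extended lists that can match on source, destination and port.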

bvsnarayana03 Sat, 12/08/2007 - 04:38

Congrats. Yes, that's the speciality of this forum. So many have benefited. Special thanks to the experts who are helping us learn.

Coming to your question, the reason for applying the e-acl closest to the source is to avoid the unnecessary traffic from flowing on the infrastructure & thus saving the expensive bandwidth for critical applications. If the traffic ultimately has to be dropped, why not stop it at the point of origin or the closest to origin rather than let it flood the entire path to dest & then drop it.

Wishing you all the best & encouraging you to be regular on this forum. Everyday is a great learning here.

pls rate all helpful posts.

rajibchicago Sat, 12/08/2007 - 19:34

Congrats. For some reason I thought the 640-801 exam expired Nov 6, 2007.

OmahaGTP1 Fri, 12/14/2007 - 07:23

Ah ha, thank you bvsnarayana03.

Thanks for the help guys. I understand why extended ACLs are placed closest to the source, and vice versa. But you explained why in this scenario, it would not make more sense to put this on a single outbound rather than 2 inbound, due to additional routing/router resources.


