ISP router filtering traffic

Raha_1990
Level 1

Hi! Could you explain the correct answer in the question shown?

Regards, Abdurahman

5 Replies

Abzal
Level 7

Hi,

I think the correct answer is the last one.

1. First, because the ACL is applied to the /21 subnet, not to the host 64.100.0.1.

2. Second, the ACL affects traffic with the /21 source subnet only, not any source.

3. Third, same as the second.

4. Fourth, per the first statement of ACL 101 it is denied.

5. So only the fifth option remains.

Hope it will help.

Best regards,
Abzal

No, it's not correct.

Rahul Kukreja
Level 1

The correct answer should be the 4th option.

All traffic from the 64.100.0.0/21 network could access the Internet.

It's because:

When the traffic from RTR goes out to the ISP, the source address will always be in the range 64.100.0.0/21, which is permitted in ACL 1, applied inbound on ser0/0/0 of the ISP. So, as ACL 1 checks only the source IP, it is permitted.

For the return traffic from the Internet the source IP could be ANY and the destination would always be 64.100.0.0/21, which is permitted in ACL 101, applied outbound on ser0/0/0.

- HTH

Rahul

But in ACL 101 it is denied. How to understand that we must follow ACL 1, not ACL 101?

ACL 1 will be checked for the traffic coming in on ser0/0/0.

ACLs in IOS are checked from top to bottom, and as in ACL 1 traffic from 64.100.0.0/21 is permitted, traffic gets routed to the Internet when it comes from the RTR router.

For the return traffic, ACL 101 is checked when the traffic leaves out from ser0/0/0, and here in ACL 101, when it is checked from top to bottom:

access-list 101 deny ip 64.100.0.0 0.0.7.255 any

access-list 101 permit ip any 64.100.0.0 0.0.7.255

So the return traffic going out via serial0/0/0 on the ISP router will never match the first deny statement in ACL 101 (because the return traffic will never have a source IP in 64.100.0.0/21); it matches the second permit statement and the traffic is sent out via ser0/0/0.

Thus, for the traffic to the Internet, both ACLs are checked.

- HTH

Rahul
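To make the top-to-bottom, first-match evaluation described above concrete, here is an added example (not from the thread or from Cisco) that simulates both ACLs on the ISP's ser0/0/0 with Cisco wildcard-mask semantics. ACL 101 uses the two lines quoted in the thread; ACL 1 is only described as permitting 64.100.0.0/21, so its single line is an assumption, as are all function names and the sample addresses.

```python
import ipaddress

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def evaluate(acl, src: str, dst: str) -> str:
    """Walk the ACL top to bottom; the first matching entry decides.
    Entries are (action, src_net, src_wc, dst_net, dst_wc); a standard
    ACL has no destination part, represented here by dst_net=None."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and (
            d_net is None or wildcard_match(dst, d_net, d_wc)
        ):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL

ANY = ("0.0.0.0", "255.255.255.255")  # 'any' in IOS syntax

# ACL 1 (standard, source only): assumed single line based on the thread's
# statement that it permits 64.100.0.0/21.
ACL_1 = [("permit", "64.100.0.0", "0.0.7.255", None, None)]

# ACL 101 exactly as quoted in the thread.
ACL_101 = [
    ("deny", "64.100.0.0", "0.0.7.255", *ANY),          # deny ip 64.100.0.0/21 any
    ("permit", *ANY, "64.100.0.0", "0.0.7.255"),        # permit ip any 64.100.0.0/21
]

def isp_inbound(src: str, dst: str) -> str:
    """ACL 1 applied inbound on ser0/0/0 (traffic arriving from RTR)."""
    return evaluate(ACL_1, src, dst)

def isp_outbound(src: str, dst: str) -> str:
    """ACL 101 applied outbound on ser0/0/0 (return traffic toward RTR)."""
    return evaluate(ACL_101, src, dst)

def round_trip(inside_host: str, internet_host: str) -> tuple:
    """Result for the request (inbound ACL 1) and the reply (outbound ACL 101)."""
    return isp_inbound(inside_host, internet_host), isp_outbound(internet_host, inside_host)

if __name__ == "__main__":
    # Constructed sample addresses: one inside /21 host, one Internet server.
    print(round_trip("64.100.3.7", "198.51.100.10"))    # ('permit', 'permit')
    print(isp_inbound("64.100.9.1", "198.51.100.10"))   # deny: outside 64.100.0.0/21
```

The third call shows why the wildcard matters: 64.100.9.1 falls outside 64.100.0.0 0.0.7.255, so ACL 1 falls through to the implicit deny, while the reply in the round trip never matches ACL 101's first line because its source is the Internet host, not the /21.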
