Do Both Routers need an Access List on them in this situation?

check out my Packet Tracer File

 

I saw this exercise online.

 

R3 - blue network

 

R5 - red network

 

Only R3 had one Access List on it to achieve all objectives.

 

I'm confused as to why.


Your picture does not show the location of the HTTP server and the SMTP server, but I suppose the HTTP server is located behind R3 and the SMTP server behind R5.

Cisco says an extended ACL should be applied on the router closest to the destination, so I am not sure why your picture says the source.

If we want to apply an extended ACL the way Cisco says, we should block SMTP traffic on R3 and HTTP traffic on R5 (it is not always the best way, but it is the rule of thumb). However, you can block both types of traffic on just one router with one access-list.

The configuration looks like this.

access-list 101 deny   tcp host 192.168.50.10 eq smtp any
access-list 101 deny   tcp host 14.0.0.6 eq www 192.168.50.0 0.0.0.255
access-list 101 permit ip any any

R3(config)# int G0/1
R3(config-if)# ip access-group 101 out   (controls traffic from the SMTP server coming to R3)
R3(config-if)# ip access-group 101 in    (controls traffic from the HTTP server going to 192.168.50.0 on R5)

 

Hope it helps,

Masoud

dineshkhandal5
Level 1

Hi Josh,

I read your query and below is the best config to achieve the goal.

Objective:

Deny HTTP traffic into R5's Network
Deny SMTP Traffic into R3's Network

Condition: We need to create ACL only on router 3

We need to use an extended ACL as mentioned. As it is an extended ACL, we need to make sure we apply it close to the source.

To Deny HTTP traffic into R5's Network:

access-list 101 deny tcp any 14.0.0.0 0.0.0.7 eq 80
access-list 101 permit ip any any

To Deny SMTP Traffic into R3's Network

access-list 102 deny tcp any 192.168.50.0 0.0.0.255 eq 25
access-list 102 permit ip any any

Since we need to apply the ACLs only on Router 3, below is the best way to apply them (close to the source):

R3(config)# int g0/0
R3(config-if)# ip access-group 101 in

R3(config)# int g0/1
R3(config-if)# ip access-group 102 in


Regards,
Dinesh Khandal


Spooster IT Services
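As an added example that is not part of either reply, the following Python evaluator models IOS first-match processing of the extended-ACL lines posted in both replies (wildcard masks, `host`/`any`, `eq` ports, implicit deny) so each approach can be checked against sample flows. The packet addresses and ports are constructed from the addresses used in the thread, and the second reply's permit lines are written with the required `ip` protocol keyword.

```python
# Added example (not IOS): a first-match evaluator for this thread's extended ACLs.
import ipaddress

PORT_NAMES = {"www": 80, "smtp": 25}  # IOS port keywords used in the replies

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 1 bit means 'do not compare that bit'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)

def _addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (network, wildcard)."""
    t = tok.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    return (tok.pop(0), "0.0.0.0") if t == "host" else (t, tok.pop(0))

def _port(tok):
    """Consume an optional 'eq PORT' qualifier; None means any port."""
    if tok[:1] != ["eq"]:
        return None
    _, p = tok.pop(0), tok.pop(0)
    return PORT_NAMES.get(p) or int(p)

def parse_ace(line):
    """'access-list N permit|deny ip|tcp SRC [eq P] DST [eq P]' -> fields."""
    tok = line.split()
    action, proto, rest = tok[2], tok[3], tok[4:]
    if proto not in ("ip", "tcp", "udp"):  # 'permit any any' would fail here
        raise ValueError(f"protocol keyword expected in: {line}")
    return action, proto, _addr(rest), _port(rest), _addr(rest), _port(rest)

def evaluate(acl, proto, sip, sport, dip, dport):
    """Return 'permit' or 'deny' for one packet; the first matching entry wins."""
    for action, p, src, sp, dst, dp in map(parse_ace, acl):
        if (p in ("ip", proto) and sp in (None, sport) and dp in (None, dport)
                and wildcard_match(sip, *src) and wildcard_match(dip, *dst)):
            return action
    return "deny"  # implicit deny at the end of every IOS access list

# First reply: one list on R3 G0/1, matching by the servers' source ports
ACL_R3 = ["access-list 101 deny tcp host 192.168.50.10 eq smtp any",
          "access-list 101 deny tcp host 14.0.0.6 eq www 192.168.50.0 0.0.0.255",
          "access-list 101 permit ip any any"]
# Second reply: two lists matching by destination port ('ip' keyword added)
ACL_101 = ["access-list 101 deny tcp any 14.0.0.0 0.0.0.7 eq 80",
           "access-list 101 permit ip any any"]
ACL_102 = ["access-list 102 deny tcp any 192.168.50.0 0.0.0.255 eq 25",
           "access-list 102 permit ip any any"]
```

Running the constructed flows through both sets shows which direction of each conversation an entry actually matches: the first reply's list matches the servers' replies by source port, while the second reply's lists match the clients' requests by destination port.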
