RE: Access-List Confusion

From: Jared Scrivener (jscrivener@ipexpert.com)
Date: Sun Mar 29 2009 - 13:04:38 ART


Based on your description of the question, the proposed answer (and your
interpretation of it) is correct. Remember, a CCIE lab has little bearing on
the real world, so ACLs like this one are not uncommon.

Cheers,
 
Jared Scrivener CCIE3 #16983 (R&S, Security, SP), CISSP
Sr. Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Mailto: jscrivener@ipexpert.com

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Ahmed Ejaz
Sent: Sunday, 29 March 2009 4:09 AM
To: groupstudy
Subject: Access-List Confusion

Hi guys,

I was going through one of the labs from IE and I am a bit confused by the
solution. The task says:

"VLAN 5 users have been excessively surfing the web during work hours. The
manager has requested that Router 5 be configured to block these users and let
them go to your internal web server at 148.1.3.100. After work hours they
can have full access. Work hours are from 9 AM to 5 PM, Monday to Friday. Use
the minimum number of access-lists to accomplish this."

The solution says:

ip access-list extended DENY_INTERNET_SURFING
 permit ip any any time-range NON_WORK_HOURS
 permit tcp any host 148.1.3.100 eq www

time-range NON_WORK_HOURS
 periodic weekend 0:00 to 23:59
 periodic weekdays 00:00 to 8:59
 periodic weekdays 17:01 to 23:59

interface e0/1
 ip access-group DENY_INTERNET_SURFING in

My confusion is that with the above solution, wouldn't the router allow only
IP traffic during non-work hours and block all IP traffic during work hours,
as there is a deny all at the end? Which means that they will not be able to
communicate with any device behind Router 5 except the web server during work
hours?

Regards,

Ahmed.
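To check the reading of the solution discussed above, here is an added simulation (not from the original post, IE or IPexpert) of how the router walks the ACL: first matching entry wins, and an implicit "deny ip any any" sits at the end. It assumes periodic time ranges are evaluated at minute granularity with an inclusive end minute, and it also exposes the one-minute gap at 17:00 that the posted time-range leaves (00:00-8:59 and 17:01-23:59 do not touch).

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set

# Constructed model of the posted ACL; not a Cisco implementation.
WEEKDAYS = {0, 1, 2, 3, 4}   # datetime.weekday(): Monday=0 .. Friday=4
WEEKEND = {5, 6}

def _minutes(hhmm: str) -> int:
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

@dataclass
class Periodic:
    days: Set[int]
    start: str   # "HH:MM"
    end: str     # "HH:MM", assumed inclusive of the whole end minute
    def active(self, when: datetime) -> bool:
        now = when.hour * 60 + when.minute
        return when.weekday() in self.days and _minutes(self.start) <= now <= _minutes(self.end)

# time-range NON_WORK_HOURS exactly as posted
NON_WORK_HOURS = [
    Periodic(WEEKEND, "0:00", "23:59"),
    Periodic(WEEKDAYS, "00:00", "8:59"),
    Periodic(WEEKDAYS, "17:01", "23:59"),
]

@dataclass
class Ace:
    action: str
    proto: str                               # "ip" matches every protocol
    dst: str                                 # "any" or one host address
    dport: Optional[int] = None              # None means no port check
    time_range: Optional[List[Periodic]] = None
    def matches(self, proto: str, dst: str, dport: Optional[int], when: datetime) -> bool:
        # An entry with a time-range is skipped entirely while the range is inactive.
        if self.time_range is not None and not any(p.active(when) for p in self.time_range):
            return False
        return (self.proto in ("ip", proto) and self.dst in ("any", dst)
                and (self.dport is None or self.dport == dport))

# ip access-list extended DENY_INTERNET_SURFING, as posted
DENY_INTERNET_SURFING = [
    Ace("permit", "ip", "any", time_range=NON_WORK_HOURS),
    Ace("permit", "tcp", "148.1.3.100", 80),
]

def evaluate(acl: List[Ace], proto: str, dst: str, dport: Optional[int], when: datetime) -> str:
    """Return 'permit' or 'deny'; the implicit deny ip any any catches everything unmatched."""
    for ace in acl:
        if ace.matches(proto, dst, dport, when):
            return ace.action
    return "deny"
```

During work hours only TCP/80 to 148.1.3.100 survives, so an internal host such as 148.1.3.50 is unreachable through e0/1 until 17:01 on a weekday.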

Blogs and organic groups at http://www.ccie.net



This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:08 ART