From: Ahmed Ejaz (aahmedejaz@gmail.com)
Date: Sun Mar 29 2009 - 13:26:59 ART
Thank you.
On 3/29/09, Jared Scrivener <jscrivener@ipexpert.com> wrote:
> Based on your description of the question, the proposed answer (and your
> interpretation of it) is correct. Remember, a CCIE lab has little bearing on
> the real world, so ACLs like this one are not uncommon.
>
> Cheers,
>
> Jared Scrivener CCIE3 #16983 (R&S, Security, SP), CISSP
> Sr. Technical Instructor - IPexpert, Inc.
> Telephone: +1.810.326.1444
> Fax: +1.810.454.0130
> Mailto: jscrivener@ipexpert.com
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Ahmed Ejaz
> Sent: Sunday, 29 March 2009 4:09 AM
> To: groupstudy
> Subject: Access-List Confusion
>
> Hi guys,
>
> I was going through one of the labs from IE and I am a bit confused by the
> solution. The task says:
>
> "Vlan 5 users have been excessively surfing the web during work hours.
> Manager has requested to configure Router 5 to block these users and let
> them go to your internal webserver at 148.1.3.100". After work hours they
> can have full access. Work hours are from 9AM to 5PM Mon to Friday. Use
> minimum amount of access-list to accomplish this.
>
> The solution says:
>
> ip access-list extended DENY_INTERNET_SURFING
> permit ip any any time-range NON_WORK_HOURS
> permit tcp any host 148.1.3.100 eq www
>
> time-range NON_WORK_HOURS
> periodic weekend 0:00 to 23:59
> periodic weekdays 00:00 to 8:59
> periodic weekday 17:01 to 23:59
>
> interface e0/1
> ip access-group DENY_INTERNET_SURFING in
>
> My confusion is that with the above solution, wouldn't the router allow only
> ip traffic during non work hours and block all ip traffic during work hours
> as there is a deny all at the end? Which means that they will not be able to
> communicate with any device except the webserver during work hours behind
> router 5?
>
> Regards,
>
> Ahmed.
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
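
Added example, not part of the original thread: a small Python model of the posted DENY_INTERNET_SURFING list, evaluated first-match with the implicit deny at the end, to show which Vlan 5 flows pass at a given time. The probe address 203.0.113.10 and the sample dates are constructed, and treating the end minute of each periodic entry as inclusive is a modeling assumption.

```python
from datetime import datetime

WEEKDAYS, WEEKEND = {0, 1, 2, 3, 4}, {5, 6}   # datetime.weekday(): Monday == 0

# time-range NON_WORK_HOURS as posted: (days, start, end), end minute inclusive (assumption)
NON_WORK_HOURS = [
    (WEEKEND,  (0, 0),  (23, 59)),   # periodic weekend 0:00 to 23:59
    (WEEKDAYS, (0, 0),  (8, 59)),    # periodic weekdays 00:00 to 8:59
    (WEEKDAYS, (17, 1), (23, 59)),   # periodic weekday 17:01 to 23:59
]

# ip access-list extended DENY_INTERNET_SURFING, in configured order.
# None means "any"; proto "ip" matches every IP protocol.
ACL = [
    {"action": "permit", "proto": "ip",  "dst": None,          "port": None, "time": NON_WORK_HOURS},
    {"action": "permit", "proto": "tcp", "dst": "148.1.3.100", "port": 80,   "time": None},
]

def range_active(periods, when):
    """True if 'when' falls inside any periodic entry of the time-range."""
    hm = (when.hour, when.minute)
    return any(when.weekday() in days and start <= hm <= end
               for days, start, end in periods)

def evaluate(acl, when, proto, dst, port=None):
    """First matching entry wins; nothing matching means the implicit deny."""
    for ace in acl:
        if ace["time"] is not None and not range_active(ace["time"], when):
            continue                      # entry is inactive outside its time-range
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["dst"] not in (None, dst) or ace["port"] not in (None, port):
            continue
        return ace["action"]
    return "deny"                         # implicit deny ip any any

def demo():
    work = datetime(2009, 3, 31, 10, 30)      # constructed: Tuesday, work hours
    evening = datetime(2009, 3, 31, 20, 0)    # constructed: Tuesday, after hours
    return {
        "work: http to internal webserver": evaluate(ACL, work, "tcp", "148.1.3.100", 80),
        "work: http to Internet host":      evaluate(ACL, work, "tcp", "203.0.113.10", 80),
        "work: icmp to internal webserver": evaluate(ACL, work, "icmp", "148.1.3.100"),
        "evening: http to Internet host":   evaluate(ACL, evening, "tcp", "203.0.113.10", 80),
    }

if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:36} {verdict}")
```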
This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:08 ART