Jump to content

CCNA Access List Question

CCNA Access List Question help

  • Please log in to reply
1 reply to this topic

#1 deskha



  • Members
  • Pip
  • 2 posts

Posted 28 August 2013 - 11:13 PM

I'm preparing my ccna and i have a serious confusion about applying Access-List, especially on which interface and inbound/outbound rule 


For example


In 9tut:

CCNA Access List Sim 2









The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.

All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of
The computers in the Hosts LAN have been assigned addresses of –
Host A
Host B
Host C
Host D
The servers in the Server LAN have been assigned addresses of –
The Finance Web Server is assigned an IP address of
The Public Web Server is assigned an IP address of

Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out

it says that i should apply it on interface fa0/1 and out



why is that?


i thought it was on f0/0 and in

or is it because it's extended access list and should be put nearest to source (the LAN side) 

and why is it out?, not inbound, is it because that this ACL applied to the interface that face out (facing the out of the destination)?


Can someone kindly enough tell me the rule about where to apply and the in/out ?

I've read some articles and books and watch some videos (CBT Nuggets, Lammle) and tried to browse some explanation but still very confuse 


thank you in advace

  • 0

#2 micmis



  • Members
  • Pip
  • 1 posts
  • Gender:Male

Posted 03 September 2013 - 05:16 AM

"The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server."

Well, you only want to restrict access to the specific server. You don't want to encumber traffic between hosts and core. If you apply ACLs on inbound interfaces like .254 and facing Core, router will need to process ACLs everytime (even for hosts<>core communication) and since you want to "protect" only server it would be wiser to apply it to interface facing server.

Quoting Cisco: "Rather than creating multiple inbound access lists to restrict access, you can create a single outbound access list that allows only the specified hosts."

I highly recommend to you: http://www.cisco.com...cess_rules.html

  • 0

Also tagged with one or more of these keywords: CCNA, Access List, Question, help

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users