Inbound or Outbound?
mwill
Member Posts: 51 ■■□□□□□□□□
in CCNA & CCENT
Hi all,
I'm currently studying for my CCNA and would like some help if one could give.
I'm confused with access-list's. The part i'm confused on is: When to apply an ACL on an inbound interface or outbound interface. I always want to put it on an inbound inteface to restirct traffic from comming into the router to begin with so it would stop the waste of CPU cycles.
However from reading and studying they put most on outbound interfaces and not inbound or vice versa. I cant seem to find anywhere that gives me enough information on when or why to place an ACL on outbound or inbound!
Can somone help me clear this up before the big day?
Thanks in advance,
mwill
I'm currently studying for my CCNA and would like some help if one could give.
I'm confused with access-list's. The part i'm confused on is: When to apply an ACL on an inbound interface or outbound interface. I always want to put it on an inbound inteface to restirct traffic from comming into the router to begin with so it would stop the waste of CPU cycles.
However from reading and studying they put most on outbound interfaces and not inbound or vice versa. I cant seem to find anywhere that gives me enough information on when or why to place an ACL on outbound or inbound!
Can somone help me clear this up before the big day?
Thanks in advance,
mwill
Marcus Williamson
Comments
-
Gogousa Member Posts: 68 ■■□□□□□□□□Everything depends on what ACL are you using and what do you want to achieve. Standard ACL can only filter on source IP, but on Extended ACL you can filter by many parameters, like source or destination IP, PORT, etc.
If you understand this, imagine you are a packet traveling through the cable and you bring with you information like source IP and destination IP, you are getting into the router and you find the interface (if someone applies and outbound ACL your are not going to be checked by this ACL), but if someone puts and Inbound interface you are going to be checked by this. The key to understand where to apply the ACL is to understand what information is bringing the packet that you are trying to block.
By general rule you apply Standard ACL as close to the destination as possible, because can only filter on source address, so if you apply a Standard ACL close to the source every packet that is trying to go out is going to match the ACL and be dropped.
Extended ACL are applied close to the source (not to waste CPU like you said), you can do this because extended ACL is more flexible on the rules and you can filter by source or destination for example.
I hope this can help you a little bit. -
mwill Member Posts: 51 ■■□□□□□□□□Thanks for the reply Gogousa.
I do understand where to place the standard or extended access list entry. However when to place it on the "in" or "out" interface is my problem.
I think i comperhend it some by following the packet and thinking where it should placed. But i'm not always 100% correct.
Is there an easier way to know where to place the entry on either "in" or "out"?Marcus Williamson -
kplab Member Posts: 101Use the following configuration as an example:
LAN1
Router A
LAN2
LAN3
LAN1, LAN2, and LAN3 are connected through Router A.
If you want to block traffic from a range of IP addresses in LAN1 to all other networks, you need to apply the standard access list on the LAN1 interface inbound.
If you want to block traffic from a range of IP addresses in any LAN to LAN2 only, you need to apply the standard access list on the LAN2 interface outbound.KPLAB
www.kp-lab.com - Free CCNA, CCNP, and Network+ Study Guides -
SV Member Posts: 166Try going through this link:
http://www.techexams.net/forums/viewtopic.php?p=63422#63422
This is taken from the post.
Lets say you have a router (THE_ROUTER) connected to LAN1 using s0 interface. LAN2 using e0 interface and LAN3 using s1 interface.
I visualize IN and OUT in the following manner:
* Traffic from lan2 gets IN to the router through e0
* Traffic from lan2 can get OUT of the router through either s0 or s1
* Traffic from lan1 can get IN to the router through s0
* Traffic from lan1 can get OUT of the through e0 or s1
Doesn't it make sense to say “block lan2 traffic coming IN to the router through e0” rather than saying “block lan2 traffic going OUT from router through e0.” Other correct statement would be “block lan2 traffic going OUT from router through s0.”Life is a journey... -
mwill Member Posts: 51 ■■□□□□□□□□Thanks for the help guys. I understand it better now.Marcus Williamson
-
darkuser Member Posts: 620 ■■■□□□□□□□