Is the access list implemented in interface or IOS?
johnifanx98
Member Posts: 329
in CCNA & CCENT
"sh ip interface" shows
"outgoing access list is not set
inbound access list is not set"
It hints the access list functionality is implemented in the IP interface. It makes sense for the standard access list since the IP interface does process the src IP in the IP header. However, is it the same case for the extended access list? Does the IP interface also process the transport headers?
Comments
-
_Gonzalo_ Member Posts: 113
Yes, access lists are applied to interfaces and it does not depend on the type of list. It would not make sense to apply them globally, as you will always want to restrict depending on the interface.
Source and destination addresses would be checked for extended lists, and more parameters could be checked, like port number or type of traffic. But it is not related to any process that the interface may do. Access lists check and permit or drop with their own processes. -
mikeybinec Member Posts: 484 ■■■□□□□□□□
I guess the one example where an ACL is NOT applied to an interface is for a NAT config. -
_Gonzalo_ Member Posts: 113
Well, there are lots of examples. ACLs are used in combination with many things. But when used by themselves, they are applied to interfaces.
-
OfWolfAndMan Member Posts: 923 ■■■■□□□□□□
ACLs are used for more than just interface level configuration. They can also be used on SVIs, they can be used for policy routing, identifying traffic when configuring a route map, and if you really want to, you can also use it to identify your QoS traffic in the event your voice or video devices are running on a dedicated subnet if you're using the DiffServ model. There are more uses, but these are just a few. You can also run a debug with an ACL applied in the event you only want to monitor traffic associated with a particular IP/port.
-
bharvey92 Member Posts: 420 ■■■□□□□□□□
OfWolfAndMan wrote: »ACLs are used for more than just interface level configuration. They can also be used on SVIs, they can be used for policy routing, identifying traffic when configuring a route map, and if you really want to, you can also use it to identify your QoS traffic in the event your voice or video devices are running on a dedicated subnet if you're using the DiffServ model. There are more uses, but these are just a few. You can also run a debug with an ACL applied in the event you only want to monitor traffic associated with a particular IP/port
Wolf is spot on. I've found from my studies that ACLs are used for so much more than basic (CCNA) permit/block. Especially when completing the NP you find that you use them more for changing BGP attributes; I find prefix-lists more granular than ACLs. -
theodoxa Member Posts: 1,340 ■■■■□□□□□□
mikeybinec wrote: »I guess the one example where an ACL is NOT applied to an interface is for a NAT config
NAT
QoS (CCIE, CCNP: Voice ?)
Route Filtering (CCNP)
Route Maps (CCNP)
VTY Lines and HTTP Server
Zone-Based Firewall (CCNA: Security)
And Probably Many More That I Forgot
ACLs are frequently used to identify traffic for things like NAT, QoS, Route Maps, and Zone-Based Firewall.
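The points made in the replies above (a standard ACL matches only the source address while an extended ACL also matches protocol and port fields, an ACL is filtering traffic only when bound to an interface with ip access-group, and the same ACL object can be reused by NAT, the VTY lines and a debug) can be seen in one IOS configuration. This is an added example written for this thread, not configuration posted by anyone in it. The interface names, the 10.0.0.0/24 inside network, the 203.0.113.0/24 outside network and the ACL names are assumptions chosen for illustration.

```cisco
! Added example, not from the thread. Assumes GigabitEthernet0/0 is the
! inside LAN (10.0.0.0/24) and GigabitEthernet0/1 faces the outside
! (203.0.113.0/24). All names and addresses are illustrative.

! 1. Standard ACL: the only thing it can test is the source IP address.
ip access-list standard LAN-SOURCES
 permit 10.0.0.0 0.0.0.255
 ! every ACL ends with an implicit "deny any"

! 2. Extended ACL: tests IP header fields (src/dst) AND transport header
!    fields (protocol, ports, TCP flags, ICMP types). First match wins.
ip access-list extended WAN-IN
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any any established
 permit icmp any any echo-reply
 deny   ip any any log

! 3. Bound to interfaces with ip access-group. Until this is done the ACL
!    exists but filters nothing, and "show ip interface" keeps reporting
!    "Inbound  access list is not set".
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip access-group LAN-SOURCES in
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 ip access-group WAN-IN in

! 4. The same standard ACL reused by NAT purely as a traffic classifier:
!    here it selects which inside sources get translated, it drops nothing.
ip nat inside source list LAN-SOURCES interface GigabitEthernet0/1 overload

! 5. Restricting management access on the VTY lines uses access-class,
!    not access-group; this is not tied to any physical interface.
ip access-list standard MGMT-HOSTS
 permit host 10.0.0.50
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh

! 6. Narrowing a debug to packets that match the ACL (exec mode, not config):
!    debug ip packet WAN-IN
```

After the access-group commands are entered, `show ip interface GigabitEthernet0/1` reports `Inbound  access list is WAN-IN` in place of `not set`, which is the line the original question was reading. Note the ordering in WAN-IN: the `established` line only matches TCP segments with ACK or RST set, so it lets return traffic for outbound sessions through without opening the host to new inbound connections, and the final `deny ip any any log` makes the implicit deny visible in the log so hits can be checked with `show access-lists WAN-IN`.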