Is the access list implemented in interface or IOS?

"sh ip interface" shows

"outgoing access list is not set
inbound access list is not set"

It hints the access list functionality is implemented in the IP interface. It makes sense for the standard access list since the IP interface does process the src IP in the IP header. However, is it the same case for the extended access list? Does the IP interface also process the transport headers?

Find more posts tagged with

Comments

_Gonzalo_

Yes, access lists are applied to interfaces and it does not depend on the type of list. It would not make sense to apply them globally, as you will always want to restrict depending on the interface.

Source and destination addresses would be checked for extended lists, and more parameters could be checked, like port number or type of traffic. But it is not related to any process that the interface may do. Access lists check and permit or drop with their own processes.

mikeybinec

I guess the one example where an ACL is NOT applied to an interface is for a NAT config

_Gonzalo_

Well, there are lots of examples. ACLs are used in combination with many things. But when used by themselves, they are applied to interfaces.

OfWolfAndMan

ACLs are used for more than just interface level configuration. They can also be used on SVIs, they can be used for policy routing, identifying traffic when configuring a route map, and if you really want to, you can also use it to identify your QoS traffic in the event your voice or video devices are running on a dedicated subnet if you're using the DiffServ model. There are more uses, but these are just a few. You can also run a debug with an ACL applied in the event you only want to monitor traffic associated with a particular IP/port

bharvey92

OfWolfAndMan wrote: »

ACLs are used for more than just interface level configuration. They can also be used on SVIs, they can be used for policy routing, identifying traffic when configuring a route map, and if you really want to, you can also use it to identify your QoS traffic in the event your voice or video devices are running on a dedicated subnet if you're using the DiffServ model. There are more uses, but these are just a few. You can also run a debug with an ACL applied in the event you only want to monitor traffic associated with a particular IP/port

Wolf is spot on, I've found from my studies that ACL's are used for so much more than basic (CCNA) permit/block. Especially when completing the NP you find that you use them more for changing BGP attributes, I find Prefix-List's more granular than ACL's

theodoxa

mikeybinec wrote: »

I guess the one example where an ACL is NOT applied to an interface is for a NAT config

NAT
QoS (CCIE, CCNP: Voice ?)
Route Filtering (CCNP)
Route Maps (CCNP)
VTY Lines and HTTP Server
Zone-Based Firewall (CCNA: Security)
And Probably Many More That I Forgot

ACLs are frequently used to identify traffic for things like NAT, QoS, Route Maps, and Zone-Based Firewall.