ACL confusion

Humper Member Posts: 647
Ok so I have an example in my Sybex 5 book, and I am getting confused with inbound/outbound ACLs.


Here is the example:

In this lab you will allow only packets from HostB (on network 172.16.30.0) to enter 172.16.10.0.

Go to the Lab_A router and enter global configuration mode... etc. Choose to permit host 172.16.30.2.

Lab_A(config)#access-list 1 permit 172.16.30.2 0.0.0.0

Now that the access-list is created, you must apply it to an interface to make it work:

Lab_A(config)#int fa0/0
Lab_A(config-if)#ip access-group 1 out

Test your ACL by pinging from HostB 172.16.30.2 to Host A 172.16.10.2. Everywhere else should fail.

My question is, why must it be "out"? I see "out" aka outbound as traffic leaving the router, and inbound coming into the router. Now if I am right then why not put the ACL as "in"? Because HostB is coming inbound (172.16.30.2) to HostA (172.16.10.2)...?
Now working full time!

Comments

  • ciscos Member Posts: 26
    When you assign an ACL in a router you have to always keep in mind that you are "inside" the router you are working on.

    In your example, imagine that a packet with a SOURCE IP (host B) arrives at Router A and is now inside Router A. The router checks whether that IP can be forwarded (OUT) of the Fast Ethernet interface; it is permitted by the ACL, and so it does.

    Another option would be to assign this ACL as inbound on the serial interface of Router A. Thinking as above, an incoming packet arrives at serial 0/0 and is permitted to come inside the router (inbound) and be forwarded.

    I hope you understand.
    can't teach an old dog new tricks
  • Humper Member Posts: 647
    ciscos wrote:
    When you assign an ACL in a router you have to always keep in mind that you are "inside" the router you are working on.

    In your example, imagine that a packet with a SOURCE IP (host B) arrives at Router A and is now inside Router A. The router checks whether that IP can be forwarded (OUT) of the Fast Ethernet interface; it is permitted by the ACL, and so it does.

    Another option would be to assign this ACL as inbound on the serial interface of Router A. Thinking as above, an incoming packet arrives at serial 0/0 and is permitted to come inside the router (inbound) and be forwarded.

    I hope you understand.

    That helps clarify things :)
    Now working full time!
  • Humper Member Posts: 647
    My question is though, is there a CORRECT way of implementing ACLs when, in the example you gave me, it can be done TWO different ways: inbound on s0/0 or outbound on f0/0? Is there any specific reason I should choose one over another? I am worried about this when it comes to writing my exam.
    Now working full time!
  • Judd Member Posts: 132
    ciscos wrote:
    When you assign an ACL in a router you have to always keep in mind that you are "inside" the router you are working on.

    In your example, imagine that a packet with a SOURCE IP (host B) arrives at Router A and is now inside Router A. The router checks whether that IP can be forwarded (OUT) of the Fast Ethernet interface; it is permitted by the ACL, and so it does.

    Another option would be to assign this ACL as inbound on the serial interface of Router A. Thinking as above, an incoming packet arrives at serial 0/0 and is permitted to come inside the router (inbound) and be forwarded.

    I hope you understand.
    Excellent, excellent description of applying ACLs to interfaces.
    Humper wrote:
    My question is though, is there a CORRECT way of implementing ACLs when, in the example you gave me, it can be done TWO different ways: inbound on s0/0 or outbound on f0/0? Is there any specific reason I should choose one over another? I am worried about this when it comes to writing my exam.
    For the real world, the rule is to place standard access lists closest to the destination, and extended access lists closest to the source. Your Sybex example is that of a standard ACL, therefore following the rule places this ACL closest to the destination 172.16.10.0, that being fa0/0.
  • lwwarner Member Posts: 147
    Humper wrote:
    My question is though, is there a CORRECT way of implementing ACLs when, in the example you gave me, it can be done TWO different ways: inbound on s0/0 or outbound on f0/0? Is there any specific reason I should choose one over another? I am worried about this when it comes to writing my exam.
    In this case, applying the given ACL inbound on s0/0 is probably not a good solution. Putting it there will block more than you were asked to block. The Lab_A router will no longer be able to receive routing updates, for example. Or let's say you are SSHed into Lab_A from Host_C when you apply this ACL inbound on s0/0. Oops! You just locked yourself out of the router. Now you have to drive (or fly) over to Lab_A City to fix your mistake.

    Remember, the problem asked you to filter traffic entering the 172.16.10.0 network; it did not ask you to filter traffic to the router as well. If this lab exercise is done correctly you should still be able to reach the router from elsewhere in the network. Only traffic with a destination in 172.16.10.0/24 should be filtered. Because standard ACLs only filter on source address, the only way to target a specific destination is by where you apply it. That's why the rule of thumb is "as close to the destination as possible." If you don't follow that guideline you may be filtering too much, so beware of unintended consequences.

    --Bill
  • ciscos Member Posts: 26
    I agree with lwwarner, but most of all you have to know that in the exams
    the correct answer is the Cisco answer...
    and Cisco "demands" standard ACLs closer to the destination, no matter what.
    can't teach an old dog new tricks
  • gravyjoe Member Posts: 260
    Humper wrote:
    I see "out" aka outbound as traffic leaving the router, and inbound coming into the router. Now if I am right then why not put the ACL as "in"? Because HostB is coming inbound (172.16.30.2) to HostA (172.16.10.2)...?

    This confused me at first, but this is the way you have to look at it.
    Cisco considers the LAN side of the router as in, and the WAN side as out. Since the 172.16.10.2 traffic would have to travel on the WAN to get to the 172.16.10.0 network, it is considered as out.

    If the router on the 172.16.10.0 network wanted to prevent host 172.16.10.2 from leaving the LAN, since 172.16.10.2 is on the LAN side, that would be considered as in.
    The biggest risk in life is not taking one.
  • lwwarner Member Posts: 147
    gravyjoe wrote:
    This confused me at first, but this is the way you have to look at it. Cisco considers the LAN side of the router as in, and the WAN side as out.
    Sorry, but that is wrong. ciscos has it correct above. From the perspective of someone sitting inside the router, packets either come into the router, or they go out of the router. The type of interface involved, or the type of network connected to the interface, is irrelevant.

    When working with ACLs remember: Be the Router(TM)

    --Bill
  • Humper Member Posts: 647
    Ok here is an example I have been trying. I want to implement an extended access list that will not allow a device to telnet into a router.

    There are two routers, connected via a back-to-back cable. RouterA is 192.168.70.1 and RouterB is 192.168.70.2. Now for an extended ACL I realize Cisco says it must be as close to the source as possible. Now I do not want RouterA to be able to telnet to RouterB. So my ACL should be implemented on RouterA's Serial0 interface, correct?

    Here is my extended ACL:

    access-list 100 deny tcp host 192.168.70.1 host 192.168.70.2 eq telnet
    access-list 100 permit ip any any

    Now to apply this to an interface:

    conf t
    int s0
    ip access-group 100 out

    Is the 'out' correct? If I am in the router, I do not want traffic destined to 192.168.70.2 leaving my S0 interface on RouterA....

    Or do I have this entire thing screwed up?
    Now working full time!
  • lwwarner Member Posts: 147
    Humper wrote:
    Is the 'out' correct? If I am in the router, I do not want traffic destined to 192.168.70.2 leaving my S0 interface on RouterA....

    Or do I have this entire thing screwed up?
    You're getting close. It sounds like you have the basic concept down, but there is another rule you need to remember. ACLs do not apply to traffic originated by the router. So in your example, the ACL would need to be applied inbound on the RouterB serial interface.

    --Bill
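    As an added example (not from the thread, the Sybex book or Cisco), here is a small Python model of what ciscos and lwwarner describe: the inbound ACL of the arrival interface is checked first, then the outbound ACL of the egress interface, packets addressed to the router itself never reach an outbound ACL, and packets the router generates skip outbound ACLs. Lab_A's own interface addresses (172.16.10.1, 172.16.20.1) and the 172.16.40.0/24 network standing in for "a host elsewhere" are assumed; the thread gives neither.

```python
"""Toy model of Cisco IOS ACL direction and placement, constructed for this thread.
Not Sybex or Cisco code. Addresses other than HostA/HostB are assumed."""
from ipaddress import ip_address, ip_network

# Lab_A: fa0/0 faces 172.16.10.0/24, s0/0 faces everything else (assumed addressing).
ROUTER_IPS = {"172.16.10.1", "172.16.20.1"}      # Lab_A's own interface addresses
ROUTES = {"172.16.10.0/24": "fa0/0", "172.16.30.0/24": "s0/0",
          "172.16.40.0/24": "s0/0"}

def std_acl_permits(entries, src):
    """Standard ACL: matches on source address only, implicit deny at the end."""
    for action, addr, wildcard in entries:
        # wildcard 0.0.0.0 means 'every bit must match', i.e. an exact host match
        mask = 0xFFFFFFFF ^ int(ip_address(wildcard))
        if int(ip_address(src)) & mask == int(ip_address(addr)) & mask:
            return action == "permit"
    return False

def egress_for(dst):
    """Static routing table lookup standing in for the real RIB."""
    for net, intf in ROUTES.items():
        if ip_address(dst) in ip_network(net):
            return intf
    return None

def forward(acls, in_intf, src, dst, router_originated=False):
    """acls maps (interface, 'in'|'out') -> ACL entries. Returns 'permit'/'deny'.
    Sitting inside the router: the inbound ACL of the arrival interface runs
    first, then the outbound ACL of the egress interface. Packets addressed
    to the router never reach an outbound ACL, and packets the router itself
    generates skip outbound ACLs entirely."""
    if not router_originated:
        inbound = acls.get((in_intf, "in"))
        if inbound is not None and not std_acl_permits(inbound, src):
            return "deny"
        if dst in ROUTER_IPS:
            return "permit"          # handed to the router's own control plane
    out_intf = egress_for(dst)
    if out_intf is None:
        return "deny"                # no route
    outbound = acls.get((out_intf, "out"))
    if outbound is None or router_originated:
        return "permit"
    return "permit" if std_acl_permits(outbound, src) else "deny"

ACL1 = [("permit", "172.16.30.2", "0.0.0.0")]   # access-list 1 from the thread
BOOK_PLACEMENT = {("fa0/0", "out"): ACL1}       # Sybex: out on fa0/0
S0_PLACEMENT = {("s0/0", "in"): ACL1}           # alternative: in on s0/0
```

    Compare forward(BOOK_PLACEMENT, "s0/0", "172.16.40.2", "172.16.10.1") with the same call against S0_PLACEMENT: the book placement still lets a host elsewhere reach the router, the s0/0 placement denies it.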
  • Humper Member Posts: 647
    Aha! That's what I thought, but I was confused by the "closest to the destination" rule. I now realize my mistake, but thank you for the clarification.... Now time to go home and implement some more ACLs on my routers :D
    Now working full time!
  • Humper Member Posts: 647
    OK another question. What if you now have a Serial interface (70.1) and a FastEthernet interface (40.1) on RouterA with a switch connected, and the one serial interface on RouterB (70.2).

    We want to block a host connected via a switch connected to F0 (40.1) from telnetting to RouterB's serial interface (70.2). Do we block it at f0/0 since it's not originating from the router, correct?

    Thanks for your help so far... I will figure this out eventually!
    Now working full time!
  • lwwarner Member Posts: 147
    Yep, inbound on the RouterA fa0/0 should do the trick in that case.

    --Bill
  • forbesl Member Posts: 454
    Humper wrote:
    OK another question. What if you now have a Serial interface (70.1) and a FastEthernet interface (40.1) on RouterA with a switch connected, and the one serial interface on RouterB (70.2).

    We want to block a host connected via a switch connected to F0 (40.1) from telnetting to RouterB's serial interface (70.2). Do we block it at f0/0 since it's not originating from the router, correct?

    Thanks for your help so far... I will figure this out eventually!
    access-list 100 deny tcp host 192.168.40.x host 192.168.70.2 eq telnet
    access-list 100 permit ip any any

    int f0/0
    ip access-group 100 in