Which direction to set up access-lists??
homerj742
Member Posts: 251
in CCNA & CCENT
I always get confused.
I thought "out" meant outbound traffic, meaning traffic leaving the network.
I thought "in" meant inbound traffic, meaning traffic entering the network.
If I wanted to prevent host 192.168.2.4 from accessing network 192.168.1.0/24, in which direction would I place the access-list? Heck, on which router?!?!
Comments
BubbaJ Member Posts: 323
homerj742 wrote:
I thought "out" meant outbound traffic, meaning traffic leaving the network.
I thought "in" meant inbound traffic, meaning traffic entering the network.
No. You have to think like the router. In and out are from the router's perspective. In is into the router, and out is leaving the router.
homerj742 Member Posts: 251
BubbaJ wrote:
homerj742 wrote:
I thought "out" meant outbound traffic, meaning traffic leaving the network.
I thought "in" meant inbound traffic, meaning traffic entering the network.
No. You have to think like the router. In and out are from the router's perspective. In is into the router, and out is leaving the router.
Ok, this is a step in the right direction for me.
So if I want to prevent traffic from 192.168.2.4, I would have to apply the ACL as "out"?
BubbaJ Member Posts: 323
homerj742 wrote:
So if I want to prevent traffic from 192.168.2.4, I would have to apply the ACL as "out"?
That depends. Are you trying to prevent the traffic from reaching the router, or are you trying to prevent it from leaving the router? For the former, you would use access-group X in; for the latter, access-group X out.
For example:
Router1 has 3 interfaces. E0/0 is 192.168.0.1/24. E0/1 is 192.168.1.1/24. E1/0 is 192.168.2.1/24.
If I didn't want traffic from 192.168.2.4 to reach either of the other two networks, I would put an inbound access list on E1/0. If, on the other hand, I didn't want the traffic to go to one of the other networks, but still to the other, I would put an outbound access list on the forbidden network's interface.
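The two cases BubbaJ describes, written out as Cisco IOS configuration. This is an added example, not something posted in the thread; it assumes the exact addressing from the post (Router1 with E0/0 192.168.0.1/24, E0/1 192.168.1.1/24, E1/0 192.168.2.1/24) and the ACL names BLOCK-2-4-ALL and BLOCK-2-4-TO-NET1 are made up for illustration. Pick one case or the other; they are alternatives, not meant to be applied together.

```cisco
! Added example, not from the original thread.
! Router1 (assumed from the post):
!   E0/0 = 192.168.0.1/24, E0/1 = 192.168.1.1/24, E1/0 = 192.168.2.1/24
! Host to block: 192.168.2.4, which lives on the E1/0 segment.
!
! ---- Case 1: 192.168.2.4 must reach NEITHER of the other two networks ----
! Filter the packet as it enters the router on E1/0, i.e. "in".
! The explicit "permit ip any any" matters: every IOS ACL ends with an
! implicit deny, so without it every other host on E1/0 would be cut off too.
ip access-list extended BLOCK-2-4-ALL
 deny   ip host 192.168.2.4 any
 permit ip any any
!
interface Ethernet1/0
 ip address 192.168.2.1 255.255.255.0
 ip access-group BLOCK-2-4-ALL in
!
! ---- Case 2: 192.168.2.4 may reach 192.168.0.0/24 but NOT 192.168.1.0/24 ----
! Filter the packet as it leaves the router towards the forbidden network,
! i.e. "out" on E0/1. Traffic to 192.168.0.0/24 never touches this ACL
! because it exits through E0/0.
ip access-list extended BLOCK-2-4-TO-NET1
 deny   ip host 192.168.2.4 192.168.1.0 0.0.0.255
 permit ip any any
!
interface Ethernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip access-group BLOCK-2-4-TO-NET1 out
```

To confirm which list is bound in which direction, `show ip interface Ethernet1/0` reports the inbound and outbound access list names, and `show ip access-lists` shows per-entry match counters, which is the quickest way to prove the deny entry is actually being hit. Two caveats worth knowing before the exam and the production change: the Case 1 inbound list also blocks 192.168.2.4 from talking to the router's own address 192.168.2.1 (the "any" includes the router), and an outbound ACL on IOS does not filter packets the router itself originates, which is one reason a filter that looks right "out" sometimes has to be placed "in" instead.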
mwgood Member Posts: 293
homerj742 wrote:
Makes a lot more sense now. Thank you so much for your help.
Also, think about it from the perspective of the interface you are applying the ACL to...
For example, if you were blocking an IP from the LAN - assuming a basic LAN on ethernet and WAN on serial - then if you place the access list on the ethernet interface, you would place it "inbound," whereas if you are blocking the same IP on the serial interface, it would be "outbound."
Basically, consider which direction the traffic is flowing through that specific interface in relation to the router.
Webmaster Admin Posts: 10,292
BubbaJ wrote:
mwgood wrote:
Also, think about it from the perspective of the interface you are applying the ACL to...
Always, always, think like the router.
mwgood is correct, especially considering he said "also". Access lists are usually bound to an interface, and the in/out refers to what goes in or out the interface you bind the access list to, not the entire router.
BubbaJ Member Posts: 323
Webmaster wrote:
mwgood is correct, especially considering he said "also". Access lists are usually bound to an interface, and the in/out refers to what goes in or out the interface you bind the access list to, not the entire router.
Ah, but you have to think like the router in order to decide on which interface to place the access list, and then you will know if it needs to be inbound or outbound. Deciding on the interface first is putting the cart before the horse.
If you think like the router, you will know what the router will do.
Webmaster Admin Posts: 10,292
Sure, hence "especially considering he said "also"." Nobody said 'first', just 'also'.
BubbaJ Member Posts: 323
Webmaster wrote:
Sure, hence "especially considering he said "also"." Nobody said 'first', just 'also'.
I'm not sure what you are trying to say. Did I ever disagree with him? I think you are trying to start a controversy where none exists. He said to consider it from the interface's perspective. The interface is part of the router. I never said that was wrong, but you have to look at it as if you were in the router, not as if you were on the outside of the interface. That is where the original poster was making his mistake.
Webmaster Admin Posts: 10,292
BubbaJ wrote:
I think you are trying to start a controversy where none exists. He said to consider it from the interface's perspective.
BubbaJ wrote:
Ah, but you have to think like the router in order to decide on which interface to place the access list, and then you will know if it needs to be inbound or outbound. Deciding on the interface first is putting the cart before the horse.
If you think like the router, you will know what the router will do.
To which I replied "Sure, hence "especially considering he said "also"." Nobody said 'first', just 'also'."
Meaning: "Sure, you are right, I agree you have to look at the router first, that is why I mentioned that mwgood is correct especially considering he said "also"." I never disagreed with you, I was just underlining that mwgood is correct in saying "also look at the interfaces".
BubbaJ Member Posts: 323
Webmaster wrote:
To which I replied "Sure, hence "especially considering he said "also"." Nobody said 'first', just 'also'."
Meaning: "Sure, you are right, I agree you have to look at the router first, that is why I mentioned that mwgood is correct especially considering he said "also"." I never disagreed with you, I was just underlining that mwgood is correct in saying "also look at the interfaces".
I think you are misunderstanding me. The interface is part of the router so it is not also or second. My point is that the interface perspective is no different than the router perspective.
When I commented on his interface perspective by writing:
Always, always, think like the router.
I do think that what you wrote here is misleading:
mwgood is correct, especially considering he said "also". Access lists are usually bound to an interface, and the in/out refers to what goes in or out the interface you bind the access list to, not the entire router.
For example:
A packet forbidden by an inbound access list will still come through the interface into the router. Even though the access list is bound to the interface, as soon as the packet hits the input queue, it comes in. Once it is in (on the mat where you wipe your feet), the router will evaluate it against the inbound access list and drop it there.
mwgood Member Posts: 293
BubbaJ wrote:
I think you are misunderstanding me. The interface is part of the router so it is not also or second. My point is that the interface perspective is no different than the router perspective.
This gets back to the reason I posted what I said in the first place...
The "interface perspective" IS different than the "router perspective." Which means it is an "also..."
The reason is that if you take a particular access list - when deciding which direction to apply the access group - you need to consider which interface it is being applied to. If you only considered the router, that would not give you any information about whether to apply the access list inbound or outbound. You must also consider which interface you will be binding to.
Webmaster Admin Posts: 10,292
No, no misunderstanding from my side. And it still seems that 'you' are the one "trying to start a controversy where none exists". I'll give it one more shot.
This is oversimplifying it: "The interface is part of the router so it is not also or second." Of course it applies to the router if it applies to an interface of the router. Anything that applies to an interface does NOT necessarily apply to the 'entire' router. Which I clearly wrote: 'entire'.
I wasn't disagreeing with you; you seem to be disagreeing with me while I'm not contradicting you.
By claiming the following is misleading you are doing it again:
"Access lists are usually bound to an interface, and the in/out refers to what goes in or out the interface you bind the access list to, not the entire router."
As you mentioned, "the interface is part of the router", which also means the other interfaces are part of the router. If you bind an access list to a particular interface, it does not apply to the 'entire' router, as in not to the other interfaces. So there's nothing misleading about that, it's a fact. You don't bind an access list to a router in global config but to an interface in interface config mode. The fact that the packet ends up through the interface in the router doesn't make it apply to the 'entire' router.
I already mentioned I did not disagree with what you say, and since I also said I agree with mwgood, and you say you agreed, I obviously don't think you are contradicting him... however, looking back at my first reply, I see I did quote your reply in addition to mwgood, and since you said "Always, always, think like the router" I can see how 'not the entire router' can be interpreted as contradicting you.
I suggest assuming that after doing this underpaid for four years I'm still trying to help people pass their exams and not 'start' anything.
BubbaJ Member Posts: 323
mwgood wrote:
If you only considered the router, that would not give you any information about whether to apply the access list inbound or outbound. You must also consider which interface you will be binding to.
Well, I respectfully disagree with that. If I am evaluating where to apply it, I have to do it from the router's perspective. The inbound packet will come into the router to be evaluated against an inbound access list, and an outbound packet will be evaluated against an outbound access list before it actually reaches the outbound interface. How far it actually gets before it is dropped depends on which OSI layer the access list is evaluating. A MAC access list drops a frame sooner on inbound, and later on outbound (closer to the interface), than an IP access list will drop a packet.
Webmaster Admin Posts: 10,292
mwgood wrote:
The "interface perspective" IS different than the "router perspective." Which means it is an "also..."
However, when you create an access list you will already know which interface you will bind it to, as you likely created it for that particular interface. So once you are in interface config mode, to determine whether it should be 'in' or 'out': "Always, always, think like the router."
mwgood wrote:
The reason is that if you take a particular access list - when deciding which direction to apply the access group - you need to consider which interface it is being applied to. If you only considered the router, that would not give you any information about whether to apply the access list inbound or outbound. You must also consider which interface you will be binding to.
Now that I read the post of the OP I see how it got started, with a specific scenario. Regardless, when you design access lists for a router, you will, 'also', have to consider the interfaces before you decide on ins and outs.
forbesl Member Posts: 454
Wow...such controversy over something so simple:
Applying the access-group as "in" applies to traffic going into the router interface. Applying the access-group as "out" applies to traffic going out of the router interface.
BubbaJ Member Posts: 323
forbesl wrote:
Wow...such controversy over something so simple:
Applying the access-group as "in" applies to traffic going into the router interface. Applying the access-group as "out" applies to traffic going out of the router interface.
I really didn't realize there was a controversy at first. I wanted to make sure that the original poster wasn't confused after he thought he got it.
The simple in and out may be usable when there are only two router interfaces, but multi-interface routers require you to "grok" the entire router. Blindly doing it on an interface-only level can result in unexpected, unintended consequences. For example, an outbound list may really need to be inbound if there is another router on the outbound side, because it may cause your routing protocol to break. Things like this are why I feel you always need to do it from the router's perspective.
wildfire Member Posts: 654
BubbaJ wrote:
I really didn't realize there was a controversy at first. I wanted to make sure that the original poster wasn't confused after he thought he got it.
The simple in and out may be usable when there are only two router interfaces, but multi-interface routers require you to "grok" the entire router. Blindly doing it on an interface-only level can result in unexpected, unintended consequences. For example, an outbound list may really need to be inbound if there is another router on the outbound side, because it may cause your routing protocol to break. Things like this are why I feel you always need to do it from the router's perspective.
Mate, I'm obviously misunderstanding you too. It makes no difference if it's 2 or 200 interfaces. The rule of thumb I use is place it as close to the source as possible, so the first decision I make is which interface it will be applied to. You seem to be overcomplicating the matter; the "simple in and out" can be used in any situation. I don't think from a router perspective but zoom out and look at the overall picture, then decide where and in which direction to apply the interface. That's not blindly doing it, that's careful planning and design!
BubbaJ Member Posts: 323
wildfire wrote:
The rule of thumb I use is place it as close to the source as possible, so the first decision I make is which interface it will be applied to. You seem to be overcomplicating the matter; the "simple in and out" can be used in any situation.
wildfire wrote:
I don't think from a router perspective but zoom out and look at the overall picture, then decide where and in which direction to apply the interface. That's not blindly doing it, that's careful planning and design!
mikej412 Member Posts: 10,086
forbesl wrote:
Wow...such controversy over something so simple:
Applying the access-group as "in" applies to traffic going into the router interface. Applying the access-group as "out" applies to traffic going out of the router interface.
I like to use this approach, but while pretending I'm the router.
Danman32 Member Posts: 1,243
You have to look at the interface, yes, but from the router's perspective. This is opposed to looking at the interface from the network's perspective.
There's a cute commercial for a garden equipment manufacturer where you see a closeup of a door and a doormat that says 'welcome', and you see the door open...to the outside. It at first makes you feel that the guy is going inside. From the perspective of the yard, he is going IN to the yard, which is what the commercial intends to have you end up with. From the perspective of the house, he is going OUT of the house, which is what the commercial initially has you feel.
Same direction of travel (packet flow), same door (interface), different point of view (router versus network).
So boys, both of you are correct. Please stop arguing.
Webmaster Admin Posts: 10,292
Danman32 wrote:
So boys, both of you are correct. Please stop arguing.