Another ACL Question.. inbound\outbound

tuscanituscani Member Posts: 121
Yes I am still struggling with this! :)



RouterA\S0<
>RouterB\S0
......|.......................................|
......|.......................................|
ServerA.............................ServerB
192.168.1.18\28...............192.168.2.18\28

** Ignore the dots** That is my miserable attempt at spacing. :)


In order to control access, the following access list is created:

access-list 101 permit tcp 192.168.1.16 0.0.0.15 192.168.2 16
0.0.0.15 eq 23

What would happen if you applied the following ACL to any one of the
routers in the above exhibit? On what interface and what direction should you apply it? Once applied, what will this access list accomplish? (Select all valid answer
choices)

A. Telnet traffic from 192.168.1.16 0.0.0.15 to 168.2.16 0.0.0.15 is allowed.
B. SMTP traffic from 192.168.1.16 0.0.0.15 to 168.2.16 0.0.0.15 is allowed.
C. The ACL is configured to allow traffic from one specific host to another.
D. The ACL should be applied inbound to the e0 interface of RouterA.
E. The ACL should be applied outbound to the e0 interface of RouterA.
Answer: A, D

I chose A and E

The book says E is wrong because:

"This would not be useful if applied to the outbound, as no traffic would match then. Note that if this answer had stated that the access list be placed on the outbound serial (WAN) interface, then this would have been an acceptable choice."

How would no traffic match? Is this because a routing decision has not been made so outbound does not yet apply?

Comments

  • david_rdavid_r Member Posts: 112
    You sure those routers are connected via their E0 ports and not via serial ports with your networks hanging off the ethernet ports? Because the author thinks that server A is hanging off E0.
  • tuscanituscani Member Posts: 121
    Sorry... typo.. they are serial ports!
  • david_rdavid_r Member Posts: 112
    All packets from 192.168.1.16/28 must come IN(to) router A port e0 and not OUT(through) that port. If you were in the router, performing access control, where would you see packets with a source address of 1.16/28? Would they be trying to come IN interface S0 and trying to get OUT E0 or would they be trying to come IN E0 and trying to get OUT S0?

    Diagram2.jpeg
    Is this correct?

    If server A is attempting to telnet to server B, Server A is going to create a packet with the following info in it. The source port will be random. The source IP will be 1.18, the destination port will be 23 and the destination IP will be 2.18. I'll call it packet 1.18:random to 2.18:23

    This packet MUST follow the black arrow to get to server B. Let's think of the network segments as roads, the router ports as checkpoints and the routers as crossroads. At each of these checkpoints there are gestapo guards checking papers. Mister packet has been issued papers 1.18:random to 2.18:23. One of the guards at one of the checkpoints has been given instructions to only allow through packets with papers matching 1.17-30:random to 2.18:23.

    In order for mister packet to get to server B, he is going to have to pass through 4 checkpoints. He has to go IN A E0, OUT A S0, IN B S0 and out B E0. There is no other choice! So we now have 4 ports and the direction where we can apply the ACL.

    Any clearer?
  • pr3d4t0rpr3d4t0r Member Posts: 173
    Well m8, now i have a clear understand for acl icon_lol.gificon_wink.gif

    Good job.
  • ITdudeITdude Member Posts: 1,181 ■■■□□□□□□□
    Yavol herr david! good one..... :)
    I usually hang out on 224.0.0.10 (FF02::A) and 224.0.0.5 (FF02::5) when I'm in a non-proprietary mood.

    __________________________________________
    Simplicity is the ultimate sophistication.
    (Leonardo da Vinci)
  • tuscanituscani Member Posts: 121
    david_r wrote:
    All packets from 192.168.1.16/28 must come IN(to) router A port e0 and not OUT(through) that port. If you were in the router, performing access control, where would you see packets with a source address of 1.16/28? Would they be trying to come IN interface S0 and trying to get OUT E0 or would they be trying to come IN E0 and trying to get OUT S0?

    Diagram2.jpeg
    Is this correct?

    If server A is attempting to telnet to server B, Server A is going to create a packet with the following info in it. The source port will be random. The source IP will be 1.18, the destination port will be 23 and the destination IP will be 2.18. I'll call it packet 1.18:random to 2.18:23

    This packet MUST follow the black arrow to get to server B. Let's think of the network segments as roads, the router ports as checkpoints and the routers as crossroads. At each of these checkpoints there are gestapo guards checking papers. Mister packet has been issued papers 1.18:random to 2.18:23. One of the guards at one of the checkpoints has been given instructions to only allow through packets with papers matching 1.17-30:random to 2.18:23.

    In order for mister packet to get to server B, he is going to have to pass through 4 checkpoints. He has to go IN A E0, OUT A S0, IN B S0 and out B E0. There is no other choice! So we now have 4 ports and the direction where we can apply the ACL.

    Any clearer?

    OMG you rule! Thanks!
Sign In or Register to comment.