Standard ACL - Todd Lammle Style!?!?!

mp3spy Member Posts: 86
Started ACLs today, a little confused about Lammle's concept of ACL interface placement.....

So you have one router consisting of 3 LANs

            (Internet)
                |
              s0/0
  SALES --E0--[ Router ]--E2-- Marketing
                |
               E1
                |
             Finance

So you want the SALES LAN to have NO access to the Finance LAN, but the SALES LAN should have access to the internet and Marketing. The Marketing LAN needs access to the Finance LAN.


Router#configure terminal
Router(config)#access-list 10 deny 172.16.40.0 0.0.0.255
! 172.16.40.0 with wildcard 0.0.0.255 matches every node on the 172.16.40.x network (the last octet is wildcarded)
Router(config)#access-list 10 permit any
Now...

"This access list is configured to deny source address from SALES LAN access to the Finance LAN and allow everyone else"

Lammle says this ACL should be applied to int e1 (finance) as an outbound list... WHY?!?!?
Shouldn't this be an inbound list??

Maybe I'm confused between an inbound and outbound list??
Ok CCNA BREAK IS OVER, TIME FOR CCSP!!!

Comments

  • loboernesto Member Posts: 94
    Standard ACL... as close to the destination as possible..
    cheers.
  • bmauro Member Posts: 307
    I'm a little confused on the diagram - but I think I have an idea from your description. (I actually had this problem earlier this week).

    First - remember Cisco's rule for ACL placement.

    Standard ACLs are to be placed as close to the destination as possible to avoid filtering too much.

    Extended ACLs are to be placed as close to the source as possible to avoid wasting bandwidth.

    Since this is a Standard ACL we need to place this as close to the destination as possible, which is E1. Now to determine if the ACL should be blocking IN or OUT, you should visualize yourself inside the router. The traffic is coming IN one interface, and EXITING OUT your E1 interface.

    Since the traffic we want to block would be leaving you (traveling away from you if you picture yourself in the router) you want to block OUT.
  • mp3spy Member Posts: 86
    Ahhh, that's a good description... The diagram got F'ed up... Just picture one router with four interfaces... one s0/0 - internet, and the other ethernet ints are the LANs...


    So I'm INSIDE THE ROUTER as the traffic police..... I see some packet destined for the Finance LAN; that packet is part of the 172.16.40.x LAN. I alert my people and tell them they can't let that packet go OUT of the Finance interface and attack my people on the Finance LAN, so I must block the outbound tunnel to the Finance LAN..... Makes sense..

    Thanks
    Ok CCNA BREAK IS OVER, TIME FOR CCSP!!!
  • Paul Boz Member Posts: 2,620
    This thread is very helpful, +1 :)
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • bmauro Member Posts: 307
    Np - I had a very rough time with this too. What got me was this (try to use your diagram):

    If you have a Router:

    S0/0: Internet
    E0/0: Sales
    E0/1: Finance
    E1/0: Marketing

    And let's say you wanted to block Sales from having access to Finance:

    E0/0 <----> E0/1

    I had a problem with "You can block INBOUND on E0/0, or OUTBOUND on E0/1". I thought that they were the same, and didn't understand why you would ever need to block outbound.... but after some reading and searching on this forum I saw some great examples, one of which clearly pointed out that if you place a standard ACL too close, you WILL block packets that you don't want to block, and secondly, even if you didn't, it wasn't the CISCO way :D
  • loboernesto Member Posts: 94
    One thing that is important when considering whether to apply an ACL Inbound or Outbound is that a router can have more than just 2 interfaces, probably 3 or 4. So by applying a standard ACL to block Inbound, packets matching the ACL will not just be stopped from accessing Finance's network but also from accessing any other interface in the router. Remember that a Standard ACL only cares about source addresses, so it doesn't matter whether its destination is Finance or the Internet; it will be discarded since the source address is the one that matters. Applying the same ACL Outbound will only take effect on packets exiting that specific interface, in this case only packets going out to Sales' network will be checked against the ACL.
    Well, nothing that hadn't been said before but may help somebody....
    Cheers
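To make the inbound-versus-outbound distinction from the two posts above concrete, here is an added Python model of the router in this thread (example code, not from the thread or from Lammle's book). Only the Sales subnet 172.16.40.0/24 is given in the thread, so the Finance (172.16.50.0/24) and Marketing (172.16.60.0/24) subnets and the sample host addresses are assumptions. It implements IOS wildcard matching and the implicit deny, then walks the same four flows through both placements: `ip access-group 10 out` on E1 (Lammle's) and `ip access-group 10 in` on E0.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed topology: one router, four interfaces, as described in the thread.
# Only the Sales subnet (172.16.40.0/24) appears in the thread; the Finance and
# Marketing subnets below are assumptions made for this example.
INTERFACES: Dict[str, ipaddress.IPv4Network] = {
    "S0/0": ipaddress.ip_network("0.0.0.0/0"),       # Internet (default route)
    "E0":   ipaddress.ip_network("172.16.40.0/24"),  # Sales
    "E1":   ipaddress.ip_network("172.16.50.0/24"),  # Finance (assumed subnet)
    "E2":   ipaddress.ip_network("172.16.60.0/24"),  # Marketing (assumed subnet)
}

# access-list 10 deny   172.16.40.0 0.0.0.255
# access-list 10 permit any
# One tuple per line as typed on the IOS CLI: (action, network, wildcard).
AclEntry = Tuple[str, str, str]
ACL_10: List[AclEntry] = [
    ("deny",   "172.16.40.0", "0.0.0.255"),
    ("permit", "0.0.0.0",     "255.255.255.255"),   # "permit any"
]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.ip_address(addr))
    n = int(ipaddress.ip_address(network))
    w = int(ipaddress.ip_address(wildcard))
    care = 0xFFFFFFFF & ~w
    return (a & care) == (n & care)


def acl_decision(acl: List[AclEntry], src: str) -> str:
    """Standard ACL: first matching entry wins, implicit deny if nothing matches."""
    for action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"


def interface_for(addr: str) -> str:
    """Longest-prefix match over the connected networks plus the default route."""
    ip = ipaddress.ip_address(addr)
    candidates = [(net.prefixlen, name) for name, net in INTERFACES.items() if ip in net]
    return max(candidates)[1]


def forward(src: str, dst: str,
            bindings: Dict[Tuple[str, str], List[AclEntry]]) -> Tuple[str, str]:
    """Walk one packet through the router: inbound ACL on the ingress interface,
    then routing, then outbound ACL on the egress interface.
    bindings maps (interface, "in" | "out") to an ACL, i.e. `ip access-group N in|out`."""
    ingress = interface_for(src)
    egress = interface_for(dst)
    for iface, direction in ((ingress, "in"), (egress, "out")):
        acl = bindings.get((iface, direction))
        if acl is not None and acl_decision(acl, src) == "deny":
            return ("deny", f"{direction}bound on {iface}")
    return ("permit", f"forwarded out {egress}")


# Lammle's placement, closest to the destination:
#   interface e1
#    ip access-group 10 out
ON_FINANCE_OUT = {("E1", "out"): ACL_10}

# The tempting alternative, closest to the source:
#   interface e0
#    ip access-group 10 in
ON_SALES_IN = {("E0", "in"): ACL_10}

# Constructed sample hosts, one per LAN plus one Internet address.
SAMPLE_FLOWS = {
    "Sales -> Finance":     ("172.16.40.10", "172.16.50.10"),
    "Sales -> Marketing":   ("172.16.40.10", "172.16.60.10"),
    "Sales -> Internet":    ("172.16.40.10", "198.51.100.7"),
    "Marketing -> Finance": ("172.16.60.10", "172.16.50.10"),
}


def compare_placements() -> Dict[str, Tuple[str, str]]:
    """Verdict for each flow as (outbound on E1, inbound on E0)."""
    return {name: (forward(s, d, ON_FINANCE_OUT)[0], forward(s, d, ON_SALES_IN)[0])
            for name, (s, d) in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, (on_e1_out, on_e0_in) in compare_placements().items():
        print(f"{name:22s} out on E1: {on_e1_out:7s} in on E0: {on_e0_in}")
```

Running it shows that both placements stop Sales -> Finance, but inbound on E0 also drops Sales -> Marketing and Sales -> Internet, which is exactly the "filtering too much" the Cisco placement rule warns about. The model also makes the `permit any` line visible: bind an ACL containing only the deny entry to E1 outbound and the implicit deny stops Marketing -> Finance as well.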