IP Standard ACL question (where put the ACL)

rjbarlow Member Posts: 411
Hi all,
a very basic IP ACL question, I guess:

scenario:

[Image: aclbasicoridimmv2.jpg]

The goal is to filter traffic from PC1 to reach PC3.

I have seen that the guidelines say that a standard IP ACL should preferably be placed on the interface closest to the device we want to filter, on the inbound side.
With regard to these guidelines, the configuration on router1 could then look as follows:

router1(config)#access-list 18 deny <ip address of PC1> 0.0.0.0
router1(config)#access-list 18 permit 0.0.0.0 255.255.255.255
router1(config)#int e0/0
router1(config-if)#ip access-group 18 in

I always read that the other possible option is to put the standard IP ACL on another interface, on the outbound side (for example outbound on s1/0 of router1), but this can have an unwanted consequence: if that interface fails, the packet can be routed over another interface and would get through anyway (for example through s1/1 of router1). This means writing the same IP ACL on all the interfaces the packet can be routed out of!

But they don't consider putting the standard IP ACL on the same interface, the one closest to the device, but on the outbound side.

In fact, the fourth line seems to me freely interchangeable with this:

router1(config-if)#ip access-group 18 out

Because the packet asks to exit from e0/0 (for example heading toward PC3) but has not yet exited from e0/0, the packet would not be routed and no routing action would have to happen.
However, it depends on how a Cisco router considers outbound and inbound with regard to routing.

I also read somewhere that packets hitting IP ACLs placed on the inbound side of an interface are never routed, while packets taken by an IP ACL on the outbound side of an interface are always routed.

I wanted to ask what the issues are, if any, with filtering traffic on the outbound side of the closest interface.

Thank You.
Pork 3
Maindrian's music

WIP: 70-236, 70-293 and MCSE.

Comments

  • dtlokee Member Posts: 2,378
    The general guideline on standard ACLs is to place them as close to the destination as possible. In your example you have stopped PC1 from communicating with PC3, but you have also blocked it from the rest of your network. A better place would be on Router 2's interface that connects to Switch 3, in the outbound direction. Of course, an extended ACL would probably be best in most cases where you want to filter one host to another host.
    The only easy day was yesterday!
  • rjbarlow Member Posts: 411
    OK dtlokee, thanks for the reply. :)
    But... consider the case where it is not a problem if PC1 does not reach anyone else on its network.

    If I put the standard IP ACL on e0/0 of router1, outbound side, with this line:

    router1(config-if)#ip access-group 18 out

    do I run the risk that the packets from PC1 are routed over s1/0 or s1/1?

    I think not, and that also leads to the consequence that it is the same to put an IP ACL on one side rather than the other; the important thing is that the packet to be filtered does not happen to be routed to an unwanted interface.

    I think so, but something I read has confused me...

    I also need to understand exactly the meaning of the inbound and outbound sides of an interface.

    TY.
    Pork 3
    Maindrian's music

    WIP: 70-236, 70-293 and MCSE.
  • NeonNoodle Member Posts: 92
    To avoid the risk of denying the source access to other destinations, you should place standard access lists as close to the destination as possible. The obvious reason for this is that you can't specify which destination you want the source to be denied access to. Of course allowing a packet to travel through a network only to have it be denied at the last stop is a waste of resources, so it's better to use extended access lists since they can be applied at the source's interface.
    I recognize the lion by his paw.
    --Jacob Bernoulli
  • dtlokee Member Posts: 2,378
    You need to consider the routing topology in the placement of an access-list. There is a benefit to using inbound filtering in that the packets aren't routed and then dropped, saving processing time; a very little bit, but it saves CPU time.
    The only easy day was yesterday!
  • NeonNoodle Member Posts: 92
    rjbarlow wrote:
    OK dtlokee, thanks for the reply. :)
    But... consider the case where it is not a problem if PC1 does not reach anyone else on its network.

    If I put the standard IP ACL on e0/0 of router1, outbound side, with this line:

    router1(config-if)#ip access-group 18 out

    do I run the risk that the packets from PC1 are routed over s1/0 or s1/1?

    I think not, and that also leads to the consequence that it is the same to put an IP ACL on one side rather than the other; the important thing is that the packet to be filtered does not happen to be routed to an unwanted interface.

    I think so, but something I read has confused me...

    I also need to understand exactly the meaning of the inbound and outbound sides of an interface.

    TY.

    Applying the access list to e0/0 outbound is ineffective because traffic from PC1 is going into that interface rather than going out of it. Assuming that traffic from PC1 to PC3 is being routed through router 1's s1/0 port, you could apply the access list to that interface outbound; however, then you would have to apply the access list to s1/1 outbound too, just in case s1/0 goes down and traffic to PC3 starts getting routed out int s1/1. But then applying the access list to int s1/1 and s1/0 guarantees that you are denying access to anything that is connected off of switch 4, which is probably not what you are intending. So to make life simpler, apply the access list outbound on the interface connected to switch 3.
    I recognize the lion by his paw.
    --Jacob Bernoulli
  • rjbarlow Member Posts: 411
    OK guys, thanks for the replies; all that remains for me is to do some more tests.

    T.Y.
    Pork 3
    Maindrian's music

    WIP: 70-236, 70-293 and MCSE.
  • wait2dominate Member Posts: 74
    Late reply, but still:

    If your goal is only to filter traffic to PC3, you would want to put it on router 2 outbound. One of the first reasons that came to mind for me on why you would not want to place it on the inbound interface is the question "What if you wanted to telnet into router 2?" If it was placed inbound, everything would be denied past that point, including telnet/ping into router 2.

    And as others said, extended is the way to go in the real world :)
    Brake lights are a sign your car doesn't handle well enough.

    CCNP or MCSE is next to come.