Access list help in/out
Chris Knight
Member Posts: 66 ■■□□□□□□□□
in CCNA & CCENT
Guys, I need some help with the in/out when applying an access list.
I am working on a scenario now (sorry, I don't have a link), however I'm confused about which interface to apply it to, the inbound or the outbound.
Example... Say you have Network 1 and Network 3. In between those networks, say you have two routers called mutt and jeff. The scenario is for network 3 not to access network 1.
Network 1 = 172.16.60.0/24. Host machine 172.16.60.100/24 connected to the jeff router at int fa 0/0; on the other side of the router is s0/0, going out to s0/1 on mutt.
Network 3 = 172.16.50.0/24. Server 172.16.50.100/24 connected to the mutt router on int fa 0/0; on the other side is s0/1, which connects back to jeff.
Now I understand the standard ACL goes as close to the destination as possible, which in this case would be fa 0/0 on Jeff.
But why on earth would you want that outbound??
Jeff>enable
Jeff#configure terminal
Jeff(config)#access-list 30 deny 172.16.50.0 0.0.0.255
Jeff(config)#access-list 30 permit any
Jeff(config)#interface fastethernet 0/0
Jeff(config-if)#ip access-group 30 out
I would think, since the object here is to STOP network 3 connecting to network 1, you'd want this ACL INBOUND, say on S0/0.... Network 1 can access network 3 but not the other way around...
Please help me with this, I'm very confused.
"Self-realization. I was thinking of the immortal words of Socrates, when he said, "I drank what?"
Chris Knight
Real Genius
Comments
-
mikearama Member Posts: 749
Hey Chris,
Ya know, in a lot of cases, you could be right. For example, in your illustration, "jeff" has only two ints... one ethernet and one serial. In this case, the acl can be attached to either int... in on s0, or out on f0.
As a standard rule, it should go on f0. Here's why...
Today your router only uses two ints, but next month you decide to add internet for your LAN, and you add it out of s1 on your "jeff" router. You see where this is going???
If the acl was on s0, then no one in network 3 could access the internet, even though they should be able to... the acl stops them at s0. If we put it in the right place, on f0, then network 3 could access the "jeff" router, while the routing engine would allow access to the f1 int for internet, while the acl would stop access to network 1.
So, as a rule of thumb, standard acls go closest to the destination, to allow for access to other networks, etc.
HTH,
Mike
There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project. -
Chris Knight Member Posts: 66 ■■□□□□□□□□
Thanks for the quick reply, and that does make sense; however, since you're really filtering inbound traffic from network 3, why wouldn't it be inbound then on fa 0/0?
After all, it's traffic coming inbound?
-
mikearama Member Posts: 749
Again, just because the acl will block EVERYTHING. That may not always be desirable.
If your goal is to block EVERYTHING forever from network 3, then inbound is perfect. Perfect, because it will actually save the routing engine from having to make any decisions.
If, however, at some point you decide to allow network 3 access to another subnet that you build off of a different int on jeff, you'll regret putting the acl inbound on f0, since network 3 will still never reach anything, even if it's now supposed to.
One more caveat... put the acl inbound on f0, and you can't even telnet to the jeff router from network 3. It blocks EVERYTHING.
Mike
-
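To make Mike's two points concrete (the future uplink in his first reply and the "can't even telnet to jeff" caveat in his second), here is an added Python model of the jeff router's forwarding path. It is illustration code written for this thread, not anything from the posters or from Cisco. It binds access-list 30 either inbound on s0/0 (the interface where network 3's traffic arrives at jeff) or outbound on fa 0/0, and reports what happens to packets from the network 3 server. Only the two subnets and the ACL come from the thread; the interface addresses, the s0/1 uplink, the routing table and the sample packets are constructed assumptions.

```python
import ipaddress

# Constructed model of the "jeff" router from the thread. The thread gives only
# the two subnets; interface addresses, the s0/1 uplink and the routes are assumptions.
JEFF_INTERFACES = {
    "fa0/0": "172.16.60.1",   # faces network 1 (assumed router address)
    "s0/0": "192.168.1.1",    # serial link to mutt / network 3 (assumed link address)
    "s0/1": "203.0.113.1",    # hypothetical future internet uplink from Mike's reply
}

# Destination prefix -> egress interface (constructed); longest prefix wins.
JEFF_ROUTES = {
    "172.16.60.0/24": "fa0/0",
    "172.16.50.0/24": "s0/0",
    "0.0.0.0/0": "s0/1",      # default route toward the hypothetical internet
}

# access-list 30 from the thread as (action, network, wildcard) entries.
ACL_30 = [
    ("deny", "172.16.50.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),   # 'permit any'
]


def wildcard_match(address, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == n & care


def standard_acl(acl, src):
    """A standard ACL matches only the source; unmatched packets hit the implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"


def route_lookup(dst):
    """Longest-prefix match against JEFF_ROUTES; None if nothing matches."""
    best = None
    for prefix, iface in JEFF_ROUTES.items():
        net = ipaddress.IPv4Network(prefix)
        if ipaddress.IPv4Address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def forward(src, dst, ingress, bindings):
    """Push one packet through jeff. bindings maps (interface, direction) -> ACL.

    An inbound ACL is evaluated before the routing decision, so it also stops
    packets addressed to the router itself; an outbound ACL only sees transit
    packets that routing has already sent toward that interface.
    """
    acl = bindings.get((ingress, "in"))
    if acl and standard_acl(acl, src) == "deny":
        return f"dropped by inbound ACL on {ingress}"
    if dst in JEFF_INTERFACES.values():
        return "delivered to router (e.g. telnet)"
    egress = route_lookup(dst)
    if egress is None:
        return "no route"
    acl = bindings.get((egress, "out"))
    if acl and standard_acl(acl, src) == "deny":
        return f"dropped by outbound ACL on {egress}"
    return f"forwarded out {egress}"


# Constructed packets: (source, destination, interface the packet arrives on).
PACKETS = [
    ("172.16.50.100", "172.16.60.100", "s0/0"),   # network 3 server -> network 1 host
    ("172.16.50.100", "172.16.60.1", "s0/0"),     # network 3 server -> jeff itself
    ("172.16.50.100", "198.51.100.7", "s0/0"),    # network 3 server -> internet host
    ("172.16.60.100", "172.16.50.100", "fa0/0"),  # network 1 host -> network 3 server
]

PLACEMENTS = {
    "in on s0/0": {("s0/0", "in"): ACL_30},
    "out on fa0/0": {("fa0/0", "out"): ACL_30},
}


def compare_placements():
    """Return {placement: {destination: fate}} for the two placements in the thread."""
    return {
        name: {dst: forward(src, dst, ingress, bindings) for src, dst, ingress in PACKETS}
        for name, bindings in PLACEMENTS.items()
    }


if __name__ == "__main__":
    for name, fates in compare_placements().items():
        print(f"access-list 30 {name}:")
        for dst, fate in fates.items():
            print(f"  to {dst:15} -> {fate}")
```

Running it shows the inbound placement on s0/0 dropping every packet sourced from 172.16.50.0/24, including the one addressed to jeff itself and the one bound for the hypothetical uplink, while the outbound placement on fa 0/0 drops only the packet actually headed into network 1 and lets the rest through. One caveat the thread does not raise: a standard ACL is stateless and matches on source only, so the same deny entry also drops the network 3 server's replies to a network 1 host, because those replies carry the same source address. A genuinely one-way policy needs an extended ACL (for TCP, with the established keyword) or a stateful filter rather than a standard ACL.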
Chris Knight Member Posts: 66 ■■□□□□□□□□
Ok, for whatever strange reason, now that makes entire sense.
Why it didn't hit me before, after reading it a million times, I don't know....
But I finally see that it will block everything coming inbound...
Sheesh...
Thanks again!
-
SV Member Posts: 166
This might help:
http://www.techexams.net/forums/viewtopic.php?p=63422#63422
Life is a journey...