Access list help in/out

Guys I need some help in the in/out when applying access list.

I am working on a scenario now ( sorry I dont have a link) however Im confused about which interface to be applying it to the inbound or outbound..

Example... Say you have Network 1 and Network 3. In between those networks say, you have two routers called mutt and jeff. Scenario is for network 3 not to access network 1.

Network 1=172.16.60.0/24 Host machine 172.16.60.100/24 connected to jeff router at int fa 0/0 on the otherside of the router is s0/0 going out to s0/1 on mutt

Network 3=172.16.50.0/24 Server 172.16.50.100/24 connected to mutt router on int fa 0/0 on the otherside is s0/1 which connects back to jeff

Now I understand the standard ACL closest to the destination as possible which in this case would be fa 0/0 on Jeff.

But why on earth would you want that outbound??

Jeff>enable
Jeff#configure terminal
Jeff(config)#access-list 30 deny 172.16.50.0 0.0.0.255
Jeff(config)#access-list 30 permit any
Jeff(config)#interface fastethernet 0/0
Jeff(config-if)#ip access-group 30 out

I would think since the object here is to STOP having network 3 connect to network 1 you want want this ACL INBOUND say on S0/0.... Network 1 can access network 3 but not the other way around...

Please help me on this very confused.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

mikearama

Hey Chris,

Ya know, in a lot of cases, you could be right. For example, in your illustration, "jeff" has only two int's... one ethernet and one serial. In this case, the acl can be attached to either int... in on s0, or out on f0.

As a standard rule, it should go on f0. Here's why...

Today your router only uses two int's, but next month, you decide to add internet for your lan, and you add it out of s1 on your "jeff" router. You see where this is going???

If the acl was on s0, then no one in network 3 could access the internet, even though they should be able to... the acl stops them at s0. IF we put it in the right place, on f0, then network 3 could access the "jeff" router, why the routing engine would allow access to the f1 int for internet, while the acl would stop access to network 1.

So, as a rule of thumb, standard acl's closest to destination, to allow for access to other networks, etc.

HTH,
Mike

Chris Knight

Thanks for the quick reply and that does make sense, however since your really filtering inbound traffic from network 3 why wouldnt be inbound then on fa 0/0?

After all its traffic coming inbound?

mikearama

Again, just because the acl will block EVERYTHING. That may not always be desirable.

If your goal is to block EVERYTHING forever from network 3, then inbound is perfect. Perfect, because it will actually save the routing engine from having to make any decisions.

If, however, at some point you decide to allow network 3 access to another subnet that you build off of a different int on jeff, you'll regret putting the acl inbound on f0, since network 3 will still never reach anything, even if it's now supposed to.

One more caveat... put the acl inbound on f0, and you can't even telnet to the jeff router from network 3. It blocks EVERYTHING.

Mike

Chris Knight

Ok for whatever strange reason now, that makes entire sense

Why it didnt hit me before after reading it a million times I dont know....

But I finally see that it will block everything coming inbound...

Sheesh...

Thanks again !

This might help:
http://www.techexams.net/forums/viewtopic.php?p=63422#63422