Interface question about ACLs

Could someone clarify an issue with extended ACLs where you have more than one router and need to apply the ACL to an interface: on whichever router closest to the source you apply it to, how do you determine which interface it should be applied to? It's not really clear to me, and I want to make sure I have it right.
"Computers in the future may weigh no more than 1.5 tons." - Popular Mechanics, 1949

Comments

  • larkspur Member Posts: 235
    Extended ACLs are applied as close to the source address as possible and standard ACLs are applied as close to the destination as possible.
    just trying to keep it all in perspective!
  • networker050184 Mod Posts: 11,962
    You would place it on whatever interface the desired blocked traffic would be entering on (or exiting). Say you wanted to block a certain subnet from accessing your web server, you would place that list on the interface the subnet is connected to so you can drop the traffic before it gets routed to the destination. This prevents wasting CPU power routing traffic that is going to be dropped when it reaches the destination anyway.
    An expert is a man who has made all the mistakes which can be made.
  • Crunchyhippo Member Posts: 389
    You would place it on whatever interface the desired blocked traffic would be entering on (or exiting). Say you wanted to block a certain subnet from accessing your web server, you would place that list on the interface the subnet is connected to so you can drop the traffic before it gets routed to the destination. This prevents wasting CPU power routing traffic that is going to be dropped when it reaches the destination anyway.

    Ok, this helps. So if I'm on router A, which goes to B, and I want to keep people on B out, it would all depend on my access-list statement and whether I put permit or deny as to whether I would apply the list to the Fast Ethernet or serial interface, wouldn't it? If I had a deny statement here, I would apply it incoming and to the serial interface, right? Would there be a scenario where I would apply it to the Fast Ethernet interface here instead of the serial going to router B?
    "Computers in the future may weigh no more than 1.5 tons." - Popular Mechanics, 1949
  • networker050184 Mod Posts: 11,962
    Cisco says place extended access lists close to the source. Going by that, you would place the access list on the Ethernet port connected to the LAN those particular hosts are on. You could also place an outgoing access list on the serial connected to your other router. There are several ways it can be done, but the Cisco way is extended ACLs as close as possible to the host and standard ACLs as close as possible to the destination, to prevent unnecessary filtering of traffic.
    An expert is a man who has made all the mistakes which can be made.
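The placement rules discussed above, written out as an added IOS configuration example (not posted by anyone in this thread). The topology, addresses and interface names are constructed for illustration: Router A's FastEthernet0/0 holds the LAN 192.168.10.0/24, its Serial0/0 links to Router B, and the web server 10.0.0.5 sits on FastEthernet0/1 behind Router B.

```cisco
! Constructed topology (not from the thread): Router A Fa0/0 = 192.168.10.0/24 LAN,
! Router A S0/0 -> Router B, web server 10.0.0.5 on Router B Fa0/1.
! Goal from the thread: keep 192.168.10.0/24 off the web server and drop the
! traffic before Router A spends cycles routing it toward B.

! ===== On Router A: extended ACL, as close to the SOURCE as possible =====
! An extended ACL matches source, destination and port, so it can be precise at
! the source without cutting the subnet off from every other destination.
ip access-list extended BLOCK-WEB
 deny   tcp 192.168.10.0 0.0.0.255 host 10.0.0.5 eq 80 log
 permit ip any any
! The "permit ip any any" is required: every ACL ends with an implicit deny,
! so without it this list would drop all other traffic from the LAN as well.
!
interface FastEthernet0/0
 description LAN hosting the source subnet
 ip access-group BLOCK-WEB in
!
! The alternative mentioned in the thread, outbound on the serial link toward
! Router B, also works, but the packet has already been routed once before it
! is dropped:
! interface Serial0/0
!  ip access-group BLOCK-WEB out

! ===== On Router B: standard ACL, as close to the DESTINATION as possible =====
! A standard ACL matches only the source address. Applied on Router A it would
! block 192.168.10.0/24 from reaching anything beyond A; applied outbound on the
! server segment it only touches traffic actually headed there.
access-list 10 deny   192.168.10.0 0.0.0.255
access-list 10 permit any
!
interface FastEthernet0/1
 description server segment behind Router B
 ip access-group 10 out

! ===== Verification on Router A =====
! show ip access-lists BLOCK-WEB      -> per-entry match counters increment on hits
! show ip interface FastEthernet0/0   -> reports "Inbound access list is BLOCK-WEB"
```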