In and Out interface assignment
Edmondo83
Registered Users Posts: 7
in CCNA & CCENT
Hello there,
I am slightly confused with the "in" and "out" assignment to different interfaces as I have read several conflicting statements and these seem to conflict with how Packet tracer behaves.
If I had for example 2 routers with one serial interface each (se 0/0) and one ethernet interface (fa 0/0) on each and two different networks (192.168.15.0 and 172.15.0.0) and I want to allow only one PC from the 172 network to be able to HTTP to a server on the 192 network, to get this to work correctly I have to apply the access-list to the 172 range's router on the fa 0/0 interface as inbound.
Can someone clarify how the in and out assignment on router interfaces works as I am fairly confused by this.
Many thanks
Comments
SteveO86 Member Posts: 1,423
If you apply an ACL inbound, let's say
int fa0/0
ip access-group 1 in
The access list will look at traffic entering the interface and permit/deny traffic accordingly.
On the flip side..
int s0/0
ip access-group 2 out
Only traffic specified in the ACL will be permitted/denied out the s0/0 interface.
But you are correct for your type of situation only allowing 1 host on the network http access to a server, you want that applied inbound on the first interface it hits. Remember there is an explicit deny any any statement at the end of every ACL.
It's typically best practice to have Standard ACL as close to the destination as possible and extended ACL as close to the source as possible.
(Now if that network has redundant links that can possibly lead to the 192 subnet, you will want to apply that ACL inbound on every interface leaving the 172 subnet)
My Networking blog
Latest blog post: Let's review EIGRP Named Mode
Currently Studying: CCNP: Wireless - IUWMS
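The scenario from the original post written out as an IOS configuration, as an added example that is not part of the thread. The post gives only the two network prefixes, so the interface addresses, the subnet masks, the PC address (172.15.0.10) and the server address (192.168.15.100) are assumptions chosen for illustration; the ACL name PC-TO-WEB is also made up.

```cisco
! Added example, not from the thread. Assumed addressing:
!   R1 fa0/0 = 172.15.0.1/16  (172 LAN)     R1 s0/0 = 10.0.0.1/30
!   R2 s0/0  = 10.0.0.2/30                  R2 fa0/0 = 192.168.15.1/24 (192 LAN)
!   PC       = 172.15.0.10    (the single host allowed)
!   Server   = 192.168.15.100 (the HTTP server)
!
! ---- R1, the router attached to the 172 network ----
hostname R1
!
! Extended ACL: it matches on source AND destination, so it belongs as
! close to the source as possible. Only the PC may open TCP/80 to the server.
ip access-list extended PC-TO-WEB
 permit tcp host 172.15.0.10 host 192.168.15.100 eq www
 ! Everything else from the 172 LAN is already dropped by the implicit
 ! deny at the end of the list; spelling it out with "log" makes the drops
 ! visible in "show access-lists" and in syslog.
 deny   ip any any log
!
interface FastEthernet0/0
 description 172 LAN
 ip address 172.15.0.1 255.255.0.0
 ! "in": checked on packets ENTERING the router from the LAN, i.e. the
 ! first interface the PC's traffic hits. Inbound ACLs are evaluated
 ! before the routing lookup, so denied packets cost nothing further.
 ip access-group PC-TO-WEB in
!
interface Serial0/0
 ip address 10.0.0.1 255.255.255.252
 ! No ACL here. The server's replies enter R1 on s0/0 and are never
 ! checked against PC-TO-WEB, so the HTTP session completes.
!
ip route 192.168.15.0 255.255.255.0 10.0.0.2
!
! ---- The same filter placed with "out" ----
! Applied outbound on s0/0 the list is checked on packets LEAVING R1
! toward R2. In this two-router topology it blocks the same flows, but
! the packet has already been routed before it is dropped, and an
! outbound ACL never filters traffic that R1 itself originates.
! interface Serial0/0
!  ip access-group PC-TO-WEB out
!
! ---- Verification on R1 ----
! show ip interface FastEthernet0/0    -> "Inbound  access list is PC-TO-WEB"
! show access-lists PC-TO-WEB          -> per-entry match counters
! show logging | include PC-TO-WEB      -> the logged denies
```

Two things to keep in mind when reusing this: the implicit deny means the 172 LAN can no longer send anything except that one HTTP flow, so DNS, ICMP and any other legitimate traffic needs its own permit line ahead of the deny; and if the same LAN can reach the 192 network over a second link, the inbound placement on fa0/0 still catches it, because fa0/0 is the only interface on which traffic from that LAN enters R1.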
Edmondo83 Registered Users Posts: 7
Hello there!
Thank you for your reply, this has definitely shed some light on the situation for me.
Many thanks.