Solved

ACLs

Posted on 2004-10-08
7
Medium Priority
259 Views
Last Modified: 2010-04-17
How do you decide if you apply an access list IN or OUT?
Take this diagram for example:  http://mvpbaseball.cc/acl.jpg

If I wanted to deny the SALES LAN from accessing FINANCE, it would be

                 ! standard ACL: a list number is required (1-99 for a standard list); it matches on source only
                 access-list 1 deny 172.16.40.0  0.0.0.255
                 access-list 1 permit any

I would then apply it to the e0 interface. But would I apply it inbound or outbound?  How can you tell?
Thanks.
0
Question by:dissolved
7 Comments
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 600 total points
ID: 12263427
In your access-list, 172.16.40.0 is the source subnet so you would deny it outbound if applying it to E0.  If you were to apply it to E2, you would apply it inbound.

You can tell by looking at how the source and destination look to the router interface.  If you send data to Finance from Sales, the source address received on E2 is 172.16.40.x and the destination is Finance.  If you applied it inbound on E2, Sales wouldn't be able to communicate with anything; all packets would be dropped.  When you apply it outbound on E0, only traffic with a source of 172.16.40.0 will be dropped.  If you applied it inbound on E0, it would have no effect because the source address would be a Finance subnet address.
0
 

Author Comment

by:dissolved
ID: 12263472
Thanks JFrederick.  I understand that the ACL is applied outbound to e0 because traffic is going "out" e0, destined for FINANCE. Makes sense now thanks.

When would I use an IN statement?  Could you possibly give an example with my diagram?
Thanks!
0
 
LVL 13

Expert Comment

by:Dr-IP
ID: 12264109
If you changed it to deny 172.16.10.0 0.0.0.255 you could apply it to E2 with the in statement and get the same effect. One thing I should note: if sales has access to any of the computers in marketing, your security plan goes down the drain. You should really lock down the servers and workstations in finance, and limit what workstations sales people can log into, so that the access list is another layer of security instead of your only layer of security.
0

 
LVL 13

Expert Comment

by:Dr-IP
ID: 12264132
That should have been

access-list 101 deny ip any 172.16.10.0 0.0.0.255
! permit everything else; without this line the implicit deny at the end of the list drops all other traffic
access-list 101 permit ip any any

As you will need to use an extended access list in this case.
0
 

Author Comment

by:dissolved
ID: 12264610
Thanks Dr-IP.  What happens if I use both ACLs?

They both essentially do the same thing.  Is this normally done?

Last question: Why do they say (when using extended ACLs) to always apply it closest to the source?

Thanks!
0
 
LVL 13

Accepted Solution

by:Dr-IP
Dr-IP earned 1400 total points
ID: 12264743
If you use both, you are effectively duplicating the same thing. As for using an extended access list closest to the source, it’s to hopefully limit the amount of packets that need to be filtered through the access list. Just look at it this way: if you put it on E0, every packet going to finance needs to be inspected, but if you use it on the sales interface, it only needs to check the packets coming from sales. In the diagram you provided the impact of not placing it on the source probably wouldn’t be that great, but think of how much more work the router would have to do if it had to inspect the packets from a dozen interfaces at one time sending traffic to finance.
0
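The three points made in this thread (JFrederick29's in/out reasoning, Dr-IP's equivalent extended list applied inbound on E2, and the "place it closest to the source" cost argument) can all be checked with a small model of a router that applies an ACL on one interface in one direction, the way `ip access-group <n> in|out` does under `interface Ethernet0`. This is an added example written for this page, not code from the thread, Cisco, or Experts Exchange. It assumes the topology the comments imply (E0 = FINANCE 172.16.10.0/24, E2 = SALES 172.16.40.0/24); the original diagram link is dead, so the Marketing subnet 172.16.20.0/24 on an interface E1, the host addresses, and the sample traffic mix are constructed assumptions. The model ignores protocols and ports and has a single router; it is only meant to show direction and placement semantics.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed topology: Finance (E0) and Sales (E2) come from the thread; the
# Marketing subnet and interface E1 are assumptions because the diagram is gone.
TOPOLOGY = {
    "E0": "172.16.10.0/24",   # FINANCE
    "E1": "172.16.20.0/24",   # MARKETING (assumed)
    "E2": "172.16.40.0/24",   # SALES
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Ace:
    """One access-list entry. A standard ACL only sets src; an extended ACL
    can also set dst (protocol is fixed to 'ip' here for brevity)."""
    action: str          # "permit" or "deny"
    src: str = "any"     # CIDR network or "any"
    dst: str = "any"


def _matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)


def acl_permits(acl: list[Ace], pkt: Packet) -> bool:
    """Top-down, first match wins, implicit deny when nothing matches."""
    for ace in acl:
        if _matches(ace.src, pkt.src) and _matches(ace.dst, pkt.dst):
            return ace.action == "permit"
    return False


class Router:
    def __init__(self, topology: dict[str, str]):
        self.ifaces = {name: ip_network(cidr) for name, cidr in topology.items()}
        self.groups: dict[tuple[str, str], list[Ace]] = {}
        self.evaluations = 0   # how many packets had to be run through an ACL

    def access_group(self, iface: str, direction: str, acl: list[Ace]) -> None:
        """Model of 'ip access-group <n> in|out' configured under an interface."""
        if direction not in ("in", "out"):
            raise ValueError("direction must be 'in' or 'out'")
        self.groups[(iface, direction)] = acl

    def _iface_for(self, addr: str) -> str:
        for name, net in self.ifaces.items():
            if ip_address(addr) in net:
                return name
        raise ValueError(f"no connected route for {addr}")

    def forward(self, pkt: Packet) -> bool:
        """True if delivered. An inbound ACL is checked on the interface the
        packet arrives on, an outbound ACL on the interface it leaves by."""
        ingress, egress = self._iface_for(pkt.src), self._iface_for(pkt.dst)
        for iface, direction in ((ingress, "in"), (egress, "out")):
            acl = self.groups.get((iface, direction))
            if acl is not None:
                self.evaluations += 1
                if not acl_permits(acl, pkt):
                    return False
        return True


# Constructed sample traffic: Sales to Finance, Sales to Marketing, a Finance
# reply to Sales, and two Marketing hosts talking to Finance.
TRAFFIC = {
    "sales->finance":      Packet("172.16.40.10", "172.16.10.5"),
    "sales->marketing":    Packet("172.16.40.10", "172.16.20.5"),
    "finance->sales":      Packet("172.16.10.5", "172.16.40.10"),
    "marketing->finance":  Packet("172.16.20.7", "172.16.10.5"),
    "marketing2->finance": Packet("172.16.20.8", "172.16.10.5"),
}

ACL_1 = [Ace("deny", src="172.16.40.0/24"), Ace("permit")]      # standard list from the question
ACL_101 = [Ace("deny", dst="172.16.10.0/24"), Ace("permit")]    # Dr-IP's extended list


def run_placement(iface: str, direction: str, acl: list[Ace]) -> dict:
    """Apply one ACL in one place; report what is delivered and how many
    packets the router had to inspect for the sample traffic."""
    r = Router(TOPOLOGY)
    r.access_group(iface, direction, acl)
    delivered = {name: r.forward(p) for name, p in TRAFFIC.items()}
    delivered["packets_inspected"] = r.evaluations
    return delivered


if __name__ == "__main__":
    for label, args in {
        "acl 1 out on E0":   ("E0", "out", ACL_1),
        "acl 1 in on E2":    ("E2", "in", ACL_1),
        "acl 1 in on E0":    ("E0", "in", ACL_1),
        "acl 101 in on E2":  ("E2", "in", ACL_101),
    }.items():
        print(label, run_placement(*args))
```

Running it reproduces the thread: ACL 1 outbound on E0 blocks only Sales to Finance, the same list inbound on E2 cuts Sales off from everything, inbound on E0 it does nothing because no packet arriving on E0 has a Sales source, and ACL 101 inbound on E2 gives the same result as ACL 1 outbound on E0. The `packets_inspected` counter shows Dr-IP's placement point for this traffic mix: on E0 outbound the router runs every packet from every other interface headed for Finance through the list, whereas on E2 inbound it only inspects what Sales originates.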
 

Author Comment

by:dissolved
ID: 12264836
Thanks a lot. Very helpful.
0
