Solved

ACLs

Posted on 2004-10-08
254 Views
Last Modified: 2010-04-17
How do you decide if you apply an access list IN or OUT?  
Take this diagram for example:  http://mvpbaseball.cc/acl.jpg

If I wanted to deny the SALES lan from accessing FINANCE.  
It would be

                 ! standard list (needs a list number); it matches on source address only
                 access-list 1 deny 172.16.40.0 0.0.0.255
                 access-list 1 permit any

I would then apply it to the e0 interface. But would I apply it inbound or outbound?  How can you tell?
thanks
0
Question by:dissolved
7 Comments
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 150 total points
In your access-list, 172.16.40.0 is the source subnet so you would deny it outbound if applying it to E0.  If you were to apply it to E2, you would apply it inbound.

You can tell by looking at how the source and destination look to the router interface.  If you send data to Finance from Sales, the source address received on E2 is 172.16.40.x and the destination is Finance.  If you applied it inbound on E2, sales wouldn't be able to communicate with anything; all packets would be dropped.  When you apply it outbound on E0, only traffic with a source of 172.16.40.0 will be dropped.  If you applied it inbound on E0, it would have no effect because the source address would be a Finance subnet address.
0
 

Author Comment

by:dissolved
Thanks JFrederick.  I understand that the ACL is applied outbound to e0 because traffic is going "out" e0, destined for FINANCE. Makes sense now thanks.

When would I use an IN statement?  Could you possibly give an example with my diagram?
Thanks!
0
 
LVL 13

Expert Comment

by:Dr-IP
If you changed it to deny 172.16.10.0 0.0.0.255 you could apply it to E2 with the in statement and get the same effect. One thing I should note: if sales has access to any of the computers in marketing, your security plan goes down the drain. You should really lock down the servers and workstations in finance, and limit what workstations sales people can log into, so that the access list is another layer of security instead of your only layer of security.
0

 
LVL 13

Expert Comment

by:Dr-IP
That should have been

access-list 101 deny ip any 172.16.10.0 0.0.0.255

As you will need to use an extended access list in this case.
0
 

Author Comment

by:dissolved
Thanks DR IP.  What happens if I use both ACLs ?

They both essentially do the same thing.  Is this normally done?

Last question: Why do they say (when using extended ACLs) to always apply it closest to the source?

Thanks!
0
 
LVL 13

Accepted Solution

by:Dr-IP
Dr-IP earned 350 total points
If you use both, you are effectively duplicating the same thing. As for using extended access lists closest to the source, it's to hopefully limit the amount of packets that need to be filtered through the access list. Just look at it this way: if you put it on E0, every packet going to finance needs to be inspected, but if you use it on the sales interface, it only needs to check the packets coming from sales. In the diagram you provided the impact of not placing it on the source probably wouldn't be that great, but think of how much more work the router would have to do if it had to inspect the packets from a dozen interfaces at one time sending traffic to finance.
0
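The three points made in this thread (JFrederick29's answer on why the standard list belongs outbound on E0 or inbound on E2, Dr-IP's extended list that gets the same effect inbound on E2, and the accepted solution's argument for filtering closest to the source) can be checked with a small model of how a router consults an access list before and after the routing decision. This is an added example, not code from the thread or from Cisco IOS; it assumes a third interface E1 for MARKETING with the subnet 172.16.20.0/24 and the sample host addresses, all of which are constructed. The SALES (172.16.40.0/24) and FINANCE (172.16.10.0/24) subnets are the ones given in the thread.

```python
"""Where does an IOS-style access list take effect: inbound or outbound?

Constructed model.  Only the SALES and FINANCE subnets come from the thread;
the MARKETING subnet, interface E1 and all host addresses are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Assumed topology: one router, one LAN behind each interface.
TOPOLOGY = {
    "E0": IPv4Network("172.16.10.0/24"),  # FINANCE (subnet from Dr-IP's comment)
    "E1": IPv4Network("172.16.20.0/24"),  # MARKETING (subnet assumed)
    "E2": IPv4Network("172.16.40.0/24"),  # SALES (subnet from the question)
}

ANY = IPv4Network("0.0.0.0/0")


def wc(addr: str, wildcard: str) -> IPv4Network:
    """Cisco 'address wildcard' pair -> network (ipaddress accepts a hostmask)."""
    return IPv4Network(f"{addr}/{wildcard}")


@dataclass(frozen=True)
class Entry:
    action: str            # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network = ANY  # a standard ACL never looks at the destination


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


@dataclass
class AccessList:
    entries: list
    evaluations: int = 0   # how many packets this list had to inspect

    def permits(self, pkt: Packet) -> bool:
        self.evaluations += 1
        for e in self.entries:           # first matching entry wins
            if pkt.src in e.src and pkt.dst in e.dst:
                return e.action == "permit"
        return False                     # implicit "deny any" ends every IOS ACL


class Router:
    def __init__(self, topology):
        self.topology = topology
        self.acls = {}                   # (interface, "in" | "out") -> AccessList

    def apply(self, iface: str, direction: str, acl: AccessList) -> None:
        self.acls[(iface, direction)] = acl

    def iface_for(self, ip: IPv4Address) -> str:
        return next(name for name, net in self.topology.items() if ip in net)

    def forward(self, pkt: Packet) -> bool:
        # Simplification: the arriving interface is inferred from the source subnet.
        ingress, egress = self.iface_for(pkt.src), self.iface_for(pkt.dst)
        acl = self.acls.get((ingress, "in"))     # checked as the packet arrives
        if acl is not None and not acl.permits(pkt):
            return False
        acl = self.acls.get((egress, "out"))     # checked after the routing lookup
        if acl is not None and not acl.permits(pkt):
            return False
        return True


# Constructed sample traffic (host addresses assumed).
TRAFFIC = {
    "sales->finance":      Packet(IPv4Address("172.16.40.5"), IPv4Address("172.16.10.9")),
    "sales->marketing":    Packet(IPv4Address("172.16.40.5"), IPv4Address("172.16.20.7")),
    "marketing->finance":  Packet(IPv4Address("172.16.20.7"), IPv4Address("172.16.10.9")),
    "marketing2->finance": Packet(IPv4Address("172.16.20.8"), IPv4Address("172.16.10.10")),
    "finance->sales":      Packet(IPv4Address("172.16.10.9"), IPv4Address("172.16.40.5")),
}

# The question's standard list:  access-list 1 deny 172.16.40.0 0.0.0.255 / permit any
STANDARD = [Entry("deny", wc("172.16.40.0", "0.0.0.255")), Entry("permit", ANY)]
# Dr-IP's extended list:  access-list 101 deny ip any 172.16.10.0 0.0.0.255 / permit ip any any
EXTENDED = [Entry("deny", ANY, wc("172.16.10.0", "0.0.0.255")), Entry("permit", ANY, ANY)]


def run(entries, iface: str, direction: str):
    """Apply one list on one interface; return ({flow: forwarded?}, packets inspected)."""
    router, acl = Router(TOPOLOGY), AccessList(list(entries))
    router.apply(iface, direction, acl)
    outcome = {name: router.forward(pkt) for name, pkt in TRAFFIC.items()}
    return outcome, acl.evaluations


if __name__ == "__main__":
    for label, args in {"standard E0 out": (STANDARD, "E0", "out"),
                        "standard E0 in ": (STANDARD, "E0", "in"),
                        "standard E2 in ": (STANDARD, "E2", "in"),
                        "extended E2 in ": (EXTENDED, "E2", "in")}.items():
        outcome, seen = run(*args)
        dropped = [f for f, ok in outcome.items() if not ok]
        print(f"{label}: inspected {seen} packets, dropped {dropped}")
```

Running it reproduces the thread: the standard list drops only sales->finance when applied outbound on E0, drops nothing when applied inbound on E0 (the only source seen there is Finance), and drops everything from Sales when applied inbound on E2. Dr-IP's extended list inbound on E2 gives exactly the same per-flow result as the standard list outbound on E0, while inspecting only the two packets that arrive from Sales instead of the three headed for Finance, which is the "closest to the source" argument in miniature.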
 

Author Comment

by:dissolved
Thanks a lot. Very helpful
0
