Solved

Standard access-lists question

Posted on 2006-03-29
Last Modified: 2010-03-19
Hi experts,

CCNA question!

I have a network containing the subnet 192.168.2.0/24 (LAN 1) on interface f0/1 on Router1 and subnet 192.168.7.0/24 (LAN 8) on Router6.

I'd like to block access to any host on LAN8 accessing LAN1 using a standard access-list on the router.

I was thinking of doing this on the f0/1 interface of Router 1.

2600(conf)#access-list 1 deny 192.168.7.0 0.0.0.255
2600(conf)#access-list 1 permit any
2600(conf)#exit
2600(conf)#interface f0/1
2600(conf-if)#ip access-group 1 in

So basically I am applying an inbound access list to the f0/1 interface blocking the entire subnet of 192.168.7.0/24?
But, it doesn't work!

It works (as most books suggest) by applying the list as an outbound access list on the f0/0 interface, but I was wondering why? Why not block it from entering in the first place?
Conversely, if I apply the list as an inbound list on the serial interface of Router1 connecting it to Router6 it works, but not as an outbound? Why is this, and why is the s0/0's behaviour opposite to f0/0?

Hope someone can help me!
Question by: Dilan77

Accepted Solution by: kfullarton (earned 600 total points)
When you applied it inbound, essentially you're saying "Anything I receive inbound on this interface apply this acl to it".  The only thing that you're going to receive inbound on that interface is traffic from 192.168.2.0/24.  Standard access lists are based on source address so your ACL will permit it because it's denying 192.168.7.0 and permitting everything else.  Same situation on s0/0.  Make sense?
Assisted Solution by: grsteed (earned 400 total points)
Kfullarton is correct.

The thing to remember with ACLs is that the inbound and outbound are from the perspective of the interface. So inbound is from the attached network into that interface, and outbound is from that interface out to the attached network.

A lot of people think that it is from the perspective of the attached network. In to the network (out the interface) or out of the network (in to the interface), which is backwards.

Cheers,

Gary
Author Comment by: Dilan77
Thanks guys...I think I'm misunderstanding the concept of inbound/outbound.

So, inbound is from the attached network into the interface and outbound is to the attached network from the interface?

This would also explain why it's the opposite for the serial interface, as in that case the traffic is going FROM the attached network TO the interface. Whereas with f0/0, the traffic is going TO the attached network FROM the interface.

As Gary said, I was looking at it from the perspective of the network, not the interface.

Just one final question, where would it be best to put the ACL? On the f0/0 or s0/0 interfaces? For Router1, there is only one serial and one Ethernet connection so I'm guessing it wouldn't make much difference. However, if there were multiple interfaces I'm assuming the ACL would have to be applied on the f0/0 so that it doesn't block legitimate traffic for elsewhere, as standard ACLs act on source IP address alone. Is this correct?

Thanks,
D
Expert Comment by: kfullarton
The general rule for Standard ACLs is to apply them closest to the destination.  So you are correct.
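The behaviour described in the accepted solution, and the "closest to the destination" rule in the comment above, as an added example that is not part of the original thread. It is a small Python model of how a standard IP ACL is evaluated at an interface in a given direction: source address only, first match wins, implicit deny at the end, inbound list checked on the arrival interface and outbound list on the exit interface. Assumed here, since the thread does not pin them down: LAN1 (192.168.2.0/24) is on Router1's f0/0, LAN8 (192.168.7.0/24) is reached via s0/0, and a third subnet 192.168.3.0/24 on f0/1 is invented purely to show what placing the list inbound on s0/0 does to traffic bound elsewhere.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed topology for this example (the thread only fixes LAN1 and LAN8):
#   f0/0 -> 192.168.2.0/24 (LAN1)      s0/0 -> 192.168.7.0/24 (LAN8, via Router6)
#   f0/1 -> 192.168.3.0/24 (invented third LAN, to show the placement rule)
ROUTES = {
    "192.168.2.0/24": "f0/0",
    "192.168.3.0/24": "f0/1",
    "192.168.7.0/24": "s0/0",
}


@dataclass
class AclEntry:
    action: str    # "permit" or "deny"
    network: str   # dotted-quad network, e.g. "192.168.7.0"
    wildcard: str  # IOS wildcard mask; 1 bits are "don't care" ("any" = 0.0.0.0 255.255.255.255)


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def entry_matches(entry: AclEntry, src: str) -> bool:
    """Standard ACLs test the SOURCE address only, under the wildcard mask."""
    care = ~_ip(entry.wildcard) & 0xFFFFFFFF  # bits the entry actually compares
    return (_ip(src) & care) == (_ip(entry.network) & care)


def evaluate(acl: list, src: str) -> str:
    """First matching entry wins; every ACL ends with an implicit 'deny any'."""
    for entry in acl:
        if entry_matches(entry, src):
            return entry.action
    return "deny"


@dataclass
class Router:
    routes: dict
    acl_in: dict = field(default_factory=dict)   # interface -> ACL applied with 'ip access-group N in'
    acl_out: dict = field(default_factory=dict)  # interface -> ACL applied with 'ip access-group N out'

    def egress_for(self, dst: str) -> str:
        for net, iface in self.routes.items():
            if ipaddress.IPv4Address(dst) in ipaddress.IPv4Network(net):
                return iface
        raise ValueError(f"no route to {dst}")

    def forward(self, src: str, dst: str, ingress: str) -> str:
        """Inbound ACL of the arrival interface first, then outbound ACL of the exit interface."""
        acl = self.acl_in.get(ingress)
        if acl and evaluate(acl, src) == "deny":
            return f"dropped at {ingress} in"
        egress = self.egress_for(dst)
        acl = self.acl_out.get(egress)
        if acl and evaluate(acl, src) == "deny":
            return f"dropped at {egress} out"
        return f"forwarded out {egress}"


# access-list 1 deny 192.168.7.0 0.0.0.255  /  access-list 1 permit any
ACL1 = [
    AclEntry("deny", "192.168.7.0", "0.0.0.255"),
    AclEntry("permit", "0.0.0.0", "255.255.255.255"),
]

# Constructed packets: (source, destination, interface the packet arrives on)
LAN8_TO_LAN1 = ("192.168.7.10", "192.168.2.10", "s0/0")
LAN8_TO_LAN3 = ("192.168.7.10", "192.168.3.10", "s0/0")
LAN1_TO_LAN8 = ("192.168.2.10", "192.168.7.10", "f0/0")
PACKETS = (LAN8_TO_LAN1, LAN8_TO_LAN3, LAN1_TO_LAN8)


def run_scenarios() -> dict:
    """Same ACL, three placements; returns the fate of each packet per placement."""
    placements = {
        "in on f0/0": Router(ROUTES, acl_in={"f0/0": ACL1}),    # the poster's attempt
        "out on f0/0": Router(ROUTES, acl_out={"f0/0": ACL1}),  # closest to the destination
        "in on s0/0": Router(ROUTES, acl_in={"s0/0": ACL1}),    # closest to the source
    }
    return {name: [r.forward(*p) for p in PACKETS] for name, r in placements.items()}


if __name__ == "__main__":
    for name, fates in run_scenarios().items():
        print(f"ACL 1 {name}:")
        for pkt, fate in zip(PACKETS, fates):
            print(f"  {pkt[0]} -> {pkt[1]} (arrives {pkt[2]}): {fate}")
```

Running it shows the three outcomes the thread walks through: inbound on f0/0 never sees a 192.168.7.x source, so nothing is dropped; outbound on f0/0 drops LAN8 traffic to LAN1 and nothing else; inbound on s0/0 drops LAN8 traffic to LAN1 and to the third LAN as well, which is why a source-only list belongs near the destination. Two caveats worth keeping in mind: dropping the `permit any` line leaves only the implicit deny, so every source is blocked; and because a standard ACL is stateless, `deny 192.168.7.0 0.0.0.255` also drops the replies LAN8 hosts send to sessions that LAN1 hosts start, so "block LAN8 from accessing LAN1" really means "block all packets from LAN8 to LAN1" unless an extended ACL is used instead.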
Author Comment by: Dilan77
Brilliant, thanks for the explanations!