Standard access-lists question
Posted on 2006-03-29
I have a network containing the subnet 192.168.2.0/24 (LAN 1) on interface f0/1 on Router1 and subnet 192.168.7.0/24 (LAN 8) on Router6.
I'd like to block access to any host on LAN8 accessing LAN1 using a standard access-list on the router.
I was thinking of doing this on the f0/1 interface of Router 1.
2600(conf)#access-list 1 deny 192.168.7.0 0.0.0.255
2600(conf)#access-list 1 permit any
2600(conf-if)#ip access-group 1 in
So basically I am applying an inbound access list to the f0/1 interface blocking the entire subnet of 192.168.7.0/24?
But, it doesn't work!
It works (as most books suggest) by applying the list as an outbound access list on the f0/0 interface, but I was wondering why? Why not block it from entering in the first place?
Conversely, if I apply the list as an inbound list on the serial interface of Router1 connecting it to Router6 it works, but not as an outbound? Why is this, and why is the s0/0's behaviour opposite to f0/0?
Hope someone can help me!
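
The following is an added example, not part of the original post: a small Python model of how a standard ACL (source address only, first match wins) is evaluated at each interface and direction on Router1. The interface labels "lan1" and "serial", the host addresses and the two-interface router are assumptions made for the illustration.

```python
import ipaddress

# ACL 1 from the post, as (action, address, wildcard) entries.
ACL_1 = [
    ("deny", "192.168.7.0", "0.0.0.255"),
    ("permit", "any", None),
]

LAN1 = ipaddress.ip_network("192.168.2.0/24")


def wildcard_match(addr, base, wildcard):
    """IOS wildcard match: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def standard_acl(acl, src):
    """A standard ACL looks only at the source address; first match wins."""
    for action, base, wildcard in acl:
        if base == "any" or wildcard_match(src, base, wildcard):
            return action
    return "deny"  # implicit deny at the end of every ACL


def iface_for(addr):
    """Hypothetical Router1: 'lan1' faces LAN 1, 'serial' faces Router6."""
    return "lan1" if ipaddress.ip_address(addr) in LAN1 else "serial"


def forward(src, dst, bindings):
    """Pass one packet through Router1.

    bindings maps (interface, direction) to an ACL, like 'ip access-group'.
    A packet is checked inbound only on the interface it arrives on and
    outbound only on the interface it leaves by.
    """
    ingress, egress = iface_for(src), iface_for(dst)
    for hook in ((ingress, "in"), (egress, "out")):
        acl = bindings.get(hook)
        if acl and standard_acl(acl, src) == "deny":
            return f"dropped at {hook[0]} {hook[1]}"
    return "forwarded"


if __name__ == "__main__":
    # Constructed sample packet: a LAN 8 host talking to a LAN 1 host.
    for hook in [("lan1", "in"), ("lan1", "out"), ("serial", "in"), ("serial", "out")]:
        print(hook, forward("192.168.7.10", "192.168.2.20", {hook: ACL_1}))
```

In this model a packet from LAN 8 arrives on the serial interface and leaves by the LAN 1 interface, so only the "serial in" and "lan1 out" bindings ever see a 192.168.7.x source address.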