Standard access-lists question

Hi experts,

CCNA question!

I have a network containing the subnet 192.168.2.0/24 (LAN 1) on interface f0/1 on Router1 and subnet 192.168.7.0/24 (LAN 8) on Router6.

I'd like to block access to any host on LAN8 accessing LAN1 using a standard access-list on the router.

I was thinking of doing this on the f0/1 interface of Router 1.

2600(conf)#access-list 1 deny 192.168.7.0 0.0.0.255
2600(conf)#access-list 1 permit any
2600(conf)#exit
2600(conf)#interface f0/1
2600(conf-if)#ip access-group 1 in

So basically I am applying an inbound access list to the f0/1 interface blocking the entire subnet of 192.168.7.0/24?
But, it doesn't work!

It works (as most books suggest) by applying the list as an outbound access list on the the f0/0 interface, but I was wondering why? Why not block it from entering in the first place?
Conversely, if I apply the list as an inbound list on the serial interface of Router1 connecting it to Router6 it works, but not as an outbound? Why is this, and why is the s0/0's behaviour opposite to f0/0?

Hope someone can help me!
LVL 2
Dilan77Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

kfullartonCommented:
When you applied it inbound, essentially you're saying "Anything I receive inbound on this interface apply this acl to it".  The only thing that you're going to receive inbound on that interface is traffic from 192.168.2.0/24.  Standard access lists are based on source address so your ACL will permit it because it's denying 192.168.7.0 and permitting everything else.  Same situation on s0/0.  Make sense?
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
grsteedCommented:
Kfullarton is correct.

The thing to remember with ACL's is that the inbound and outbound are from the perspective of the interface. So inbound is from the attached network into that interface, and outbound is from that out to the attached network from that interface.

A lot of people think that it is from the perspective of the attached network. In to the network (out the interface) or out of the network (in to the interface), which is backwards.

Cheers,

Gary
0
Dilan77Author Commented:
Thanks guys...I think I'm misunderstanding the concept of inbound/outbound.

So, inbound is from the attached network into the interface and outbound is to the attached network from the interface?

This would also explain why it's the opposite for the serial interface, as in that case the traffic is going FROM the attached network TO the interface. Whereas with f0/0, the traffic is going TO the attached network FROM the interface.

As Gary said, I was looking at it from the perspective of the network, not the interface.

Just one final question, where would be it be best to put the ACL? On the f0/0 or s0/0 interfaces? For Router1, there is only one serial and one Ethernet connection so I'm guessing it wouldn't make much difference. However, if there were multiple interfaces I'm assuming the ACL would have to be applied on the f0/0 so that it doesn't block legitimate traffic for elsewhere, as standard ACL's act on source IP address alone. Is this correct?

Thanks,
D
0
kfullartonCommented:
The general rule for Standard ACLs is to apply them closest to the destination.  So you are correct.
0
Dilan77Author Commented:
Brilliant, thanks for the explanations!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Networking

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.