Q about access-lists

flashsplash · ‎07-06-2007

hi guys i'm a bit confuse about how access-lists works. i don't exactly understand when to use the ip access-group command and when not. Cause what i've learn yet a few days ago from some1 on this forum is that's it seems to have an access-lists activated without having the ip access-group command bound to an interface.

ill explane brief what my issue was if i may. I had conf a cisco 2611 for i-net access bout could not ping the default- gateway. my fault was that i had use the ip access-group out on my lan interface and when i removed it, it solved my problem.

i'm sorry my store seems a bit long but just wanted to give a good idea of the picture. so any help is welcome in explaning or directing me to some good books...or s'thing like access-lists for dummies.

thx in advance

bye flash

Jon Marshall · ‎07-06-2007

Hi Flash

The "ip access-group" command applies the access-list to the relevant interface. You can create as many access-lists as you like but if you don't apply them on an interface they won't take effect.

The other important thing to remember is that access-list are not just used for allowing and restricting traffic into and out of interfaces.

Thye can be used for NAT, PBR (Policy Based Routing), restricting snmp/telnet access to the router etc. and in most of these instances you would not need to use the "ip access-group" command.

Hope this makes sense

Jon

flashsplash · ‎07-06-2007

its a bit clearer but i guess to fully understand it i must play with them, but thx for clearing it a bit up..i've rate this post

bye flash

Jon Marshall · ‎07-06-2007

Hi Flash

It always becomes a lot clearer when you configure it and don't hesitate to come back with any more questions.

Jon