Multiple Access List

May 5th, 2008

Hi all,

Please, I need an explanation of multiple access lists. I have 2 interfaces on my router and I want to create access lists.

Bearing in mind the access list rule: per interface, per protocol, per direction.

How do I implement multiple access lists?

i.e.

ip access-list 121 ..........
int fa0/0
in

ip access-list 142
int fa0/0
in

ip access-list 169
int fa0/0
in

Please, I understand the command, but it is the interface inbound and outbound issue that I want clarification on.

I will be expecting your reply .

Regards

Mark Yeates Mon, 05/05/2008 - 15:11

I hope the below helps clear up the confusion.

Out: traffic that has already been through the router and leaves the interface. The source is where it has been, on the other side of the router, and the destination is where it goes.

In: traffic that arrives on the interface and then goes through the router. The source is where it has been and the destination is where it goes, on the other side of the router.

Mark

michael.leblanc Thu, 05/08/2008 - 16:27

Your post suggests that you are trying to apply access lists 121, 142, and 169 to int fa0/0 inbound.

Is this true?

When you state - "Bearing in mind the access list :per interface per protocol per direction."

What protocols are being implemented with the three different ACLs?

Richard Burts Fri, 05/09/2008 - 08:53

Michael

"Access list per interface per protocol per direction" goes back to the days when Cisco routers were multiprotocol routers and might be processing IP, IPX, and perhaps AppleTalk. So you could have an IP access list in and out, an IPX access list in and out, and perhaps an AppleTalk filter. As Istvan points out, in today's environment we deal almost exclusively with IP, and in effect the rule is now one access list in and one access list out per interface.

HTH

Rick

michael.leblanc Fri, 05/09/2008 - 09:10

You misunderstood my post.

I was probing to find out whether the original poster was using IP, IPX, and AppleTalk, or whether he was separating TCP/IP application protocols into different ACLs.

Best Regards,

Istvan_Rabai Fri, 05/09/2008 - 08:18

Hi Taiwo,

You can apply only ONE access-list inbound and ONE access-list outbound to each interface.

You have to construct the ip access-lists so that they contain all the necessary protocol filtering in ONE access-list inbound and ONE access-list outbound.

Then you have to apply the access-lists to the interfaces similarly to this:

interface fa0/0

ip access-group 121 in

ip access-group xxx out

Does this answer your question?

Cheers:

Istvan

illusion_rox Fri, 05/09/2008 - 08:51

Can you tell us what issue you will run into if you merge these access lists into 1 access list?

Istvan_Rabai Fri, 05/09/2008 - 10:53

Hi Illusion Rox,

When you construct access-lists, there are several issues you can run into. The most important rules that you are recommended to follow are:

1. Every standard access-list has an implicit "deny any" and every extended access-list has an implicit "deny ip any any" at the end.

Therefore, if you want to deny specific traffic and allow the rest of the traffic, then you need to add "permit any" or "permit ip any any" respectively at the end to override this behavior.

2. Access-lists are evaluated in sequence. This is why you have to configure the more specific ACL entries first, then the more general statements.

3. Generally speaking, standard ACLs need to be applied as close to the destination as possible.

Extended ACLs are recommended to be applied as close to the source as possible.

But every specific application is different, so these are not very strict rules.

You may apply ACLs in a cute way to limit the unnecessary traffic burden on the network.

Cheers:

Istvan
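As an added illustration (not part of this thread, and not Cisco code), a small Python model of the rules Istvan lists: one list per interface per direction, evaluated top-down with first match, the implicit "deny ip any any" at the end, and why the specific entries must come before the general ones. The addresses, ports and the way the original 121/142/169 lists are merged are assumptions constructed for the example.

```python
"""Model of IOS extended-ACL evaluation: top-down first match,
implicit 'deny ip any any' at the end (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" | "deny"
    proto: str                  # "ip" matches every IP protocol; else "tcp"/"udp"/"icmp"
    src: str                    # "any" or CIDR, e.g. "10.1.1.0/24" (IOS: 10.1.1.0 0.0.0.255)
    dst: str
    dport: Optional[int] = None  # None = any destination port

def _covers(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, 1-based index of the matching ACE); ('deny', None) = implicit deny."""
    for i, ace in enumerate(acl, start=1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_covers(ace.src, src) and _covers(ace.dst, dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, i
    return "deny", None

def _broader(a: Ace, b: Ace) -> bool:
    """True if ACE a matches every packet that ACE b would match."""
    def net_ok(x, y):
        if x == "any":
            return True
        if y == "any":
            return False
        return ipaddress.ip_network(y).subnet_of(ipaddress.ip_network(x))
    return ((a.proto == "ip" or a.proto == b.proto)
            and net_ok(a.src, b.src) and net_ok(a.dst, b.dst)
            and (a.dport is None or a.dport == b.dport))

def shadowed(acl):
    """1-based indices of ACEs that can never match because an earlier ACE is broader."""
    return [j for j, b in enumerate(acl, start=1) if any(_broader(a, b) for a in acl[:j - 1])]

# Constructed: the three separate lists from the question merged into ONE inbound list,
# specific entries first and an explicit permit last to override the implicit deny.
MERGED_IN = [
    Ace("deny",   "tcp",  "10.1.1.0/24", "any", 23),  # assumed from 121: block telnet from the LAN
    Ace("permit", "tcp",  "10.1.1.0/24", "any", 80),  # assumed from 142: allow web
    Ace("permit", "icmp", "any", "any"),               # assumed from 169: allow ping
    Ace("permit", "ip",   "any", "any"),               # rule 1: override the implicit deny
]
WRONG_ORDER = [MERGED_IN[3]] + MERGED_IN[:3]           # catch-all first: rule 2 violated
```

shadowed(WRONG_ORDER) reports every entry below the catch-all as dead, which is the merge mistake to check for before applying the single list with "ip access-group ... in".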

illusion_rox Fri, 05/09/2008 - 11:19

Hi Istvan, I knew that :-). What I am trying to say is that instead of applying 3 different ACLs, why don't we merge them into 1? What kind of payoff can we expect? If you guys are getting what I mean, then instead of applying different ACLs it's better to apply 1 by merging them all. I think there is no need to apply different ACLs at all, so what do you guys think?
