02-25-2009 10:54 AM - edited 02-20-2020 09:41 PM
Ok simple question but I have to ask it anyway:
When applying an inbound ACL to a router - does it matter if you apply it to the inside or outside interface?
I have a couple of routers that seem to be configured differently and I'm trying to clean up some of the configs.
One has:
interface FastEthernet0/0.1 (inside)
 encapsulation dot1Q 8 native
 ip dhcp relay information trusted
 ip address x.x.x.x x.x.x.x
 ip access-group 101 in
interface FastEthernet0/1.1 (outside)
 encapsulation dot1Q 4
 ip address x.x.x.x x.x.x.x
Yet another has:
interface FastEthernet0/0.1 (inside)
 encapsulation dot1Q 8 native
 ip dhcp relay information trusted
 ip address x.x.x.x x.x.x.x
interface FastEthernet0/1.1 (outside)
 encapsulation dot1Q 4
 ip address x.x.x.x x.x.x.x
 ip access-group 101 in
Which is correct?
02-25-2009 11:02 AM
They are both correct depending on how your access lists are written and what you are trying to block and in what direction.
02-25-2009 11:15 AM
In both examples the ACLs are identical; they are permitting inbound traffic from other sites.
So does that make a difference?
02-25-2009 11:49 AM
Yes, look at the source and destination addresses in the ACLs. If all of the source addresses are on the outside then the ACL would be applied into the outside interface.
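The check described in the last reply can be automated. The following is an added example, not part of the original thread: it parses a config and reports, for each inbound ACL, the source addresses that could never arrive on the interface the ACL is applied to. The addresses, the `parse` and `audit` names, and the single-subnet-per-inside-interface model are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: addresses are placeholders, not values from the thread.
SAMPLE = """\
interface FastEthernet0/0.1
 ip address 10.8.0.1 255.255.255.0
 ip access-group 101 in
interface FastEthernet0/1.1
 ip address 192.0.2.1 255.255.255.252
access-list 101 permit ip 10.20.0.0 0.0.255.255 10.8.0.0 0.0.0.255
access-list 101 permit ip host 10.30.0.5 10.8.0.0 0.0.0.255
"""

def parse(config):
    """Return (connected net per interface, inbound ACL per interface, sources per ACL)."""
    nets, applied, sources, cur = {}, {}, {}, None
    for line in config.splitlines():
        w = line.split() or [""]
        if w[0] == "interface":
            cur = w[1]
        elif w[:2] == ["ip", "address"] and cur:
            nets[cur] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
        elif w[:2] == ["ip", "access-group"] and w[-1] == "in" and cur:
            applied[cur] = w[2]
        elif w[0] == "access-list":
            # Extended entries only: access-list N action proto SOURCE DEST.
            # Contiguous wildcards only; ipaddress reads 0.0.255.255 as a hostmask.
            a = w[4:]
            src = "0.0.0.0/0" if a[0] == "any" else a[1] if a[0] == "host" else f"{a[0]}/{a[1]}"
            sources.setdefault(w[1], []).append(ipaddress.ip_network(src))
    return nets, applied, sources

def audit(config, outside):
    """Map each interface with an inbound ACL to the sources that cannot arrive on it.

    Assumption: only the connected subnet sits behind an inside interface;
    every other source arrives via the interface named in `outside`.
    """
    nets, applied, sources = parse(config)
    inside = [n for i, n in nets.items() if i != outside]
    findings = {}
    for intf, acl in applied.items():
        findings[intf] = []
        for src in sources.get(acl, []):
            if intf == outside:  # source must not belong to an inside subnet
                ok = not any(src.subnet_of(n) for n in inside)
            else:  # source must overlap this interface's connected subnet
                ok = src.overlaps(nets[intf])
            if not ok:
                findings[intf].append(str(src))
    return findings
```

An empty list for an interface means every source in its inbound ACL can arrive there under the stated model; a non-empty list names entries that will never match on that interface.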