Standard ACL question

Answered Question
Sep 17th, 2010

Please forgive the diagram I am about to draw:


[ network 1 172.16.60.0 /24 ] --------------- serial 1/0 [ router 1 ] serial 0/1 --------------- [ internet ]


In the very crude diagram above, I was given the following access list to apply:


access-list 75 deny 172.16.60.0 0.0.0.255

access-list 75 permit any


The goal is to keep Network 1 from accessing the internet.


I would apply this access list on serial interface 0/1 in the outbound direction. The practice test I got this from states that it should be placed on the serial 1/0 interface in the outbound direction, which doesn't make any sense, because standard ACLs will filter based upon SOURCE, so traffic would hit the serial 1/0 interface and, since it's going IN (to the router's serial 1/0 interface), wouldn't be filtered, and would still be allowed to go out to the internet.


Please assist because I'm going to lose my mind shortly.

Correct Answer by Nagaraja Thanthry about 6 years 5 months ago

Hello,


While applying it on the Serial 0/1 in the outbound direction will also work (as you stated, the router will check the source address irrespective of whether the traffic is in the incoming direction or the outgoing direction), it is better to apply the same on the Serial 1/0 interface in the incoming direction because you want to drop the traffic closer to the source. It does not make any sense for the router to process the traffic and send it to the outside interface just to be dropped on that interface.


interface serial 1/0

ip access-group 75 in


hope this helps.


Regards,


NT

Overall Rating: 5 (1 ratings)

jiyamoo22 Fri, 09/17/2010 - 10:04

Just as a heads up, the practice test also included a bunch of other networks, but I truncated it to make my question easier (to explain and to draw).


The reason why I didn't want to put it on the s1/0 inbound was because then N1 wouldn't be able to reach N2, N3, etc.


N1------router1----internet
N2---------|
N3---------|

Nagaraja Thanthry Fri, 09/17/2010 - 10:07

Hello,


In that case, it is better to use an extended access list, as you will have better control over the traffic. You can configure it on the Se 1/0 and control what is allowed (should be the first lines), then the deny statements, and then the default policy.


Regards,


NT
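The following is an added example, not configuration posted by either participant in this thread. It works through the extended-ACL approach suggested in the last reply: permit N1 to the other internal networks first, then deny N1 to everything else (which is what blocks the Internet), then an explicit default. It assumes N1 = 172.16.60.0/24 on Serial 1/0 as in the question; the addresses for N2 (172.16.61.0/24) and N3 (172.16.62.0/24) and the ACL name are hypothetical, since the thread never gives them.

```cisco
! Added example (not from the original thread). Assumed addressing:
!   N1 = 172.16.60.0/24 on Serial1/0 (from the question)
!   N2 = 172.16.61.0/24 and N3 = 172.16.62.0/24 on other interfaces (hypothetical)
!   Serial0/1 faces the Internet
!
! Wildcard mask 0.0.0.255 matches a /24. Order matters: IOS stops at the
! first matching line, so the permits for internal destinations come before
! the deny that covers "N1 to anything else".
ip access-list extended N1-INTERNAL-ONLY
 remark Allow N1 to reach the other internal networks
 permit ip 172.16.60.0 0.0.0.255 172.16.61.0 0.0.0.255
 permit ip 172.16.60.0 0.0.0.255 172.16.62.0 0.0.0.255
 remark Everything else sourced from N1 (including the Internet) is dropped
 deny   ip 172.16.60.0 0.0.0.255 any
 remark Default policy. Written out so hit counters are visible; the ACL
 remark ends in an implicit deny anyway. Change to "permit ip any any" if
 remark other legitimate sources arrive on this link.
 deny   ip any any
!
! Apply inbound on the interface closest to the source, as the reply says,
! so the router drops the traffic before routing it toward Serial0/1.
interface Serial1/0
 description Link to N1 (172.16.60.0/24)
 ip access-group N1-INTERNAL-ONLY in
```

To check the result, `show ip access-lists N1-INTERNAL-ONLY` shows per-line match counters: after a ping from N1 to N2 the first permit line should increment, and after an attempt from N1 to an Internet address the `deny ip 172.16.60.0 0.0.0.255 any` line should. `show ip interface Serial1/0` confirms the list is bound as "Inbound access list". Note that the original standard list 75 applied inbound on Serial 1/0 would have matched the same source for every destination, which is exactly why N1 would lose N2 and N3 as well.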
