09-17-2010 09:10 AM - edited 03-06-2019 01:02 PM
Please forgive the diagram I am about to draw:
[ network 1 172.16.60.0 /24 ] --------------- serial 1/0 [ router 1 ] serial 0/1 --------------- [ internet ]
In the very crude diagram above, I was given the following access list to apply:
access-list 75 deny 172.16.60.0 0.0.0.255
access-list 75 permit any
The goal is to keep Network 1 from accessing the internet.
I would apply this access list on serial interface 0/1 in the outbound direction. The practice test I got this from states that it should be placed on the serial 1/0 interface in the outbound direction, which doesn't make any sense, because standard ACLs will filter based upon SOURCE, so traffic would hit the serial 1/0 interface and, since it's going IN (to the router serial 1/0 interface), wouldn't be filtered, and would still be allowed to go out to the internet.
Please assist, because I'm going to lose my mind shortly.
09-17-2010 09:17 AM
Hello,
While applying it on the Serial 0/1 in the outbound direction will also work (as you stated, the router will check the source address irrespective of if the traffic is in the incoming direction or outgoing direction), it is better to apply the same on the Serial 1/0 interface in the incoming direction because you want to drop the traffic closer to the source. It does not make any sense for the router to process the traffic and send it to the outside interface just to be dropped on that interface.
interface serial 1/0
ip access-group 75 in
hope this helps.
Regards,
NT
09-17-2010 09:39 AM
Actually, that makes perfect sense.
Thank you very much!
09-17-2010 10:01 AM
Hello,
I am glad that we were able to help. Please mark the question as answered.
Regards,
NT
09-17-2010 10:04 AM
Just as a heads up, the practice test also included a bunch of other networks, but I truncated it to make my question easier (to explain and to draw).
The reason why I didn't want to put it on the s1/0 inbound was because then N1 wouldn't be able to reach N2, N3, etc.
N1------router1----internet
N2---------|
N3---------|
09-17-2010 10:07 AM
Hello,
In that case, it is better to use an extended access list, as you will have better control over the traffic. You can configure it on the Se 1/0 interface and control what is allowed (this should be the first line), then the deny statements, and then the default policy.
Regards,
NT
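A worked IOS configuration for the placement NT describes in the two answers above, added here as an example; it is not part of the original thread. The N1 network (172.16.60.0/24) comes from the question; the N2 and N3 networks are not given in the thread, so 172.16.61.0/24 and 172.16.62.0/24 are assumed, and the list name N1-NO-INTERNET is an arbitrary choice. Variant A is the standard list from the question applied inbound on the N1-facing interface; variant B is the extended list for the multi-network case, with the permits first, then the deny for N1, then the default policy.

```cisco
! Added example, not from the original thread. IOS allows one IP access list
! per interface per direction, so apply either variant A or variant B, not both.
!
! Variant A: the standard list from the question, applied inbound on the
! interface facing N1 (closest to the source). Everything entering Serial1/0
! from 172.16.60.0/24 is dropped, including traffic bound for N2 and N3.
access-list 75 deny   172.16.60.0 0.0.0.255
access-list 75 permit any
!
interface Serial1/0
 ip access-group 75 in
!
! Variant B: an extended list for the multi-network case.
! N2 = 172.16.61.0/24 and N3 = 172.16.62.0/24 are assumed addresses.
ip access-list extended N1-NO-INTERNET
 remark allow N1 to reach the other internal networks first
 permit ip 172.16.60.0 0.0.0.255 172.16.61.0 0.0.0.255
 permit ip 172.16.60.0 0.0.0.255 172.16.62.0 0.0.0.255
 remark then drop anything else sourced from N1 (the log keyword is optional)
 deny   ip 172.16.60.0 0.0.0.255 any log
 remark default policy for any other source entering this interface
 permit ip any any
!
interface Serial1/0
 no ip access-group 75 in
 ip access-group N1-NO-INTERNET in
!
! Verification: per-entry hit counters, and confirm the list is bound inbound.
! show ip access-lists N1-NO-INTERNET
! show ip interface Serial1/0 | include access list
```

Two points worth checking when testing this: return traffic from N2 or N3 back to N1 leaves the router outbound on Serial1/0, so the inbound list never sees it and needs no entry for it; and every IOS access list ends with an implicit deny, so the explicit `permit ip any any` is what keeps any other source on that interface working. The `log` keyword on the deny entry costs CPU on a busy link, so enable it while testing and consider removing it afterwards.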