Standard ACL question

jiyamoo22
Level 1

Please forgive the diagram i am about to draw:

[ network 1 172.16.60.0 /24 ] --------------- serial 1/0 [ router 1 ] serial 0/1 --------------- [ internet ]

In the very crude diagram above, I was given the following access list to apply:

access-list 75 deny 172.16.60.0 0.0.0.255

access-list 75 permit any

The goal is to keep Network 1 from accessing the internet.

I would apply this access list on serial interface 0/1 in the outbound direction. The practice test I got this from states that it should be placed on the serial 1/0 interface in the outbound direction, which doesn't make any sense, because standard ACLs will filter based upon SOURCE, so traffic would hit the serial 1/0 interface and since it's going IN (to the router serial 1/0 interface) wouldn't be filtered, and would still be allowed to go out to the internet.

Please assist, because I'm going to lose my mind shortly.

1 Accepted Solution

Nagaraja Thanthry
Cisco Employee

Hello,

While applying it on the Serial 0/1 in the outbound direction will also work (as you stated, the router will check the source address irrespective of whether the traffic is in the incoming or outgoing direction), it is better to apply the same on the Serial 1/0 interface in the incoming direction because you want to drop the traffic closer to the source. It does not make any sense for the router to process the traffic and send it to the outside interface just to be dropped on that interface.

interface serial 1/0

ip access-group 75 in

Hope this helps.

Regards,

NT

5 Replies

Actually, that makes perfect sense.

Thank you very much!

Hello,

I am glad that we were able to help. Please mark the question as answered.

Regards,

NT

Just as a heads up, the practice test also included a bunch of other networks, but I truncated it to make my question easier (to explain and to draw).

The reason why I didn't want to put it on the s1/0 inbound was because then N1 wouldn't be able to reach N2, N3, etc.

N1------router1----internet

N2---------| |

N3-----------|

Hello,

In that case, it is better to use an extended access list as you will have better control over the traffic. You can configure it on the Se 1/0 and control what is allowed (should be first line) and then the deny statements and then the default policy.

Regards,

NT
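To show what NT's ordering advice means for the concern raised above (a standard ACL inbound on Serial 1/0 cuts N1 off from N2 and N3 as well as the internet, while an extended list that permits the internal destinations before the deny does not), here is an added example that is not from the thread: a small Python evaluator for numbered IOS access-list lines with first-match and implicit-deny semantics. The N2/N3 subnets (172.16.61.0/24 and 172.16.62.0/24), the list number 175 and the sample hosts are assumptions, since the post does not give them.

```python
import ipaddress

# Constructed sample ACLs (not from the post). 75 is the question's standard list; 175 is an extended
# list ordered as NT describes: permits first, then the deny, then the default. N2/N3 subnets are assumed.
STANDARD_ACL = """
access-list 75 deny 172.16.60.0 0.0.0.255
access-list 75 permit any
"""
EXTENDED_ACL = """
access-list 175 permit ip 172.16.60.0 0.0.0.255 172.16.61.0 0.0.0.255
access-list 175 permit ip 172.16.60.0 0.0.0.255 172.16.62.0 0.0.0.255
access-list 175 deny ip 172.16.60.0 0.0.0.255 any
access-list 175 permit ip any any
"""

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care' for that bit."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def take_addr(tokens):
    """Consume one address spec: 'any', 'A.B.C.D W.W.W.W', or a bare address (host match)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if len(tokens) > 1 and tokens[1].count(".") == 3:
        return (tokens[0], tokens[1]), tokens[2:]
    return (tokens[0], "0.0.0.0"), tokens[1:]

def parse_acl(text):
    """Turn numbered IOS access-list lines into ordered (action, src, dst) rules."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if parts[:1] != ["access-list"]: continue   # skip blank or non-ACL lines
        number, action, rest = int(parts[1]), parts[2], parts[3:]
        if number <= 99:                     # standard ACL: matches on source only
            src, _ = take_addr(rest)
            dst = ("0.0.0.0", "255.255.255.255")
        else:                                # extended ACL: protocol, source, destination
            src, rest = take_addr(rest[1:])  # rest[0] is the protocol ("ip" here)
            dst, _ = take_addr(rest)
        rules.append((action, src, dst))
    return rules

def evaluate(rules, src, dst):
    """First matching entry wins; every ACL ends with an implicit 'deny any'."""
    for action, (sa, sw), (da, dw) in rules:
        if wildcard_match(src, sa, sw) and wildcard_match(dst, da, dw):
            return action
    return "deny"
```

Run `evaluate(parse_acl(STANDARD_ACL), "172.16.60.5", "172.16.61.9")` against the same call with `EXTENDED_ACL` to see the difference: the standard list drops N1's traffic to N2, the extended list passes it and still drops N1 to the internet.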
