Access-list Process - URGENT HELP PLEASE

Unanswered Question
Sep 23rd, 2006

Dear All,


My question here in this forum is about the process of:


1- On which interface should I apply this access-list?

2- In which direction on the selected interface do I have to apply this access-list? In or out?


Now, my question is this:

Was I correct in choosing the interface on which I will apply this access-list, or not?

Please read my process of choosing the interface and tell me whether I am correct or not.


I have here my router, an 1841 used as the Internet router, with 2 Fast Ethernet interfaces as follows:


1. Fast Ethernet 0/0:

Description: connected to my network (my LAN).

IP Address of this Interface : 192.168.1.10 / 255.255.255.0


2. Fast Ethernet 0/1:

Description: connected to the second network in the second building.

IP Address of this Interface : 172.16.20.10 / 255.255.0.0


3. Serial Interface (S0):

Description: connected to my server farm, which is in another network.

IP Address of this interface : 10.1.8.20 / 255.255.255.0.


> No serial interface or any serial connection at all on my 1841 Router.

> The default route on my router is

> IP ROUTE 0.0.0.0 0.0.0.0 10.1.8.20


Now, I want only to deny user 192.168.1.40 access to one server in the server farm, which is our POP3 server with this IP: 10.1.8.40 / 24.


As anyone knows, it's an extended access list.

So I wrote it like this:


Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq smtp

Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq pop3

Router(config)# access-list 102 permit ip any any



Process of choosing the interface:


1- On which interface should I apply this access-list?

2- In which direction on the selected interface do I have to apply this access-list? In or out?


To answer and to understand the answer to the 2 questions, here is my process:


First interface F0/0:

< This is the originating interface, and there is no need to apply the ACL on it, whether inbound or outbound >, so F0/0 is not the correct interface to apply the ACL on.


Second interface F0/1:


< This is the second interface, and it has inbound/outbound directions. If I enable the ACL on this interface in the inbound direction, it will enter because nothing matches the condition; also, there is no need to put it in the OUTBOUND direction, because it will not go out from this interface, or there is no matching condition on it. >


Third interface S0:


Also, I have to look at the route on the router; I will find that everything routes to interface Serial 0, and if I enable the ACL in the inbound direction, it will stop the traffic from entering the interface < it will only block it from entering the interface, if the conditions occur >, so there is no need on the inbound, but on the outbound it will work.


So, the final answer will be as follows:

1- On which interface should I apply this access-list?

( Serial 0 ) .


2- In which direction on the selected interface do I have to apply this access-list? In or out?

( Outbound ) .


Was I correct or not? Please, someone update me.


vijayasankar Sat, 09/23/2006 - 08:00

Hi,


The quick answer to your question:

1) Yes, you can apply this ACL on the serial interface in the outbound direction.


You can also apply the same ACL on FastEthernet0/0 in the inbound direction.

This will also produce the same effect.


I'm not sure why you have a /24 subnet on the serial interface:

10.1.8.20 / 255.255.255.0


Also, you have mentioned that you have the default route as follows:

IP ROUTE 0.0.0.0 0.0.0.0 10.1.8.20

How could it be?


You can very well rephrase your ACL as follows:


access-list 102 deny tcp host 192.168.1.40 host 10.1.8.40 eq smtp

access-list 102 deny tcp host 192.168.1.40 host 10.1.8.40 eq pop3


Hope this helps.



Please feel free to get in touch with us if you need further assistance.

Rate the post if you find it helpful.


-VJ

mmtantawi Sat, 09/23/2006 - 08:51

Thanks for your reply.

But here is what will happen if I enable it in the inbound direction on interface F0/0:


It will completely stop the traffic from entering interface F0/0.



Is that correct?

So I can also make use of it as well.

Is that correct?


Please reply.


amit-singh Sat, 09/23/2006 - 09:12

Hi,


When the ACL is applied in the inbound direction on the FA interface, the traffic will be matched as soon as it hits the interface and prior to being processed by the control plane.


If applied in the outbound direction on the serial interface, the traffic will first be processed by the router control plane and then filtered out at the serial interface.


HTH, please rate if it does.


-amit singh

mmtantawi Sat, 09/23/2006 - 09:30

Please explain to me in detail; I could not understand you at all.


Please explain in a clear way, or a simple way.


Waiting for your reply. It's urgent.


amit-singh Sat, 09/23/2006 - 10:08

Hi,


It is a good practice to apply the ACL on the interface closest to the source of the traffic. In this case the source of the traffic is near the Fa interface.


ACL in Inbound direction - Traffic that arrives on the interface and then goes through the router. The source is where it has been and the destination is where it goes (on the other side of the router). In this case the ACL is matched first and then the filtered traffic is processed by the router. Less CPU overhead.


ACL in Outbound direction - Traffic that has already been through the router and is leaving the interface. The source is where it has been (on the other side of the router) and the destination is where it goes. In this case all the traffic is processed by the router and then filtered by the router in the outbound direction. More CPU overhead.


HTH, please rate if it does.


-amit singh
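Added example, written for this page and not posted by anyone in the thread: a small Python model of how IOS evaluates the extended access-list 102 from the question (wildcard masks, first match wins, implicit deny at the end). It shows VJ's point that `host X` is the same as `X 0.0.0.0`, and it answers mmtantawi's worry about F0/0 inbound: the list drops only the two mail flows from 192.168.1.40 and passes everything else through `permit ip any any`. The sample flows are constructed for the demonstration, not captured traffic.

```python
import ipaddress

PORTS = {"smtp": 25, "pop3": 110}  # IOS port names used in the thread

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_addr(tokens):
    """Consume 'any', 'host X' or 'X WILDCARD'; return (base, wildcard), rest."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line):
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT]'."""
    t = line.split()
    src, rest = parse_addr(t[4:])
    dst, rest = parse_addr(rest)
    port = None if rest[:1] != ["eq"] else PORTS.get(rest[1]) or int(rest[1])
    return t[2], t[3], src, dst, port

def evaluate(acl, pkt):
    """First matching entry wins; implicit deny at the end, as in IOS."""
    for action, proto, src, dst, port in map(parse_ace, acl):
        if (proto in ("ip", pkt["proto"])
                and wildcard_match(pkt["src"], *src) and wildcard_match(pkt["dst"], *dst)
                and (port is None or pkt["dport"] == port)):
            return action
    return "deny"

ACL_102 = [  # the list exactly as posted in the question
    "access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq smtp",
    "access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq pop3",
    "access-list 102 permit ip any any",
]
# VJ's rephrasing: "host X" is shorthand for "X 0.0.0.0", so both lists must agree
ACL_102_HOST = [l.replace("192.168.1.40 0.0.0.0", "host 192.168.1.40") for l in ACL_102]
# Constructed sample flows as they would arrive inbound on F0/0 (not real traffic)
FLOWS = [
    {"src": "192.168.1.40", "dst": "10.1.8.40", "proto": "tcp", "dport": 110},
    {"src": "192.168.1.40", "dst": "10.1.8.40", "proto": "tcp", "dport": 25},
    {"src": "192.168.1.40", "dst": "10.1.8.40", "proto": "tcp", "dport": 80},
    {"src": "192.168.1.41", "dst": "10.1.8.40", "proto": "tcp", "dport": 110},
]

def filter_flows(acl, flows=FLOWS):
    """One decision per flow: only the two mail flows from .40 are dropped."""
    return [evaluate(acl, f) for f in flows]
```

Dropping the final `permit ip any any` line turns the list into "deny everything", which is the only way the inbound F0/0 placement would block all traffic as mmtantawi feared.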



