Extended ACL applying on interface inbound or outbound direction

mahesh18
Level 6

Hi all,

I have a question regarding applying an extended ACL in the inbound or outbound direction.

R1 is connected to R2 and R2 has connection to internet.

PC is connected to R1.

I was blocking the PC from pinging the IP address 4.x.x.x.

When I apply the ACL to R1:

access-list 100 deny ip host 192.168.20.25 host 4.x.x.x log

Now when I apply this to interface Fa0/11 of R1 (this interface connects to R2), I can see that ping is still working, but when I apply this on interface Fa0/11 in the outbound direction, ping is not working.

Can someone please explain to me why it is not working when I apply it inbound?

Thanks

Mahesh

2 Accepted Solutions

nikolasgeyer
Level 1

Inbound refers to packets coming in to the interface.

Outbound refers to packets going out from the interface.

So if the PC is connected to R1 (we will assume interface Fa0/0) and R1's connection to R2 is using interface Fa0/11, the traffic flow for your ping packet would be:

Packet comes in to interface Fa0/0 on R1 from PC. Packet goes out from R1 to R2 on interface Fa0/11.

So as you can (hopefully) see now, where you have applied the ACL the packet is going in an outbound direction, which is why applying the ACL as inbound won't work.

Hope that makes sense and helps.


Sergey Fer
Level 1

If I've correctly understood your topology, f0/11 is connected to R2. You are using an ACL that denies IP packets with 192.168.20.25 as the SOURCE and 4.x.x.x as the DESTINATION address. But your R1 does not see such packets inbound on F0/11 - they are all outbound. Inbound packets have the same addresses but in different places - 192.168.20.25 is the DESTINATION, 4.x.x.x is the SOURCE. Hope your ACL has more than one line, because of the implicit deny ip any any at the bottom.
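To make both answers above concrete (nikolasgeyer's point that "in" and "out" on Fa0/11 see the same ping flow with source and destination swapped, and Sergey's point that the implicit deny at the bottom drops whatever the ACL does not explicitly permit), here is a small simulator. It is an added example, not code from the thread or from Cisco: it parses access-list lines in the IOS syntax shown above, evaluates them first-match with the implicit deny, and applies the ACL to R1's Fa0/11 in either direction. It assumes a second line, permit ip any any, after the deny (the thread never shows one), and uses 203.0.113.5 (a TEST-NET-3 documentation address) as a constructed stand-in for the thread's 4.x.x.x.

```python
# Added example (not from the thread): simulate IOS extended-ACL evaluation on
# R1's Fa0/11 in the inbound vs. outbound direction for the ping discussed above.
# Addresses: 192.168.20.25 is the PC from the thread; 203.0.113.5 (constructed,
# TEST-NET-3) stands in for the thread's 4.x.x.x.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Tuple

PC_IP = "192.168.20.25"
TARGET_IP = "203.0.113.5"  # stand-in for 4.x.x.x


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "icmp"


@dataclass(frozen=True)
class Ace:
    action: str        # "permit" or "deny"
    proto: str         # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network

    def matches(self, pkt: Packet) -> bool:
        proto_ok = self.proto == "ip" or self.proto == pkt.proto
        return (proto_ok
                and IPv4Address(pkt.src) in self.src
                and IPv4Address(pkt.dst) in self.dst)


def _parse_addr(tok: List[str]) -> Tuple[IPv4Network, List[str]]:
    """Parse one address spec: 'host A', 'any', or 'A WILDCARD'."""
    if tok[0] == "host":
        return IPv4Network(tok[1] + "/32"), tok[2:]
    if tok[0] == "any":
        return IPv4Network("0.0.0.0/0"), tok[1:]
    addr, wildcard = tok[0], tok[1]
    # IOS wildcard masks are inverted subnet masks (0 bits must match).
    netmask = IPv4Address(0xFFFFFFFF ^ int(IPv4Address(wildcard)))
    return IPv4Network(f"{addr}/{netmask}", strict=False), tok[2:]


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> <permit|deny> <proto> <src> <dst> [log]'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    action, proto = tok[2], tok[3]
    src, rest = _parse_addr(tok[4:])
    dst, _trailing = _parse_addr(rest)   # anything left over (e.g. 'log') is ignored
    return Ace(action, proto, src, dst)


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First-match evaluation; no match falls through to the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"  # implicit 'deny ip any any'


def ping_succeeds(acl: List[Ace], direction: str) -> bool:
    """Apply `acl` on R1's Fa0/11 in `direction` ('in' or 'out') and decide
    whether a ping from the PC to TARGET_IP completes. Outbound on Fa0/11 the
    router sees the echo request (PC -> target); inbound it sees the echo reply
    (target -> PC). Only the packet travelling in the filtered direction is
    checked; the other half of the flow crosses the interface unfiltered."""
    request = Packet(src=PC_IP, dst=TARGET_IP)
    reply = Packet(src=TARGET_IP, dst=PC_IP)
    if direction == "out":
        checked = request
    elif direction == "in":
        checked = reply
    else:
        raise ValueError(f"direction must be 'in' or 'out', got {direction!r}")
    return evaluate(acl, checked) == "permit"


# Constructed ACL: the thread's deny line plus an assumed 'permit ip any any'.
ACL_100 = [
    parse_ace(f"access-list 100 deny ip host {PC_IP} host {TARGET_IP} log"),
    parse_ace("access-list 100 permit ip any any"),
]
# Same ACL without the permit: everything not matching the deny hits the implicit deny.
ACL_100_DENY_ONLY = ACL_100[:1]


if __name__ == "__main__":
    for name, acl in (("deny + permit any", ACL_100), ("deny line only", ACL_100_DENY_ONLY)):
        for d in ("in", "out"):
            state = "works" if ping_succeeds(acl, d) else "fails"
            print(f"ACL [{name}] applied {d} on Fa0/11: ping {state}")
```

Run stand-alone, the script prints that with the deny plus a permit the ping works when the ACL is applied inbound (the reply has the addresses swapped, so it only hits the permit) and fails when applied outbound (the request matches the deny). With the deny line alone, the ping fails in both directions: inbound, the reply falls through to the implicit deny, which is the situation Sergey warns about.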


5 Replies


Hi,

Thanks for reply.

The ACL is applied on interface fa0/11 outbound (the connection between R1 and R2). So when PC traffic enters the interface on R1, say fa0/1, and then goes out of R1, the ACL is applied to it, right?

Before this, when I applied it inbound on fa0/11, the packet entered interface fa0/0, where the PC is connected and which has no ACL, and then went out of int fa0/11.


When we say inbound on R1 interface fa0/11, does it mean traffic coming from R2?

Thanks

Mahesh


Hi Sergey,

Thanks for reply.

Yes, I am using an ACL to deny packets with 192.168.x.x as the source and 4.x.x.x as the destination.

When you say:

"But your R1 does not see such packets inbound on F0/11 - they are all outbound."

Can you please explain this to me in more detail?

Thanks

Mahesh

Hi all,

Many thanks. I read your replies and now I understand what you mean.

Thanks again to both of you.

Regards

Mahesh
