Hi all ,
Please i need exaplnation on multiple access list.I have 2 interfaces on my router and I want to create access list.
Bearing in mind the access list :per interface per protocol per direction.
How do i implement multiple access list
ip access- list 121 ..........
ip access list 142
ip access list 169
Pls i understand the command ,but it is the interface inbound and outbound isssue that i want clarification .
I will be expecting your reply .
I hope the below helps clear up the confusion.
Out-Traffic that has already been through the router and leaves the interface. The source is where it has been, on the other side of the router, and the destination is where it goes.
In-Traffic that arrives on the interface and then goes through the router. The source is where it has been and the destination is where it goes, on the other side of the router.
Your post suggests that you are trying to apply access lists 121, 142, and 169 to int fa0/0 inbound.
Is this true?
When you state - "Bearing in mind the access list :per interface per protocol per direction."
What protocols are being implemented with the three different ACLs?
"access list per interface per protocol per direction" goes back to the days when Cisco routers were multipotocol routers and might be processing IP, and IPX, and perhaps Appletalk. So you could have an IP access list in and out, and an IPX access list in and out, and perhaps an Appletalk filter. As Istvan points out, in todays environment we deal almost exclusively with IP and in effect the rule is now one access list in and one access list out per interface.
You mis-understood my post.
I was probing to find out whether the original poster was using IP, IPX, and AppleTalk, or whether he was separating TCP/IP application protocols into different ACLs.
You can apply only ONE access-list inbound and ONE access-list outbound to each interface.
You have to construct the ip access-lists so that they contain all the necessary protocol filtering in ONE access-list inbound and ONE access-list outbound.
Then you have to apply the access-lists to the interfaces similarly to this:
ip access-group 121 in
ip access-group xxx out
Does this answer your question?
Hi Illusion Rox,
When you construct access-lists, there may be several issues you can run into. The most important rules that are recommended to follow are:
1. Every standard access-list has an implicit "deny any" and every extended access-list has an implicit "deny ip any any" at the end.
Therefore, if you want to deny a specific traffic and allow the rest of the traffic, then you need to apply "permit any" or "permit ip any any" respectively at the end to override this behavior.
2. Access-lists are evaluated in sequence. This is why you have to configure the more specific acl entries first, then the more general statements.
3. Generally speaking, standard acls need to be applied as close to the destination as possible.
Extended acls are recommended to apply as close to the source as possible.
But every specific application is different, so these are not very strict rules.
You may apply acls in a cute way to limit the unnecessary traffic burden on the network.
hi Istvan, i knew that :-), what i am trying to say that instead of applying 3 different acls why dont merge them into 1 ? what kind of payoff can we expect ? if you guys are getting what i mean then instead of applying different acls its better to apply 1 by merging them all, i think there is no need to apply different acls at all, so what you guys think ?