
New Member

Standard ACL question

Please forgive the diagram I am about to draw:

[ network 1 172.16.60.0 /24 ] --------------- serial 1/0 [ router 1 ] serial 0/1 --------------- [ internet ]

In the very crude diagram above, I was given the following access list to apply:

access-list 75 deny 172.16.60.0 0.0.0.255
access-list 75 permit any

The goal is to keep Network 1 from accessing the internet.

I would apply this access list on serial interface 0/1 in the outbound direction. The practice test I got this from states that it should be placed on the serial 1/0 interface in the outbound direction, which doesn't make any sense, because standard ACLs will filter based upon SOURCE, so traffic would hit the serial 1/0 interface and since it's going IN (to the router serial 1/0 interface) wouldn't be filtered, and would still be allowed to go out to the internet.

Please assist because I'm going to lose my mind shortly.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Standard ACL question

Hello,

While applying it on the Serial 0/1 in the outbound direction will also work (as you stated, the router will check the source address irrespective of whether the traffic is in the incoming direction or outgoing direction), it is better to apply the same on the Serial 1/0 interface in the incoming direction because you want to drop the traffic closer to the source. It does not make any sense for the router to process the traffic and send it to the outside interface just to be dropped on that interface.

interface serial 1/0
 ip access-group 75 in

Hope this helps.

Regards,

NT

5 REPLIES
New Member

Re: Standard ACL question

Actually, that makes perfect sense.

Thank you very much!

Cisco Employee

Re: Standard ACL question

Hello,

I am glad that we were able to help. Please mark the question as answered.

Regards,

NT

New Member

Re: Standard ACL question

Just as a heads up, the practice test also included a bunch of other networks, but I truncated it to make my question easier (to explain and to draw).

The reason why I didn't want to put it on the s1/0 inbound was because then N1 wouldn't be able to reach N2, N3, etc.

N1------router1----internet
N2---------|  |
N3-----------|

Cisco Employee

Re: Standard ACL question

Hello,

In that case, it is better to use an extended access list, as you will have better control over the traffic. You can configure it on the Se 1/0 and control what is allowed (should be the first lines), then the deny statements, and then the default policy.

Regards,

NT
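As an added illustration (not part of the thread), the following Python models first-match ACL evaluation with Cisco-style wildcard masks and shows why, applied inbound on serial 1/0, standard list 75 also stops N1 from reaching N2, while the extended list the last reply suggests permits the internal destinations first and then drops the rest. The N2/N3 prefixes, the internet address and the extended ACL number are assumptions.

```python
import ipaddress

# Constructed model of Cisco ACL matching; the N2/N3 prefixes, the internet
# host and list number 101 are assumptions, not values from the thread.

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & mask) == (n & mask)

def evaluate(acl, src, dst):
    """Walk entries top to bottom; first match wins; implicit deny at the end.
    Entry: (action, src_net, src_wc, dst_net, dst_wc); a standard ACL has
    dst_net/dst_wc set to None because it only looks at the source."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if not wildcard_match(src, s_net, s_wc):
            continue
        if d_net is not None and not wildcard_match(dst, d_net, d_wc):
            continue
        return action
    return "deny"  # implicit deny any

# access-list 75 from the question (standard: source address only)
ACL_75 = [
    ("deny", "172.16.60.0", "0.0.0.255", None, None),
    ("permit", "0.0.0.0", "255.255.255.255", None, None),
]

# Extended list in the order the last reply describes: permits first, then the
# deny for the internet, then the default. N2 = 172.16.61.0/24 and
# N3 = 172.16.62.0/24 are assumed addresses.
ACL_101 = [
    ("permit", "172.16.60.0", "0.0.0.255", "172.16.61.0", "0.0.0.255"),
    ("permit", "172.16.60.0", "0.0.0.255", "172.16.62.0", "0.0.0.255"),
    ("deny", "172.16.60.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

# Packets as they would arrive inbound on serial 1/0 from N1 (constructed)
PACKETS = [
    ("172.16.60.10", "172.16.61.5"),   # N1 -> N2 (should stay reachable)
    ("172.16.60.10", "198.51.100.7"),  # N1 -> internet (should be dropped)
]

def inbound_s1_0(acl, packets):
    """Return the verdict for each packet when acl is applied 'in' on s1/0."""
    return [evaluate(acl, src, dst) for src, dst in packets]

if __name__ == "__main__":
    print("ACL 75 :", inbound_s1_0(ACL_75, PACKETS))   # ['deny', 'deny']
    print("ACL 101:", inbound_s1_0(ACL_101, PACKETS))  # ['permit', 'deny']
```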
