Access-List Question

kjanakiraman
Level 1

I am confused by the in and out keywords of the access-group command:

access-group 100 in/out

I read in an article that IN means data coming into our network; in that case the source will be on the internet and the destination will be a system in my network behind my router.

OUT means data that has already left my interface; in this case the source will be my network and the destination is on the internet.

Is this correct? If so, let us take the example of a web site which has the IP address x.x.x.x. I need to block this IP address for my systems, and imagine my network is 192.168.10.0.

access-list 103 deny ip host x.x.x.x 192.168.10.0 0.0.0.255

access-list 103 permit ip any any

int s0

access-group 103 in

Is this command correct? My s0 is the interface that is facing the internet. Will this effectively block x.x.x.x for my network and allow all other IP traffic?

Can someone advise in this regard?

Thanks in Advance

6 Replies

steve.barlow
Level 7

IN/OUT is in respect to the router's interface. So if you are referring to the interface of the router facing the internet, then you are correct in terms of source and destination. But remember it is in reference to the interface.

In your example you are correct. That will block that host IP x.x.x.x from entering your network of 192.168.10.0. But what you can also do instead is "deny ip host x.x.x.x any log". If x.x.x.x is your host IP, why should it enter your network at all (with a source IP that is, not as a destination)? In this case someone must be spoofing your IP, so block it and log it.

Access-lists inbound save the router from having to process the packet, hence saves the router resources.

Hope that helps.

Steve

Thanks a lot. x.x.x.x is not my host IP; it is a web site present on the internet. For blocking my own IP addresses, to act as anti-spoofing, the command is

access-list 103 deny ip x.x.x.x (my entire network) any log

int s0

access-group 103 in

Is this configuration correct for anti-spoofing?

Thanks in Advance.

Yes you are correct, and I advise you to do it.

Steve
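To make the in/out semantics and both access lists from this thread concrete, here is an added example (my own Python model, not Cisco IOS code and not anything posted in the thread): a small evaluator for IOS-style numbered extended ACLs that understands `host`, `any` and wildcard masks, applies entries in order with first match winning, and ends with the implicit deny. It then applies ACL 103 (block the web site) and an assumed ACL 104 (the anti-spoofing list) inbound on s0 to a few constructed packets. The addresses 203.0.113.10 and 198.51.100.7 are constructed stand-ins for the web site x.x.x.x and another internet host, and the interface names and the ACL number 104 are assumptions. One caveat the model enforces: IOS access lists take a wildcard mask, so a /24 inside network is written `192.168.10.0 0.0.0.255`, not with a subnet mask.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    ingress: str  # interface the packet arrives on
    egress: str   # interface the router would forward it out of


@dataclass
class Entry:
    action: str   # "permit" or "deny"
    src_net: int
    src_wild: int  # IOS wildcard mask: 1 bits are "don't care"
    dst_net: int
    dst_wild: int
    log: bool


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i]; return (net, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_acl(lines: List[str]) -> Dict[str, List[Entry]]:
    """Parse 'access-list N permit|deny ip SRC DST [log]' lines, keeping entry order per ACL number."""
    acls: Dict[str, List[Entry]] = {}
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
            raise ValueError(f"unsupported line: {line!r}")
        src, sw, i = _parse_addr(t, 4)
        dst, dw, i = _parse_addr(t, i)
        log = i < len(t) and t[i] == "log"
        acls.setdefault(t[1], []).append(Entry(t[2], src, sw, dst, dw, log))
    return acls


def _matches(addr: int, net: int, wild: int) -> bool:
    care = ~wild & 0xFFFFFFFF          # bits the wildcard says must match
    return addr & care == net & care


def evaluate(entries: List[Entry], pkt: Packet) -> Tuple[str, bool]:
    """First match wins; every IOS ACL ends with an implicit, unlogged 'deny ip any any'."""
    s, d = _ip(pkt.src), _ip(pkt.dst)
    for e in entries:
        if _matches(s, e.src_net, e.src_wild) and _matches(d, e.dst_net, e.dst_wild):
            return e.action, e.log
    return "deny", False


def apply_access_group(entries: List[Entry], interface: str, direction: str,
                       packets: List[Packet]) -> List[Optional[Tuple[str, bool]]]:
    """'in' inspects packets arriving on the interface, 'out' packets leaving through it; others return None."""
    results = []
    for p in packets:
        on_path = p.ingress == interface if direction == "in" else p.egress == interface
        results.append(evaluate(entries, p) if on_path else None)
    return results


WEBSITE = "203.0.113.10"  # constructed stand-in for the thread's x.x.x.x
BLOCK_SITE = [            # ACL 103 from the thread, with a proper wildcard mask
    "access-list 103 deny ip host 203.0.113.10 192.168.10.0 0.0.0.255",
    "access-list 103 permit ip any any",
]
ANTI_SPOOF = [            # assumed ACL 104: inside addresses must never arrive from the internet
    "access-list 104 deny ip 192.168.10.0 0.0.0.255 any log",
    "access-list 104 permit ip any any",
]
SAMPLE = [                # constructed packets; e0 is the assumed inside interface
    Packet(WEBSITE, "192.168.10.20", "s0", "e0"),         # web site replying to an inside host
    Packet("198.51.100.7", "192.168.10.20", "s0", "e0"),  # some other internet host
    Packet("192.168.10.20", WEBSITE, "e0", "s0"),         # inside host going out (not inspected by "in" on s0)
    Packet("192.168.10.5", "192.168.10.20", "s0", "e0"),  # inside address arriving from the internet
]


def demo() -> Dict[str, List[Optional[Tuple[str, bool]]]]:
    acls = parse_acl(BLOCK_SITE + ANTI_SPOOF)
    return {
        "103 in s0": apply_access_group(acls["103"], "s0", "in", SAMPLE),
        "104 in s0": apply_access_group(acls["104"], "s0", "in", SAMPLE),
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

The third packet comes back as None under both lists because an access-group applied `in` on s0 only inspects what arrives on s0; the host's request goes out unchecked and only the site's reply (packet one) is dropped. The fourth packet is the spoofing case from the follow-up: a packet carrying an inside source address arriving on the internet-facing interface, which ACL 104 denies and flags for logging.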

Thanks a lot for your time. I will implement it in our network.

ali_khan
Level 1

Yes, it's true. In means filter inbound traffic.

You will start discarding packets received for host x.x.x.x, and anything else that does not match will hit 192.168.10.0.

Regards,

Thank you so much
