Access List

We have a situation with a serial link and an Ethernet link to a router. The Ethernet link goes to the network while the serial link goes to the ISP.

On the Serial link

access-list 111 deny ip 198.212.14.48 0.0.0.15 any

ip access-group 166 in

On the Ethernet Link

access-list 167 permit ip 198.212.14.48 0.0.0.15 any

ip access-group 167 in

From my knowledge of access lists, does this not look as if we are denying source 198.212.14.48 0.0.0.15 from coming into the serial link, whereby no traffic from 198.212.14.48 0.0.0.15 will ever get to the router, and then we are permitting them in again on the Ethernet link, from where they can enter the router?

Although I must say we have not been refused access, can someone explain how the above works?

Thanks

4 REPLIES

Re: Access List

On the serial interface, everything is permitted. You are referring to list 166, which does not exist and thus everything is permitted. Activating list 111 would block ALL traffic. It only denies something, and the default behaviour is to deny all that is not in the list. List 111 is therefore equal to:

access-list 111 deny ip any any

On the Ethernet interface it works as you might expect: only source addresses in the specified range are permitted, i.e. forwarded.

Note the crucial function of the keyword "in". It specifies the direction in which filtering is to be applied, directions as seen from the router.


Re: Access List

Sorry.

That should read 166 and not 111.

On the Serial link

access-list 166 deny ip 198.212.14.48 0.0.0.15 any

ip access-group 166 in

On the Ethernet Link

access-list 167 permit ip 198.212.14.48 0.0.0.15 any

ip access-group 167 in


Re: Access List

When you say "as seen from the router" and you have the statement

On the Serial link

access-list 166 deny ip 198.212.14.48 0.0.0.15 any

ip access-group 166 in

On the Ethernet Link

access-list 167 permit ip 198.212.14.48 0.0.0.15 any

ip access-group 167 in

On the ethernet link

Source = 198.212.14.48 0.0.0.15

dest = any

does this mean coming into the interface from within the router and going out into the network, i.e. all addresses within 198.212.14.48 0.0.0.15 are allowed to go out into the network via the Ethernet interface?

Thanks for your help.


Re: Access List

Both ACLs filter traffic that is coming into the interface they are assigned to. ACL 167 will permit any traffic from 198.212.48.0/28 to any destination, and block all other traffic. ACL 166 should block any traffic because there are no permit statements. There is an implicit deny at the end of all ACLs, so ACL 166 should be blocking all incoming traffic.
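To make the semantics the replies describe concrete, here is an added example (not part of the thread, not Cisco code) that parses the two access lists as posted and evaluates sample source addresses against them with Cisco's top-down, first-match, implicit-deny rule and wildcard-mask matching. The ACL text is copied from the thread; the sample source addresses are constructed.

```python
import ipaddress

# Constructed sample: the two ACLs from the thread (after the "111 should read 166" correction).
ACL_CONFIG = """
access-list 166 deny ip 198.212.14.48 0.0.0.15 any
access-list 167 permit ip 198.212.14.48 0.0.0.15 any
"""


def parse_acls(config):
    """Return {acl_number: [(action, src_base_int, src_wildcard_int), ...]} from 'access-list' lines.
    Only the 'ip <src> <wildcard>|any any' form used in the thread is handled."""
    acls = {}
    for line in config.strip().splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list":
            continue
        number, action = int(parts[1]), parts[2]
        if parts[4] == "any":  # 'any' is shorthand for 0.0.0.0 255.255.255.255
            base, wildcard = 0, 0xFFFFFFFF
        else:
            base = int(ipaddress.IPv4Address(parts[4]))
            wildcard = int(ipaddress.IPv4Address(parts[5]))
        acls.setdefault(number, []).append((action, base, wildcard))
    return acls


def matches(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit in the wildcard must match the base, a 1 bit is ignored."""
    care = (~wildcard) & 0xFFFFFFFF
    return (addr & care) == (base & care)


def evaluate(rules, src_ip):
    """Entries are checked top-down; the first match decides. No match -> implicit 'deny ip any any'."""
    addr = int(ipaddress.IPv4Address(src_ip))
    for action, base, wildcard in rules:
        if matches(addr, base, wildcard):
            return action
    return "deny"  # the implicit deny at the end of every Cisco ACL


def decisions(config, src_ips):
    """Map each ACL number to {src_ip: 'permit'|'deny'} so the two lists can be compared side by side."""
    acls = parse_acls(config)
    return {n: {ip: evaluate(rules, ip) for ip in src_ips} for n, rules in acls.items()}


if __name__ == "__main__":
    # 198.212.14.48 0.0.0.15 covers .48 through .63; .64 and 10.0.0.1 fall outside it.
    for n, result in decisions(ACL_CONFIG, ["198.212.14.50", "198.212.14.64", "10.0.0.1"]).items():
        print(n, result)
```

Running it shows that ACL 166 returns deny for every source (its only entry denies, and everything else hits the implicit deny), while ACL 167 permits only the .48 to .63 range.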
