Access List

londint
Level 1

We have a situation with a serial link and an Ethernet link to a router. The Ethernet link goes to the network while the serial link goes to the ISP.

On the Serial link

access-list 111 deny ip 198.212.14.48 0.0.0.15 any

ip access-group 166 in

On the Ethernet Link

access-list 167 permit ip 198.212.14.48 0.0.0.15 any

ip access-group 167 in

From my knowledge of access lists, does this not look as if we are denying source 198.212.14.48 0.0.0.15 from coming in on the serial link, whereby no traffic from 198.212.14.48 0.0.0.15 will ever get to the router, and then we are permitting it in again on the Ethernet link, from where it can enter the router?

I must say we have not been refused access, but can someone explain how the above works?

Thanks

4 Replies

lgijssel
Level 9

On the serial interface, everything is permitted. You are referring to list 166, which does not exist, and thus everything is permitted. Activating list 111 would block ALL traffic. It only denies something, and the default behaviour is to deny all that is not in the list. List 111 is therefore equal to:

access-list 111 deny ip any any

On the Ethernet interface it works as you might expect: only source addresses in the specified range are permitted, i.e. forwarded.

Note the crucial function of the keyword in. It specifies the direction in which filtering is to be applied, directions as seen from the router.

Sorry.

That should read 166 and not 111.

On the Serial link

access-list 166 deny ip 198.212.14.48 0.0.0.15 any

ip access-group 166 in

On the Ethernet Link

access-list 167 permit ip 198.212.14.48 0.0.0.15 any

ip access-group 167 in

When you say as seen from the router and you have the statement

On the Serial link

access-list 166 deny ip 198.212.14.48 0.0.0.15 any

ip access-group 166 in

On the Ethernet Link

access-list 167 permit ip 198.212.14.48 0.0.0.15 any

ip access-group 167 in

On the Ethernet link

Source = 198.212.14.48 0.0.0.15

dest = any

does this mean coming into the interface from within the router and going out into the network, i.e. all addresses within 198.212.14.48 0.0.0.15 are allowed to go out INTO the network via the Ethernet interface?

Thanks for your help.

Both ACLs filter traffic that is coming into the interface they are assigned to. ACL 167 will permit any traffic from 198.212.48.0/28 to any destination, and block all other traffic. ACL 166 should block any traffic because there are no permit statements. There is an implicit deny at the end of all ACLs, so ACL 166 should be blocking all incoming traffic.
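As an added illustration (not code from any poster in this thread), the small Python evaluator below models the three behaviours discussed: an `ip access-group` that names an undefined list filters nothing, a list containing only `deny` entries blocks everything because of the implicit deny, and a wildcard mask of 0.0.0.15 matches the 16 addresses 198.212.14.48 to .63. The ACL text is the poster's original configuration; the test addresses 198.212.14.50, 10.0.0.5 and 8.8.8.8 are constructed.

```python
# Added example: evaluate Cisco-style extended IP ACL entries with wildcard
# masks and the implicit deny. Only the 'access-list <n> <permit|deny> ip ...' form is parsed.
import ipaddress
from collections import defaultdict

# The poster's original configuration: list 111 is defined, but the serial
# interface applies 'ip access-group 166 in', a list with no entries.
ACL_CONFIG = """
access-list 111 deny ip 198.212.14.48 0.0.0.15 any
access-list 167 permit ip 198.212.14.48 0.0.0.15 any
"""

def _take_addr(tokens):
    """Pop 'any' or '<addr> <wildcard>' from tokens; return (addr, wildcard) as ints."""
    if tokens[0] == "any":
        tokens.pop(0)
        return 0, 0xFFFFFFFF
    return int(ipaddress.IPv4Address(tokens.pop(0))), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acls(text):
    """Return {number: [(action, src, src_wild, dst, dst_wild), ...]} in config order."""
    acls = defaultdict(list)
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"] or t[3] != "ip":
            continue  # only extended 'ip' entries are modelled here
        number, action, rest = int(t[1]), t[2], t[4:]
        src, src_wild = _take_addr(rest)
        dst, dst_wild = _take_addr(rest)
        acls[number].append((action, src, src_wild, dst, dst_wild))
    return acls

def _matches(addr, entry_addr, wildcard):
    """A wildcard bit of 1 means 'don't care' (the inverse of a subnet mask)."""
    care = ~wildcard & 0xFFFFFFFF
    return addr & care == entry_addr & care

def evaluate(acls, number, src, dst):
    """First matching entry wins; no match falls to the implicit 'deny ip any any'.
    An access-group naming a list with no entries filters nothing, so it permits."""
    entries = acls.get(number)
    if not entries:
        return "permit"
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, esrc, swild, edst, dwild in entries:
        if _matches(s, esrc, swild) and _matches(d, edst, dwild):
            return action
    return "deny"

if __name__ == "__main__":
    acls = parse_acls(ACL_CONFIG)
    for number, src in [(166, "10.0.0.5"), (111, "198.212.14.50"), (167, "198.212.14.50"), (167, "10.0.0.5")]:
        print(f"list {number}, source {src}: {evaluate(acls, number, src, '8.8.8.8')}")
```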