02-12-2003 03:21 AM - edited 03-02-2019 05:00 AM
We have a situation with a serial link and an Ethernet link to a router. The Ethernet link goes to the network while the serial link goes to the ISP.
On the Serial link
access-list 111 deny ip 198.212.14.48 0.0.0.15 any
ip access-group 166 in
On the Ethernet Link
access-list 167 permit ip 198.212.14.48 0.0.0.15 any
ip access-group 167 in
From my knowledge of access lists, does this not look as if we are denying source 198.212.14.48 0.0.0.15 from coming into the serial link, whereby no traffic from 198.212.14.48 0.0.0.15 will ever get to the router, and then we are permitting them in again on the Ethernet link, from where they can enter the router?
Although I must say we have not been refused access, can someone explain how the above works?
Thanks
02-12-2003 03:58 AM
On the serial interface, everything is permitted. You are referring to list 166, which does not exist and thus everything is permitted. Activating list 111 would block ALL traffic. It only denies something, and the default behaviour is to deny all that is not in the list. List 111 is therefore equal to:
access-list 111 deny ip any any
On the Ethernet interface it works as you might expect: only source addresses in the specified range are permitted, i.e. forwarded.
Note the crucial function of the keyword in. It specifies the direction in which filtering is to be applied, directions being as seen from the router.
02-12-2003 05:25 AM
Sorry.
That should read 166 and not 111.
On the Serial link
access-list 166 deny ip 198.212.14.48 0.0.0.15 any
ip access-group 166 in
On the Ethernet Link
access-list 167 permit ip 198.212.14.48 0.0.0.15 any
ip access-group 167 in
02-12-2003 05:33 AM
When you say as seen from the router and you have the statement
On the Serial link
access-list 166 deny ip 198.212.14.48 0.0.0.15 any
ip access-group 166 in
On the Ethernet Link
access-list 167 permit ip 198.212.14.48 0.0.0.15 any
ip access-group 167 in
On the Ethernet link
Source = 198.212.14.48 0.0.0.15
dest = any
does this mean coming into the interface from within the router and going out into the network, i.e. all addresses within 198.212.14.48 0.0.0.15 are allowed to go out into the network via the Ethernet interface?
Thanks for your help.
02-12-2003 05:42 AM
Both ACLs filter traffic that is coming into the interface they are assigned to. ACL 167 will permit any traffic from 198.212.48.0/28 to any destination, and block all other traffic. ACL 166 should block any traffic because there are no permit statements. There is an implicit deny at the end of all ACLs, so ACL 166 should be blocking all incoming traffic.
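As an added illustration, not from the thread or from Cisco: a small Python model of how IOS walks an access list (first matching entry wins, implicit deny at the end) run over the thread's lists 166 and 167, plus a hypothetical "166 fixed" that appends an explicit permit so the deny only removes the one range.

```python
import ipaddress

# Added example (not from the thread): simulate IOS ACL evaluation for the
# source-address part of "access-list N permit|deny ip SRC WILDCARD any".
# Cisco wildcard masks are inverted: a 0 bit must match, a 1 bit is "don't care".

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under a Cisco wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (b & care)

def parse_acl(lines):
    """Parse the subset of IOS syntax used in the thread into (action, base, wildcard)."""
    entries = []
    for line in lines:
        tok = line.split()
        action = tok[2]             # "permit" or "deny"
        if tok[4] == "any":
            base, wc = "0.0.0.0", "255.255.255.255"
        elif tok[4] == "host":
            base, wc = tok[5], "0.0.0.0"
        else:
            base, wc = tok[4], tok[5]
        entries.append((action, base, wc))
    return entries

def evaluate(acl, src_ip: str) -> str:
    """Walk the list top to bottom; first match decides; otherwise implicit deny."""
    for action, base, wc in acl:
        if wildcard_match(src_ip, base, wc):
            return action
    return "deny"                   # the implicit "deny ip any any" at the end of every ACL

# The two lists from the thread, plus a hypothetical corrected 166 (assumption, not from the post).
ACL_166 = parse_acl(["access-list 166 deny ip 198.212.14.48 0.0.0.15 any"])
ACL_167 = parse_acl(["access-list 167 permit ip 198.212.14.48 0.0.0.15 any"])
ACL_166_FIXED = parse_acl([
    "access-list 166 deny ip 198.212.14.48 0.0.0.15 any",
    "access-list 166 permit ip any any",
])

if __name__ == "__main__":
    for name, acl in (("166", ACL_166), ("167", ACL_167), ("166 fixed", ACL_166_FIXED)):
        for ip in ("198.212.14.50", "198.212.14.64", "10.0.0.1"):
            print(f"ACL {name:<9} src {ip:<14} -> {evaluate(acl, ip)}")
```

Running it shows list 166 as written denies every source (the range by its one entry, everything else by the implicit deny), list 167 forwards only 198.212.14.48-63, and the hypothetical corrected 166 denies only that range.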