cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
598
Views
0
Helpful
7
Replies

access lists

iamtheone12345
Level 1
Level 1

Hi Guys,

I have a small query.I was going through CCNA cbtnuggets (jeremies ones) and i came across access lists.

Lets says i have a computer (ip address 192.168.1.10) and is connected to my gateway router.The lan port is fa0/1 and the wan port is s0/0.

In His video jeremy explains the difference between applying the access list  to S0/0 (outbound) and  fa0/0 (inbound).

Well ,i didnt understand the explanation that well.

My question is whats the difference say?

Lets say that i want to prevent my computer (ip address 192.168.1.10) to access anything.

What is the difference between applying the DENY ALL filter on Fa0/0 or S0/0 ?

Any help would be appreciated.I am just a new kid on the block .

Arjun

1 Accepted Solution

Accepted Solutions
7 Replies 7

cadet alain
VIP Alumni
VIP Alumni

Hi,

if you apply on f0/0 then it must be inbound and on s0/0 outbound.

You can achieve this with a standard ACL only taking care of the source IP and a standard ACL should be applied as close to the destination as possible but in your case as the destination is any you can apply where you want.

the only difference is that if it is inbound on f0/0 then the router won't event try to route the packet or NAT it and if it is applied outbound on s0/0 then the router will do a routing lookup and before sending the packet down s0/0 it will see it is denied so it will drop it and I think but I'm not sure that the NAT translation will be made.

Regards.

Alain

Don't forget to rate helpful posts.

Hi Alain,

Thank you for the reply.I do understand what you are trying to say.But is there any documentation i can refer to?

regards,

Arjun

Arjun,

Along with what Alain is telling you.

You should always try apply ACLs as close to the source of the traffic possible. This

is to reduce overheads and prevent packets moving up the network when they are

not needed.

I your case to deny your PC 192.168.1.10 access you would want the ACL as an input on f0/0

aceess-list 1 deny host 192.168.1.10 (denies you)

access-list 1 permit any (allows others)

int f0/0

ip access-group 1 in

!

Remember there are probably going to be more that you on the f0/0 like

in an office etc

Hope this makes sense

HTH

Alex

Please rate useful posts

Regards, Alex. Please rate useful posts.

Hi Alain,

Thank you for the link.I guess i will have to read thorugh it.

HI Acambel ,

I do know the syntax of configuring access lists.But my question is mainly:

what is the difference between these to conditions ?

1)applying a deny_all access-list statement on fa0/0

2)and applying a deny_all filter on s0/0.

Alain has shed some light on it but i wanted to know whether NAT translation for the packet originating from 192.168.1.10 will take place if we apply the deny_all filter on s0/0?

Your answer will be greatly appreciated.

Regards,

Arjun Das

Arjun

As I said above

You should always try apply ACLs as close to the source of the traffic possible. This

is to reduce overheads and prevent packets moving up the network when they are

not needed

So in the case you are asking about there is no point in allowing the F0/0 interface to forward the packet to the

S0/0 interface to have it dropped, this is just wasting router CPU time

Block or filter the unwanted traffic as NEAR to source as possible

Therefore apply the deny all at the f0/0 IN

I hope this makes sense.

Regards

Alex

Please rate useful posts.

Regards, Alex. Please rate useful posts.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: