Beginner

ACL extended doubt

Hi guys, I have a doubt: what is the difference between an ACL inbound or outbound (in this specific case)?

 

Example: I want the subnet 172.16.20.0/24 to be unable to reach the web server 172.16.10.2.

 

ip access-list extended 101

deny tcp 172.16.20.0 0.0.0.255 host 172.16.10.2 eq 80

 

So what is the difference if I configure this ACL inbound fa0/1 or outbound fa0/1?

 

[Attachment: Desktop Screenshot 2020.05.23 - 14.50.49.39 (2).png]

5 REPLIES
VIP Mentor

Re: ACL extended doubt

You need to understand the ingress and egress traffic flow here when you are deploying an ACL.

 

Server ---Router----network

 

Ingress traffic flows from the network into the interface, and egress traffic flows from the interface to the network.

 

It depends on who is initiating the connection; based on that, you need to apply the ACL IN or OUT.

 

BB
*** Rate All Helpful Responses ***
Beginner

Re: ACL extended doubt

Yes, but in this situation... the outbound traffic should be fa0/2. Right?

 

What's the difference between inbound fa0/1 and outbound fa0/1, considering that extended ACL 101?

Participant

Re: ACL extended doubt

Hi,

 

The HTTP Request from 172.16.20.0/24 will first reach Fa0/1 <----- This will be evaluated by Fa0/1's inbound ACL.

 

Then the HTTP Request will be forwarded out Fa0/2 <----- This will be evaluated by Fa0/2's outbound ACL.

 

The server receives the request and starts to reply.


The HTTP Reply from 172.16.10.2 (with source port 80) will first reach Fa0/2 <------- This will be evaluated by Fa0/2's inbound ACL.


Then the HTTP Reply will be forwarded out Fa0/1 <------- This will be evaluated by Fa0/1's outbound ACL.

 

So, in your case:

 

ip access-list extended 101
 deny tcp 172.16.20.0 0.0.0.255 host 172.16.10.2 eq 80
 permit ip any any

If it is applied to Fa0/1's outbound:

 

The HTTP Reply will be forwarded out Fa0/1 <------- This will be evaluated by Fa0/1's outbound ACL.

HTTP Reply =      tcp 172.16.10.2 eq 80       172.16.20.0 0.0.0.255
your ACL   = deny tcp 172.16.20.0 0.0.0.255   host 172.16.10.2 eq 80

 

which does not match, so it will not drop the traffic if you apply it to Fa0/1's outbound.

 

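To make the four evaluation points above concrete, here is an added Python model of first-match ACL evaluation with Cisco wildcard masks (example code written for this thread, not from Cisco IOS or any poster; the client host 172.16.20.25 and its source port are constructed sample values). It runs the "deny ... / permit ip any any" list against both the request and the reply at each placement, and also shows that the original single-line ACL ends in the implicit deny, which would block the reply too.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _wild_match(addr, base, wildcard):
    # Cisco wildcard: a 1 bit means "don't care", so mask those bits out before comparing.
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def _parse_addr(tokens):
    # One address spec: "any", "host A", or "A WILDCARD". Returns (base, wildcard, remaining tokens).
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def _parse_port(tokens):
    # Optional "eq N" qualifier; None means any port.
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_ace(line):
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, swc, rest = _parse_addr(tokens[2:])
    sport, rest = _parse_port(rest)
    dst, dwc, rest = _parse_addr(rest)
    dport, rest = _parse_port(rest)
    return {"action": action, "proto": proto, "src": (src, swc, sport), "dst": (dst, dwc, dport)}


def ace_matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    for (base, wc, port), addr, pkt_port in ((ace["src"], pkt.src, pkt.sport), (ace["dst"], pkt.dst, pkt.dport)):
        if not _wild_match(addr, base, wc) or (port is not None and port != pkt_port):
            return False
    return True


def evaluate(acl, pkt):
    # First matching entry wins; a list with no match ends in the implicit "deny".
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


def acl_verdicts(acl, request, reply):
    # The request is seen inbound on fa0/1 and outbound on fa0/2; the reply is seen inbound on fa0/2 and outbound on fa0/1.
    return {"fa0/1 in": evaluate(acl, request), "fa0/2 out": evaluate(acl, request),
            "fa0/2 in": evaluate(acl, reply), "fa0/1 out": evaluate(acl, reply)}


ACL_101 = ["deny tcp 172.16.20.0 0.0.0.255 host 172.16.10.2 eq 80", "permit ip any any"]
REQUEST = Packet("tcp", "172.16.20.25", 51000, "172.16.10.2", 80)  # constructed sample client
REPLY = Packet("tcp", "172.16.10.2", 80, "172.16.20.25", 51000)
```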
VIP Mentor

Re: ACL extended doubt

Coming back to your ACL:

 

ip access-list extended 101

deny tcp 172.16.20.0 0.0.0.255 host 172.16.10.2 eq 80

 

So what is the difference if I configure this ACL inbound fa0/1 or outbound fa0/1?

 

You should apply the ACL in, since the traffic from the source is entering into FA0/1.

 

Network (IN) fa0/1 - router - fa0/2 (OUT) - Web Server

You can also do the same thing on FA0/2 as out, since it is leaving the router there.

 

But for security reasons I always advise implementing it at the edge interface.

 

 

BB
*** Rate All Helpful Responses ***
Hall of Fame Community Legend

Please post this homework/schoolwork in the Cisco Learning Network