09-13-2002 10:05 AM - edited 03-02-2019 01:21 AM
I am confused with the in and out commands in access-group:
access-group 100 in/out
I read in an article that IN means the data coming to our network, and in that case the source will be from the internet and the destination will be a system on my network behind my router.
OUT means the data that has already left my interface, and in this case the source will be my network and the destination is on the internet.
Is this correct? If so, let us take the example of a web site which has an IP address x.x.x.x. I need to block this IP address for my systems, and imagine my network is 192.168.10.0.
access-list 103 deny ip host x.x.x.x 192.168.10.0 0.0.0.255
access-list 103 permit ip any any
int s0
ip access-group 103 in
Is this command correct? My s0 is the interface that is facing the internet. Will this effectively block x.x.x.x for my network and allow all other IP traffic?
Can someone advise in this regard?
Thanks in Advance
09-13-2002 11:32 AM
IN/OUT is in respect to the router's interface. So if you are referring to the interface of the router facing the internet, then you are correct in terms of source and destination. But remember it is in reference to the interface.
In your example you are correct. That will block that host IP x.x.x.x from entering your network of 192.168.10.0. But what you can also do instead is "deny ip host x.x.x.x any log". If x.x.x.x is your host IP, why should it enter your network at all (with a source IP that is, not as a destination)? In this case someone must be spoofing your IP, so block it and log it.
Access-lists inbound save the router from having to process the packet, hence saves the router resources.
Hope that helps.
Steve
09-13-2002 11:53 AM
Thanks a lot. x.x.x.x is not my host IP; it is a web site present on the internet. For blocking my own IP address to act as anti-spoofing, the command is
access-list 103 deny ip x.x.x.x(my entire network) any log
int s0
ip access-group 103 in
Is this configuration correct for anti-spoofing?
Thanks in Advance.
09-13-2002 12:02 PM
Yes you are correct, and I advise you to do it.
Steve
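To make the direction and matching rules from the two answers above concrete, here is an added Python model of how IOS evaluates a numbered extended ACL applied with ip access-group ... in on the Internet-facing s0. It is not Cisco code and not from the thread: 198.51.100.7 and 203.0.113.9 are constructed stand-ins for x.x.x.x and for some other site, and access-list 104 is an assumed number for the anti-spoofing list. It also shows a pitfall worth checking in any such ACL: IOS access-list entries take a wildcard mask (0.0.0.255), not a subnet mask (255.255.255.0), so a deny written with the subnet mask only matches destinations whose last octet is 0 and lets every other inside host through.

```python
import ipaddress
from dataclasses import dataclass

# Constructed configuration modelled on the thread (not its exact text).
# Inside network: 192.168.10.0/24. Blocked web site: 198.51.100.7 (stand-in for x.x.x.x).
BLOCK_SITE_ACL = [
    "access-list 103 deny ip host 198.51.100.7 192.168.10.0 0.0.0.255",
    "access-list 103 permit ip any any",
]
# Same intent, but a subnet mask was typed where IOS expects a wildcard mask.
BLOCK_SITE_ACL_WRONG_MASK = [
    "access-list 103 deny ip host 198.51.100.7 192.168.10.0 255.255.255.0",
    "access-list 103 permit ip any any",
]
# Anti-spoofing list (assumed number 104), applied inbound on s0: a packet
# arriving from the Internet must never carry an inside source address.
ANTI_SPOOF_ACL = [
    "access-list 104 deny ip 192.168.10.0 0.0.0.255 any log",
    "access-list 104 permit ip any any",
]


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


@dataclass(frozen=True)
class AddrSpec:
    base: int
    wildcard: int  # IOS wildcard mask: 1 bits are "don't care", 0 bits must match

    def matches(self, ip: str) -> bool:
        care = 0xFFFFFFFF ^ self.wildcard
        return (_ip(ip) & care) == (self.base & care)


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: AddrSpec
    dst: AddrSpec
    log: bool


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (spec, next index)."""
    if tokens[i] == "any":
        return AddrSpec(0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return AddrSpec(_ip(tokens[i + 1]), 0), i + 2
    return AddrSpec(_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST [log]' (the only form used here)."""
    aces = []
    for line in lines:
        t = line.split()
        if t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
            raise ValueError("unsupported ACE: " + line)
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        aces.append(Ace(t[2], src, dst, log="log" in t[i:]))
    return aces


def evaluate(aces, src_ip, dst_ip):
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    for ace in aces:
        if ace.src.matches(src_ip) and ace.dst.matches(dst_ip):
            return ace.action, ace.log
    return "deny", False


def filter_inbound_s0(acl_lines, packets):
    """packets: (src, dst) pairs as they arrive on s0 from the Internet. With the
    ACL applied 'in' on s0, src is the outside address and dst the inside one."""
    aces = parse_acl(acl_lines)
    return [(src, dst) + evaluate(aces, src, dst) for src, dst in packets]


if __name__ == "__main__":
    arriving = [
        ("198.51.100.7", "192.168.10.5"),    # blocked web site -> inside host
        ("203.0.113.9", "192.168.10.5"),     # some other site -> inside host
        ("192.168.10.5", "192.168.10.20"),   # inside source seen on s0: spoofed
    ]
    for acl in (BLOCK_SITE_ACL, BLOCK_SITE_ACL_WRONG_MASK, ANTI_SPOOF_ACL):
        for row in filter_inbound_s0(acl, arriving):
            print(row)
```

Running it shows the three outcomes a practitioner cares about: the correct list 103 denies the web site and permits everything else, the subnet-mask variant silently permits the very traffic it was meant to block, and only list 104 catches the packet that arrives from outside with an inside source address (and flags it for logging).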
09-13-2002 12:03 PM
Thanks a lot for your time. I will implement in our network
09-13-2002 12:00 PM
Yes, it's true. In means filter inbound traffic.
You will start discarding packets received for host x.x.x.x, and anything else that does not match will hit 192.168.10.0.
Regards,
09-13-2002 12:04 PM
Thank you so much