Access-List

rivanfrank
Beginner

Hi Everyone,

I need help regarding access-list. I really don't understand the concept of outbound and inbound.

access-list.jpg

This is working fine, but my question is: when I put the access-group on the serial interface of router 0, the access list won't work.

Please Advise.

Thanks.

3 Accepted Solutions

cadet alain
Mentor

Hi,

If you apply it to serial0, then it must be inbound, as packets with a source address of 192.168.3.10 are entering this interface, not exiting.

But then it will block communication between this host and all hosts in the subnets on the FastEthernet ports of the left router, not just the hosts from the fastethernet0 interface.

Regards

Alain

Don't forget to rate helpful posts.


Hi,

It all depends on what you want to achieve. If you wanted to block this host from communicating with the right one on the left router, then putting it outbound on f0 is the right way to do it, even though the packet will be forwarded and then dropped by the ACL. Now if you wanted to block communication with both clients on the left, then you could either apply it inbound on s0 or outbound on both FastEthernet interfaces. Doing it inbound on s0 would save a routing lookup and frame rewrite on the router, as the packet would get dropped before being routed.

Regards

Alain

Don't forget to rate helpful posts.


Hi,

Best practice is to put a standard ACL as close to the destination as possible, because if you put it inbound on your router you are going to block some communication you didn't want to.

For example, you won't ping your router or manage it via telnet/ssh or http(s) from your host, and you won't get any more DHCP addresses for this host either.

Regards

Alain

Don't forget to rate helpful posts.
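
The placement trade-off described in these answers, as an added Python model that is not part of the original thread. The interface name f1, the LAN subnets, the router addresses and the ACL entries are assumptions, since the thread's diagram is not available.

```python
import ipaddress

# Constructed topology (assumption: the thread's diagram is not available).
# Left router: s0 faces the remote host, f0 and f1 face two local LANs.
ROUTES = {
    "f0": ipaddress.ip_network("192.168.1.0/24"),
    "f1": ipaddress.ip_network("192.168.2.0/24"),
}
ROUTER_ADDRS = {ipaddress.ip_address(a)
                for a in ("192.168.1.1", "192.168.2.1", "10.0.0.1")}

# Standard ACL: matches on source address only, first match wins.
ACL = [
    ("deny", ipaddress.ip_network("192.168.3.10/32")),
    ("permit", ipaddress.ip_network("0.0.0.0/0")),
]

def acl_permits(acl, src):
    for action, net in acl:
        if src in net:
            return action == "permit"
    return False  # implicit deny at the end of every ACL

def forward(src, dst, in_if, bindings):
    """bindings maps (interface, direction) to an ACL; returns the outcome."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl = bindings.get((in_if, "in"))
    if acl is not None and not acl_permits(acl, src):
        return "dropped inbound on " + in_if    # before any routing lookup
    if dst in ROUTER_ADDRS:
        return "delivered to router"            # outbound ACLs never see this
    out_if = next((i for i, n in ROUTES.items() if dst in n), None)
    if out_if is None:
        return "no route"
    acl = bindings.get((out_if, "out"))
    if acl is not None and not acl_permits(acl, src):
        return "dropped outbound on " + out_if  # after the routing lookup
    return "forwarded via " + out_if

def reachability(bindings, src="192.168.3.10"):
    targets = {"lan_f0": "192.168.1.10", "lan_f1": "192.168.2.10",
               "router": "192.168.1.1"}
    return {name: forward(src, ip, "s0", bindings) for name, ip in targets.items()}

if __name__ == "__main__":
    for label, b in (("inbound on s0", {("s0", "in"): ACL}),
                     ("outbound on f0", {("f0", "out"): ACL})):
        print(label, reachability(b))
```

Inbound on s0 drops the host's traffic to both LANs and to the router itself, while outbound on f0 drops only what is routed toward the f0 subnet.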


9 Replies 9

Thanks for the quick reply, so what would be the standard: deny it inbound on se0/0/0 or outbound on fa0/0?