05-07-2012 08:16 PM - edited 03-07-2019 06:34 AM
Hi all,
I have a question regarding applying an extended ACL in the inbound or outbound direction.
R1 is connected to R2 and R2 has connection to internet.
PC is connected to R1.
I was blocking the PC from pinging the IP address 4.x.x.x.
When I apply the ACL to R1:
access-list 100 deny ip host 192.168.20.25 host 4.x.x.x log
Now when I apply this to interface Fa0/11 of R1 (this interface connects to R2),
I can see that ping is still working, but when I apply this on interface Fa0/11
in the outbound direction, ping is not working.
Can someone please explain to me why it is not working when I apply it inbound?
Thanks
Mahesh
05-07-2012 11:27 PM
Inbound refers to packets coming in to the interface.
Outbound refers to packets going out from the interface.
So if the PC is connected to R1 (we will assume interface Fa0/0) and R1's connection to R2 is using interface Fa0/11, the traffic flow for your ping packet would be:
Packet comes in to interface Fa0/0 on R1 from the PC. Packet goes out from R1 to R2 on interface Fa0/11.
So as you can (hopefully) see now, where you have applied the ACL the packet is going in an outbound direction, which is why applying the ACL as inbound won't work.
Hope that makes sense and helps.
05-07-2012 11:31 PM
If I've correctly understood your topology, f0/11 is connected to R2. You are using an ACL that denies IP packets with 192.168.20.25 as the SOURCE and 4.x.x.x as the DESTINATION address. But your R1 does not see such packets inbound on F0/11 - they are all outbound. Inbound packets have the same addresses but in different places - 192.168.20.25 is the DESTINATION, 4.x.x.x is the SOURCE. Hope your ACL has more than one line, because of the implicit deny ip any any at the bottom.
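The two answers above can be checked with a small simulation of how a router evaluates an extended ACL on the ingress interface first and the egress interface second. This is an added example written for this thread, not code from the original posts or from Cisco IOS; interface names and 192.168.20.25 are taken from the thread, while 4.0.0.1 is a constructed stand-in for the post's 4.x.x.x and the "permit ip any any" second line is the one Sergey hopes is present.

```python
"""Simulate inbound vs outbound evaluation of a Cisco-style extended ACL on
a two-interface router (R1). Constructed example: 4.0.0.1 stands in for the
thread's 4.x.x.x; interface names Fa0/0 (PC side) and Fa0/11 (R2 side)
follow the thread."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PC_IP = "192.168.20.25"
TARGET_IP = "4.0.0.1"   # constructed stand-in for the post's 4.x.x.x


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "icmp"


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches any protocol; otherwise must equal the packet's proto
    src: str      # "any" or "host A.B.C.D"
    dst: str


def _addr_matches(spec: str, addr: str) -> bool:
    """Match an ACL address operand ("any" or "host X") against a packet address."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec.split(" ", 1)[1] == addr
    raise ValueError(f"unsupported address spec: {spec}")


def evaluate(acl: List[AclEntry], pkt: Packet) -> str:
    """First-match evaluation, ending with the implicit 'deny ip any any'."""
    for entry in acl:
        if entry.proto != "ip" and entry.proto != pkt.proto:
            continue
        if _addr_matches(entry.src, pkt.src) and _addr_matches(entry.dst, pkt.dst):
            return entry.action
    return "deny"


@dataclass
class Interface:
    name: str
    acl_in: Optional[List[AclEntry]] = None
    acl_out: Optional[List[AclEntry]] = None


def forward(ingress: Interface, egress: Interface, pkt: Packet) -> bool:
    """Return True if R1 forwards pkt: the inbound ACL of the ingress interface
    is checked first, then the outbound ACL of the egress interface."""
    if ingress.acl_in is not None and evaluate(ingress.acl_in, pkt) == "deny":
        return False
    if egress.acl_out is not None and evaluate(egress.acl_out, pkt) == "deny":
        return False
    return True


def ping(fa0_0: Interface, fa0_11: Interface) -> Tuple[bool, bool]:
    """Echo request PC -> TARGET, then echo reply TARGET -> PC with the
    addresses swapped. Returns (request_forwarded, reply_forwarded)."""
    request = Packet(src=PC_IP, dst=TARGET_IP)
    reply = Packet(src=TARGET_IP, dst=PC_IP)
    req_ok = forward(ingress=fa0_0, egress=fa0_11, pkt=request)
    rep_ok = req_ok and forward(ingress=fa0_11, egress=fa0_0, pkt=reply)
    return req_ok, rep_ok


# access-list 100 deny ip host 192.168.20.25 host 4.0.0.1
# access-list 100 permit ip any any   (assumed second line, per Sergey's remark)
ACL_100 = [
    AclEntry("deny", "ip", f"host {PC_IP}", f"host {TARGET_IP}"),
    AclEntry("permit", "ip", "any", "any"),
]


def ping_with_acl(direction: str, acl: List[AclEntry] = ACL_100) -> Tuple[bool, bool]:
    """Apply acl on Fa0/11 in the given direction ('in' or 'out') and ping."""
    fa0_0 = Interface("Fa0/0")
    fa0_11 = Interface("Fa0/11",
                       acl_in=acl if direction == "in" else None,
                       acl_out=acl if direction == "out" else None)
    return ping(fa0_0, fa0_11)


if __name__ == "__main__":
    for direction in ("out", "in"):
        req, rep = ping_with_acl(direction)
        print(f"ACL 100 {direction} on Fa0/11: request={req}, reply={rep}, "
              f"ping {'fails' if not (req and rep) else 'works'}")
    # Deny line only (no permit): applied inbound it blocks every reply from R2,
    # not just the flow the deny line was written for.
    req, rep = ping_with_acl("in", acl=ACL_100[:1])
    print(f"deny-only ACL in on Fa0/11: request={req}, reply={rep}")
```

Applied outbound on Fa0/11 the echo request matches the deny line and never leaves R1. Applied inbound on Fa0/11 the only packet the ACL sees is the echo reply, whose source is 4.0.0.1 and destination 192.168.20.25, so the deny line does not match and the permit line lets it through; drop the permit line and the implicit deny blocks every reply from R2, which looks like "ping fails" but for the wrong reason.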
05-08-2012 07:16 AM
Hi,
Thanks for the reply.
As the ACL is applied on interface Fa0/11 outbound (the connection between R1 and R2),
when PC traffic enters the interface on R1, say Fa0/1, and then goes out of R1, the ACL is applied to it, right?
Before this, when I applied it inbound on Fa0/11, the packet enters interface Fa0/0 where the PC is connected, which
has no ACL, and then it goes out of interface Fa0/11.
When we say inbound on R1 interface Fa0/11, does it mean traffic coming from R2?
Thanks
Mahesh
05-08-2012 07:06 AM
Hi Sergey,
Thanks for the reply.
Yes, I am using the ACL to deny packets with 192.168.x.x as source and 4.x.x.x as destination.
When you say:
But your R1 does not see such packet inbound on F0/11 - they are all outbound.
Can you please explain this to me in more detail?
Thanks
Mahesh
05-09-2012 11:43 AM
Hi all,
Many thanks. I read your replies and now I understand what you mean.
Thanks again to both of you.
Regards
Mahesh