IP ACCESS LIST simple understanding problem

B@B@r
Level 1

Dear all, please solve my confusion on a basic concept of ACLs. [image: BABARS.jpg]

Accepted Solution

Hello

The reason for that is the ACL egress (outbound) isn't being matched, due to the fact you are sourcing from the BABAR rtr itself (Mgt/control plane - traffic originated from the router itself) and not its data plane (traffic traversing the rtr), and as such no traffic is hitting the outside interface. If you had a device internal to the BABAR rtr then that would indeed match the ACL and be denied.

As for the ingress (inbound) ACL, well, traffic is being matched due to the return traffic from outside the BABAR rtr, and as such it will be denied.

res

Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


6 Replies

What do you want to achieve? And what do 'working' and 'not working' mean? You want to deny TELNET traffic from the left to the right router?

That said, with your access list and just that one deny statement, all traffic will be blocked, due to the implicit deny rule in access lists.

I want to achieve: Babar could not telnet Tipu (deny telnet from Babar).
Not working: means when I apply the access-list as OUT on interface fa0/0, it is telnetting Tipu.
Working: means when I apply the same access-list as IN on int fa0/0, it achieves my goal.
I intentionally apply one deny statement because I am learning the concept, and I want to block telnet from Babar to Tipu.


So it means that if traffic is generated by the router itself, whether on its FastEthernet, serial, loopback or tunnel interface, it is not in the data plane but in the control plane, and IN and OUT will only affect data-plane traffic. The IN (ingress) or OUT (egress) will behave differently when it is generated by the rtr itself and when it is transit traffic.

Julio E. Moisa
VIP Alumni

Hi

As the traffic is being originated by the BABAR router, the ACL will not be applied to it; it will work for transit traffic (data plane) only, so you should apply the ACL under TIPU's interface facing BABAR with IN (inbound).

 

Hope it is useful

:-)

>> Mark as helpful or answered if the reply resolved your doubt; this helps future queries from other community members. <<

1 - So it means that if traffic is generated by the router itself, whether on its FastEthernet, serial, loopback or tunnel interface, it is not in the data plane but in the control plane, while IN and OUT only affect the data plane. The IN (ingress) or OUT (egress) will behave differently when it is generated by the rtr itself and when it is transit traffic...

2 - Suppose I don't have the privileges to apply the ACL under TIPU's (the BOSS rtr's) interface facing BABAR with IN?
Then I only have the option to apply it IN on Babar facing TIPU. But when we enable debug or a packet tracer (Wireshark) on Tipu's interface fa0/0, the boss router TIPU will show that someone is TELNETing. Isn't there another way to stop it, so that my BOSS router finds that I am a good network engineer who does what he wants..

:) not any telnet request

I want my boss router not to receive any packet of telnet from BABAR. Although it is blocked at the BABAR side, I want it that way?

[image: telnet.png]

Thank you guys...
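As an added example that is not part of the thread, here are the three situations discussed above (Paul's explanation of OUT vs IN on BABAR, Julio's placement on TIPU, and the last question about blocking without access to TIPU) written out as IOS configuration. The addresses 10.0.0.1 (BABAR fa0/0) and 10.0.0.2 (TIPU fa0/0) and the ACL names are assumptions, and the access-class option in part 3 is a standard IOS line feature that the thread itself does not mention.

```text
! Addresses are constructed placeholders: BABAR fa0/0 = 10.0.0.1, TIPU fa0/0 = 10.0.0.2
!
! 1) On BABAR: the ACL from the question, one deny line and nothing else.
ip access-list extended TELNET-TEST
 deny tcp host 10.0.0.1 host 10.0.0.2 eq 23
 ! an implicit "deny ip any any" ends every ACL
!
interface FastEthernet0/0
 ! OUT checks transit (data-plane) packets only. A Telnet session started on
 ! BABAR itself is router-originated, bypasses this ACL, and still connects.
 ip access-group TELNET-TEST out
 !
 ! IN is evaluated on TIPU's reply (src 10.0.0.2 port 23 -> dst 10.0.0.1).
 ! The reply does not match the deny line, but it hits the implicit deny, so
 ! the session fails. So does every other inbound packet: this "works" only
 ! because the ACL blocks everything, not because it blocks Telnet.
 ip access-group TELNET-TEST in
!
! 2) On TIPU: correct placement, inbound on the interface facing BABAR, with an
!    explicit permit so the implicit deny does not drop the rest of the traffic.
ip access-list extended DENY-TELNET-FROM-BABAR
 deny   tcp host 10.0.0.1 host 10.0.0.2 eq 23
 permit ip any any
!
interface FastEthernet0/0
 ip access-group DENY-TELNET-FROM-BABAR in
!
! 3) On BABAR, when TIPU cannot be changed: router-originated sessions are
!    controlled on the lines, not on interfaces. "access-class <acl> out"
!    restricts outgoing Telnet from sessions on those lines to the destinations
!    permitted by a standard ACL, so TIPU never sees the SYN.
access-list 10 deny   host 10.0.0.2
access-list 10 permit any
!
line vty 0 4
 access-class 10 out
!
! Verify which entry matched, and on which box, with the hit counters:
! show ip access-lists DENY-TELNET-FROM-BABAR
```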