Multiple Access List
05-05-2008 02:02 PM - edited 03-05-2019 10:46 PM
Hi all,
Please I need an explanation on multiple access lists. I have 2 interfaces on my router and I want to create access lists.
Bearing in mind the access list rule: per interface, per protocol, per direction.
How do I implement multiple access lists,
i.e.
ip access-list 121 ..........
int fa0/0
in
ip access-list 142
int fa0/0
in
ip access-list 169
int fa0/0
in
Please, I understand the command, but it is the interface inbound and outbound issue that I want clarification on.
I will be expecting your reply.
Regards
05-05-2008 03:11 PM
I hope the below helps clear up the confusion.
Out: traffic that has already been through the router and leaves the interface. The source is where it has been, on the other side of the router, and the destination is where it goes.
In: traffic that arrives on the interface and then goes through the router. The source is where it has been and the destination is where it goes, on the other side of the router.
Mark
05-08-2008 04:27 PM
Your post suggests that you are trying to apply access lists 121, 142, and 169 to int fa0/0 inbound.
Is this true?
When you state - "Bearing in mind the access list :per interface per protocol per direction."
What protocols are being implemented with the three different ACLs?
05-09-2008 08:53 AM
Michael,
"access list per interface per protocol per direction" goes back to the days when Cisco routers were multiprotocol routers and might be processing IP, and IPX, and perhaps AppleTalk. So you could have an IP access list in and out, and an IPX access list in and out, and perhaps an AppleTalk filter. As Istvan points out, in today's environment we deal almost exclusively with IP and in effect the rule is now one access list in and one access list out per interface.
HTH
Rick
05-09-2008 09:10 AM
You misunderstood my post.
I was probing to find out whether the original poster was using IP, IPX, and AppleTalk, or whether he was separating TCP/IP application protocols into different ACLs.
Best Regards,
05-09-2008 08:18 AM
Hi Taiwo,
You can apply only ONE access-list inbound and ONE access-list outbound to each interface.
You have to construct the ip access-lists so that they contain all the necessary protocol filtering in ONE access-list inbound and ONE access-list outbound.
Then you have to apply the access-lists to the interfaces similarly to this:
interface fa0/0
ip access-group 121 in
ip access-group xxx out
Does this answer your question?
Cheers:
Istvan
05-09-2008 08:51 AM
Can you tell us what issue you will run into if you merge these access lists into one access list?
05-09-2008 10:53 AM
Hi Illusion Rox,
When you construct access-lists, there may be several issues you can run into. The most important rules that are recommended to follow are:
1. Every standard access-list has an implicit "deny any" and every extended access-list has an implicit "deny ip any any" at the end.
Therefore, if you want to deny specific traffic and allow the rest of the traffic, then you need to add "permit any" or "permit ip any any" respectively at the end to override this behavior.
2. Access-lists are evaluated in sequence. This is why you have to configure the more specific acl entries first, then the more general statements.
3. Generally speaking, standard acls need to be applied as close to the destination as possible.
Extended acls are recommended to apply as close to the source as possible.
But every specific application is different, so these are not very strict rules.
You may apply acls in a cute way to limit the unnecessary traffic burden on the network.
Cheers:
Istvan
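To see rules 1 and 2 in action, here is a small first-match evaluator written for this thread (it is not IOS code and not Istvan's; the addresses and the contents of lists 121, 142 and 169 are constructed). It folds the three lists into the single inbound list that fa0/0 can carry and shows what happens when the broad permit is placed before the specific deny.

```python
import ipaddress

# Toy first-match evaluator for IOS-style extended ACL entries (constructed, not IOS itself):
#   "<permit|deny> <ip|tcp|udp> <src> <dst> [eq <port>]", where an address is
#   "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (address plus wildcard mask).

def _match_addr(spec, wildcard, addr):
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(spec)) & care

def _take_addr(tok, i):
    if tok[i] == "any":
        return ("any", None), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def parse_ace(line):
    tok = line.split()
    src, i = _take_addr(tok, 2)
    dst, i = _take_addr(tok, i)
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return {"action": tok[0], "proto": tok[1], "src": src, "dst": dst, "port": port}

def evaluate(acl, pkt):
    """Return (action, entry) for the first matching entry; rule 1: implicit deny at the end."""
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue
        if not (_match_addr(*ace["src"], pkt["src"]) and _match_addr(*ace["dst"], pkt["dst"])):
            continue
        if ace["port"] is not None and ace["port"] != pkt.get("dport"):
            continue
        return ace["action"], line
    return "deny", "implicit deny ip any any"

# Hypothetical contents of the poster's lists 121, 142 and 169 (constructed addresses).
ACL_121_WEB = ["permit tcp 192.168.1.0 0.0.0.255 any eq 80"]
ACL_142_DNS = ["permit udp 192.168.1.0 0.0.0.255 host 10.0.0.53 eq 53"]
ACL_169_BLOCK = ["deny ip host 192.168.1.99 any"]
# Rule 2: one inbound list, most specific entry first; the closing permit overrides the implicit deny.
MERGED_IN = ACL_169_BLOCK + ACL_121_WEB + ACL_142_DNS + ["permit ip any any"]
# Same entries with the broad permit first: the host deny can never match.
BAD_ORDER_IN = ["permit ip any any"] + ACL_169_BLOCK
```

Evaluating a web packet from the blocked host against MERGED_IN hits the deny, against BAD_ORDER_IN it is permitted, and dropping the final "permit ip any any" sends any unmatched packet to the implicit deny.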
05-09-2008 11:19 AM
Hi Istvan, I knew that :-). What I am trying to say is that instead of applying 3 different ACLs, why don't we merge them into 1? What kind of payoff can we expect? If you guys are getting what I mean, then instead of applying different ACLs it's better to apply 1 by merging them all; I think there is no need to apply different ACLs at all. So what do you guys think?
05-09-2008 11:24 AM
Hi,
This is exactly what I said in my first post.
Cheers:
Istvan
