I have been trying to understand the access-lists concept on a router especially the ccna level(extended, standard, named etc).
I couldnt get the concept of what is inbound and outbound where is it implemented on an interface, like which direction should be considered, why is it IN or OUT ? If IN from where it is IN or from where it is OUT i mean for example: Router(config)#int e1
router(config-if)#ip access-group 10 out or in.
Just that you can get an idea what i am trying to say , i kno wthis is a freak example but experts can get it
Is it away from the interface or coming into the interface or leaving the interface, how it should be considered, what is the reference point in such type of access-lists?
Please help me nail this concept i need to become perfect in configuring any type of access-lists on routers for any condition.
Can somebody please explain this or sugesst a good reading/practise material to understand it easily?
[code:1]Router(config)# int e1
Router(config-if)# ip access-group 10 in[/code:1]
The above code tells the router to use access-list 10 for checking all traffic (packets) that ENTER the interface E1. If the access-list 10 permits the packet, it will be allowed to enter the router. If the access-list 10 denies the packet, it will NOT be allowed to enter the router (i.e it will dropped).
[code:1]Router(config)# int e1
Router(config-if)# ip access-group 10 out[/code:1]
The above code tells the router to use access-list 10 for checking all traffic (packets) that EXIT the interface E1. If the access-list 10 permits the packet, it will be allowed to exit the router. If the access-list 10 denies the packet, it will NOT be allowed to exit the router (i.e it will dropped).
Standard access-lists: numbered from 1 to 99 and gives you limited features. For example, you can not specify TCP ports or specify destination IP addresses.
Extended access-lists: numbered from 100 and above (I think up to 199) and gives you the full set of features.
Named access-lists: Instead of using a number, you use a name to identify the access-list. Named access-lists can be either standard or extended. You specify in the command line, like this:
[code:1]ip access-list extended ACL1[/code:1]
[code:1]ip access-list standard ACL1[/code:1]
I know it's not easy to grasp every detail by only reading. The more you practice the more you'll get used to it.
Hope this helps and don't hesitate to ask if you have more questions.
Thanks for your quick reply SOlo.
But i as you have said do not hesitate to ask more i will never hesitate to ask to make myslef perfect .
The point is in your explanation you have said entering the interface E1, okay. Well... if i am a packet coming in from the internet i think as entering the router interface or if am a packet coming in from the LAN connected to the router that also means i am entering the interface connected to it whatever the int may be E1 or E0.
Same way if i have more than one LAN connected to the router from which direction i should consider as entering or leaving. You mean if anything coming into the interface from a LAN can be considered as entering or if a packet is leaving one of the interfaces and entering another LAN what should i consider it as?
#For example if i have a rouer with three LANs connected to E0 and E1 and E2.
Query is hosts in E1 LAN should not communicate to Hosts in E0 LAN but should communicate to other LANs.
How should i apply an Access list, please explain with directions in and out...please.
My confusion starts if a router has more than one LAN connected and which point is taken as entering or leaving from which side?
Hope i did not confuse you Sir, let me know if i did.
MAny thanks for your explanation and looking forward for one more to make me NAIL it! or any reading guide with many examples will also do Sir.
Redpix (Working as a Network Admin in an ISP - India)
The access list applies to a specific interface. So if there are multiple interfaces then each interface can have its own access list which applies just to the traffic going IN to or OUT of that interface. They way to understand this is to think of yourself as a packet and consider where you (as the packet) are. For example, you're on the LAN and approaching the router's E0 interface. So any IN access list on that interface is going to filter you. Okay, you got through and now you're inside the router and you're destined for the internet via BRI0. So as you approach BRI0 to go OUT, if there is an OUT access list on that interface it will filter you. You get out, hit the web server or whatever and now you're a reply packet coming back from the internet and approaching the router's BRI0 port. If there's an IN access list on BRI0 then it will filter you. So now you're inside the router again and destined for the local LAN so you approach E0 to go OUT. If there is an OUT access list on interface E0 then it will filter you.
Get the idea?
Great answer !! now i have a fair idea than before but the word "filter" you used means blocking me or allowing me? Please clarify. And are there any good reading stuff available on the internet to get to know these access-lists to understand them? thanks again Bishop and Thanks to you SOl0
Any better analogies are also from other people i am ready to take them too ..thanks all..
Redpix(working as a Network Admain with an ISP)
but the word "filter" you used means blocking me or allowing me? Please clarify.
It depends on the what you specify in the access list it self, you can permit or deny, it's your choice. Just remember one thing that there is always a hidden deny at the end of any access-list. So if your access list does not specify an action (permit or deny) for certain packets, the packets will be denied (i.e blocked).
And are there any good reading stuff available on the internet to get to know these access-lists to understand them?