Hot Downloads

Welcome, Guest
Username: Password: Remember me
  • Page:
  • 1
  • 2

TOPIC: Router Access-lists concept(interface direction)

Router Access-lists concept(interface direction) 7 years 7 months ago #30200

  • Redpix
  • Redpix's Avatar
  • Offline
  • Frequent Member
  • Posts: 21
  • Karma: 0
Hi All,

I have been trying to understand the access-lists concept on a router especially the ccna level(extended, standard, named etc).
I couldnt get the concept of what is inbound and outbound where is it implemented on an interface, like which direction should be considered, why is it IN or OUT ? If IN from where it is IN or from where it is OUT i mean for example:
Router(config)#int e1
router(config-if)#ip access-group 10 out or in.

Just that you can get an idea what i am trying to say , i kno wthis is a freak example but experts can get it ;-)
Is it away from the interface or coming into the interface or leaving the interface, how it should be considered, what is the reference point in such type of access-lists?
Please help me nail this concept i need to become perfect in configuring any type of access-lists on routers for any condition.
Can somebody please explain this or sugesst a good reading/practise material to understand it easily?

Many thanks in Advance people....:)
The administrator has disabled public write access.

Re: Router Access-lists concept(interface direction) 7 years 7 months ago #30201

  • S0lo
  • S0lo's Avatar
  • Offline
  • Moderator
  • Posts: 1577
  • Thank you received: 7
  • Karma: 3
Hi Redpix,

[code:1]Router(config)# int e1
Router(config-if)# ip access-group 10 in[/code:1]

The above code tells the router to use access-list 10 for checking all traffic (packets) that ENTER the interface E1. If the access-list 10 permits the packet, it will be allowed to enter the router. If the access-list 10 denies the packet, it will NOT be allowed to enter the router (i.e it will dropped).

[code:1]Router(config)# int e1
Router(config-if)# ip access-group 10 out[/code:1]

The above code tells the router to use access-list 10 for checking all traffic (packets) that EXIT the interface E1. If the access-list 10 permits the packet, it will be allowed to exit the router. If the access-list 10 denies the packet, it will NOT be allowed to exit the router (i.e it will dropped).


Standard access-lists: numbered from 1 to 99 and gives you limited features. For example, you can not specify TCP ports or specify destination IP addresses.

Extended access-lists: numbered from 100 and above (I think up to 199) and gives you the full set of features.

Named access-lists: Instead of using a number, you use a name to identify the access-list. Named access-lists can be either standard or extended. You specify in the command line, like this:

[code:1]ip access-list extended ACL1[/code:1]

or

[code:1]ip access-list standard ACL1[/code:1]

I know it's not easy to grasp every detail by only reading. The more you practice the more you'll get used to it.

Hope this helps and don't hesitate to ask if you have more questions.
Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
The administrator has disabled public write access.

Re: Router Access-lists concept(interface direction) 7 years 7 months ago #30209

  • Redpix
  • Redpix's Avatar
  • Offline
  • Frequent Member
  • Posts: 21
  • Karma: 0
Thanks for your quick reply SOlo.
But i as you have said do not hesitate to ask more i will never hesitate to ask to make myslef perfect ;-).

The point is in your explanation you have said entering the interface E1, okay. Well... if i am a packet coming in from the internet i think as entering the router interface or if am a packet coming in from the LAN connected to the router that also means i am entering the interface connected to it whatever the int may be E1 or E0.

Same way if i have more than one LAN connected to the router from which direction i should consider as entering or leaving. You mean if anything coming into the interface from a LAN can be considered as entering or if a packet is leaving one of the interfaces and entering another LAN what should i consider it as?

#For example if i have a rouer with three LANs connected to E0 and E1 and E2.
Query is hosts in E1 LAN should not communicate to Hosts in E0 LAN but should communicate to other LANs.
How should i apply an Access list, please explain with directions in and out...please.


My confusion starts if a router has more than one LAN connected and which point is taken as entering or leaving from which side?

Hope i did not confuse you Sir, let me know if i did.

MAny thanks for your explanation and looking forward for one more to make me NAIL it! or any reading guide with many examples will also do Sir.

Thanks
Redpix (Working as a Network Admin in an ISP - India)
The administrator has disabled public write access.

Re: Router Access-lists concept(interface direction) 7 years 7 months ago #30217

  • TheBishop
  • TheBishop's Avatar
  • Offline
  • Moderator
  • Posts: 1719
  • Thank you received: 8
  • Karma: 5
The access list applies to a specific interface. So if there are multiple interfaces then each interface can have its own access list which applies just to the traffic going IN to or OUT of that interface. They way to understand this is to think of yourself as a packet and consider where you (as the packet) are. For example, you're on the LAN and approaching the router's E0 interface. So any IN access list on that interface is going to filter you. Okay, you got through and now you're inside the router and you're destined for the internet via BRI0. So as you approach BRI0 to go OUT, if there is an OUT access list on that interface it will filter you. You get out, hit the web server or whatever and now you're a reply packet coming back from the internet and approaching the router's BRI0 port. If there's an IN access list on BRI0 then it will filter you. So now you're inside the router again and destined for the local LAN so you approach E0 to go OUT. If there is an OUT access list on interface E0 then it will filter you.
Get the idea?
The administrator has disabled public write access.

Re: Router Access-lists concept(interface direction) 7 years 7 months ago #30224

  • Redpix
  • Redpix's Avatar
  • Offline
  • Frequent Member
  • Posts: 21
  • Karma: 0
Hello Bishop,

Great answer !! now i have a fair idea than before but the word "filter" you used means blocking me or allowing me? Please clarify. And are there any good reading stuff available on the internet to get to know these access-lists to understand them? thanks again Bishop and Thanks to you SOl0 ;-)

Any better analogies are also from other people i am ready to take them too ..thanks all..

Bye
Redpix(working as a Network Admain with an ISP)
The administrator has disabled public write access.

Re: Router Access-lists concept(interface direction) 7 years 7 months ago #30225

  • S0lo
  • S0lo's Avatar
  • Offline
  • Moderator
  • Posts: 1577
  • Thank you received: 7
  • Karma: 3
but the word "filter" you used means blocking me or allowing me? Please clarify.

It depends on the what you specify in the access list it self, you can permit or deny, it's your choice. Just remember one thing that there is always a hidden deny at the end of any access-list. So if your access list does not specify an action (permit or deny) for certain packets, the packets will be denied (i.e blocked).
And are there any good reading stuff available on the internet to get to know these access-lists to understand them?

Try here:
www.cisco.com/en/US/products/sw/secursw/...186a00800a5b9a.shtml

www.cisco.com/en/US/tech/tk648/tk361/tec...186a0080100548.shtml

Hope this helps.
Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
The administrator has disabled public write access.
  • Page:
  • 1
  • 2
Time to create page: 0.086 seconds

CCENT/CCNA

Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V

Linux

  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup