Error on Page 622, Figure 10.2
athompson
01-22-2008, 09:32 AM
Hi Todd
I believe the network addresses were left out of the diagram, or at least it is harder to understand without including the network addresses.:)
- Andre
gizmo24
03-04-2009, 03:06 PM
Hi Todd
I believe the network addresses were left out of the diagram, or at least it is harder to understand without including the network addresses.:)
- Andre
Hi Andre,
I just noticed the same problem in the book.
The Sales network should be labeled 172.16.40.0/24.
The network numbers of the Marketing and Finance networks aren't required since they're not discussed in the example that follows the figure.
lammle
03-05-2009, 11:11 AM
Yes, it would be nice if figure 10.2 had some labels, but it is not necessary. The information is in the text. I left the figure blank in order to use it in any example, but yes, IP addresses on the figure would be nice. You can write in your book the IP addresses you want to use on each interface and write out ACLs.
Cheers!
Todd
mgerson
01-07-2010, 12:15 PM
Shouldn't the ACL be placed inbound on E1?
I'm stuck at this and other examples.
I mean, if the Sales network is 172.16.40.0 and it should NOT access the Finance LAN (E1 interface), why don't we do a:
Router(config)# interface ethernet 1
Router(config-if)# ip access-group 10 in
I guess the difference is that we stop the packets from getting into E1;
this does NOT mean that the Finance users cannot access the Sales LAN.
As we learned, we apply ACLs per interface and per direction.
If the ACL were placed outbound on E1 as the book suggests, then packets from Sales would still enter the interface E1 but would not be responded to, and this would also prevent the Finance users from accessing the Sales LAN.
In figure 10.3, Todd applies the ACL again as outbound and NOT inbound.
Can anyone help me a little further? This is getting confusing.
Appreciate it.
Thanks
Pramod.purohit
01-07-2010, 08:49 PM
See, that is a standard access list and it filters traffic based on source address, not destination.
An ACL in the inbound direction filters the traffic entering the router's interface;
an ACL in the outbound direction filters the traffic leaving the router's interface.
If we applied this ACL as inbound it would not work, because we want to deny the Sales LAN access to the Finance LAN, and to reach the Finance LAN, packets from the Sales LAN must exit from the E1 interface of the router. That is traffic leaving the router interface, so an ACL placed in the outbound direction will filter that traffic, not an inbound one.
The Finance LAN would be able to access the Sales LAN because the traffic from the Finance subnet is entering the router's E1 interface, and there is no ACL placed as inbound to filter the traffic that comes in from E1.
Hope this will help!!
mgerson
01-11-2010, 04:06 PM
Dear colleagues,
I appreciate the help; I hope you can help further.
See, that is a standard access list and it filters traffic based on source address, not destination.
An ACL in the inbound direction filters the traffic entering the router's interface;
an ACL in the outbound direction filters the traffic leaving the router's interface.
Until now, I completely agree with you, just to stress that, when talking about entering and leaving an interface, it's easier to think of being a node/PC connected to an Ethernet interface.
If we applied this ACL as inbound it would not work, because we want to deny the Sales LAN access to the Finance LAN (No, we want the Finance LAN to deny access to the Sales LAN, because we can just deny sources here, so the interpretation is the other way round! The Sales LAN, which is the source, has nothing to deny in standard ACLs; it has to be denied!!! That's why the book/Todd, and I agree, that the ACL has to be placed on the Finance interface E1; the issue here is the direction...)
and to reach the Finance LAN (here we still want to reach the Marketing LAN, small irrelevant mistake...) packets from the Sales LAN must exit from the E1 interface of the router (The ACL, as per the book and my logic, is not placed on E0; it's on E1, the destination network!!). That is traffic leaving the router interface, so an ACL placed in the outbound direction will filter that traffic, not an inbound one. (Again, we don't want to control packets leaving from E0/Sales; since we want to block sources and nothing else, we apply them at our destination interfaces as inbound traffic.)
The Finance LAN would be able to access the Sales LAN because the traffic from the Finance subnet is entering the router's E1 interface, and there is no ACL placed as inbound to filter the traffic that comes in from E1.
Dear Pramod, you will notice what I mean; look what Todd further says after applying the list outbound:
The following (a & b statements are contradictory):
a) Users on the Sales LAN should not have access to the Finance LAN, but they should be able to access the Internet and the marketing department.
b) (at the end of the exercise) "This completely stops traffic from 172.16.40.0 from getting out Ethernet 1"
Now, this is the point!!!!!!! The 172.16.40.0 network is the Sales network; we don't want their packets to get in at all! Actually they should get out, as the Finance users still might need to access the Sales LAN.
So we want the contrary, that means: prevent packets from entering E1 and do not block packets leaving E1.
Please, I stopped my CCNA studies for 2 months with this exercise; please check. I appreciate all your efforts.
Thanks in advance
Mgerson
Is our aim to stop packets
Hope this will help!!
Pramod.purohit
01-11-2010, 04:43 PM
Originally Posted by Pramod.purohit (http://www.lammle.com/discussion/showthread.php?p=8134#post8134)
See, that is a standard access list and it filters traffic based on source address, not destination.
An ACL in the inbound direction filters the traffic entering the router's interface;
an ACL in the outbound direction filters the traffic leaving the router's interface.
Until now, I completely agree with you, just to stress that, when talking about entering and leaving an interface, it's easier to think of being a node/PC connected to an Ethernet interface.
If we applied this ACL as inbound it would not work, because we want to deny the Sales LAN access to the Finance LAN (see what I mean here: if we apply this ACL as inbound on the interface connected to the Finance LAN then it will not have any effect, as this ACL is meant only to block the Sales LAN, and that is the traffic leaving the Finance interface) (No, we want the Finance LAN to deny access to the Sales LAN, because we can just deny sources here, (so the source is the Sales LAN, not the Finance LAN) so the interpretation is the other way round! The Sales LAN, which is the source, has nothing to deny in standard ACLs; it has to be denied!!! That's why the book/Todd, and I agree, that the ACL has to be placed on the Finance interface E1, (exactly, because if we place it on E0 as inbound it will block all traffic from the Sales LAN) the issue here is the direction...) (so the direction would be inbound here, not outbound)
and to reach the Finance LAN (here we still want to reach the Marketing LAN, small irrelevant mistake...) packets from the Sales LAN must exit from the E1 interface of the router (The ACL, as per the book and my logic, is not placed on E0; it's on E1, the destination (yes, it should be placed on E1) network!!). That is traffic leaving the router interface, so an ACL placed in the outbound direction will filter that traffic, not an inbound one. (Again, we don't want to control packets leaving from E0/Sales; since we want to block sources and nothing else, (so the source is Sales, not Finance) we apply them at our destination interfaces as inbound traffic.) (that is outbound traffic for the E1 interface of the router)
The Finance LAN would be able to access the Sales LAN because the traffic from the Finance subnet is entering the router's E1 interface, and there is no ACL placed as inbound to filter the traffic that comes in from E1.
Dear Pramod, you will notice what I mean; look what Todd further says after applying the list outbound:
The following (a & b statements are contradictory):
a) Users on the Sales LAN should not have access to the Finance LAN, but they should be able to access the Internet and the marketing department.
b) (at the end of the exercise) "This completely stops traffic from 172.16.40.0 from getting out Ethernet 1"
Now, this is the point!!!!!!! The 172.16.40.0 network is the Sales network; we don't want their packets to get in at all! Actually they should get out, as the Finance users still might need to access the Sales LAN.
So we want the contrary, that means: prevent packets from entering E1 and do not block packets leaving E1.
Please, I stopped my CCNA studies for 2 months with this exercise; please check. I appreciate all your efforts.
Thanks in advance
Mgerson
Hope this will help
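The interface/direction question argued above can be checked by simulating the router. This is an added example, not code from the book or the thread: it models a Cisco-style standard ACL (source-only matching, first match wins, implicit deny) and evaluates the same list 10 applied "out" on E1 as the book does versus "in" on E1 as proposed in the thread. Sales on E0 is 172.16.40.0/24 from the thread; the Finance and Marketing prefixes are not on the page and are assumed placeholders.

```python
import ipaddress

# Constructed topology for the Figure 10.2 example. Sales on E0 is 172.16.40.0/24 (from the
# thread); the Finance (E1) and Marketing (E2) prefixes are not on the page and are assumed.
NETS = {
    "E0": ipaddress.ip_network("172.16.40.0/24"),  # Sales
    "E1": ipaddress.ip_network("172.16.50.0/24"),  # Finance (assumed placeholder)
    "E2": ipaddress.ip_network("172.16.60.0/24"),  # Marketing (assumed placeholder)
}
ANY = ipaddress.ip_network("0.0.0.0/0")

def acl_permits(entries, src):
    """Standard ACL: entries are checked in order against the SOURCE address only;
    the first match decides, and an unmatched packet hits the implicit deny."""
    for action, net in entries:
        if src in net:
            return action == "permit"
    return False

def forwards(applied, src, dst):
    """Stateless per-packet check. `applied` maps (interface, 'in'|'out') -> ACL entries.
    The packet is tested against the 'in' ACL of the interface it arrives on, then the
    'out' ACL of the interface it leaves by; an interface with no ACL passes everything."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    iface = lambda ip: next(name for name, net in NETS.items() if ip in net)
    for key in ((iface(src), "in"), (iface(dst), "out")):
        if key in applied and not acl_permits(applied[key], src):
            return False
    return True

# access-list 10 deny 172.16.40.0 0.0.0.255 / access-list 10 permit any (the book's list)
ACL10 = [("deny", NETS["E0"]), ("permit", ANY)]

BOOK = {("E1", "out"): ACL10}     # ip access-group 10 out on E1, as the book applies it
PROPOSED = {("E1", "in"): ACL10}  # ip access-group 10 in on E1, as proposed in the thread

def matrix(applied):
    """The three flows the thread argues about, for one placement of list 10."""
    return {
        "sales->finance": forwards(applied, "172.16.40.10", "172.16.50.10"),
        "sales->marketing": forwards(applied, "172.16.40.10", "172.16.60.10"),
        "finance->sales": forwards(applied, "172.16.50.10", "172.16.40.10"),
    }

if __name__ == "__main__":
    for name, applied in (("book: E1 out", BOOK), ("proposed: E1 in", PROPOSED)):
        print(name, matrix(applied))
```

With list 10 inbound on E1 the Sales packets never meet it (they arrive on E0 and leave E1 outbound), so nothing is blocked; outbound on E1 they are dropped while Finance-sourced packets still pass. Because the ACL is stateless, a Sales host's reply to a connection opened from Finance is just another 172.16.40.0 packet leaving E1 and is dropped as well.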