ACL Wording confusion
eoswins
06-05-2011, 05:00 PM
Hi, I am looking over the Security chapter and have a question on ACLs. There's an example on page 616 of the newest April 2011 release of the CCNA book which does this:
access-list 10 deny 172.16.40.0 0.0.0.255
access-list 10 permit any
int fa0/1
ip access-group 10 out
So by going into interface fa0/1 and using the out keyword, is the network traffic that has a source of 172.16.40.0 actually getting into the LAN, but then when the host on int fa0/1 tries to send the packet back it's getting denied? Wait, that can't be it; the source IP address isn't 172.16.40.* anymore...
See, the wording to me is confusing. You're blocking outbound access; to me fa0/1 outbound is heading out of the LAN, not into the LAN...
TL;DR: I need a good explanation of the wording of outbound vs. inbound.
Lion66six
06-05-2011, 05:20 PM
Hi, I am looking over the Security chapter and have a question on ACLs. There's an example on page 616 of the newest April 2011 release of the CCNA book which does this:
access-list 10 deny 172.16.40.0 0.0.0.255
access-list 10 permit any
int fa0/1
ip access-group 10 out
So by going into interface fa0/1 and using the out keyword, is the network traffic that has a source of 172.16.40.0 actually getting into the LAN, but then when the host on int fa0/1 tries to send the packet back it's getting denied? Wait, that can't be it; the source IP address isn't 172.16.40.* anymore...
See, the wording to me is confusing. You're blocking outbound access; to me fa0/1 outbound is heading out of the LAN, not into the LAN...
Hey,
Good question, glad you're challenging it.
First thing to note is yes, the access list is only checked on the outbound part of the interface. However, this is the correct part to do it. To think about it, consider the path of the packet.
A machine in Sales tries to ping a machine in Finance. Let's say they are:
192.168.40.100 and 192.168.50.100.
The Sales PC will build a packet with its own source IP address and the destination address. It will also have the layer 2 data (MAC addresses). I know it will have its own source MAC, but I'm unsure about its destination in this case.
This packet will go down the line to the router. The router will check for any inbound access list on Fa0/0. Nothing stops it, so the packet arrives inside the router. It will read it and decide to route the packet down the Fa0/1 interface, as that's where the 192.168.50.0/24 network lives.
At this point it will not change the layer 3 data in the packet, aka it won't change the IP address for source or destination. It might, however, change the layer 2 stuff, the MAC address. (Clarification needed)
Before sending it down the Fa0/1 interface the access list for outbound will challenge the packet. This list is saying anything coming from the IP 192.168.40.0/24 network cannot go down here. It will read the source IP address in the packet, match the details and block it. Hence the packet will be dropped at this point.
TL;DR: I need a good explanation of the wording of outbound vs. inbound.
Inbound is when a packet comes in from a network into the router. So any time the data is flowing away from a workstation into a router, it comes into the router. Consider the router as a roundabout on the road (do you drive?). You come up to the roundabout on your road, in which case you're incoming into the roundabout.
Outbound is when the packet has been routed. The router has decided that the packet needs to head in that direction over there to get to where it needs to be. At this point, after the routing decision is made, it will hit the outbound access list, where it effectively needs permission to leave the router on its way. In driving terms, it's when you then indicate left on a roundabout, wanting to come off onto a road. You can only do this if the road is open and clear of traffic. (Or perhaps there is a barrier there; the police have closed the road. This is an example of the access list stopping you going that route.)
Hope that all helped :-)
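As an added illustration (not code from the thread or from the book), here is the packet walk described above as a small Python model of the router: wildcard-mask matching, first-match-wins with the implicit deny, and the order of the inbound check, the routing decision and the outbound check. It uses the ACL from the first post, so the Sales host is placed in 172.16.40.0/24; the interface names and the routing table are constructed assumptions.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

# The book's list: deny 172.16.40.0 0.0.0.255, then permit any.
ACL_10 = [
    ("deny", "172.16.40.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),  # how 'any' is matched
]

def acl_action(acl, src):
    """Standard ACL: only the source address is tested, first match wins,
    and anything that matches no line hits the implicit deny at the end."""
    for action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"

# Constructed topology (assumption): Sales subnet behind Fa0/0, Finance
# behind Fa0/1. The ACL is bound exactly as on the page: 'ip access-group
# 10 out' on Fa0/1 and nothing else, so Fa0/0 has no list in either direction.
ROUTES = {"172.16.40.0/24": "Fa0/0", "192.168.50.0/24": "Fa0/1"}
BINDINGS = {("Fa0/1", "out"): ACL_10}

def forward(src, dst, ingress):
    """Walk a packet through the router the way the reply describes: inbound
    list on the arrival interface, routing decision, outbound list on exit."""
    inbound = BINDINGS.get((ingress, "in"))
    if inbound and acl_action(inbound, src) == "deny":
        return ("dropped inbound", ingress)
    dst_ip = ipaddress.ip_address(dst)
    egress = next((ifc for net, ifc in ROUTES.items()
                   if dst_ip in ipaddress.ip_network(net)), None)
    if egress is None:
        return ("no route", None)
    outbound = BINDINGS.get((egress, "out"))
    if outbound and acl_action(outbound, src) == "deny":
        return ("dropped outbound", egress)
    return ("forwarded", egress)

if __name__ == "__main__":
    # Sales->Finance is dropped at Fa0/1 outbound; the reply path is forwarded.
    print(forward("172.16.40.100", "192.168.50.100", "Fa0/0"))
    print(forward("192.168.50.100", "172.16.40.100", "Fa0/1"))
```

The second call answers the original question directly: nothing on the return path is ever checked, because the only list lives on Fa0/1 in the outbound direction and the Sales packet is dropped there before it can leave.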
eoswins
06-05-2011, 07:55 PM
Thanks for the thorough explanation, that really helped. My confusion was that I was thinking that outbound and inbound were in relation to the overall path the packet was taking, instead of looking at it as if I am a router and I have inbound and outbound traffic... Thanks again, now I get it. :cool:
As for the MAC address issue, I am interested to see if anyone could clear that up.
Lion66six
06-06-2011, 12:16 PM
Not to worry, and I'm glad it all clicked in the end.
It's all about the point of view of the router: packet incoming to me, then packet outgoing to a new destination.