Applying an ACL Question?
09-11-2008, 05:59 PM
I'm a little confused on where to apply an ACL after it has been created.
Do you apply it on the Router interface closest to the destination of the Packet?
When applying the access-group <value>, what is the best method in order to remember to use "in" or "out" value?
09-11-2008, 06:19 PM
It depends on what type of access list you are using.
If you're using a standard access list, then you should apply it as close to the destination as possible.
If you're using an extended access list, then you should apply it as close to the source as possible so that the data doesn't have to swarm the network.
Now... for the IN and OUT part.
The access list has to be applied to an interface.
Let's take the following command:
access-list 1 deny 10.2.2.2 0.0.0.0
Now ask yourself these questions... hold out your arms if necessary.
Do you want to block the host 10.2.2.2 from entering your interface? (in)
Or do you want to block the host 10.2.2.2 from exiting that interface and going to other networks? (out)
Let's say this:
Do you want to block 10.2.2.2 that resides on the internet from entering Router A's s0 interface?
If so, apply an IN.
10.2.2.0 /24-----Router A--s0---------internet
Or do you want to block host 10.2.2.2 from exiting s0 and accessing the internet?
If so, then apply the access-list outbound.
Hope this helps.
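Added example, not part of the thread: a small Python model of how a router evaluates the standard ACL above when it is bound to s0 in each direction, including the implicit deny that ends every ACL. The LAN interface name e0, the `permit any` line and the sample packets are assumptions constructed for illustration.

```python
import ipaddress

def parse_standard_acl(text):
    """Parse 'access-list N permit|deny SRC [WILDCARD]' lines into rules."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        action, src = parts[2], parts[3]
        if src == "any":
            addr, wild = 0, 0xFFFFFFFF
        else:
            addr = int(ipaddress.IPv4Address(src))
            wild = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        rules.append((action, addr, wild))
    return rules

def acl_permits(rules, src_ip):
    """First match wins; a standard ACL looks at the source address only."""
    src = int(ipaddress.IPv4Address(src_ip))
    for action, addr, wild in rules:
        # Wildcard bits set to 1 are "don't care" bits.
        if (src | wild) == (addr | wild):
            return action == "permit"
    return False  # implicit "deny any" at the end of every ACL

def forwarded(packet, acl, iface, direction):
    """packet = (source IP, ingress interface, egress interface).
    The ACL is consulted only if the packet crosses iface in that direction."""
    src, ingress, egress = packet
    crosses = (direction == "in" and ingress == iface) or \
              (direction == "out" and egress == iface)
    return acl_permits(acl, src) if crosses else True

# The thread's deny line plus an explicit permit (the permit is an assumption).
ACL_1 = parse_standard_acl("""
access-list 1 deny 10.2.2.2 0.0.0.0
access-list 1 permit any
""")
DENY_ONLY = parse_standard_acl("access-list 1 deny 10.2.2.2 0.0.0.0")

# Constructed packets for: 10.2.2.0/24 --e0-- Router A --s0-- internet
lan_host_to_internet = ("10.2.2.2", "e0", "s0")
lan_peer_to_internet = ("10.2.2.3", "e0", "s0")
internet_to_lan = ("198.51.100.7", "s0", "e0")

if __name__ == "__main__":
    for pkt in (lan_host_to_internet, lan_peer_to_internet, internet_to_lan):
        print(pkt, "s0 out:", forwarded(pkt, ACL_1, "s0", "out"),
              "s0 in:", forwarded(pkt, ACL_1, "s0", "in"))
```

With the deny line alone (`DENY_ONLY`), every other source is dropped as well, because nothing matches before the implicit deny.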
09-12-2008, 03:38 AM
Good answer Marcus. ;)