
Author Inbound or Outbound Access-list
bhatok

2002-01-26, 10:30 pm

When applying an access-list to an interface, how do you know if it should be inbound or outbound? I've read over this many times and I'm missing something. Can someone explain the difference? The book I'm reading says:

Inbound Access List - Packets are processed through the access-list before being routed to the outbound interface.

Outbound Access List - Packets are routed to the outbound interface and then processed through the access-list.

Can anybody explain ????

Thanks
Brandon
wbafrank

2002-01-26, 11:23 pm

This may help:

For some protocols, you can apply up to two access lists to an interface: one inbound access list and one outbound access list. With other protocols, you apply only one access list which checks both inbound and outbound packets.

If the access list is inbound, when the router receives a packet, the Cisco IOS software checks the access list's criteria statements for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet.

If the access list is outbound, after receiving and routing a packet to the outbound interface, the software checks the access list's criteria statements for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet.
bhatok

2002-01-26, 11:39 pm

Thanks, now it makes a little more sense to me.
CyDiver

2002-01-27, 3:08 am

Let me see if I can put this so you understand.

Let's say you have a router with only two interfaces...inbound and outbound... then if you are applying an access list to deny traffic, it would make more sense to put it on the inbound interface, as this saves router resources because the packet is dropped immediately and not routed. Inbound access-lists affect the router as a whole.

Now if the router has more than two interfaces, the above might not work unless you want to block traffic to all possible outbound interfaces. If you want to block traffic to only one subnet, then this is where your access list will be applied on the particular interface as outbound. In this way, if the traffic is destined for another of the router's subnets, then the packet is routed there.

Hope this helps!!!
Hippo

2002-01-27, 5:01 am

bhatok

I answered a very similar question some time ago. Here's my reply; hope it helps.

Hiya

Access-lists are defined on the router. Take a standard IP access-list for example;

RouterA(config)#access-list 10 permit 172.16.100.10

Standard ACLs are defined by source IP address. This example ACL will permit traffic from host 172.16.100.10 INTO the router. When it is applied to an interface as follows:

RouterA(config)#int e0
RouterA(config-if)#ip access-group 10 in
or
RouterA(config-if)#ip access-group 10 out

the keyword 'in' means PERMIT traffic FROM this SOURCE HOST, INTO int e0 (from the router), and
the keyword 'out' means PERMIT traffic FROM this SOURCE HOST, TO GO OUT OF int e0 (into the router).

Todd Lammle covers this subject well in chapter 9 of his study guide.

Cheers
Hippo
bhatok

2002-01-27, 8:46 pm

You guys definitely got that one clear for me. Much appreciated!!!

I get better results on here than I do from school !!

Thanks a lot
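
As an added example (not part of the original thread, and a Python model rather than IOS code), the following traces the processing order wbafrank describes and the placement trade-off CyDiver describes. The three-interface topology, every address other than 172.16.100.10, and the function names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed topology (assumption): hosts sit behind e0; e1 and e2 lead to other subnets.
ROUTES = {
    "e0": ipaddress.ip_network("172.16.100.0/24"),
    "e1": ipaddress.ip_network("10.1.1.0/24"),
    "e2": ipaddress.ip_network("10.2.2.0/24"),
}
# Standard ACLs match on source address only. Sample entries are constructed.
DENY_HOST = [("deny", "172.16.100.10/32"), ("permit", "0.0.0.0/0")]
PERMIT_HOST_ONLY = [("permit", "172.16.100.10/32")]  # like "access-list 10 permit 172.16.100.10"

def acl_permits(acl, src):
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    for action, net in acl:
        if ipaddress.ip_address(src) in ipaddress.ip_network(net):
            return action == "permit"
    return False

def forward(in_if, src, dst, bindings):
    """bindings maps (interface, "in" or "out") to an ACL; returns the packet's fate."""
    acl = bindings.get((in_if, "in"))
    if acl is not None and not acl_permits(acl, src):
        return f"dropped inbound on {in_if}"       # checked before any route lookup
    out_if = next((i for i, n in ROUTES.items()
                   if ipaddress.ip_address(dst) in n), None)
    if out_if is None:
        return "dropped: no route"
    acl = bindings.get((out_if, "out"))
    if acl is not None and not acl_permits(acl, src):
        return f"dropped outbound on {out_if}"     # checked after routing
    return f"sent out {out_if}"

def compare_placements():
    """Same deny ACL, bound inbound on e0 versus outbound on e1."""
    inbound = {("e0", "in"): DENY_HOST}
    outbound = {("e1", "out"): DENY_HOST}
    results = {}
    for dst in ("10.1.1.5", "10.2.2.5"):
        results[("in", dst)] = forward("e0", "172.16.100.10", dst, inbound)
        results[("out", dst)] = forward("e0", "172.16.100.10", dst, outbound)
    return results

if __name__ == "__main__":
    for key, fate in compare_placements().items():
        print(key, "->", fate)
```

Bound inbound on e0, the deny entry stops the host from reaching either subnet; bound outbound on e1, the same entry stops it only toward 10.1.1.0/24 while traffic to 10.2.2.0/24 is still forwarded.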
Copyright 2003 - 2008 examnotes.net