Author Access-group
Hugh

2001-08-21, 7:22 pm

RouterC S0 (172.16.40.1) connects to RouterD S1 (172.16.40.2); RouterC S1 is 172.16.20.2.
RouterD-->
access-list 110 deny tcp host 172.16.40.2 host 172.16.20.2 eq telnet
access-list 110 permit ip any 0.0.0.0 255.255.255.255

My question is: could I apply
int s1
ip access-group 110 out
on RouterC?

Or must it be applied on RouterD?
Thanks!
(telnet from RouterD to RouterC S1 doesn't work)
Hoon

2001-08-22, 12:58 am

Apply on router D.
Hugh

2001-08-22, 6:13 pm

RouterC S0 (172.16.40.1) connects to RouterD S1 (172.16.40.2)

RouterD-->
access-list 110 deny tcp host 172.16.40.2 host 172.16.40.1 eq telnet
access-list 110 permit ip any 0.0.0.0 255.255.255.255
int s1
ip access-group 110 out

Why can I not deny telnet to 172.16.40.1 from RouterD (172.16.40.2)? It is still open. Why? Thanks!
MadChef

2001-08-23, 5:05 am

Router-generated packets are not subject to being filtered by outbound access lists, and I believe that's what you're encountering here. Try to apply this inbound on your other router, or if telnet is really what you're after, apply an access-class out on RtrD or in on RtrC.

MadChef
Hugh

2001-08-24, 5:01 pm

I got it!
http://www.faqs.org/faqs/cisco-networking-faq/
In general, Basic access lists are executed as filters on outgoing interfaces. Newer releases of the cisco code, such as 9.21 and 10, do have increased ability to filter on incoming ports. Certain special cases, such as broadcasts and bridged traffic, can be filtered on incoming interfaces in earlier releases. There are also special cases involving console access. Rules, written as ACCESS-LIST statements, are global for the entire cisco box; they are activated on individual outgoing interfaces by ACCESS-GROUP subcommands of the INTERFACE major command. Filters are applied after traffic has entered on an incoming interface and gone through a routing process; traffic that originates in a router (e.g., telnets from the console port) is not subject to filtering.
Retired-Mod

2001-08-24, 5:10 pm

To take MadChef's statement a step further, though the concept is the same, when you do policy routing on a router you cannot verify it is working from that router, for the same reason, and that can be really annoying!

Retired
depamo

2001-08-24, 5:43 pm

You cannot apply an access list to filter traffic originating from the router. Filters only affect traffic passing through the router.
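Putting the thread's answers into configuration, as an added example that is not from any of the posters: the outbound access-group Hugh tried on RouterD, beside the two placements MadChef suggested that do stop RouterD's telnet to RouterC. Addresses are the ones from the thread; the ACL numbers 110 and 10 and the vty range 0 4 are assumptions.

```cisco
! Added example, not from the thread. Topology as Hugh described it:
! RouterC s0 = 172.16.40.1  <-->  RouterD s1 = 172.16.40.2 ; RouterC s1 = 172.16.20.2
!
! --- What Hugh tried on RouterD: does NOT block RouterD's own telnet ---
! An outbound access-group only sees transit traffic. Packets RouterD
! itself originates (a telnet from its console) never pass through it.
access-list 110 deny   tcp host 172.16.40.2 host 172.16.40.1 eq telnet
access-list 110 permit ip any any
interface Serial1
 ip access-group 110 out
!
! --- Option 1: filter INBOUND on RouterC s0 ---
! RouterC receives the packet on s0, so an inbound access-group is
! evaluated no matter who originated it. Both of RouterC's addresses
! are listed, since the first post telnets to 172.16.20.2.
access-list 110 deny   tcp host 172.16.40.2 host 172.16.40.1 eq telnet
access-list 110 deny   tcp host 172.16.40.2 host 172.16.20.2 eq telnet
access-list 110 permit ip any any
interface Serial0
 ip access-group 110 in
!
! --- Option 2: protect RouterC's vty lines with access-class ---
! access-class is checked when a session is opened to the vty lines
! themselves, so it applies whichever interface or address the telnet
! arrives on, and it does not touch transit traffic at all.
access-list 10 deny   172.16.40.2
access-list 10 permit any
line vty 0 4
 access-class 10 in
```

Option 2 is the narrower control: it affects only logins to RouterC, whereas the inbound ACL in option 1 is consulted for every packet entering s0.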
Copyright 2003 - 2009 examnotes.net