the difference would be if you were using standard or extended access
lists.

apply standard access lists at the destination router
apply extended access lists at the source router

so for your example to block access to lan B from lan A

apply a standard access list to the in port of router B
or
apply an extended access list to the out port of router A 

so to further your example,  forbid tcp access to router b from host
10.0.10.10

            rd
             |
ra----------rc----------rb

ra = router a
rb = router b
rc = router c
rd =  router d

using a standard access list to stop 10.0.10.10 traffic on ra will cause
no access to rc or rd
using an extended access list on rb to stop tcp traffic will still allow
traffic to rc and rd




> Raees Ahmed Shaikh wrote:
> 
> Dear Buddies,
> 
> The following situation is given as an example.
> 
>                                         Router A
> --------------------LAN A-------------------E0-[X]-S0------------------LAN B----------------------
> 
> If I need to block LAN A access to LAN B,
> 
> I can apply the access list to Router A's  Ethernet E0 as in,
> and if I apply to the E0 out the packet should come inside checked
> against the out criteria and dependently dropped.
> 
> I could apply the access list to Router A's Serial S0 as in,  assuming
> the E0 accepted the packet and is forwarding to S0, so it would be an
> incoming packet for S0, would it work.
> 
> I could apply the access list to Router A's Serial S0 as out,
> assuming the S0 accepted the packet and is applying the list before
> forwarding to the LAN B.
> 
> I have not included another router just to simplify the matter.
> 
> Actually I am really confused
> 
>  Some of the confused questions are as follows
> 
> How and where should the access list be placed and applied to the in/out of
> the interfaces.
> 

see above

> Is the in/out concept  with respect to the link/and or interface.
> meaning to say if the access list is applied to an interface as in,
> the packets coming from outside will be tested. What about the packets
> coming in from the other internal interface of the router it will be
> treated as in or out,  ( Think of a two-way door, opening both sides,
> which is in and which is out in respect  to both sides)
>
any other internal interfaces on the router should be on a different
network.

if the data is destined for the network the router interface is on it's
in
if the data is destined for a network other than the one the router
interface is on it's out

> Is the access list common for all the interfaces, like, Ethernet,
> Serial, Token, ISDN, Frame-Relay.
> 
  access lists for the most part are protocol based, TCP/IP, Appletalk,
IPX
  
> Can I apply a same access list to both  in and out ports of an
> interface, What about different access list to the same interface.
> 
  some you can, some are applied to both in and out.

> Does the access list check the criteria, on the internal interface
> of the same router, meaning if an Ethernet is passing to serial is the
> 
> I could only guess that access lists concepts in/out are w.r.t.x where
> x is the link/int or ??????.
> 
> If  anybody could put more lights on this I would really be obliged,
> 
> Thanks in Advance.
> 
> Shaikh Raees Ahmed,
> Microsoft Certified Systems Engineer,
> CCNA , CCDA,
> Systems & Network,
> IT Division.
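
The two placements from the reply above (standard list on ra, extended list on rb), as an added example that is not part of the original thread: a small Python model of the matching rules, in which a standard entry matches the source address only and an extended entry matches protocol, source and destination. The router addresses are constructed for the illustration (only 10.0.10.10 comes from the post), and each list is assumed to end with a permit-any entry.

```python
# Added illustration: models only the ACL matching rules, not Cisco IOS itself.
# Router addresses are constructed; only the host 10.0.10.10 is from the post.
HOST = "10.0.10.10"
ADDR = {"rb": "10.0.20.1", "rc": "10.0.30.1", "rd": "10.0.40.1"}  # constructed

# Routers a packet from the host (behind ra) crosses to reach each target,
# following the ra----rc----rb diagram with rd hanging off rc.
PATH = {"rc": ["ra", "rc"], "rd": ["ra", "rc", "rd"], "rb": ["ra", "rc", "rb"]}


def standard_deny(src):
    """Standard ACL entry: can match on the source address only."""
    return lambda pkt: pkt["src"] == src


def extended_deny(proto, src, dst):
    """Extended ACL entry: matches protocol, source and destination."""
    return lambda pkt: (pkt["proto"], pkt["src"], pkt["dst"]) == (proto, src, dst)


def delivered(pkt, target, acls):
    """True if no router on the path holds a deny entry matching the packet.
    Unmatched packets pass (assumes a trailing permit-any in every list)."""
    for router in PATH[target]:
        if any(rule(pkt) for rule in acls.get(router, [])):
            return False
    return True


def reachability(acls):
    """Map (target, protocol) -> delivered? for traffic sent by HOST."""
    result = {}
    for target in PATH:
        for proto in ("tcp", "icmp"):
            pkt = {"proto": proto, "src": HOST, "dst": ADDR[target]}
            result[(target, proto)] = delivered(pkt, target, acls)
    return result


STANDARD_ON_RA = {"ra": [standard_deny(HOST)]}
EXTENDED_ON_RB = {"rb": [extended_deny("tcp", HOST, ADDR["rb"])]}

if __name__ == "__main__":
    for name, acls in (("standard on ra", STANDARD_ON_RA),
                       ("extended on rb", EXTENDED_ON_RB)):
        print(name)
        for (target, proto), ok in reachability(acls).items():
            print(f"  {proto:4} -> {target}: {'permit' if ok else 'deny'}")
```

With the standard list on ra every packet from the host is dropped, including traffic to rc and rd; with the extended list on rb only TCP to rb is dropped.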
