OK, think of a 3-interface router with E0, E1 and S0:

    E0  ip address 192.168.1.1 255.255.255.0
    E1  ip address 192.168.2.1 255.255.255.0
    S0  192.168.3.0 255.255.255.252

    access-list 100 deny tcp any any eq 21
    access-list 100 permit ip any any

If you wanted to have users be able to FTP between E0 and E1, but not out across the WAN link S0, you would apply the access-list as:

    interface S0
     ip access-group 100 out

This would block all FTP traffic from going out across S0, but not stop (or even inspect) traffic flowing between the E0 and E1 interfaces. If you were to apply it as an "in" on S0, it would only block traffic that originated across the WAN. The big issue with this, besides that it doesn't stop E0 and E1 from FTP'ing, is that this traffic still crossed the WAN and used bandwidth only to be dropped at the router. You could re-write the access list to drop traffic with a source port of 21 and that would stop the return packets and prevent a connection, but once again the traffic still crossed the WAN. First line rewritten as:

    access-list 100 deny tcp any eq 21 any

As an alternative you could do this:

    access-list 100 permit tcp any 192.168.1.0 0.0.0.255 eq 21
    access-list 100 permit tcp any 192.168.2.0 0.0.0.255 eq 21
    access-list 100 deny tcp any any eq ftp
    access-list 100 permit ip any any

Then under the E0 and E1 interfaces:

    ip access-group 100 in

On the E0 interface the second line would permit it, while on the E1 interface the first line would. Either way, the traffic that wasn't bound for the opposite Ethernet interface would get blocked. The issue with doing this is that if you have a large amount of traffic between the interfaces, and the router is already running with high utilization, you have killed the router, because it will have to do a lookup on every packet coming into the interface, regardless of protocol and regardless of destination. Most access-lists can be re-written to be applied inbound or outbound on any interface; it all comes down to how efficient and clean you want the config to be. You can usually (IMO) tell the skill of the person administering a router(s) by how "clean" the config is. The less the router has to do to a packet, the faster it will be. Not a big issue on small office routers, but in a high-speed datacenter/LAN switching environment this becomes much more important.

Thanks
Larry

-----Original Message-----
From: none ya [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 15, 2002 9:03 PM
To: [EMAIL PROTECTED]
Subject: access-group ## in or out? [7:35578]

Would someone please give me a simple explanation/example that will clarify when to use "in" or "out" when you apply an ACL to a router interface?

Thanks!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35584&t=35578
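To make the "in" versus "out" placement in Larry's reply concrete, here is an added Python model (not code from the post or from Cisco) that parses the rewritten ACL 100, applies it inbound on E0 and E1, and reports where a packet is dropped or which interface it leaves on. The parser, the interface table, the `applied` map and the WAN host 10.0.0.5 are my own assumptions; the wildcard-mask and first-match-wins logic follow standard IOS extended ACL behaviour.

```python
import ipaddress
# Constructed model of the Cisco extended ACL logic from the post: entries are checked in
# order, first match wins, and an implicit "deny ip any any" ends every list.
PORT_NAMES = {"ftp": 21}
def _addr(t, i):  # parse 'any' or '<net> <wildcard>' at t[i] -> ((net, wild), next index)
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    return (int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1]))), i + 2
def _port(t, i):  # parse an optional 'eq <port>' at t[i] -> (port or None, next index)
    if i < len(t) and t[i] == "eq":
        return PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i
def parse_acl(lines):
    """'access-list N permit|deny proto src [eq p] dst [eq p]' -> list of entry dicts."""
    acl = []
    for line in lines:
        t = line.lower().split()
        src, i = _addr(t, 4); sport, i = _port(t, i)
        dst, i = _addr(t, i); dport, i = _port(t, i)
        acl.append({"action": t[2], "proto": t[3], "src": src, "sport": sport, "dst": dst, "dport": dport})
    return acl
def _in(ip, spec):  # wildcard-mask match: 1 bits in the mask are "don't care"
    return ((ip & ~spec[1]) & 0xFFFFFFFF) == ((spec[0] & ~spec[1]) & 0xFFFFFFFF)
def evaluate(acl, proto, src, dst, sport, dport):
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for e in acl:
        if (e["proto"] in ("ip", proto) and _in(s, e["src"]) and _in(d, e["dst"])
                and e["sport"] in (None, sport) and e["dport"] in (None, dport)):
            return e["action"]
    return "deny"  # implicit deny at the end of every access-list

# The post's three-interface router; the rewritten ACL 100 is applied "in" on E0 and E1.
IFACES = {"E0": ipaddress.ip_network("192.168.1.0/24"), "E1": ipaddress.ip_network("192.168.2.0/24")}
ACL_100 = parse_acl(["access-list 100 permit tcp any 192.168.1.0 0.0.0.255 eq 21",
                     "access-list 100 permit tcp any 192.168.2.0 0.0.0.255 eq 21",
                     "access-list 100 deny tcp any any eq ftp",
                     "access-list 100 permit ip any any"])
APPLIED = {("E0", "in"): ACL_100, ("E1", "in"): ACL_100}
def iface_of(ip):  # anything not on an Ethernet segment is reached over the WAN link S0 (assumption)
    return next((n for n, net in IFACES.items() if ipaddress.ip_address(ip) in net), "S0")

def forward(src, dst, proto="tcp", sport=40000, dport=21, applied=APPLIED):
    """Apply the inbound ACL on the ingress interface, then any outbound ACL on the egress."""
    ingress, egress = iface_of(src), iface_of(dst)
    for iface, direction in ((ingress, "in"), (egress, "out")):
        acl = applied.get((iface, direction))
        if acl and evaluate(acl, proto, src, dst, sport, dport) == "deny":
            return f"dropped {direction} on {iface}"
    return f"forwarded via {egress}"
```

Because nothing is applied on S0 in the rewritten form, a session that originates across the WAN is forwarded without inspection; pass the first ACL as `{("S0", "out"): ...}` in `applied` to compare the two placements.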

