Also keep in mind that inbound access lists will hammer your routing
(distance vector) protocols whereas outbound will not.

  Also learned that the hard way ;)

  Dave

"Hire, Ejay" wrote:
> 
> I Just posted this in the associate group, but I'll cross-post it here.
> The context was that the chap wanted to block smtp traffic from a specific
> external subnet.
> 
> Visualize it.  Let's assume your connection to the internet looks like this.
> Mailserver --- Ethernet0 (Router) Serial 0 --- ISP --- Badpeople
> 
> The "source" of the traffic you want to block is badpeople.  Pretend you are
> the router.  You want to block traffic from badpeople (SOURCE) that is going
> to your mailserver (Destination) and you want to block it as it travels IN
> (Inbound) from your ISP (Serial 0).
> -access-list 101 deny tcp xx.xx.xx.0 0.0.0.255 host 123.123.123.123 eq 25
> -access-list 101 permit ip any any
> -interface serial 0
> -ip access-group 101 in
> 
> Alternately, you could let the traffic cross you (the router) and block it
> as it travels OUT (outbound) of the Ethernet port (E0) towards the mail
> server.  It would be a waste of router resources to let it cross the router
> before being dropped, but if this was a very busy router with many ports and
> a dedicated port to the mail server then it might be an option.
> -access-list 101 deny tcp xx.xx.xx.0 0.0.0.255 host 123.123.123.123 eq 25
> -access-list 101 permit ip any any
> -interface Ethernet 0
> -ip access-group 101 out
> 
> Additionally, traffic travels in both directions.  I can't think of a reason
> why you'd want to, but you could block traffic as it leaves the mail server
> (source) headed back to badpeople (destination).  This traffic would travel
> in the ethernet port (ethernet 0 access-group xxx in) and out the serial
> port (serial 0 access-group xxx out).  You don't block traffic this way (if
> possible) because you don't know what port the outbound tcp connection will
> be on.
> 
> -Ejay
> 
> I'm a CCNA and CCNP and I'm looking for full-time or Contract work, please
> contact me off-list if you have any openings or suggestions.
> 
> -----Original Message-----
> From: none ya [mailto:[EMAIL PROTECTED]]
> Sent: Friday, February 15, 2002 9:03 PM
> To: [EMAIL PROTECTED]
> Subject: access-group ## in or out? [7:35578]
> 
> Would someone please give me a simple explanation/example that will clarify
> when to use "in" or "out" when you apply an ACL to a router interface?
> Thanks!
-- 
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367

"Emotion should reflect reason not guide it"
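The in/out placement Ejay walks through above, worked as a small model of how a router evaluates an extended ACL. This is an added example written for this page, not code from the thread or from Cisco: the Router class, its two-entry route table and the packet/ACE representation are simplifications I assume here (no stateful inspection, no "established" handling), and the addresses are constructed from RFC 5737 documentation ranges standing in for xx.xx.xx.0 (badpeople) and the mail server. It shows the same deny landing on "Serial0 in" or on "Ethernet0 out" depending on where the list is bound, and why an entry keyed on destination port 25 never matches the reply packet, whose destination port is the client's ephemeral port.

```python
"""Model of IOS extended-ACL evaluation in the 'in' and 'out' direction.

Added example, not part of the original post.  Router, route table and ACE
syntax are simplified assumptions; addresses are constructed test data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def wild_match(addr: str, spec: str, wild: str) -> bool:
    """IOS wildcard mask: a 1 bit in the mask means 'don't care'."""
    if spec == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    s = int(ipaddress.IPv4Address(spec))
    w = int(ipaddress.IPv4Address(wild))
    return (a & ~w) == (s & ~w)


@dataclass(frozen=True)
class Ace:
    """One entry, e.g. 'deny tcp A.B.C.0 0.0.0.255 host X.X.X.X eq 25'."""
    action: str                  # "permit" | "deny"
    proto: str                   # "ip" | "tcp" | "udp"
    src: str                     # address or "any"
    src_wild: str = "0.0.0.0"    # 0.0.0.0 wildcard == 'host'
    dst: str = "any"
    dst_wild: str = "0.0.0.0"
    dport: Optional[int] = None  # 'eq <port>' on the destination port

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wild_match(p.src, self.src, self.src_wild):
            return False
        if not wild_match(p.dst, self.dst, self.dst_wild):
            return False
        return self.dport is None or p.dport == self.dport


def evaluate(acl, p: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


@dataclass
class Router:
    routes: list     # (network, interface); longest prefix wins
    bindings: dict   # (interface, "in"|"out") -> list of Ace

    def iface_for(self, addr: str) -> str:
        best = None
        for net, iface in self.routes:
            n = ipaddress.IPv4Network(net)
            if ipaddress.IPv4Address(addr) in n:
                if best is None or n.prefixlen > best[0].prefixlen:
                    best = (n, iface)
        return best[1]

    def forward(self, p: Packet):
        """Inbound ACL on the ingress port first, then outbound on egress."""
        ingress = self.iface_for(p.src)
        egress = self.iface_for(p.dst)
        for iface, direction in ((ingress, "in"), (egress, "out")):
            acl = self.bindings.get((iface, direction))
            if acl is not None and evaluate(acl, p) == "deny":
                return ("dropped", f"{iface} {direction}")
        return ("forwarded", f"{ingress} -> {egress}")


# Constructed topology: LAN with the mail server on Ethernet0, default to ISP.
ROUTES = [("192.0.2.0/24", "Ethernet0"), ("0.0.0.0/0", "Serial0")]
BADPEOPLE_NET, MAILSERVER = "203.0.113.0", "192.0.2.10"

# access-list 101 deny tcp <badpeople> 0.0.0.255 host <mailserver> eq 25
# access-list 101 permit ip any any
ACL_101 = [
    Ace("deny", "tcp", BADPEOPLE_NET, "0.0.0.255", MAILSERVER, "0.0.0.0", dport=25),
    Ace("permit", "ip", "any"),
]


def demo() -> dict:
    inbound = Packet("tcp", "203.0.113.5", 40000, MAILSERVER, 25)
    reply = Packet("tcp", MAILSERVER, 25, "203.0.113.5", 40000)
    other = Packet("tcp", "198.51.100.7", 50000, MAILSERVER, 25)
    out = {}
    # Option 1: 'ip access-group 101 in' on Serial 0 -- dropped on entry.
    r1 = Router(ROUTES, {("Serial0", "in"): ACL_101})
    out["serial0_in"] = r1.forward(inbound)
    out["serial0_in_other"] = r1.forward(other)
    # Option 2: same list 'out' on Ethernet 0 -- crosses the router first.
    r2 = Router(ROUTES, {("Ethernet0", "out"): ACL_101})
    out["ethernet0_out"] = r2.forward(inbound)
    # Mirrored entry 'out' on Serial 0 keyed on dst port 25 misses the reply,
    # because the reply's destination port is the client's ephemeral port.
    mirrored = [
        Ace("deny", "tcp", MAILSERVER, "0.0.0.0", BADPEOPLE_NET, "0.0.0.255", dport=25),
        Ace("permit", "ip", "any"),
    ]
    r3 = Router(ROUTES, {("Serial0", "out"): mirrored})
    out["serial0_out_reply"] = r3.forward(reply)
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

Note that the model evaluates the ingress port's inbound list before the egress port's outbound list, which is the order an IOS router applies them; the "permit ip any any" at the end is what keeps unrelated mail (the 198.51.100.7 packet) flowing, and without it the implicit deny would drop everything else arriving on that port.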




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35794&t=35578