Re: access-group ## in or out? [7:35578]
For the ACL "in", the traffic is checked before entering the router. For the ACL "out", the traffic may enter the router from one interface, but before it is forwarded out another interface it must be checked first.

Thanks and best regards

----- Original Message -----
From: "none ya"
Sent: Saturday, February 16, 2002 4:03 AM
Subject: access-group ## in or out? [7:35578]

> Would someone please give me a simple explanation/example that will clarify
> when to use "in" or "out" when you apply an ACL to a router interface?
> Thanks!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35834&t=35578
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: access-group ## in or out? [7:35578]
Also keep in mind that inbound access lists will hammer your routing (distance vector) protocols, whereas outbound will not. Also learned that the hard way ;)

Dave

"Hire, Ejay" wrote:
>
> I just posted this in the associate group, but I'll cross-post it here.
> The context was that the chap wanted to block SMTP traffic from a specific
> external subnet.
>
> Visualize it. Let's assume your connection to the internet looks like this.
>
> Mailserver --- Ethernet0 (Router) Serial 0 --- ISP --- Badpeople
>
> The "source" of the traffic you want to block is Badpeople. Pretend you are
> the router. You want to block traffic from Badpeople (SOURCE) that is going
> to your mailserver (Destination), and you want to block it as it travels IN
> (inbound) from your ISP (Serial 0).
>
> access-list 101 deny tcp xx.xx.xx.0 0.0.0.255 host 123.123.123.123 eq 25
> access-list 101 permit ip any any
> interface serial 0
>  ip access-group 101 in
>
> Alternately, you could let the traffic cross you (the router) and block it
> as it travels OUT (outbound) of the Ethernet port (E0) towards the mail
> server. It would be a waste of router resources to let it cross the router
> before being dropped, but if this was a very busy router with many ports and
> a dedicated port to the mail server, then it might be an option.
>
> access-list 101 deny tcp xx.xx.xx.0 0.0.0.255 host 123.123.123.123 eq 25
> access-list 101 permit ip any any
> interface Ethernet 0
>  ip access-group 101 out
>
> Additionally, traffic travels in both directions. I can't think of a reason
> why you'd want to, but you could block traffic as it leaves the mail server
> (source) headed back to Badpeople (destination). This traffic would travel
> in the Ethernet port (ethernet 0, access-group xxx in) and out the serial
> port (serial 0, access-group xxx out). You don't block traffic this way (if
> possible) because you don't know what port the outbound TCP connection will
> be on.
>
> -Ejay
>
> I'm a CCNA and CCNP and I'm looking for full-time or contract work; please
> contact me off-list if you have any openings or suggestions.
>
> -----Original Message-----
> From: none ya [mailto:[EMAIL PROTECTED]]
> Sent: Friday, February 15, 2002 9:03 PM
> To: [EMAIL PROTECTED]
> Subject: access-group ## in or out? [7:35578]
>
> Would someone please give me a simple explanation/example that will clarify
> when to use "in" or "out" when you apply an ACL to a router interface?
> Thanks!

--
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367
"Emotion should reflect reason not guide it"

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35794&t=35578
RE: access-group ## in or out? [7:35578]
I just posted this in the associate group, but I'll cross-post it here. The context was that the chap wanted to block SMTP traffic from a specific external subnet.

Visualize it. Let's assume your connection to the internet looks like this.

Mailserver --- Ethernet0 (Router) Serial 0 --- ISP --- Badpeople

The "source" of the traffic you want to block is Badpeople. Pretend you are the router. You want to block traffic from Badpeople (SOURCE) that is going to your mailserver (Destination), and you want to block it as it travels IN (inbound) from your ISP (Serial 0).

access-list 101 deny tcp xx.xx.xx.0 0.0.0.255 host 123.123.123.123 eq 25
access-list 101 permit ip any any
interface serial 0
 ip access-group 101 in

Alternately, you could let the traffic cross you (the router) and block it as it travels OUT (outbound) of the Ethernet port (E0) towards the mail server. It would be a waste of router resources to let it cross the router before being dropped, but if this was a very busy router with many ports and a dedicated port to the mail server, then it might be an option.

access-list 101 deny tcp xx.xx.xx.0 0.0.0.255 host 123.123.123.123 eq 25
access-list 101 permit ip any any
interface Ethernet 0
 ip access-group 101 out

Additionally, traffic travels in both directions. I can't think of a reason why you'd want to, but you could block traffic as it leaves the mail server (source) headed back to Badpeople (destination). This traffic would travel in the Ethernet port (ethernet 0, access-group xxx in) and out the serial port (serial 0, access-group xxx out). You don't block traffic this way (if possible) because you don't know what port the outbound TCP connection will be on.

-Ejay

I'm a CCNA and CCNP and I'm looking for full-time or contract work; please contact me off-list if you have any openings or suggestions.

-----Original Message-----
From: none ya [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 15, 2002 9:03 PM
To: [EMAIL PROTECTED]
Subject: access-group ## in or out? [7:35578]

Would someone please give me a simple explanation/example that will clarify when to use "in" or "out" when you apply an ACL to a router interface?
Thanks!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35737&t=35578
Re: access-group ## in or out? [7:35578]
Look at it from both the router and the interface perspective, e.g. if the interface facing your LAN is E0 and the interface to the internet is S0.

For traffic coming from your LAN into the router through the E0 interface: as the traffic is entering that interface from your LAN it is 'in', and as it passes and goes out of that interface into the backplane of the router, it is considered 'out' relative to interface E0 and 'in' relative to interface S0; when it leaves interface S0 into the internet, it is then considered 'out' relative to interface S0.

For traffic coming from the internet into the router through the S0 interface: as the traffic is entering that interface from the internet it is 'in', and as it passes and goes out of that interface into the backplane of the router, it is considered 'out' relative to interface S0 and 'in' relative to interface E0; when it leaves interface E0 into your LAN, it is then considered 'out' relative to interface E0.

You now see that each interface has two instances of 'in' and two instances of 'out'. Most security designs use 'in' more often than 'out', and you should consider using it as well if tight security implementation is your goal. The 'in' keyword makes the router examine the packets before they enter the interface and imposes the access-list on the traffic before it ever has the chance of entering either the router or your network, while the 'out' keyword only does that after the traffic has passed through the interface in question; this should only be allowed for trusted traffic for which you only want to disallow access to certain services. If you want to restrict a particular source address from entering your network or router, using the 'out' keyword has no effect, and it is a security breach because the traffic would have entered your router or network before it is acted upon.

Have a clear picture of what you want the access-list to do against the particular traffic; that will give you a clue on the keyword to use. However, for me security is always at the back of my mind, so by default I use the 'in' keyword except where otherwise unnecessary.

Regards.
Oletu

----- Original Message -----
From: none ya
Sent: Friday, February 15, 2002 6:03 PM
Subject: access-group ## in or out? [7:35578]

> Would someone please give me a simple explanation/example that will clarify
> when to use "in" or "out" when you apply an ACL to a router interface?
> Thanks!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35651&t=35578
Re: access-group ## in or out? [7:35578]
It's all from the router's perspective: traffic from the LAN is coming IN your Ethernet interface; traffic from the net is coming in the net-connected interface, and out your LAN-connected int.

Brian

On Fri, 15 Feb 2002, none ya wrote:

> Would someone please give me a simple explanation/example that will clarify
> when to use "in" or "out" when you apply an ACL to a router interface?
> Thanks!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35643&t=35578
Re: access-group ## in or out? [7:35578]
'in' or 'out' depends on whether you want to apply the access list to the incoming or outgoing interface. Outgoing is the default.

Jenn

2/15/2002 8:03:07 PM, "none ya" wrote:

> Would someone please give me a simple explanation/example that will clarify
> when to use "in" or "out" when you apply an ACL to a router interface?
> Thanks!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35642&t=35578
RE: access-group ## in or out? [7:35578]
OK, think of a 3-interface router: E0, E1, S0.

E0 ip address 192.168.1.1 255.255.255.0
E1 ip address 192.168.2.1 255.255.255.0
S0 192.168.3.0 255.255.255.252

access-list 100 deny tcp any any eq 21
access-list 100 permit ip any any

If you wanted to have users be able to FTP between E0 and E1, but not out across the WAN link S0, you would apply the access-list as:

S0
 ip access-group 100 out

This would block all FTP traffic from going out across S0, but not stop (or even inspect) traffic flowing between the E0 and E1 interfaces.

If you were to apply it as an "in" on S0, it would only block traffic that originated across the WAN. The big issue with this, besides that it doesn't stop E0 and E1 from FTP'ing, is that this traffic still crossed the WAN and used bandwidth only to be dropped at the router. You could re-write the access list to drop traffic with a source port of 21, and that would stop the return packets and prevent a connection, but once again the traffic still crossed the WAN. First line rewritten as:

access-list 100 deny tcp any eq 21 any

As an alternative you could do this.

access-list 100 permit tcp any 192.168.1.0 0.0.0.255 eq 21
access-list 100 permit tcp any 192.168.2.0 0.0.0.255 eq 21
access-list 100 deny tcp any any eq ftp
access-list 100 permit ip any any

Then under the E0 and E1 interfaces:

 ip access-group 100 in

On the E0 interface the second line would permit it, while on the E1 interface the first line would. Either way, the traffic that wasn't bound for the opposite Ethernet interface would get blocked. The issue with doing this is that if you have a large amount of traffic between the interfaces, and the router is already running with high utilization, you have killed the router, because it will have to do a lookup on every packet coming into the interface, regardless of protocol and regardless of destination.

Most access-lists can be re-written to be applied inbound or outbound on any interface; it all comes down to how efficient and clean you want the config to be. You can usually (IMO) tell the skill of the person administrating a router(s) by how "clean" the config is. The less the router has to do to a packet, the faster it will be. Not big on small office routers, but in a high speed datacenter/LAN switching environment, this becomes much more important.

Thanks
Larry

-----Original Message-----
From: none ya [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 15, 2002 9:03 PM
To: [EMAIL PROTECTED]
Subject: access-group ## in or out? [7:35578]

Would someone please give me a simple explanation/example that will clarify when to use "in" or "out" when you apply an ACL to a router interface?
Thanks!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35584&t=35578
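As an added example (not code from any poster in this thread), a small Python model of how an IOS router evaluates an inbound versus an outbound access-group, run against Larry's three-interface router and his two versions of access-list 100; the same direction semantics apply to Ejay's SMTP example earlier in the thread. The default route via S0, the host addresses, the wildcard-match and first-match logic, and the `router_with`/`ftp` helpers are assumptions made for the example.

```python
import ipaddress
from collections import namedtuple

# One access-list entry; proto is "ip" or "tcp", dport models "eq <port>" on the destination.
Ace = namedtuple("Ace", "action proto src dst dport", defaults=(None,))
ANY = ("0.0.0.0", "255.255.255.255")  # IOS "any": address 0.0.0.0, wildcard 255.255.255.255

def wild_match(addr, pair):
    """Wildcard-mask match: 1 bits in the mask are ignored, 0 bits must be equal."""
    a, base, wild = (int(ipaddress.IPv4Address(x)) for x in (addr, *pair))
    return (a ^ base) & ~wild & 0xFFFFFFFF == 0

def acl_permits(acl, pkt):
    """First matching entry decides; falling off the end is the implicit deny."""
    for ace in acl:
        if (ace.proto in ("ip", pkt["proto"]) and wild_match(pkt["src"], ace.src)
                and wild_match(pkt["dst"], ace.dst) and ace.dport in (None, pkt["dport"])):
            return ace.action == "permit"
    return False

def forward(router, pkt, ingress):
    """An inbound ACL is checked on the arriving interface before the route lookup;
    an outbound ACL is checked on the egress interface the lookup selects."""
    acl = router["ifaces"][ingress].get("in")
    if acl and not acl_permits(acl, pkt):
        return ("dropped", f"{ingress} in")
    dst = ipaddress.IPv4Address(pkt["dst"])
    egress = next(i for net, i in router["routes"] if dst in ipaddress.IPv4Network(net))
    acl = router["ifaces"][egress].get("out")
    if acl and not acl_permits(acl, pkt):
        return ("dropped", f"{egress} out")
    return ("forwarded", egress)

# Larry's three-interface router; the default route via S0 is a constructed assumption.
ROUTES = [("192.168.1.0/24", "E0"), ("192.168.2.0/24", "E1"), ("0.0.0.0/0", "S0")]
ACL100 = [Ace("deny", "tcp", ANY, ANY, 21), Ace("permit", "ip", ANY, ANY)]
ACL100_ALT = [Ace("permit", "tcp", ANY, ("192.168.1.0", "0.0.0.255"), 21),
              Ace("permit", "tcp", ANY, ("192.168.2.0", "0.0.0.255"), 21),
              Ace("deny", "tcp", ANY, ANY, 21), Ace("permit", "ip", ANY, ANY)]

def router_with(**applied):
    """applied maps an interface name to {"in": acl} or {"out": acl}; the rest carry no ACL."""
    ifaces = {"E0": {}, "E1": {}, "S0": {}}
    ifaces.update(applied)
    return {"routes": ROUTES, "ifaces": ifaces}

def ftp(src, dst):
    """Constructed packet: a TCP segment to the FTP control port (21)."""
    return {"proto": "tcp", "src": src, "dst": dst, "dport": 21}
```

With ACL 100 applied `out` on S0, FTP between the two Ethernet segments is forwarded untouched while FTP towards the WAN is dropped at "S0 out"; applied `in` on S0 it only stops FTP arriving from the WAN, and the rewritten list applied `in` on E0 and E1 drops WAN-bound FTP already at the LAN interface.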
access-group ## in or out? [7:35578]
Would someone please give me a simple explanation/example that will clarify when to use "in" or "out" when you apply an ACL to a router interface?
Thanks!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35578&t=35578