Hi Elie,

The order of hosts/networks and ports listed in each ACE, and the direction and interface to which the ACL is applied, are directly correlated. Consider the following HTTP traffic flow:

    100.100.100.1 ----------fa0/0-->(R1)--fa0/1---------> Internet

Per your example, host 100.100.100.1 is sending an HTTP request packet to the Internet. The packet enters R1 on interface fa0/0 and exits R1 on interface fa0/1 to reach the Internet. An ACL can be applied "in" or "out" on either fa0/0 or fa0/1. But the order of elements in the ACE and the direction/interface to which the ACL is applied makes all the difference in whether it works.

An extended ACL entry is always written in the form:

    ACTION PROTOCOL SRC_NET SRC_MASK [eq SRC_PORT] DST_NET DST_MASK [eq DST_PORT]

In other words, it's describing traffic FROM the source TO the destination. So your ACL looks like this:

    access-list 101 deny tcp host 100.100.100.1 any eq www

Which is evaluated as this:

    ACTION=deny
    PROTOCOL=tcp
    SRC_NET=100.100.100.1
    SRC_MASK=255.255.255.255 (implied by 'host' keyword)
    SRC_PORT=any (implied by lack of specified port)
    DST_NET=any
    DST_MASK=any (implied by 'any' destination net)
    DST_PORT=80 (implied by 'www' keyword)

Now, there are four ways to assign it:

    "in" to fa0/0
    "out" to fa0/0
    "in" to fa0/1
    "out" to fa0/1

Consider the impact from each option:

*"in" on fa0/0:* This would be the desired place, as traffic arriving (coming "in") to fa0/0 might match the specified source and destination information.

*"out" on fa0/0:* There's no way a packet egressing fa0/0 could (well, should) have a source IP of 100.100.100.1, so you'd never match your ACL.

*"in" on fa0/1:* Same as above, you should never see your source 100.100.100.1 *entering* fa0/1. You would never match the ACL if it were applied in this way.

*"out" on fa0/1:* This would also work, as traffic from 100.100.100.1 to the Internet could be egressing out from this interface toward the Internet.

So you could apply your ACL in these two fashions:

    int fa0/0
     ip access-group 101 in

OR

    int fa0/1
     ip access-group 101 out

So which is better? Well, general security practices suggest killing traffic as close to the source as possible. Why process it on one or more devices only to drop it later on? So (assuming no lab-related restrictions), applying this ACL to the input direction on fa0/0 would be preferable. If you were restricted from applying an ACL on fa0/0, you could also apply it outbound on fa0/1 to drop the traffic as it is leaving R1. The net effect is blocking the HTTP requests coming from the client going to destination port 80 on an Internet-connected host.

You could, alternatively, allow the request out and block the response. You'd flip your ACL around as such:

    access-list 101 deny tcp any eq www host 100.100.100.1

And then you'd apply it either inbound on fa0/1, OR outbound on fa0/0. You never need to apply it to both.

Also keep in mind that your ACL, as written, would also block all other traffic due to the implicit 'deny ip any any' at the end of every ACL. If you were only trying to block that one flow, you'd need a 'permit ip any any' at the end.

I can't think of a better place to look this stuff up than in the DOC-CD:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/12-4t/sec-access-list-ov.html

Being as this is a CCIE study list, I recommend pursuing the CCNA or CCNP curriculums to learn these fundamentals before heading after the CCIE.

Best Regards,
Bob

On Sat, Mar 3, 2012 at 2:15 PM, Elie Raad <[email protected]> wrote:
>
> Hello Bob
>
> I have a misunderstanding in the access-list inbound direction and
> outbound direction compared to the source and destination in an
> access-list. Assuming I want to deny an IP address (100.100.100.1) from
> accessing the web,
> so I use access-list 101 deny host 100.100.100.1 any eq www.
> My problem is when applying it.
> Should I apply it inbound or outbound, and why?
> Anyway, if you have some links that talk in detail about this topic!
>
> Best Regards,
> elie

_______________________________________________
http://onlinestudylist.com/mailman/listinfo/ccie_rs
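To make the four placement options concrete, here is an added Python model of the reasoning in Bob's reply (not code from the thread or from Cisco IOS): a toy parser for the ACE syntax used above, first-match evaluation with the implicit deny, and a check of which interface/direction points the request and the reply actually cross. The Internet host 203.0.113.10 and the client port 40000 are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80}  # keyword used in the thread; IOS knows many more

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def parse_ace(line):
    """Parse 'access-list N ACTION PROTO SRC [eq P] DST [eq P]' in the order the reply lays out.
    Toy parser for the syntax in the thread (host / any / net wildcard, eq); not IOS itself."""
    toks = line.split()
    action, proto, rest = toks[2], toks[3], toks[4:]
    def addr():
        nonlocal rest
        if rest[0] == "any":
            net, rest = ipaddress.ip_network("0.0.0.0/0"), rest[1:]
        elif rest[0] == "host":
            net, rest = ipaddress.ip_network(rest[1] + "/32"), rest[2:]
        else:  # 'NET WILDCARD': ipaddress accepts the inverse (wildcard) mask directly
            net, rest = ipaddress.ip_network(f"{rest[0]}/{rest[1]}"), rest[2:]
        port = None
        if rest[:1] == ["eq"]:
            port, rest = PORT_NAMES.get(rest[1]) or int(rest[1]), rest[2:]
        return net, port
    src, sport = addr()
    dst, dport = addr()
    return (action, proto, src, sport, dst, dport)

def evaluate(acl, pkt):
    """First matching ACE wins; the implicit 'deny ip any any' catches everything else."""
    for action, proto, src, sport, dst, dport in acl:
        if proto not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in src or ipaddress.ip_address(pkt.dst) not in dst:
            continue
        if sport not in (None, pkt.sport) or dport not in (None, pkt.dport):
            continue
        return action
    return "deny"

# (interface, direction) points crossed in the thread's topology by the request and by the reply
REQUEST_PATH = (("fa0/0", "in"), ("fa0/1", "out"))
REPLY_PATH = (("fa0/1", "in"), ("fa0/0", "out"))

def dropped_at(acl, point, pkt, path):
    """True if an ACL applied at point drops pkt; an ACL never sees traffic that does not cross it."""
    return point in path and evaluate(acl, pkt) == "deny"
```

Running the request through all four points shows only "in" on fa0/0 and "out" on fa0/1 drop it, and the flipped ACE only drops the reply at the other two points.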
