Re: ACLs

From: Nikhil Prashar (nyp112@xxxxxxxxxxx)
Date: Sun Jun 17 2001 - 03:11:59 GMT-3

Inbound ACLs are used on an interface for traffic coming IN to an
interface. Outbound ACLs are used on an interface for traffic going OUT
of an interface. For example, in your scenario, a client's request to
your server comes in through s0 and out to the server through e0. The
server's reply comes in through e0 and out through s0. To filter traffic
coming into the server to only a particular subnet, you have to use
what's called wildcard masking.

First, create the ACL:

Router(config)#access-list [ACL#] permit tcp [Source] [Wildcard] any eq 80

ACL#: This is the type of ACL, specified by a number. For this situation,
we need an extended IP ACL, so any number 100 through 199 will do.

Source: The beginning source IP subnet

Wildcard: The ending source IP subnet

So, if I wanted to allow all traffic from only the network 170.23.12.0,
my line would look something like this:

Router(config)#access-list 110 permit tcp 170.23.12.0 0.0.0.255 any eq 80

(keep in mind routers have an implicit deny on ACLs, so only this network
would be allowed and all other traffic will be dropped)

Next, we have to apply this IP ACL to Interface E0. This is the easy
part; all we do is make e0 part of the 110 access-group:

Router(config-if)#ip access-group 110 in

I realize this isn't explained too well, but if you tinker with it
it'll make sense really fast. Also, could I suggest putting the ACL on
the incoming s0? It's less load on your router.

Best of luck,

Nikhil Prashar
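As an added illustration, not part of the original post: a small Python model of how Cisco wildcard masking decides whether a source address matches an ACL entry, plus the implicit deny mentioned above. It only models the source-address match (no protocol or port), and the function names and sample addresses are my own constructions.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def wildcard_matches(addr: str, network: str, wildcard: str) -> bool:
    """Return True if addr matches the ACL pair 'network wildcard'.

    In a wildcard mask a 0 bit means 'this bit must match' and a 1 bit
    means 'don't care' (the inverse of a subnet mask). Only the 'care'
    bits of addr and network are compared.
    """
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & MASK32
    return (a & care) == (n & care)


def subnet_to_wildcard(mask: str) -> str:
    """Convert a dotted subnet mask to its wildcard (bitwise inverse)."""
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(~m & MASK32))


def first_match(acl, addr: str) -> str:
    """Evaluate entries in order and return the action of the first match.

    If nothing matches, return 'deny' to model the router's implicit deny.
    """
    for action, network, wildcard in acl:
        if wildcard_matches(addr, network, wildcard):
            return action
    return "deny"


# Constructed sample ACL modelled on access-list 110 in the post:
# one permit for 170.23.12.0/24, then the implicit deny for everything else.
ACL_110 = [("permit", "170.23.12.0", "0.0.0.255")]

if __name__ == "__main__":
    for src in ("170.23.12.45", "170.23.13.1", "10.0.0.1"):
        print(src, "->", first_match(ACL_110, src))
```

Wildcard masks need not be contiguous: the pair `170.23.12.0 0.0.1.255` matches both 170.23.12.x and 170.23.13.x, which a plain subnet mask cannot express.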




This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:25 GMT-3