RE: Access-list 's in and out

From: Driessens.Hans (hans.driessens@siemens.com)
Date: Wed Feb 18 2004 - 13:47:43 GMT-3


Hi all

there is also the "source routing" thing. If your topology has more exit
points and different outgoing access-lists and source routing is enabled, it
might be possible to circumvent an acl.
(a bit far-fetched maybe, but it can be a big difference :)
If a packet is strictly source routed, the source ip changes during
transport so acls need to respond to that

Hans D
#12844 security

-----Original Message-----
From: Packet Man [mailto:ccie2b@hotmail.com]
Sent: Wednesday, February 18, 2004 15:02
To: gitsyoung@yahoo.co.jp; ccielab@groupstudy.com
Subject: RE: Access-list 's in and out

Actually, Tom, there's not much difference in effect - the denied packets
will either be dropped when they try to enter the router or they'll be
dropped when they try to leave the router. Either way the denied packets are
dropped.

For example, let's say you need to block pings from users on the inside to
all ip addresses on the outside and you have a 2 interface router where 1
interface is a LAN interface on the inside and the other is a WAN interface
connected to the outside.

Once you create your access-list, you need to apply it to an interface. If
you apply it to your LAN interface, the pings will get dropped at the LAN
interface before being processed by the router's cpu, before a table lookup
is done and before the packets are switched to the WAN interface. As a
result, you save a bit of router resources.

If, however, you apply the access-list to the outside WAN interface, all
those things get done only for the packet to be dropped at the WAN interface
- a waste of a bit of router resource.

HTH, PM
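The two placements PM describes (inbound on the LAN interface versus outbound on the WAN interface), together with the source-routing caveat Hans raises, written out as an IOS configuration. This is an added example, not configuration from anyone in the thread; the interface names, the inside subnet 192.168.1.0/24 and the ACL name are assumptions.

```cisco
! Added example (not from the thread). Interface names, the inside subnet
! 192.168.1.0/24 and the ACL name BLOCK-INSIDE-PING are assumptions.
!
! Block ICMP from inside users to any destination; permit everything else.
ip access-list extended BLOCK-INSIDE-PING
 deny   icmp 192.168.1.0 0.0.0.255 any
 permit ip any any
!
! Placement 1: inbound on the LAN interface. A denied ping is dropped as it
! arrives, before the routing lookup and before it is switched toward the
! WAN interface. Same filtering result as placement 2, less work per packet.
interface FastEthernet0/0
 description Inside LAN
 ip address 192.168.1.1 255.255.255.0
 ip access-group BLOCK-INSIDE-PING in
!
! Placement 2: outbound on the WAN interface. The packet is received,
! looked up and switched first, and only then dropped on the way out.
! (Commented out here; use one placement or the other for this scenario.)
! interface Serial0/0
!  description Outside WAN
!  ip access-group BLOCK-INSIDE-PING out
!
! Hans's point: with several exit interfaces carrying different outbound
! ACLs, a source-routed packet can pick its own exit. Refusing to forward
! source-routed packets at all removes that path around the outbound ACL.
no ip source-route
```

After applying either placement, `show ip access-lists BLOCK-INSIDE-PING` shows per-entry match counters, which is the quickest way to confirm that the denies are hitting on the interface you expect rather than somewhere further along the forwarding path.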

>From: Tom Young <gitsyoung@yahoo.co.jp>
>Reply-To: Tom Young <gitsyoung@yahoo.co.jp>
>To: ccielab@groupstudy.com
>Subject: Access-list 's in and out
>Date: Wed, 18 Feb 2004 20:01:49 +0900 (JST)
>
>Hi, group
>
> I'm always confused by one access-list question: what
>is the difference between setting the in list on the inside
>interface and setting the out list on the outside interface.
>
>Thanks alot
>



This archive was generated by hypermail 2.1.4 : Fri Mar 05 2004 - 07:13:51 GMT-3