
ip access-group <access-list number> in/out


Ashok Kumar B S

Aug 10, 1999, 3:00:00 AM
Hello Everybody,

I am studying the Cisco router's access-lists. I understand that the
access-list becomes active only when we apply the access-group on the
appropriate interface. I am using a router with two serial ports (only one
serial port is active, the other serial interface is shut down) and one
Ethernet port. Now my problem is I am not able to understand the difference
between the following commands.

1. when applied on the Serial interface, connected to the ISP:
'ip access-group 100 out' and 'ip access-group 100 in'

2. when applied on the Ethernet interface, connected to the LAN:
'ip access-group 100 out' and 'ip access-group 100 in'

Any help is highly appreciated .
Many Thanks in advance.

Ashok.
------------------------------
Ashok Kumar B S
Yokogawa Electric Corporation
mailto:ashok_s...@bigfoot.com
TEL : 81-422-52-5506 Extn: 26405
FAX : 81-422-52-0513
------------------------------

Pascal Gloor

Aug 10, 1999, 3:00:00 AM
Hi,

Be careful ... there is a BIG difference ...

When a packet comes to the router, first it is decapsulated by the
interface, then it goes through the routing table (CPU), and then it goes again to
an interface to be encapsulated and goes out.

Access-lists take CPU processing, so if you have a small router and BIG
traffic you should put ACLs (access-lists) only in "IN" mode on the
interfaces to gain CPU time, because the packets are not processed before
being deleted.

In your case, the only difference is that you DON'T protect the router if
you put the ACL on the ETHERNET; you should put it on the SERIAL.

Regards,
--
Pascal Gloor (PGL2-RIPE)
Network Manager
PETREL Communications SA (AS6893)
Geneva / Switzerland
Ashok Kumar B S <Ashok_S...@bigfoot.com> wrote in message
news:9342765...@news.Colorado.EDU...

Brian Morgan

Aug 10, 1999, 3:00:00 AM
The 'in' or 'out' refers to traffic flow from the router's point of view.
If you apply it 'in', you are filtering traffic coming into the router. If
you apply it 'out', you are filtering what leaves the router. However, the
access list cannot filter what is generated by the router. For example, if
you deny all telnet and apply it outbound on an interface, you will still be
able to initiate a telnet session from the router that goes out that
interface. You are filtering traffic going through the router.

ip access-group 100 out

refers to IP extended access list number 100 and will filter traffic
leaving the router. IP standard access lists filter on source address only
and are numbered 1-99. IP extended access lists filter on source address,
destination address, protocol and port number. These are numbered 100-199.

--
Brian Morgan
CCSI, CCIE #4865
bmor...@earthlink.net

Nenad Krajnovic

Aug 10, 1999, 3:00:00 AM
>> From: IN%"Ashok_S...@bigfoot.com" "Ashok_S...@bigfoot.com" 10-AUG-1999 11:10:03.52

>>
>> I am studying about the Cisco Router's access-list. I understand that the
>> access-list becomes active only when we apply the access-group on the
>> appropriate interface. I am using a router with two serial port (only one
>> serial port is active , the other serial interface is shutdown ) and one
>> Ethernet port .Now my problem is I am not able to understand the difference in
>> the following commands.
>>
>> 1. when applied on the Serial interface, connected to ISP
>> 'ip access-group 100 out' and ip access-group 100 in'
>>
>> when applied on the Ethernet interface connected to LAN
>> 'ip access-group 100 out' and ip access-group 100 in'

When you apply 'ip access-group 100 out' on the Serial interface, this means
that access list 100 will be applied to all outgoing traffic on the Serial
interface. If you put 'ip access-group 100 in' on the Serial interface, the access
list will be applied to all incoming traffic on the Serial interface. In your case,
with 'ip access-group 100 out' applied on the Serial interface you will filter all
traffic which is going TO your ISP. With 'ip access-group 100 in' applied on the
Serial interface you will filter all traffic coming FROM your ISP.
Same story for the LAN. If you apply 'ip access-group 100 out' on the LAN interface,
you will filter all traffic going FROM your ROUTER TO the LAN. With 'ip access-group
100 in' you'll filter (when I say filter, I mean control traffic with an
access list) all traffic coming FROM the LAN TO the ROUTER.

Regards,
Krajko

.-------. Nenad Krajnovic | e-mail: kra...@etf.bg.ac.yu
| --+-- | Network Engineer |
| /|\ University of Belgrade | Phone: (+381-11) 3221-419
|-(-+-)-| School of Electrical Engineering | 3370-106
| \|/ Bulevar Revolucije 73 | 3218-350,3218-322
| --+-- | 11000 Belgrade SERBIA, YUGOSLAVIA| Fax: (+381-11) 3248-681
`-------' --------------------------------------------------------------------

Bristow, Robert (Rob)

Aug 10, 1999, 3:00:00 AM
Ashok,
When you use an ACL to filter packets, IN and OUT refer to the direction
that the packets are going. IN means you want to filter packets as they
arrive at the interface, and OUT means that you want to filter packets
destined to go out that interface.
Regards,
Rob Bristow
AT&T Solutions
CCIE #3335

> -----Original Message-----
> From: Ashok Kumar B S [mailto:Ashok_S...@bigfoot.com]
> Sent: Monday, August 09, 1999 2:32 PM
> To: 'Cisco Mailing List'
> Subject: ip access-group <access-list number> in/out
>
>
> Hello Everybody,


>
> I am studying about the Cisco Router's access-list. I
> understand that the
> access-list becomes active only when we apply the access-group on the
> appropriate interface. I am using a router with two serial
> port (only one
> serial port is active , the other serial interface is
> shutdown ) and one
> Ethernet port .Now my problem is I am not able to understand
> the difference in
> the following commands.
>
> 1. when applied on the Serial interface, connected to ISP
> 'ip access-group 100 out' and ip access-group 100 in'
>
> when applied on the Ethernet interface connected to LAN
> 'ip access-group 100 out' and ip access-group 100 in'
>

Zaheer Aziz

Aug 10, 1999, 3:00:00 AM
>
> Ashok,
> When you use an ACL to filter packets, IN and OUT refer to the direction
> that the packets are going. IN means you want to filter packets as they
> arrive at the interface, and OUT means that you want to filter packets
> destined to go out that interface.

Just to add to the above correct definition of the IN and OUT operation:
an access-list applied OUT only applies to transit traffic through the router.

E.g. if you are blocking ICMP OUT in an access-list, you will still be
able to ping from the router where the access-list is applied. All transit
pings through the router will be blocked.

Thanks
Zaheer
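As an added example that is not part of this thread and not Cisco's code, the following Python model reproduces the direction semantics described in Brian Morgan's, Nenad Krajnovic's and Zaheer Aziz's replies: a parser for numbered extended ACL lines of the form `access-list N permit|deny PROTO SRC DST [eq PORT]`, a router that binds one ACL per interface and direction, and a report of which of five constructed flows a "deny telnet, permit the rest" ACL 100 stops under each of the four placements Ashok asked about. Interface names (Ethernet0 facing the LAN, Serial0 facing the ISP), the addresses, and the ACL contents are assumptions made up for the demo; router-originated traffic is modelled as having no ingress interface, which is how the model reproduces the outbound-ACL exception the replies describe.

```python
# Toy model of IOS 'ip access-group N in|out'; constructed example, not IOS or vendor code.
from dataclasses import dataclass
from typing import Dict, List, Optional
import ipaddress

@dataclass(frozen=True)
class Packet:
    proto: str                     # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None    # destination port, if any
    ingress: Optional[str] = None  # arrival interface; None = generated by the router
    egress: Optional[str] = None   # exit interface; None = addressed to the router itself

def _take_addr(tokens, i):
    """Consume one IOS address group: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[i] == "any":
        return ("any", None), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def _addr_matches(spec, addr):
    """IOS wildcard semantics: a 1 bit in the wildcard mask means 'don't care'."""
    base, wildcard = spec
    if base == "any":
        return True
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a ^ b) & care == 0

def parse_acl(config_lines: List[str]) -> Dict[str, list]:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines, grouped by N."""
    acls: Dict[str, list] = {}
    for line in config_lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, i = _take_addr(t, 4)
        dst, i = _take_addr(t, i)
        dport = int(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
        acls.setdefault(t[1], []).append((t[2], t[3], src, dst, dport))
    return acls

def acl_permits(entries, pkt: Packet) -> bool:
    """First matching entry decides; an IOS ACL ends with an implicit 'deny ip any any'."""
    for action, proto, src, dst, dport in entries:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (_addr_matches(src, pkt.src) and _addr_matches(dst, pkt.dst)):
            continue
        if dport is not None and pkt.dport != dport:
            continue
        return action == "permit"
    return False

class Router:
    def __init__(self, acls):
        self.acls = acls
        self.bindings = {}  # (interface, "in"/"out") -> ACL number
    def ip_access_group(self, iface, num, direction):  # 'ip access-group NUM in|out' on IFACE
        self.bindings[(iface, direction)] = num
    def _check(self, iface, direction, pkt):
        num = self.bindings.get((iface, direction))
        return num is None or acl_permits(self.acls[num], pkt)
    def forward(self, pkt: Packet) -> bool:
        """True if the packet survives the ACLs on its path. The inbound ACL sees all
        traffic arriving on that interface, transit or addressed to the router; the
        outbound ACL sees transit only, so packets the router generates bypass it."""
        if pkt.ingress is not None and not self._check(pkt.ingress, "in", pkt):
            return False
        if pkt.ingress is not None and pkt.egress is not None:
            return self._check(pkt.egress, "out", pkt)
        return True

ACL_CONFIG = ["access-list 100 deny tcp any any eq 23",  # constructed: block telnet,
              "access-list 100 permit ip any any"]       # allow everything else

# Constructed flows: Ethernet0 faces the LAN, Serial0 the ISP; 198.51.100.1 is the router.
FLOWS = {
    "lan->isp telnet":    Packet("tcp", "192.168.1.10", "203.0.113.5", 23, "Ethernet0", "Serial0"),
    "lan->router telnet": Packet("tcp", "192.168.1.10", "198.51.100.1", 23, "Ethernet0", None),
    "isp->lan telnet":    Packet("tcp", "203.0.113.5", "192.168.1.10", 23, "Serial0", "Ethernet0"),
    "isp->router telnet": Packet("tcp", "203.0.113.5", "198.51.100.1", 23, "Serial0", None),
    "router->isp telnet": Packet("tcp", "198.51.100.1", "203.0.113.5", 23, None, "Serial0"),
}

def placement_report() -> Dict[str, List[str]]:
    """For each of the four placements asked about, list the flows ACL 100 stops."""
    report = {}
    for iface, direction in (("Serial0", "in"), ("Serial0", "out"), ("Ethernet0", "in"), ("Ethernet0", "out")):
        r = Router(parse_acl(ACL_CONFIG))
        r.ip_access_group(iface, "100", direction)
        report[f"{iface} {direction}"] = sorted(
            name for name, pkt in FLOWS.items() if not r.forward(pkt))
    return report

if __name__ == "__main__":
    print(*(f"ip access-group 100 {p}: blocks {b}" for p, b in placement_report().items()), sep="\n")
```

Running it prints one row per placement. Two rows are the ones worth checking against the replies above: "Serial0 in" is the only placement that stops telnet to the router itself from the ISP side, which is the point about protecting the router, while "Serial0 out" stops LAN-to-ISP telnet but not a telnet session the router itself initiates, which is the outbound exception Brian and Zaheer describe. The model covers only the ACL syntax used here; real IOS has more keywords, and management access to the router is normally restricted with `access-class` on the VTY lines rather than with an interface ACL alone.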
