Hello,
On the ACL sim, why is the ACL applied to the fa0/0 interface outbound and not to fa0/1 inbound? I was of the belief that extended ACLs were applied as close to the source as possible.
Thank you
Posts: 398
Threads: 11
Joined: Jan 2001
Reputation:
22
It is only a general guideline for extended ACLs. You can apply an extended ACL anywhere to get the desired result. In this sim, no other location/direction fulfills all the given requirements.
Thank you for the reply.
Can you explain what requirement it wouldn't fulfil if it was applied inbound on the fa0/1 interface?
Surely the ACL applied inbound on the fa0/1 interface would fulfil the given requirements, without the router having to process the blocked packets to the outbound interface.
Please read your book and understand access list directions. Then understand the requirements in this sim:
Only host C should be able to access Stock Web Server. No other host from Hosts LAN or Core network should be able to access the Stock Web Server.
All other traffic from hosts to other servers should be allowed.
The ACL applied on interface fa0/0 (Servers LAN) as "out" means checking every packet exiting the router towards the Servers LAN through fa0/0; the ACL allows Host C explicitly and denies any other host access to the Stock Web Server. All other hosts are allowed to access the other web servers by "permit ip any any".
The "in" direction would only check packets originating from the Servers LAN, which is contrary to the requirement.
If you place this ACL on fa0/1 as inbound, it will filter the traffic from the Hosts LAN but it has no control over the traffic from the Core network, again contrary to the requirement.
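To make the placement argument above concrete, here is an added example (not from the thread or the sim) that models the three-interface router and checks each ACL placement against the two requirements. All addresses, the /24 and /16 prefixes, and the `s0/0` Core interface are constructed assumptions.

```python
import ipaddress

# Constructed addresses (assumptions; the sim's real values are not in the thread).
STOCK_WEB = ipaddress.ip_address("10.1.1.10")   # Stock Web Server
OTHER_WEB = ipaddress.ip_address("10.1.1.20")   # another server on the Servers LAN
HOST_C    = ipaddress.ip_address("10.2.2.3")    # the one host allowed to reach Stock Web
HOST_D    = ipaddress.ip_address("10.2.2.4")    # another host on the Hosts LAN
CORE_HOST = ipaddress.ip_address("172.16.5.5")  # a host behind the Core network

# Routing table: which interface faces each network (s0/0 toward Core is assumed).
ROUTES = {
    ipaddress.ip_network("10.1.1.0/24"):   "fa0/0",  # Servers LAN
    ipaddress.ip_network("10.2.2.0/24"):   "fa0/1",  # Hosts LAN
    ipaddress.ip_network("172.16.0.0/16"): "s0/0",   # Core network
}

def iface_for(ip):
    """Interface facing ip: egress for packets to it, ingress for packets from it."""
    return next(name for net, name in ROUTES.items() if ip in net)

# The extended ACL as the reply describes it; first match wins, implicit deny at the end.
ANY = ipaddress.ip_network("0.0.0.0/0")
STOCK_WEB_NET = ipaddress.ip_network(f"{STOCK_WEB}/32")
ACL = [
    ("permit", ipaddress.ip_network(f"{HOST_C}/32"), STOCK_WEB_NET),
    ("deny",   ANY,                                   STOCK_WEB_NET),
    ("permit", ANY,                                   ANY),  # permit ip any any
]

def acl_permits(src, dst):
    for action, s_net, d_net in ACL:
        if src in s_net and dst in d_net:
            return action == "permit"
    return False  # implicit deny

def forwarded(src, dst, iface, direction):
    """True if a packet src->dst gets through with the ACL on iface in that direction."""
    crosses = (direction == "in" and iface_for(src) == iface) or \
              (direction == "out" and iface_for(dst) == iface)
    return acl_permits(src, dst) if crosses else True  # no ACL on the path: forwarded

def meets_requirements(iface, direction):
    """Both sim requirements hold for this placement: only Host C reaches Stock Web,
    nobody else from Hosts LAN or Core does, and all other traffic is allowed."""
    return (forwarded(HOST_C, STOCK_WEB, iface, direction)
            and not forwarded(HOST_D, STOCK_WEB, iface, direction)
            and not forwarded(CORE_HOST, STOCK_WEB, iface, direction)
            and forwarded(HOST_D, OTHER_WEB, iface, direction)
            and forwarded(CORE_HOST, OTHER_WEB, iface, direction))

if __name__ == "__main__":
    for placement in [("fa0/0", "out"), ("fa0/1", "in"), ("fa0/0", "in")]:
        print(placement, "meets requirements:", meets_requirements(*placement))
```

Only `("fa0/0", "out")` satisfies both requirements; `fa0/1 in` lets the Core host through because its packets never cross that interface.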