network cisco ccna gns3 certification arteq

network cisco ccna gns3 certification arteq
a network runs through it

Search insearchofthecert

Sunday, January 1, 2012

egress, ingress in achille's lists...

where to place the damn thing...

ip access-group in
ip access-group out


for me this always makes a lot of sense with extended access lists because they are placed closest to the source, often blocking the traffic before it comes into the router... stop it at munich... but with standard lists the whole of ip is being blocked closest to the destination, which means before it arrives at the destination and from the router's point of view... standard lists are often allowed ingress (into a router) then blocked at egress, the interface feeding the destination...

the sending host (bad host) is on another network, routerB, and the destination ice cream server is hanging off a directly connected router, routerA...  the bad host isn't allowed to get to the ice cream server off  routerA or any of it's wonderful flavors so we'll shut the bad host down completely, the whole smash...

the bad host comes into routerB fa0/0 and egresses routerB s0/0, then onto router A, ingressing at s0/0 and wants to egress at routerA fa0/0 to get the ice cream... sorry buddy, no peanut butter delight for you...

routerA(config)#access-list 1 deny host
routerA(config)#int fa0/0
routerA(config-if)#ip access-group 1 out

the router has a point of view...
and never liked class B addresses anyway

No comments:

Post a Comment