network cisco ccna gns3 certification arteq
a network runs through it

Sunday, January 1, 2012

egress, ingress in achilles' lists...

where to place the damn thing...

ip access-group in
ip access-group out

ingress=in
egress=out

for me this always makes a lot of sense with extended access lists because they are placed closest to the source, often blocking the traffic before it even gets into the router... stop it at munich... but a standard list only matches on source address, so the whole of ip from that source gets blocked, and it is placed closest to the destination, which means just before the traffic arrives at the destination... from the router's point of view, standard lists usually let the traffic in (ingress, into the router) and then block it at egress, on the interface feeding the destination...

the sending host (bad host) is on another network, behind routerB, and the destination ice cream server is hanging off a directly connected router, routerA... the bad host isn't allowed to get to the ice cream server off routerA or any of its wonderful flavors, so we'll shut the bad host down completely, the whole smash...

the bad host comes into routerB fa0/0 and egresses routerB s0/0, then onto router A, ingressing at s0/0 and wants to egress at routerA fa0/0 to get the ice cream... sorry buddy, no peanut butter delight for you...

routerA(config)#access-list 1 deny host 172.16.10.10
routerA(config)#! everyone else must be permitted explicitly, or the implicit deny at the end of the list blocks all traffic out fa0/0
routerA(config)#access-list 1 permit any
routerA(config)#int fa0/0
routerA(config-if)#ip access-group 1 out
routerA(config-if)#end
routerA#
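As an added example (not from the original post), here is a small Python model of how IOS walks a standard access list top-down, first match wins, with the implicit deny at the end, applied in the out direction on routerA fa0/0 the way the post does. It shows that a deny-only list blocks every source, not just the bad host, until a permit any is added. The second host address, the interface names and the wildcard-mask test list are constructed for the example.

```python
import ipaddress

def parse_acl(lines):
    """Parse IOS standard ACL lines ('... host X', '... A.B.C.D wildcard', '... any')
    into ordered (action, base, wildcard) tuples; IOS checks them top-down."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue  # remarks, prompts and blank lines are not entries
        action, target = parts[2], parts[3:]
        if target[0] == "any":
            base, wildcard = 0, 0xFFFFFFFF
        elif target[0] == "host":
            base, wildcard = int(ipaddress.ip_address(target[1])), 0
        else:
            base = int(ipaddress.ip_address(target[0]))
            wildcard = int(ipaddress.ip_address(target[1]))
        entries.append((action, base, wildcard))
    return entries

def acl_action(entries, src_ip):
    """Return 'permit' or 'deny' for a source address; an unmatched packet
    hits the implicit 'deny any' that ends every IOS access list."""
    src = int(ipaddress.ip_address(src_ip))
    for action, base, wildcard in entries:
        keep = ~wildcard & 0xFFFFFFFF  # wildcard 1-bits are "don't care"
        if (src & keep) == (base & keep):
            return action
    return "deny"

def forwards(router, src_ip, in_if, out_if):
    """router maps interface -> {'in'/'out': ACL lines}, like 'ip access-group N in|out'.
    A packet must pass the ingress list on in_if, then the egress list on out_if."""
    for iface, direction in ((in_if, "in"), (out_if, "out")):
        acl = router.get(iface, {}).get(direction)
        if acl is not None and acl_action(parse_acl(acl), src_ip) == "deny":
            return False
    return True

# Constructed topology from the post: the bad host's traffic enters routerA on
# s0/0 and wants to leave on fa0/0, where access-list 1 is applied outbound.
BAD_HOST, OTHER_HOST = "172.16.10.10", "172.16.20.20"  # OTHER_HOST is made up
DENY_ONLY = {"fa0/0": {"out": ["access-list 1 deny host 172.16.10.10"]}}
WITH_PERMIT = {"fa0/0": {"out": ["access-list 1 deny host 172.16.10.10",
                                 "access-list 1 permit any"]}}

if __name__ == "__main__":
    for host in (BAD_HOST, OTHER_HOST):
        print(host, forwards(DENY_ONLY, host, "s0/0", "fa0/0"), forwards(WITH_PERMIT, host, "s0/0", "fa0/0"))
```

With the deny-only list both hosts are blocked at egress; with permit any added only the bad host is, and a packet leaving by any other interface is untouched.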

the router has a point of view...
and never liked class B addresses anyway
