Hi,
I am studying for the CCNA and I am a little confused with the concept of "IN" and "OUT" when creating access lists. I am reading a book by Todd Lammle and his example is that he has a router with 3 LANs (e0 = sales, e1 = finance, e2 = marketing) and one WAN connection to the internet. What he does not want is users on the sales LAN to access the finance LAN, but the marketing LAN needs access. He gives the config for the access list (I left out the router name): #access-list 11 deny host 172.16.40.0; (next line) access-list 11 permit any. Then he adds the list to e1 with ip access-group 11 out.
The book says "this completely stops traffic from 172.16.40.0 (not sure if this was the sales LAN or finance LAN; the chapter did not specify) from getting out of e1. It has no effect on the hosts from the sales LAN accessing the marketing LAN and the internet, since traffic to those destinations doesn't go through e1. Any packet trying to exit out e1 will have to go through the access list first. If there were an inbound list placed on e0, then any packet trying to enter e0 would have to go through the access list before being routed to an exit interface." (Todd Lammle, pg. 451, Sybex CCNA 2004)
What I don't understand is the 2nd paragraph. Assuming that 172.16.40.0 is the sales LAN, which is e0, why is the list applied to e1? Should this be applied to the source (e0)? I don't understand the concept of "IN" and "OUT" when you say ip access-group # in (does that mean you are permitting something from the outside into a specific interface?) and ip access-group # out blocks access?
Please explain. Is the book I am using off?
Comptek
A+, Network+
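To make the "in" and "out" direction concrete, here is an added Python model of the router in the question. It is example code written for this thread, not the book's configuration or anything the poster ran. It assumes 172.16.40.0/24 is the sales LAN on e0, and it constructs the finance (172.16.50.0/24) and marketing (172.16.60.0/24) prefixes, a default route on s0 for the internet, and the sample host addresses, none of which the question gives. The direction is always relative to the router: an inbound list is checked as a packet enters an interface, before the routing decision; an outbound list is checked after routing, only on packets leaving that interface. Because a standard list matches on source address alone, the same list placed inbound on e0 would cut sales off from everything, which is why the book hangs it outbound on e1, next to the network it protects.

```python
import ipaddress

ANY = "0.0.0.0/0"
# Constructed prefixes: only 172.16.40.0 appears in the question; the rest are assumed.
SALES, FINANCE, MARKETING = "172.16.40.0/24", "172.16.50.0/24", "172.16.60.0/24"


class StandardAcl:
    """Numbered standard ACL: entries match on the SOURCE address only,
    the first matching entry wins, and an implicit 'deny any' ends every list."""

    def __init__(self, entries):
        self.entries = [(action, ipaddress.ip_network(net)) for action, net in entries]

    def permits(self, src):
        src = ipaddress.ip_address(src)
        for action, net in self.entries:
            if src in net:
                return action == "permit"
        return False  # implicit deny at the end of every IOS access list


class Router:
    def __init__(self, interfaces):
        # interface name -> prefix reachable through it; 0.0.0.0/0 stands in for the default route
        self.routes = {name: ipaddress.ip_network(p) for name, p in interfaces.items()}
        self.groups = {}  # (interface, "in" | "out") -> StandardAcl

    def access_group(self, iface, acl, direction):
        # models: interface <iface> / ip access-group <acl> <in|out>
        assert direction in ("in", "out")
        self.groups[(iface, direction)] = acl

    def lookup(self, addr):
        # longest-prefix match, as the routing table would do
        ip = ipaddress.ip_address(addr)
        best = max((net.prefixlen, name) for name, net in self.routes.items() if ip in net)
        return best[1]

    def forward(self, src, dst):
        # Simplification: the ingress interface is derived from the source prefix;
        # a real router knows it from where the frame physically arrived.
        in_if = self.lookup(src)
        acl = self.groups.get((in_if, "in"))       # checked BEFORE the routing decision
        if acl and not acl.permits(src):
            return f"dropped by inbound list on {in_if}"
        out_if = self.lookup(dst)                  # routing decision
        acl = self.groups.get((out_if, "out"))     # checked only on packets leaving out_if
        if acl and not acl.permits(src):
            return f"dropped by outbound list on {out_if}"
        return f"forwarded out {out_if}"


def build_router():
    return Router({"e0": SALES, "e1": FINANCE, "e2": MARKETING, "s0": ANY})


# Constructed sample flows (source host, destination host).
FLOWS = {
    "sales->finance": ("172.16.40.10", "172.16.50.10"),
    "sales->marketing": ("172.16.40.10", "172.16.60.10"),
    "sales->internet": ("172.16.40.10", "203.0.113.10"),
    "marketing->finance": ("172.16.60.5", "172.16.50.10"),
}


def run(router):
    return {name: router.forward(s, d) for name, (s, d) in FLOWS.items()}


def book_placement():
    """access-list 11 deny <sales>; access-list 11 permit any; applied OUT on e1."""
    r = build_router()
    r.access_group("e1", StandardAcl([("deny", SALES), ("permit", ANY)]), "out")
    return run(r)


def inbound_on_source():
    """The same list applied IN on e0: a standard list cannot see the destination,
    so every packet from sales is dropped, not just the ones bound for finance."""
    r = build_router()
    r.access_group("e0", StandardAcl([("deny", SALES), ("permit", ANY)]), "in")
    return run(r)


if __name__ == "__main__":
    for label, results in (("out on e1", book_placement()), ("in on e0", inbound_on_source())):
        print(f"--- list 11 applied {label} ---")
        for flow, verdict in results.items():
            print(f"{flow:20s} {verdict}")
```

Running it prints that with the list outbound on e1 only sales->finance is dropped while sales->marketing, sales->internet and marketing->finance are forwarded, matching the book's description; with the list inbound on e0 all three sales flows die at e0. To block just sales->finance at the source interface you would need an extended list that also matches the destination, which is exactly why the placement rule of thumb is "standard lists near the destination, extended lists near the source".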