[cisco-bba] ACL application

Euan Galloway euang+cisco-bba at lists.eusahues.co.uk
Thu Dec 16 07:18:17 EST 2010


On Sat, Dec 11, 2010 at 07:56:54PM +1000, Edward avanti wrote:
> Hello all,
> 
> I understood that ACL on int's were for transiting traffic and ACL on line was
> for traffic to the router?

Packet has to come through the interface (and therefore any ACL on the interface), 
before it gets to any process running on the router (BGP/VTYs/anything else).

> I ask because I could not access the router until I added my home IP to acl 101
> (the inbound one).
> Is this because the external interface fe0 has inbound rules applied?
> For example, fe1 is to our network of servers; I apply ingress rules on fe0,
> which is the SP link. Is this why I was denied?

Yes

> 
> Should I invert all this: have no rules on fe0 and apply the
> network-ingress as an outbound rule on fe1 instead?

Probably not (you would normally drop "as soon as possible", i.e.
ingress).

P.S. Wrong group, nothing to do with bba, although 30 seconds with 
google would have answered faster than posting here.

--
Euan Galloway
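The ordering described in the reply, as an added IOS configuration example that is not part of the thread: the interface names FastEthernet0/0 (the poster's fe0) and FastEthernet0/1 (fe1), and all addresses (203.0.113.1 for the router's WAN side, 198.51.100.7 for the admin's home IP, 192.0.2.0/24 for the server LAN) are constructed assumptions, while acl 101 is the number from the question.

```cisco
! Added example, not from the thread. Constructed addresses:
!   203.0.113.1    router's WAN address on FastEthernet0/0 ("fe0")
!   198.51.100.7   admin's home IP
!   192.0.2.0/24   server network behind FastEthernet0/1 ("fe1")
!
! Order of evaluation for a packet arriving from the SP link:
!   1. inbound ACL on FastEthernet0/0 (acl 101)
!   2. only then the router's own processes, e.g. the VTY lines
! So the admin host must be permitted in acl 101, or an SSH packet
! never reaches the VTY access-class at all.
!
access-list 101 remark -- management to the router itself --
access-list 101 permit tcp host 198.51.100.7 host 203.0.113.1 eq 22
access-list 101 remark -- services published from the server LAN --
access-list 101 permit tcp any 192.0.2.0 0.0.0.255 eq 443
access-list 101 remark -- return traffic for sessions started inside --
access-list 101 permit tcp any 192.0.2.0 0.0.0.255 established
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 remark -- everything else dropped at ingress, and logged --
access-list 101 deny ip any any log
!
interface FastEthernet0/0
 description SP link (fe0): filter at ingress, as early as possible
 ip address 203.0.113.1 255.255.255.252
 ip access-group 101 in
!
! Second layer: the VTY access-class is only consulted after the packet
! has already passed acl 101. It limits who may open a session to the
! router regardless of which interface the packet came in on.
access-list 10 remark -- hosts allowed to manage the router --
access-list 10 permit host 198.51.100.7
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 transport input ssh
```

Moving acl 101 to an outbound rule on FastEthernet0/1, as the question proposes, would leave traffic addressed to the router itself (SSH, BGP, ICMP to 203.0.113.1) unfiltered, since it is never forwarded out of fe1.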

