Security Basics mailing list archives
RE: about access-list location?
From: "Richard Kullmann" <rkullmann () universal-associates com>
Date: Mon, 23 Jun 2003 16:05:19 -0700
What do you mean by "why I should like this"?

A "Standard" IP access list on a Cisco router filters traffic based only on the source IP address in the packet. An "Extended" IP access list on a Cisco router allows you to filter traffic based on both the source and destination IP addresses as well as the value of the protocol field in the IP header, and also based on additional information such as L4 source and destination ports, control field information (syn, ack), and message types (echo, echo-reply, ttl-exceeded, etc.).

For example, look at the two following access-list conditions:

    access-list 1 deny 172.16.32.0 0.0.0.255
    access-list 101 deny tcp 172.16.32.0 0.0.0.255 host 192.168.1.2 eq telnet

The first condition (ACL 1) blocks all traffic originating on subnetwork 172.16.32.0. If you place this condition on the router that connects to 172.16.32.0 you will stop that traffic from getting anywhere. You would need to place this condition close to the destination so that traffic would be allowed anywhere between the source and the destination you are blocking it from.

The second condition (ACL 2) only blocks traffic that is attempting to telnet from subnetwork 172.16.32.0 to host 192.168.1.2. If you place this close to the destination (192.168.1.2), the packets traverse the network until they get close to the destination and then they get blocked. If you place this close to the source (172.16.32.0), the traffic gets blocked only if it is attempting to telnet to the specific host 192.168.1.2, and it doesn't waste bandwidth traversing the network.

I hope this helps.

Richard Kullmann

-----Original Message-----
From: SB CH [mailto:chulmin2 () hotmail com]
Sent: Sunday, June 22, 2003 8:51 AM
To: security-basics () securityfocus com
Subject: about access-list location?

Hello.

I have a question about the "access-list" of Cisco. Some say an extended access list is located near the source and a standard access list is located near the destination. I have no idea why I should like this.

Thanks in advance.

---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------
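To make the placement argument above concrete, here is an added example (not code from the thread or from Cisco) that models the two access-list lines Richard quotes: it parses them with Cisco wildcard-mask semantics, applies the first-match rule with the implicit deny at the end, and walks a packet along a constructed four-router path to see where it is dropped depending on which router carries the ACL. The router names, the path table, the extra "permit" lines and the sample packets are all assumptions made for the example.

```python
"""Toy model of Cisco standard vs. extended IP access lists and of where a
packet is dropped depending on which router carries the ACL.  Added
illustration, not code from the mailing-list post; the two deny lines are the
ones quoted there, the permit lines, router names and paths are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"telnet": 23, "www": 80, "ssh": 22}
ANY = ("0.0.0.0", "255.255.255.255")   # 'any' == 0.0.0.0 with an all-ones wildcard


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None


def _parse_addr(t, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return ((net, wild), next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2


def parse_acl(lines):
    """Parse 'access-list N permit|deny ...' lines into {number: [entries]}."""
    acls = {}
    for line in lines:
        t = line.split()
        num, action = int(t[1]), t[2]
        if 1 <= num <= 99:                      # standard ACL: source address only
            src, _ = _parse_addr(t, 3)
            entry = dict(action=action, proto="ip", src=src, dst=ANY, dport=None)
        else:                                   # extended ACL: proto, src, dst, optional port
            proto = t[3]
            src, i = _parse_addr(t, 4)
            dst, i = _parse_addr(t, i)
            dport = None
            if i < len(t) and t[i] == "eq":
                dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            entry = dict(action=action, proto=proto, src=src, dst=dst, dport=dport)
        acls.setdefault(num, []).append(entry)
    return acls


def evaluate(entries, pkt: Packet) -> str:
    """First matching entry wins; every ACL ends with an implicit 'deny'."""
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != pkt.proto:
            continue
        if not wildcard_match(pkt.src, *e["src"]) or not wildcard_match(pkt.dst, *e["dst"]):
            continue
        if e["dport"] is not None and e["dport"] != pkt.dport:
            continue
        return e["action"]
    return "deny"


# Constructed topology: R1 sits next to 172.16.32.0/24, R4 next to 192.168.1.2;
# traffic for 10.0.0.5 leaves the chain at R2 and never reaches R3 or R4.
PATHS = {"192.168.1.2": ["R1", "R2", "R3", "R4"],
         "10.0.0.5": ["R1", "R2"]}


def forward(pkt: Packet, entries, acl_router: str):
    """Walk the packet along its path; return (router that dropped it or None, hops taken)."""
    for hops, router in enumerate(PATHS[pkt.dst]):
        if router == acl_router and evaluate(entries, pkt) == "deny":
            return router, hops
    return None, len(PATHS[pkt.dst])


# The two lines from the post plus an explicit permit on each list; without the
# permit, the implicit deny at the end would drop everything else as well.
ACLS = parse_acl([
    "access-list 1 deny 172.16.32.0 0.0.0.255",
    "access-list 1 permit any",
    "access-list 101 deny tcp 172.16.32.0 0.0.0.255 host 192.168.1.2 eq telnet",
    "access-list 101 permit ip any any",
])

if __name__ == "__main__":
    telnet = Packet("172.16.32.7", "192.168.1.2", "tcp", 23)
    other = Packet("172.16.32.7", "10.0.0.5", "tcp", 80)
    for num, router in ((1, "R1"), (1, "R4"), (101, "R1"), (101, "R4")):
        print(f"ACL {num} on {router}: telnet to 192.168.1.2 -> {forward(telnet, ACLS[num], router)}, "
              f"http to 10.0.0.5 -> {forward(other, ACLS[num], router)}")
```

Running it shows the trade-off in numbers: ACL 1 on R1 drops both packets at hop 0, including the harmless HTTP session to 10.0.0.5, while ACL 1 on R4 spares that session but lets the telnet packet cross three routers before it dies. ACL 101 on R1 drops only the telnet packet, at hop 0, and forwards everything else untouched. The explicit permit lines matter: a real Cisco list with nothing but the deny entry would block all remaining traffic through the implicit deny.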
Current thread:
- about access-list location? SB CH (Jun 23)
- RE: about access-list location? Richard Kullmann (Jun 24)
- RE: about access-list location? David Gillett (Jun 24)
- <Possible follow-ups>
- RE: about access-list location? Naman Latif (Jun 24)
- Re: about access-list location? Mike Heitz (Jun 24)
- RE: about access-list location? DeGennaro, Gregory (Jun 25)