>> An ACL by itself doesn't do anything. It needs to know which interface on a router to examine packets on and in which direction, inbound to the router or outbound from the router.

Consider this topology. If we want to block traffic to network 4 from network 1, there are technically four locations that an ACL can be applied: the left interface of router A, the right interface of router A, the left interface of router B, and the right interface of router B. If traffic is being sent from network 1, it's considered inbound traffic to the left interface of router A, outbound traffic from the right interface of router A, inbound traffic to the left interface of router B, and outbound traffic to the right interface of router B.

If we apply the standard ACL inbound on the left interface of router A, this will block all traffic from network 1 regardless of whether it's destined for network 4. So that's not a good idea. If we apply it outbound on the right interface of router A, this would block all traffic from network 1 destined for any network in that direction, including network 3. For the same reason, we wouldn't make it inbound on the left interface of router B. That's why the recommendation is to place standard ACLs as close as possible to the destination, so that traffic doesn't get unnecessarily filtered. In this case, it's an outbound ACL on the right interface of router B.

Direction is important. What do you think will happen if we apply the ACL that blocks traffic from network 1 as an inbound list on the right interface of router B? Well, that would be a logic error. The ACL would be worthless, because traffic sourced by network 1 will never go inbound into the right interface of router B. Only outbound.

We say that stateless packet filters permit or deny packets to enter or exit a network. However, when configuring an ACL and applying it to an interface, the direction, inbound or outbound, is always in relation to the router, which will always be the opposite direction for the network. Furthermore, only one ACL can be applied per direction per interface. In other words, an interface can have just one inbound ACL and just one outbound ACL, making the maximum number of ACLs per interface 2.
Reposted from: https://www.cnblogs.com/sec875/articles/10028626.html
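The placement reasoning above, worked through as an added example (not part of the original transcript): a small Python model evaluates the same source-only ACL at every interface/direction checkpoint and reports which flows each placement drops. The topology is constructed, since the video's diagram is not on the page: network 2 is assumed to hang off a third interface of router A and network 3 off a third interface of router B, and interface names such as `A_left` and `B_down` are assumptions.

```python
# Constructed topology (assumption; the video's diagram is not on the page):
# net1 -- A -- B -- net4, with net2 on a third interface of A ("A_down") and
# net3 on a third interface of B ("B_down"). Each flow is the ordered list of
# (interface, direction) checkpoints it crosses; direction is relative to the
# router, as the transcript stresses, not to the network.
FLOWS = {
    ("net1", "net4"): [("A_left", "in"), ("A_right", "out"), ("B_left", "in"), ("B_right", "out")],
    ("net1", "net3"): [("A_left", "in"), ("A_right", "out"), ("B_left", "in"), ("B_down", "out")],
    ("net1", "net2"): [("A_left", "in"), ("A_down", "out")],
    ("net4", "net1"): [("B_right", "in"), ("B_left", "out"), ("A_right", "in"), ("A_left", "out")],
    ("net3", "net4"): [("B_down", "in"), ("B_right", "out")],
}

# A standard ACL matches on source only: ordered (action, source) entries,
# first match wins, with an implicit deny at the end (as on Cisco IOS).
STANDARD_ACL = [("deny", "net1"), ("permit", "any")]


def acl_permits(acl, src):
    """First-match evaluation of a source-only (standard) ACL."""
    for action, match in acl:
        if match in ("any", src):
            return action == "permit"
    return False  # implicit deny


def blocked_flows(acl, interface, direction):
    """Return the set of flows dropped if `acl` is applied at that checkpoint."""
    blocked = set()
    for (src, dst), path in FLOWS.items():
        if (interface, direction) in path and not acl_permits(acl, src):
            blocked.add((src, dst))
    return blocked


def placement_report(acl, goal):
    """For every possible placement, say whether it blocks the goal flow and
    which other flows it drops as collateral damage."""
    checkpoints = sorted({cp for path in FLOWS.values() for cp in path})
    report = {}
    for iface, direction in checkpoints:
        blocked = blocked_flows(acl, iface, direction)
        report[(iface, direction)] = {"meets_goal": goal in blocked,
                                      "collateral": blocked - {goal}}
    return report


if __name__ == "__main__":
    for cp, r in placement_report(STANDARD_ACL, ("net1", "net4")).items():
        ok = r["meets_goal"] and not r["collateral"]
        print(cp, "BEST" if ok else "", r)
```

Only `("B_right", "out")` blocks net1 to net4 without collateral damage, while `("B_right", "in")` blocks nothing at all, which is the logic error the transcript describes.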