I do understand the basic difference, but I find it confusing. One processes the packet first and then routes it; the other routes first and then processes it in the ACL. If I want to save the router's resources, then I should always pick the first (process, then route). If a packet is certainly going to get dropped by the ACL, why would I waste time routing it in the first place? I know both are necessary and practiced in the real world, but I can't imagine any use of the second.
Answer 1
If we're talking about a Cisco router,
an ACL inbound at an interface would mean 'let the ACL process the packets coming into the router through that interface', i.e. while packets enter the router through that interface, but not packets that exit through that interface.
An ACL outbound at an interface means 'apply the ACL to packets exiting out of the router through that interface, but not to incoming packets'.
Ping from 192.168.1.1 to 10.0.2.1
When CASE 1 is configured:
The ping request will not pass through R1's Fa0/1, because ACL 55 is set to process outbound traffic, and the source address of the request matches the IP range specified in the ACL. Ping output will be:
Destination Host Unreachable
When CASE 2 is configured:
The ping request will reach 10.0.2.1, but the reply from 10.0.2.1 will be stopped at R1's Fa0/1 because the ACL is set to process inbound traffic and the source address of the reply matches the IP range in the ACL. Ping output will be:
Request timed out
When CASE 3 is configured:
The ping will be successful. The ping request will not be filtered at R1's Fa0/1, as the ACL is only for inbound traffic. Although the ping reply will be considered at R1's Fa0/1 as it is inbound, it will pass through because the source address of the reply is not in the 10.0.2.0 0.0.0.255 range, as specified in the ACL.
Answer 2
Scenario:
Creating access list 12
access-list 12 deny 192.168.12.0 0.0.0.255
access-list 12 permit any
Applying it to interface VLAN 10
ip access-group 12 in
or
ip access-group 12 out
Here,
outbound = coming into VLAN 10 (coming **out to** VLAN 10 from any other network)
inbound = coming from VLAN 10 (coming **in** from VLAN 10 **into** any other network)
If you use outbound, then it will filter incoming traffic.
Use inbound to isolate the network from other networks, as it will filter all the packets coming from that network to other networks.
If you create an ACL 10 to deny all of the 192.168.10.0 network and apply it to VLAN 10 inbound, then VLAN 10 can't communicate with other networks.
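As an added example (not code from the question or any answer on this page), the Python model below applies Answer 2's access list 12 first 'in' and then 'out' on a VLAN 10 interface and traces the echo request and echo reply of a ping through a small router; the interface names, addresses and routing table are constructed. It also shows a packet whose verdict depends on which interface the routing lookup selects, which is why an outbound check can only run after routing.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def acl_permits(acl, src):
    """Standard ACL: first matching entry wins; no match hits the implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action == "permit"
    return False

# Answer 2's access list 12; 'permit any' is 0.0.0.0 255.255.255.255 in wildcard form.
ACL_12 = [("deny", "192.168.12.0", "0.0.0.255"),
          ("permit", "0.0.0.0", "255.255.255.255")]
# Constructed routing table: VLAN 10 is 192.168.12.0/24, VLAN 20 is 192.168.10.0/24.
ROUTES = {ipaddress.ip_network("192.168.12.0/24"): "Vlan10",
          ipaddress.ip_network("192.168.10.0/24"): "Vlan20"}

def route(dst):
    """Routing lookup: the egress interface for dst, or None if there is no route."""
    addr = ipaddress.ip_address(dst)
    return next((i for n, i in ROUTES.items() if addr in n), None)

def forward(src, dst, ingress, acls):
    """acls maps (interface, 'in'|'out') -> ACL. The 'in' ACL runs on the ingress
    interface before the routing lookup; the 'out' ACL runs on the egress interface."""
    if (ingress, "in") in acls and not acl_permits(acls[(ingress, "in")], src):
        return "dropped by inbound ACL on " + ingress
    egress = route(dst)
    if egress is None:
        return "dropped: no route"
    if (egress, "out") in acls and not acl_permits(acls[(egress, "out")], src):
        return "dropped by outbound ACL on " + egress
    return "forwarded out " + egress

def ping(src, dst, acls):
    """Echo request from src, then the echo reply coming back the other way."""
    request = forward(src, dst, route(src), acls)
    if not request.startswith("forwarded"):
        return request, "no reply (request never left)"
    return request, forward(dst, src, route(dst), acls)

if __name__ == "__main__":
    for direction in ("in", "out"):   # ip access-group 12 in  /  ip access-group 12 out
        acls = {("Vlan10", direction): ACL_12}
        print(direction, ping("192.168.12.5", "192.168.10.5", acls))
        # Constructed spoofed packet: claims a VLAN 10 source but arrives on Vlan20.
        print(direction, forward("192.168.12.7", "192.168.12.5", "Vlan20", acls))
```

With the list applied 'in', the request is dropped before any routing lookup and VLAN 10 cannot reach other networks; applied 'out', the ping succeeds but a packet arriving on another interface with a 192.168.12.x source is caught only once routing has chosen Vlan10 as its egress.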
Answer 3
The ACLs only really apply to local user accounts/groups and local built-in accounts/groups, because it is only looking for SIDs from its own identity, aka from the local computer. This is why, when you have a file which has an ACL entry for a user that does not exist in the SAM database, it will show up in the ACL list as a SID string rather than a username and will have a red X beside it.
You can add other users from an Active Directory database; however, they are still treated like local users. That means the local computers must be part of the domain and must be contactable via the network when, say, an ALE is changed for that computer.