ACL'S IN OR OUT

I know it is very important to put an access list on the correct interface because if u put one on the wrong interface u might as well use the shutdown command, but as long as u put the access list on the correct interface should it really matter if its inbound or outbound because to me it doesnt seem as if it would make that much of a difference. so am i right or have i gone completely insane?

Find more posts tagged with

Comments

kplab

You need to apply the ACL on the appropriate interface for inbound or outbound depending on the direction of traffic you want to block/allow.

For example, if you want to block the ICMP ping traffic from an external network, you need to apply the ACL on the interface connecting to the external network for inbound traffic, but not for outbound traffic.

KGhaleon

Let me sit down with you and tell you about the birds and the bees.

Anyway, you really need to know what the network looks like before setting up any access lists to prevent those kind of mistakes. If anything, don't forget to use a "permit all" where it's needed.

KG

darkuser

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#applyacls

badboyziggy

darkuser i have been to that site and thats what lead me to that thought based on the explanation they gave for "in" and "out", i understand access-list i know how to write them and i know which interface to place them on, my biggest problem is trying to figure out when should it be inbound and when should it be outbound. if somone could kindly explain to me as simply and as clearly as possible with the use of an example when to set an access-list inbound or outbound i would greatly appreciate that.

Associating an ACL to an interface and its direction makes a lots of impact. With a very simple setup you might not notice it. But when you think about designing one with complex deny and permit statements it make a big difference.

Lets say you have router connected to LAN1 using s0 interface, LAN2 using e0 interface and LAN3 using s1 interface.

I visualize IN and OUT in the following manner:

* Traffic from lan2 gets IN to the router through e0
* Traffic from lan2 can get OUT of the router through either s0 or s1
* Traffic from lan1 can get IN to the router through s0
* Traffic from lan1 can get OUT of the through e0 or s1

Doesn't it make sense to say “block lan2 traffic coming IN to the router through e0” rather than saying “block lan2 traffic going OUT from router through e0.” Other correct statement would be “block lan2 traffic going OUT from router through s0.”

badboyziggy

Tnax alot that really help to clarify some things, seems like u guys r gonna be the ones to help me pass the exam