Inbound or Outbound?

mwill

Hi all,

I'm currently studying for my CCNA and would like some help if one could give.

I'm confused with access-list's. The part i'm confused on is: When to apply an ACL on an inbound interface or outbound interface. I always want to put it on an inbound inteface to restirct traffic from comming into the router to begin with so it would stop the waste of CPU cycles.

However from reading and studying they put most on outbound interfaces and not inbound or vice versa. I cant seem to find anywhere that gives me enough information on when or why to place an ACL on outbound or inbound!

Can somone help me clear this up before the big day?

Thanks in advance,
mwill

Gogousa

Everything depends on what ACL are you using and what do you want to achieve. Standard ACL can only filter on source IP, but on Extended ACL you can filter by many parameters, like source or destination IP, PORT, etc.
If you understand this, imagine you are a packet traveling through the cable and you bring with you information like source IP and destination IP, you are getting into the router and you find the interface (if someone applies and outbound ACL your are not going to be checked by this ACL), but if someone puts and Inbound interface you are going to be checked by this. The key to understand where to apply the ACL is to understand what information is bringing the packet that you are trying to block.
By general rule you apply Standard ACL as close to the destination as possible, because can only filter on source address, so if you apply a Standard ACL close to the source every packet that is trying to go out is going to match the ACL and be dropped.
Extended ACL are applied close to the source (not to waste CPU like you said), you can do this because extended ACL is more flexible on the rules and you can filter by source or destination for example.
I hope this can help you a little bit.

mwill

Thanks for the reply Gogousa.

I do understand where to place the standard or extended access list entry. However when to place it on the "in" or "out" interface is my problem.

I think i comperhend it some by following the packet and thinking where it should placed. But i'm not always 100% correct.

Is there an easier way to know where to place the entry on either "in" or "out"?

kplab

Use the following configuration as an example:

LAN1

---

Router A

---

LAN2
LAN3

---

LAN1, LAN2, and LAN3 are connected through Router A.

If you want to block traffic from a range of IP addresses in LAN1 to all other networks, you need to apply the standard access list on the LAN1 interface inbound.

If you want to block traffic from a range of IP addresses in any LAN to LAN2 only, you need to apply the standard access list on the LAN2 interface outbound.

SV

Try going through this link:

http://www.techexams.net/forums/viewtopic.php?p=63422#63422

This is taken from the post.


Lets say you have a router (THE_ROUTER) connected to LAN1 using s0 interface. LAN2 using e0 interface and LAN3 using s1 interface.

I visualize IN and OUT in the following manner:

* Traffic from lan2 gets IN to the router through e0
* Traffic from lan2 can get OUT of the router through either s0 or s1
* Traffic from lan1 can get IN to the router through s0
* Traffic from lan1 can get OUT of the through e0 or s1

Doesn't it make sense to say “block lan2 traffic coming IN to the router through e0” rather than saying “block lan2 traffic going OUT from router through e0.” Other correct statement would be “block lan2 traffic going OUT from router through s0.”

mwill

Thanks for the help guys. I understand it better now.

darkuser

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml