ip access-group in or out?

Hey everybody,
When it comes to the access-lists, I am having trouble understanding how to apply them to the interface. In other words, I don't know when to type "in" or to type "out". What does "in" and "out" mean? Is this different when extended than standard? Any help on this subject is greatly appreciated.

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

sprkymrk

The way I was taught to determine if it should be in or out is this:
Draw a picture of your router and each network it is attached to. Now place your pencil on the interface in question (E0, E1, S0, etc) and decide if the packet is coming INto the interface from the attached network or leaving OUT the interface from the router itself (in other words a different ineterface). It's really easy once you get this concept.

wizarddeath

Another way to place the list is, extended go as close to the SOURCE as possible(so most likely the closet IN interface), while standard list go as close to the DESTINATION as possible(meaning closest out interface to where the packet is heading).

Danman32

Think of the router as the earth, and the internals of the router as the center of the earth, with the interfaces of the router as crater openings into the earth. Either you are going IN the earth, or you are coming OUT of the earth. You'll have to pass through the center to get from one opening to the other, going into one, passing through the earth (router) and coming out another crater.

I agree though kowing the optimal interface to place an ACL can be tricky. The trick is to not require the router to do a lot of work to route a packet that is never going to go anywhere anyway based on the ACL. You can almost think of it this way: A good car dealer will get a basic understanding of your finances before going through all the trouble of finding you a car, going through all the paperwork, only to find out you can't pay for the car in the first place. There's no sense in a router trying to figure out where a packet is going to go only to find out that the packet is not allowed to leave in the first place. However, you have to be careful that you don't block packets from being routed to interfaces that it is allowed to go to even if it is not allowed in others. Again with the car dealer example, it would not be a good idea for a dealer to not talk to you because you only have $10K to spend since there are some cars on his lot that you could afford at that price, though there are others you are not allowed to touch.

EdTheLad

Danman32 wrote:

Think of the router as the earth, and the internals of the router as the center of the earth, with the interfaces of the router as crater openings into the earth. Either you are going IN the earth, or you are coming OUT of the earth. You'll have to pass through the center to get from one opening to the other, going into one, passing through the earth (router) and coming out another crater.

Or another example,
Think of a router with input/output ports, data enters INto the router and leaves OUT of the router.

Think of your house, you walk IN the front door and you walk OUT the back door.You can also walk IN the backdoor and OUT the front door,but dont forget your keys.

I could do this all day but i should get back to study.

Danman32

... and every time you have to go from the front door to the back door, or vice versa, you have to ask the butler how to get through the house to get to the other door. When you get to the other door, it is locked and you don't have the key. The butler is tired of you wasting his time in getting to a door you can't open.