Question on ACLs
JVE
Member Posts: 76
in CCNA & CCENT
I can write an ACL just fine. My problem is the wording on a test, and actually in real life: what determines, or at least helps decipher, when an access list should be applied "in" or "out"?
The wording on the test usually kills me for this. Any advice here would be appreciated. Thanks in advance
Comments
Danman32 Member Posts: 1,243
In is from outside the router into the router. Out is from the router to outside the router.
Think of a building with many doors as a router with many interfaces. You want to go from door A to door C. You go in door A and out door C.
JVE Member Posts: 76
OK, that sounds great, but when do you apply an "in" - when you don't want someone gaining access to something actually on the router?
That is more what I am talking about. When do you put an in, in what scenario, vs. when you put an out? An example would be nice. Thanks
Danman32 Member Posts: 1,243
Well, it all depends. A packet has a source address and a destination address. A standard ACL can only 'filter' on the source address, where an extended ACL can filter on either or both.
So if you had a host on a network that you didn't want to be able to get to any other network via the router, you could put a standard ACL on the same interface as the blocked host using an IN assignment. This would avoid the router having to route the packet, since it is blocked before it gets in. You could also use a standard ACL on the remaining interfaces as an OUT, but that would be more work to administer, and the router would have to route the packet, only to have it discarded.
However, if you only wanted one network blocked for that host, then you could put a standard ACL blocking that packet on the same interface connecting to the blocked destination. Again though, the router would route unnecessarily, but with standard you don't have much of a choice. Instead though, you could put an extended ACL on the 'source' port as an IN, specifying both the source host and the destination host or network to be denied. Thus the packet is dropped before it gets routed.
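To make the three placements in the reply above concrete, here is an added Python model (not from the thread, and not Cisco IOS code) of a router with three constructed interfaces; it reports whether a packet is dropped before or after the routing lookup. The interface names, addresses and ACL contents are assumptions made for illustration.

```python
# Added example: toy router model for ACL direction (IN vs OUT) and placement.
from ipaddress import ip_network, ip_address

# Constructed topology: interface -> directly connected network.
INTERFACES = {
    "Fa0/0": ip_network("10.0.0.0/24"),  # the blocked host lives here
    "Fa0/1": ip_network("10.0.1.0/24"),
    "Fa0/2": ip_network("10.0.2.0/24"),
}
BLOCKED_HOST = ip_address("10.0.0.5")   # constructed host to be filtered
ANY = ip_network("0.0.0.0/0")

# An ACL is a list of (action, src_net, dst_net). dst_net None = standard ACL
# (source only). The implicit "deny any" at the end is the default return.
def match(acl, src, dst):
    for action, src_net, dst_net in acl:
        if src in src_net and (dst_net is None or dst in dst_net):
            return action
    return "deny"

def forward(inbound, outbound, src, dst):
    """Return (decision, routed): was the packet dropped, and did it reach routing?"""
    ingress = next(i for i, n in INTERFACES.items() if src in n)
    egress = next(i for i, n in INTERFACES.items() if dst in n)
    if ingress in inbound and match(inbound[ingress], src, dst) == "deny":
        return "dropped", False          # IN ACL: dropped before the routing lookup
    if egress in outbound and match(outbound[egress], src, dst) == "deny":
        return "dropped", True           # OUT ACL: routed first, then discarded
    return "forwarded", True

HOST_ONLY = [("deny", ip_network("10.0.0.5/32"), None), ("permit", ANY, None)]

def standard_inbound_on_source():
    """Option 1: standard ACL applied IN on the host's own interface."""
    return forward({"Fa0/0": HOST_ONLY}, {}, BLOCKED_HOST, ip_address("10.0.1.9"))

def standard_outbound_on_others():
    """Option 2: same standard ACL applied OUT on every other interface."""
    outs = {"Fa0/1": HOST_ONLY, "Fa0/2": HOST_ONLY}
    return forward({}, outs, BLOCKED_HOST, ip_address("10.0.1.9"))

def extended_inbound_one_destination():
    """Option 3: extended ACL IN at the source, denying only one destination network."""
    acl = [("deny", ip_network("10.0.0.5/32"), ip_network("10.0.2.0/24")),
           ("permit", ANY, ANY)]
    blocked = forward({"Fa0/0": acl}, {}, BLOCKED_HOST, ip_address("10.0.2.9"))
    allowed = forward({"Fa0/0": acl}, {}, BLOCKED_HOST, ip_address("10.0.1.9"))
    return blocked, allowed
```

Running the three functions shows that only the OUT placement lets the packet consume a routing lookup before being discarded, which is the extra work the reply warns about.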
JVE Member Posts: 76
Thank you, you have helped me out with that! I am taking my test Sat morning and was having trouble with that and did not want to miss that on the test. Thanks