Dam You ACLs..... In or Out?

tuscani Member Posts: 121
I am just not getting it... I can master subnetting no prob.. But I cannot figure out when to apply an ACL inbound or outbound? Can someone lay it out in layman's terms?

Every time I "think" I have it.. I find another question that gets me all confused.

The technotes show this example:

---



You can prevent SMTP traffic originating from the WANs from traveling over link A to an SMTP server with destination 192.168.115.20 by putting an outbound extended IP access list on the Serial 0 interface of RouterX and using the following commands on RouterX (or RouterY):

router(config)#access-list 105 deny TCP any host 192.168.115.20 eq SMTP
router(config)#access-list 105 permit IP any any
router(config)#interface serial 0
router(config-if)#ip access-group 105 out

---

Why is this out? Wouldn't packets coming from the WAN be inbound on s0?

Thanks.

Comments

  • marlon23 Member Posts: 164
    In and Out defines when you want packets to be filtered.
    Out - Traffic leaving interface - after routing decision
    In - Traffic coming to interface - before routing decision.

    So little example:

    Imagine this :
    -We will ignore the recommendation about placing ACLs
    -draw this
    S1 - Internet
    E0 - LAN 1 (172.16.1.0)
    E1 - LAN 2 (172.16.2.0)


    Let us consider ACL 160 blocking IP of **** servers (by destination ip, very looong list)
    Let us consider ACL 161 blocking ftp to 172.16.0.0(our LAN) network.

    When you put ACL 160 on E0&inbound, JohnyD from E1 can still browse ****. When you put it on E1&inbound, ClarkC from E0 can browse. When you put it on E1 or E0 outbound. But when you put it on s1&outbound, JohnyD and ClarkC have to work.
    Now ACL 161, when you put it on s1&inbound you will protect all your network. When you put it on one Enet outbound, you will protect one of your LANs (E0, LAN1..). When you put it on one E as inbound, you will block ftp to another LAN.


    As you can see, placement in different places has a different effect, and out&in have different effects too. So placement very much depends on what you wanna do, and where you want to place the ACL.
    Cisco's advice is to put extended ACLs as close to the source as possible, and standard ACLs as close to the destination as possible. And then, based on the direction your traffic is flowing, put in or out. And when you know the place, you can write the ACL to fit your needs. And it is a lot harder to choose the placement of an already created ACL.


    And this tech example:

    When you put it out you will block all your users access to smtp server somewhere in WAN, and when you put it in, you will block all users from outside of your network to reach that smtp server on your lan.
    And as they speak about blocking smtp from WAN, I'll choose to place it on s0 as inbound. (when you wanna place it s0&out you have to filter based only on source ip of server only, so they can reach server but no packet will travel from server to them)


    I hope that this will help you :)
    LAB: 7609-S, 7606-S, 10008, 2x 7301, 7204, 7201 + bunch of ISRs & CAT switches
  • david_r Member Posts: 112
    Take a deep breath, look at the second diagram again and accept the fact that you probably do understand ACLs :D

    Ser 0 is not the WAN connection on router X. Since this is an extended ACL, you want to place it as close to the source as possible. If you place it any closer to the source, you'll have to place it inbound on two interfaces. That could get complicated in the real world.
  • Danman32 Member Posts: 1,243
    Become one with the packets, and all will become clear.

    In other words, pretend to be a packet flowing through the router, and figure out what the ACL would do with such packets.
  • tuscani Member Posts: 121
    Thanks all. This helps... But since Cisco says to place the extended ACLs closest to the source.. why not apply the ACL to s1 on Router Y as inbound?
  • tuscani Member Posts: 121
    david_r wrote:
    Take a deep breath, look at the second diagram again and accept the fact that you probably do understand ACLs :D

    Ser 0 is not the WAN connection on router X. Since this is an extended ACL, you want to place it as close to the source as possible. If you place it any closer to the source, you'll have to place it inbound on two interfaces. That could get complicated in the real world.


    Two places? Wouldn't you just define the inbound ACL to S1 on Router Y?
  • Danman32 Member Posts: 1,243
    Ideally, you would want to control the traffic as close to the source as possible to reduce the routing work the router would have to do, only to have to discard it at the end. However, you also have to consider YOUR administrative effort. If you have several potential source interfaces, but only one destination, it might be better to place the ACL at the destination interface.

    But then, it's only one text-based script, and only one ACL list potentially used by the multiple source interfaces, so even then it might be better to apply the ACL to the source interfaces.

    If you have to update 10 interfaces/subinterfaces by hand, you might disagree with the previous paragraph though.
  • lwwarner Member Posts: 147
    justindu wrote:
    Two places? Wouldn't you just define the inbound ACL to S1 on Router Y?
    You could, but by placing the ACL outbound on RouterX's S0 you prevent the traffic from crossing link A just to be dropped by Y, while still avoiding duplication of the ACL.

    In addition to the info above, another reason to avoid duplicating the ACL (inbound on X's S1 & S2) is that when you inevitably add the 3rd, 4th, etc., WAN links you don't have to remember to filter each of these also, and then wonder why the bad guys are beating on your server when you forget...

    IMO the best answer here is the one provided by the TechNote: The ACL goes outbound on X's S0. This is the single point closest to the source of the traffic. This allows you to drop the traffic as soon as possible in one place.
  • david_r Member Posts: 112
    Thanks all. This helps... But since Cisco says to place the extended ACLs closest to the source.. why not apply the ACL to s1 on Router Y as inbound?
    Two places? Wouldn't you just define the inbound ACL to S1 on Router Y?
    Where's the source? If we are trying to block traffic from the WAN with an extended ACL, it should be placed as close to the WAN interface as reasonable. Since there are two WAN interfaces, a real world decision to place it outbound (to the LAN) on the internal interface of the WAN router was made and not on router Y which is further away from the source than desired. Not likely to come up in the test, I would guess.
  • Danman32 Member Posts: 1,243
    As a form question, they may ask you for the best place to put the ACL. For those of us who have taken MS tests, there may be multiple choices that would technically work, but when they say 'best' or 'least administrative effort', often that limits the choice to one.

    For a SIM, it may not matter other than time constraints, unless they qualify your objectives with 'least administrative effort' or some other constraint like that.
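
The packet walk suggested in the thread, written out as an added example that is not part of any poster's message or of the TechNote: it models inbound checks before the routing decision and outbound checks after it, then applies ACL 105 at different points on RouterX. The topology (S1 and S2 facing the WANs, S0 facing link A) is an assumption reconstructed from the replies because the diagram is not on the page; the source address 203.0.113.7 and all function names are constructed for illustration.

```python
import ipaddress

# ACL 105 from the TechNote as (action, protocol, destination, dest port) rules.
ACL_105 = [("deny", "tcp", "192.168.115.20/32", 25),
           ("permit", "ip", "0.0.0.0/0", None)]

def acl_permits(acl, pkt):
    """First matching rule wins; no match falls through to the implicit deny."""
    dst = ipaddress.ip_address(pkt["dst"])
    for action, proto, net, port in acl:
        if (proto in ("ip", pkt["proto"]) and dst in ipaddress.ip_network(net)
                and port in (None, pkt["dport"])):
            return action == "permit"
    return False

def forward(router, in_if, pkt):
    """Walk one packet through a router: (out_if, None) or (None, drop reason)."""
    acl = router["acl"].get((in_if, "in"))
    if acl and not acl_permits(acl, pkt):      # "in": checked before routing
        return None, f"dropped inbound on {in_if}"
    dst = ipaddress.ip_address(pkt["dst"])
    out_if = next(i for net, i in router["routes"]
                  if dst in ipaddress.ip_network(net))
    acl = router["acl"].get((out_if, "out"))
    if acl and not acl_permits(acl, pkt):      # "out": checked after routing
        return None, f"dropped outbound on {out_if}"
    return out_if, None

def router_x(placements):
    """RouterX as assumed here: S1/S2 face the WANs, S0 faces link A."""
    return {"routes": [("192.168.115.0/24", "S0"), ("0.0.0.0/0", "S1")],
            "acl": {p: ACL_105 for p in placements}}

# Constructed sample packet: SMTP from a WAN host to the protected server.
SMTP = {"proto": "tcp", "src": "203.0.113.7", "dst": "192.168.115.20", "dport": 25}

def crosses_link_a(placements, pkt=SMTP):
    """Per WAN-facing ingress: is the packet sent out S0 onto link A?"""
    rx = router_x(placements)
    return {wan: forward(rx, wan, pkt)[0] == "S0" for wan in ("S1", "S2")}

if __name__ == "__main__":
    for placements in ([("S0", "out")], [("S0", "in")], [("S1", "in")],
                       [("S1", "in"), ("S2", "in")]):
        print(placements, crosses_link_a(placements))
```

With the ACL inbound on S0 nothing is filtered, because WAN packets enter RouterX on S1 or S2 and only leave through S0; inbound on S1 alone leaves the S2 path open.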