ACL in vs out

Z3-Masterd Member Posts: 61
Hey guys,

When it comes to applying an ACL to an interface, could someone give me a rule of thumb or an analogy as to when / why to apply the ACL as in or out? As long as it's applied, does it really matter whether it's in or out? Help me out here!

Comments

  • EdTheLad Member Posts: 2,111
    Z3-Masterd wrote:
    Hey guys,

    When it comes to applying an ACL to an interface, could someone give me a rule of thumb or an analogy as to when / why to apply the ACL as in or out? As long as it's applied, does it really matter whether it's in or out? Help me out here!

    Here's an analogy for you: you win a competition called money throw, and you are given 4 guys with big sacks of 10 dollar bills. You have 1 minute to complete the task. 2 guys are allowed inside the house and 2 guys outside the house. The guys inside the house stand at the front and back window respectively; likewise the guys outside stand at the front and the back of the house respectively. Now it's your choice who throws the money; whatever money is left in your house at the end you keep.

    A) Will you have the guys inside the house throwing the money out?
    B) Will you have the guys outside throwing the money in?
    C) Will both sets throw the money in and out?

    Does it really matter? It depends if you want the money, I suppose!
    So it would also depend if you want the data or not.
    Networking, sometimes I love it, mostly I hate it. It's all about the $$$$
  • rakem Member Posts: 800
    It helps if there is a diagram of the question, otherwise just try and picture the network in your mind...

    The way I remember it is, I trace the path that the traffic is flowing with my finger: if router A sends some packets to router B then the packet is going OUT the router A interface and then IN router B; if router B forwards that packet to another one of its networks then it is going OUT.

    Similarly, if router B sends packets to router A it is going OUT of the router B interface and IN the router A interface; then if router A forwards the traffic to another network it is going OUT the router A interface.

    Just try and visualise it and you will get it.
    CCIE# 38186
    showroute.net
  • agustinchernitsky Member Posts: 299
    Hi,

    Always stand on the router... if traffic is going towards you from an interface x (call it e0), then it's IN. If traffic is going from you on e0, then it's e0.

    Remember that (if possible):

    1.- Standard access lists should be placed near the destination
    2.- Extended access lists should be placed near the source

    Also, remember what source addresses and destination addresses you should expect, i.e.:

    NET A (192.168.0.0/24) --- e0 [ROUTER] e1 --- (192.168.1.0/24) NET B

    e0 IN traffic: Src IP: 192.168.0.0/24, Dst IP: 192.168.1.0/24 or GW.
    e0 OUT traffic: Src IP: 192.168.1.0/24 or GW, Dst IP: 192.168.0.0/24.

    The same idea for e1.

    Hope it helps!
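To make the direction question concrete, here is an added example (not from any poster in this thread) that models the two-interface router drawn above and shows which ACL a packet from NET A to NET B actually passes through; the host addresses, the `forward`/`acl_permits` helpers and the "deny A to B" list are constructed for the demo.

```python
from ipaddress import ip_address, ip_network

# Constructed topology from the diagram above (example code, not Cisco IOS):
# NET A (192.168.0.0/24) --- e0 [ROUTER] e1 --- (192.168.1.0/24) NET B
INTERFACES = {"e0": ip_network("192.168.0.0/24"), "e1": ip_network("192.168.1.0/24")}

def acl_permits(acl, src, dst):
    """First-match evaluation of (action, src_net, dst_net) entries, implicit deny at the end."""
    for action, src_net, dst_net in acl:
        if ip_address(src) in ip_network(src_net) and ip_address(dst) in ip_network(dst_net):
            return action == "permit"
    return False  # implicit 'deny any' that every real ACL ends with

def egress_interface(dst):
    """Pick the outgoing interface by the connected network the destination belongs to."""
    for name, net in INTERFACES.items():
        if ip_address(dst) in net:
            return name
    return None

def forward(acls, ingress, src, dst):
    """Return 'forwarded' or which ACL dropped the packet. acls maps (iface, direction) -> acl."""
    if (ingress, "in") in acls and not acl_permits(acls[(ingress, "in")], src, dst):
        return f"dropped by {ingress} in"
    egress = egress_interface(dst)
    if (egress, "out") in acls and not acl_permits(acls[(egress, "out")], src, dst):
        return f"dropped by {egress} out"
    return "forwarded"

# Constructed ACL: block NET A -> NET B, allow everything else
BLOCK_A_TO_B = [("deny", "192.168.0.0/24", "192.168.1.0/24"), ("permit", "0.0.0.0/0", "0.0.0.0/0")]

def demo():
    a_host, b_host = "192.168.0.10", "192.168.1.20"  # constructed hosts
    results = {}
    # Sensible placements: A->B traffic enters on e0 and leaves on e1
    results["e0 in"] = forward({("e0", "in"): BLOCK_A_TO_B}, "e0", a_host, b_host)
    results["e1 out"] = forward({("e1", "out"): BLOCK_A_TO_B}, "e0", a_host, b_host)
    # Wrong placement: A->B traffic never goes OUT e0, so that ACL never sees it
    results["e0 out"] = forward({("e0", "out"): BLOCK_A_TO_B}, "e0", a_host, b_host)
    # What e0 OUT does see is the reply B->A, which the deny entry does not match
    results["reply via e0 out"] = forward({("e0", "out"): BLOCK_A_TO_B}, "e1", b_host, a_host)
    return results

if __name__ == "__main__":
    for placement, outcome in demo().items():
        print(f"{placement:18} -> {outcome}")
```

The same three-line list drops the flow when applied where the flow actually travels (e0 in or e1 out) and is simply never consulted when applied e0 out, which is the practical answer to "does it matter".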
  • DirtySouth Member Posts: 314
    Like others have mentioned, I always picture myself inside the router. Is traffic coming in to the router or going out through an interface?