nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Access-lists in or out dilemma???

itdaddy

Okay ACL gurus.

I know I know this subject has been beaten to death but I just do not understand
when in or out do you apply..the ACL...I guess what I really do not understand
is why you would apply the ACL to an interface going out?? going in sure but going
out??

I do not understand the imagination of riding the bits and bites on the cable like a cable car scenario.

To me it makes sence better if you would explain to me why and give me examples
to which it is based off of from the or can you give me any good documents on from what point do I apply and ACL.

Say for example you have two routers to go through? do you place the ACL on the out of one router and on the in and out of the other?? confused.??
thanks

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

dtlokee

It all depends on what you're trying to accomplish. The Cisco rule is to place an extended ACL as close as possible to the source while a standard acl should be placed close to the destination. This would imply that you should place an extended ACL inbound on the input interface and the standard acl outbound on the output interface. Now if the router has 3 or more interfaces you will need to consider the optimal way to apply it so you're not testing the same packets against the same ACL on different interfaces.

APA

Put yourself inside the router........

Now visualize the traffic flow......

Which interface is the traffic going into (in) and where will it be exiting (out)........

itdaddy

thanks guys
i will try practicing these techniques. Iwill ride the cat 5

phantasm

I just whipped this up. I believe it's correct. lol. If it's not, let me know and I'll redo it.

Pash

phantasm wrote:

I just whipped this up. I believe it's correct. lol. If it's not, let me know and I'll redo it.

It's not very clear phantasm.

Funnily enough as APA says the best way is to put yourself on the wire, literally. Inbound traffic is coming in on the wire, outbound traffic is going out on the wire. Remember this and its extremely helpful when designing ACL locations.

itdaddy

thank a lot! yeah i was doing some ACLs last night and i get it i just have to play with them

play play play

elegua

Hi itdaddy,

Here's one example when to use (out) in the access list, standard access list has a rule:

Place standard access list close to the destination as possible.

Knowing this, here's an example based on this Picture.

Example:

Deny PC-1 access to FTP-server using standard access-list:

Router_A(config)#access-list 10 deny host 192.168.3.1
Router_A(config)#access-list 10 permit any

Router_A(config)#interface FastEthernet0/1
Router_A(config)#ip access-group 10 out <-- Using Out

As you can see in the picture, the traffic flow from PC-1 to the FTP-Server, the Inbound interface will be s0/1 and the outbound interface will be FE0/1 in Router_A, Why in router_A interface FE0/1?, because if you deny on s0/1 In you are denying access to the Web-Server as well and you only want deny access from PC-1 to the FTP-Server.

If you want access to the FTP-Server and deny access to Web-Server you only have to apply the ip access-group 10 out on the FE0/2 interface.

If you want to deny PC-1 to access network 192.168.1.0, then you apply the ip access-group 10 in on the s0/1 interface in Router_A or in Router_B outbound interface, if you deny traffic on interface e0/1 on Router_B you also are denying PC-1 access other devices in your network and that is why you have to place a standard access list close to the destination as possible.

This's not the best explanation but you can have a better idea.

Hope this Help.

Pash

good explanation elegua, exactly as you cannot define source address in an standard ACL, hence why you should put it as close to the destination as possible.

NullCode

thx elegua ..for the reply .. it helped me too

kentrg

great explanation elegua