Access-lists in or out dilemma???

itdaddyitdaddy Senior MemberPosts: 2,088Member ■■■■□□□□□□
Okay ACL gurus.

I know I know this subject has been beaten to death but I just do not understand
when in or out do you apply..the ACL...I guess what I really do not understand
is why you would apply the ACL to an interface going out?? going in sure but going
out??

I do not understand the imagination of riding the bits and bites on the cable like a cable car scenario.

To me it makes sence better if you would explain to me why and give me examples
to which it is based off of from the or can you give me any good documents on from what point do I apply and ACL.

Say for example you have two routers to go through? do you place the ACL on the out of one router and on the in and out of the other?? confused.??
thanks

Comments

  • dtlokeedtlokee Posts: 2,381Member
    It all depends on what you're trying to accomplish. The Cisco rule is to place an extended ACL as close as possible to the source while a standard acl should be placed close to the destination. This would imply that you should place an extended ACL inbound on the input interface and the standard acl outbound on the output interface. Now if the router has 3 or more interfaces you will need to consider the optimal way to apply it so you're not testing the same packets against the same ACL on different interfaces.
    The only easy day was yesterday!
  • APAAPA Posts: 959Member
    Put yourself inside the router........

    Now visualize the traffic flow......

    Which interface is the traffic going into (in) and where will it be exiting (out)........

    :D

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP
  • itdaddyitdaddy Senior Member Posts: 2,088Member ■■■■□□□□□□
    thanks guys
    i will try practicing these techniques. Iwill ride the cat 5 icon_lol.gif
  • phantasmphantasm Posts: 995Member
    I just whipped this up. I believe it's correct. lol. If it's not, let me know and I'll redo it.

    ACL.gif
    "No man ever steps in the same river twice, for it's not the same river and he's not the same man." -Heraclitus
  • PashPash Posts: 1,601Member ■■■■■□□□□□
    phantasm wrote:
    I just whipped this up. I believe it's correct. lol. If it's not, let me know and I'll redo it.

    ACL.gif

    It's not very clear phantasm.

    Funnily enough as APA says the best way is to put yourself on the wire, literally. Inbound traffic is coming in on the wire, outbound traffic is going out on the wire. Remember this and its extremely helpful when designing ACL locations.
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • itdaddyitdaddy Senior Member Posts: 2,088Member ■■■■□□□□□□
    thank a lot! yeah i was doing some ACLs last night and i get it i just have to play with them
    ;) play play play
  • eleguaelegua Posts: 282Member
    Hi itdaddy,

    Here's one example when to use (out) in the access list, standard access list has a rule:
    Place standard access list close to the destination as possible.
    

    Knowing this, here's an example based on this Picture.

    accesslistps2.jpg

    Example:

    Deny PC-1 access to FTP-server using standard access-list:

    Router_A(config)#access-list 10 deny host 192.168.3.1
    Router_A(config)#access-list 10 permit any
    
    Router_A(config)#interface FastEthernet0/1
    Router_A(config)#ip access-group 10 out <-- Using Out
    

    As you can see in the picture, the traffic flow from PC-1 to the FTP-Server, the Inbound interface will be s0/1 and the outbound interface will be FE0/1 in Router_A, Why in router_A interface FE0/1?, because if you deny on s0/1 In you are denying access to the Web-Server as well and you only want deny access from PC-1 to the FTP-Server.

    If you want access to the FTP-Server and deny access to Web-Server you only have to apply the ip access-group 10 out on the FE0/2 interface.

    If you want to deny PC-1 to access network 192.168.1.0, then you apply the ip access-group 10 in on the s0/1 interface in Router_A or in Router_B outbound interface, if you deny traffic on interface e0/1 on Router_B you also are denying PC-1 access other devices in your network and that is why you have to place a standard access list close to the destination as possible.

    This's not the best explanation but you can have a better idea.

    Hope this Help. icon_wink.gif icon_wink.gif
  • PashPash Posts: 1,601Member ■■■■■□□□□□
    good explanation elegua, exactly as you cannot define source address in an standard ACL, hence why you should put it as close to the destination as possible.
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • NullCodeNullCode Posts: 73Member ■■□□□□□□□□
    thx elegua ..for the reply .. it helped me too ;)
  • kentrgkentrg Posts: 18Member ■□□□□□□□□□
    great explanation elegua
Sign In or Register to comment.