access list question
examseeker
Member Posts: 118
in CCNA & CCENT
Sorry if this sounds dumb or whatnot, but I am having trouble deciding when to use out and in for access lists. It seems that when I study different texts, I think I know what I am doing, and then the text does the opposite of what I think I should use. Could you provide a source or a way of learning when to use 'out' and 'in' in access lists?
Most standard lists are out and extended lists are in--right?
Thank you for your help.
es
Comments
-
JayrodEF Member Posts: 111
Standard ACLs only filter on source address; extended lists can filter on both source and destination address. Try to think of the signal "flowing" when thinking of directions. If the traffic you're trying to block is flowing from another device into the device where the ACL is, then you filter on the IN direction. If you're trying to filter traffic that is flowing out of the same device where you apply the ACL, then you would use the OUT direction. Hope that helps.
-
elegua Member Posts: 282
Hi examseeker,
Here's one example of when to use (out) in the access list. Standard access lists have a rule: place a standard access list as close to the destination as possible.
Knowing this, here's an example based on this picture.
Example:
Deny PC-1 access to the FTP-server using a standard access-list:

Router_A(config)#access-list 10 deny host 192.168.3.1
Router_A(config)#access-list 10 permit any
Router_A(config)#interface FastEthernet0/1
Router_A(config-if)#ip access-group 10 out    <-- Using Out

As you can see in the picture, the traffic flows from PC-1 to the FTP-Server; the inbound interface will be s0/1 and the outbound interface will be FE0/1 on Router_A. Why interface FE0/1 on Router_A? Because if you deny on s0/1 in, you are denying access to the Web-Server as well, and you only want to deny access from PC-1 to the FTP-Server.
If you want to allow access to the FTP-Server and deny access to the Web-Server, you only have to apply the ip access-group 10 out on the FE0/2 interface instead.
If you want to deny PC-1 access to network 192.168.1.0, then you apply the ip access-group 10 in on the s0/1 interface of Router_A, or on Router_B's outbound interface. If you deny the traffic on interface e0/1 of Router_B, you are also denying PC-1 access to the other devices in your network, and that is why you have to place a standard access list as close to the destination as possible.
This isn't the best explanation, but it should give you a better idea.
Hope this helps.
-
sprkymrk Member Posts: 4,884
I think in the real world you almost always use "in" for an ACL that is used for security. In the above example I would have used an extended access list on router B and applied it to the inbound of E0/1.
I could be wrong, but I thought the rule of thumb was to always apply an ACL "closest to source" to reduce traffic. Why have a packet traverse all the way through router B and the serial (WAN) link only to be stopped at the last moment?
EDIT>> However, I see on a second glance that you did ask about standard vs. extended, in which case you are correct.
Anyway, that's just my take, and since I haven't cracked open a Cisco book in years I certainly could be wrong.
(Sneaks out of Cisco forums and hopes no one notices I was ever here.)
All things are possible, only believe.
-
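The two placements debated in this thread (elegua's standard ACL applied out near the destination, and sprkymrk's extended ACL applied in near the source) can be checked against a small model of how IOS evaluates ACLs: the inbound list is consulted when a packet arrives on an interface, the routing lookup picks the egress interface, the outbound list is consulted before the packet leaves, and every list ends in an implicit deny. The simulator below is an added example, not code from any poster. Since the picture is not reproduced here, the topology and addresses are assumptions: PC-1 at 192.168.3.1 behind Router_B e0/1, a serial link to Router_A s0/1, an FTP server at 192.168.1.10 on fa0/1 and a web server at 192.168.2.10 on fa0/2; the class and function names are the example's own, and the path is a fixed two-hop walk rather than a real routing table.

```python
# Added example: Cisco ACL direction semantics ('in' checked on arrival, 'out'
# before transmit, implicit deny at the end). All names/addresses are assumed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None

@dataclass
class Ace:
    """One access-list entry; a standard ACL sets only action and src."""
    action: str
    src: str = "any"
    dst: str = "any"
    proto: str = "ip"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        def covers(net, addr):
            return net == "any" or ip_address(addr) in ip_network(net, strict=False)
        return (covers(self.src, p.src) and covers(self.dst, p.dst)
                and self.proto in ("ip", p.proto)
                and (self.dport is None or self.dport == p.dport))

def evaluate(acl: list[Ace], p: Packet) -> str:
    for ace in acl:                 # first matching entry wins
        if ace.matches(p):
            return ace.action
    return "deny"                   # implicit deny any at the end of every ACL

@dataclass
class Interface:
    routes: list[str]                                   # prefixes reached via this port
    acl_in: list[Ace] = field(default_factory=list)     # empty = no ACL applied
    acl_out: list[Ace] = field(default_factory=list)

class Router:
    def __init__(self, name: str, interfaces: dict[str, Interface]):
        self.name, self.interfaces = name, interfaces

    def egress_for(self, dst: str) -> str:
        # longest-prefix match over the static routes of every interface
        return max((ip_network(r).prefixlen, n) for n, i in self.interfaces.items()
                   for r in i.routes if ip_address(dst) in ip_network(r))[1]

    def forward(self, p: Packet, ingress: str) -> tuple[str, str]:
        """Inbound ACL, then routing lookup, then outbound ACL, in that order."""
        acl_in = self.interfaces[ingress].acl_in
        if acl_in and evaluate(acl_in, p) == "deny":
            return "denied", f"{self.name} {ingress} in"
        egress = self.egress_for(p.dst)
        acl_out = self.interfaces[egress].acl_out
        if acl_out and evaluate(acl_out, p) == "deny":
            return "denied", f"{self.name} {egress} out"
        return "forwarded", f"{self.name} {egress} out"

def build_topology() -> tuple[Router, Router]:
    router_b = Router("Router_B", {"e0/1": Interface(["192.168.3.0/24"]),
                                   "s0/0": Interface(["0.0.0.0/0"])})
    router_a = Router("Router_A", {"s0/1": Interface(["192.168.3.0/24"]),
                                   "fa0/1": Interface(["192.168.1.0/24"]),
                                   "fa0/2": Interface(["192.168.2.0/24"])})
    return router_b, router_a

def send(p: Packet, router_b: Router, router_a: Router) -> str:
    """Walk a packet from PC-1's LAN along the fixed path Router_B -> Router_A."""
    for router, ingress in ((router_b, "e0/1"), (router_a, "s0/1")):
        verdict, where = router.forward(p, ingress)
        if verdict == "denied":
            return f"denied at {where}"
    return f"delivered via {where}"

# Standard list: source only. Extended list: source, destination, protocol, port.
ACL_10 = [Ace("deny", "192.168.3.1/32"), Ace("permit")]
ACL_110 = [Ace("deny", "192.168.3.1/32", "192.168.1.10/32", "tcp", 21), Ace("permit")]
PC1_TO_FTP = Packet("192.168.3.1", "192.168.1.10", "tcp", 21)
PC1_TO_WEB = Packet("192.168.3.1", "192.168.2.10", "tcp", 80)
PC2_TO_FTP = Packet("192.168.3.2", "192.168.1.10", "tcp", 21)

def run_scenarios() -> dict[str, str]:
    results = {}
    b, a = build_topology()              # elegua: standard ACL out on fa0/1, near the destination
    a.interfaces["fa0/1"].acl_out = ACL_10
    results["std out fa0/1 PC-1->FTP"] = send(PC1_TO_FTP, b, a)
    results["std out fa0/1 PC-1->Web"] = send(PC1_TO_WEB, b, a)
    b, a = build_topology()              # same list in on s0/1: PC-1 loses everything behind Router_A
    a.interfaces["s0/1"].acl_in = ACL_10
    results["std in s0/1 PC-1->FTP"] = send(PC1_TO_FTP, b, a)
    results["std in s0/1 PC-1->Web"] = send(PC1_TO_WEB, b, a)
    b, a = build_topology()              # sprkymrk: extended ACL in on Router_B e0/1, near the source
    b.interfaces["e0/1"].acl_in = ACL_110
    results["ext in e0/1 PC-1->FTP"] = send(PC1_TO_FTP, b, a)
    results["ext in e0/1 PC-1->Web"] = send(PC1_TO_WEB, b, a)
    results["ext in e0/1 PC-2->FTP"] = send(PC2_TO_FTP, b, a)
    return results

if __name__ == "__main__":
    for label, outcome in run_scenarios().items():
        print(f"{label:26} {outcome}")
```

Running it shows the three outcomes the thread argues about: the standard list out on fa0/1 drops only PC-1's FTP traffic and lets its web traffic through; the same source-only list in on s0/1 drops both, because a standard ACL cannot tell the two destinations apart; and the extended list in on Router_B e0/1 drops PC-1's FTP traffic before it ever crosses the serial link while leaving PC-1's web traffic and a second host's FTP traffic untouched.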
geezer Member Posts: 136
sprkymrk wrote:
...I could be wrong, but I thought the rule of thumb was to always apply an ACL "closest to source" to reduce traffic. Why have a packet traverse all the way through router B and the serial (WAN) link only to be stopped at the last moment?...
(Sneaks out of Cisco forums and hopes no one notices I was ever here.)
As you can only filter by source address (and not protocols), if the standard ACL is as close to the source as possible, that would be a very short trip for the packet to the bit bucket!
Configuring ACLs
I used to be undecided, but now I'm not so sure.
There are only 10 types of people in the world: those who understand binary, and those who don't!