Access List In/Out clarification

Hello everyone, I have a clarifying question re: placing an access list into or out of an interface.

let's say for the sake of keeping it basic that I have this topology:

PC1--->E0Router1E1<----PC2

If I want to apply an access list that deny's all packets with source add pc1 to PC2 can I do it two ways:

Place an IN access-group command on E0 or an OUT access-group command on E1? Would the Cisco recommended way be to put it on E1 since it's the closest to the destination?

This is regarding Standard ACL's but I'm assuming this will also come up on Extended ones.

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

/usr

That sounds correct. Standard ACLs should be placed as close to the destination as possible so they do not block traffic you do not wish to block.

Extended ACLs should be placed as close to the source as possible.

jscimeca715

Cool that's what I thought. That was the one obstacle to understanding these things. There's just two different ways of saying the same thing but there is a best practice (placing close to destination in standard and close to source in extended.) I thought there was some secret algorithm you had to run to determine which one it was!

mzinz

jscimeca715 wrote: »

Cool that's what I thought. That was the one obstacle to understanding these things. There's just two different ways of saying the same thing but there is a best practice (placing close to destination in standard and close to source in extended.) I thought there was some secret algorithm you had to run to determine which one it was!

As said above, for _extended_ ACL's you always want them as close to the source as possible. The reason this is done is to have the traffic dropped *before* the CPU has to spend cycles looking at the packet and making judgments of where to send it.