
Access List In/Out clarification

jscimeca715 Member Posts: 280
Hello everyone, I have a clarifying question re: placing an access list into or out of an interface.

Let's say, for the sake of keeping it basic, that I have this topology:

PC1 ---> E0 Router1 E1 <--- PC2

If I want to apply an access list that denies all packets with source address PC1 to PC2, can I do it two ways:

Place an IN access-group command on E0 or an OUT access-group command on E1? Would the Cisco recommended way be to put it on E1 since it's the closest to the destination?

This is regarding Standard ACLs but I'm assuming this will also come up on Extended ones.

Comments

  • /usr Member Posts: 1,768
    That sounds correct. Standard ACLs should be placed as close to the destination as possible so they do not block traffic you do not wish to block.

    Extended ACLs should be placed as close to the source as possible.
  • jscimeca715 Member Posts: 280
    Cool, that's what I thought. That was the one obstacle to understanding these things. There are just two different ways of saying the same thing, but there is a best practice (placing close to the destination for standard and close to the source for extended). I thought there was some secret algorithm you had to run to determine which one it was!
  • mzinz Member Posts: 328
    jscimeca715 wrote:
    > Cool, that's what I thought. That was the one obstacle to understanding these things. There are just two different ways of saying the same thing, but there is a best practice (placing close to the destination for standard and close to the source for extended). I thought there was some secret algorithm you had to run to determine which one it was!

    As said above, for _extended_ ACLs you always want them as close to the source as possible. The reason this is done is to have the traffic dropped *before* the CPU has to spend cycles looking at the packet and making judgments about where to send it.
    _______LAB________
    2x 2950
    2x 3550
    2x 2650XM
    2x 3640
    1x 2801
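To show why the two placements the original poster asks about are not interchangeable once a network has more than two hosts, here is an added example in Python (not code from this thread or from any poster). It models Router1 with the thread's E0/E1 interfaces plus an assumed third interface E2 with a host PC3 behind it, uses constructed RFC 1918 addresses, and evaluates the same three flows with a standard ACL applied inbound on E0, a standard ACL applied outbound on E1, and an extended ACL applied inbound on E0. The equivalent IOS commands are given in comments for orientation only; the simulation does not parse IOS syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing for the thread's topology (assumed, not from the post):
#   PC1 sits behind Router1's E0, PC2 behind E1. A third host PC3 behind an
#   assumed interface E2 is included only to show collateral blocking.
PC1 = "10.0.1.10"
PC2 = "10.0.2.10"
PC3 = "10.0.3.10"


@dataclass
class Ace:
    """One access-control entry. A standard ACL only ever sets `src`."""
    action: str            # "permit" or "deny"
    src: str               # host/32, a CIDR prefix, or "any"
    dst: str = "any"       # extended ACLs may also match the destination

    @staticmethod
    def _covers(spec, ip):
        return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)

    def matches(self, src_ip, dst_ip):
        return self._covers(self.src, src_ip) and self._covers(self.dst, dst_ip)


def acl_permits(acl, src_ip, dst_ip):
    """Top-down first match, with the implicit 'deny any' at the end of every IOS ACL."""
    for ace in acl:
        if ace.matches(src_ip, dst_ip):
            return ace.action == "permit"
    return False


class Router:
    def __init__(self, connected):
        self.connected = connected   # {interface: directly connected prefix}
        self.acl_in = {}             # interface -> ACL applied with 'ip access-group N in'
        self.acl_out = {}            # interface -> ACL applied with 'ip access-group N out'

    def apply(self, interface, direction, acl):
        (self.acl_in if direction == "in" else self.acl_out)[interface] = acl

    def egress_for(self, dst_ip):
        for iface, prefix in self.connected.items():
            if ip_address(dst_ip) in ip_network(prefix):
                return iface
        return None

    def forward(self, ingress, src_ip, dst_ip):
        """Return ('dropped', where) or ('forwarded', egress_interface)."""
        # Inbound ACLs are checked before the route lookup, so a drop here
        # costs no forwarding work: the point made above about extended ACLs.
        if ingress in self.acl_in and not acl_permits(self.acl_in[ingress], src_ip, dst_ip):
            return ("dropped", "inbound on " + ingress)
        egress = self.egress_for(dst_ip)
        if egress is None:
            return ("dropped", "no route")
        if egress in self.acl_out and not acl_permits(self.acl_out[egress], src_ip, dst_ip):
            return ("dropped", "outbound on " + egress)
        return ("forwarded", egress)


# IOS equivalent: access-list 1 deny host 10.0.1.10 / access-list 1 permit any
STANDARD_DENY_PC1 = [Ace("deny", PC1 + "/32"), Ace("permit", "any")]
# IOS equivalent: access-list 101 deny ip host 10.0.1.10 host 10.0.2.10 / access-list 101 permit ip any any
EXTENDED_DENY_PC1_TO_PC2 = [Ace("deny", PC1 + "/32", PC2 + "/32"), Ace("permit", "any")]


def scenario(acl, interface, direction):
    """Apply one ACL in one place and report what happens to three flows."""
    r = Router({"E0": "10.0.1.0/24", "E1": "10.0.2.0/24", "E2": "10.0.3.0/24"})
    r.apply(interface, direction, acl)
    return {
        "PC1->PC2": r.forward("E0", PC1, PC2),   # the flow the poster wants blocked
        "PC1->PC3": r.forward("E0", PC1, PC3),   # unrelated flow, should still work
        "PC2->PC1": r.forward("E1", PC2, PC1),   # return direction, should still work
    }


if __name__ == "__main__":
    placements = {
        "standard, in on E0 (near source)": (STANDARD_DENY_PC1, "E0", "in"),
        "standard, out on E1 (near destination)": (STANDARD_DENY_PC1, "E1", "out"),
        "extended, in on E0 (near source)": (EXTENDED_DENY_PC1_TO_PC2, "E0", "in"),
    }
    for label, args in placements.items():
        print(label)
        for flow, result in scenario(*args).items():
            print(f"  {flow}: {result}")
```

Running it shows the trade-off behind the rule of thumb: the standard ACL inbound on E0 does block PC1 to PC2, but it also drops PC1 to PC3 because a standard ACL can only look at the source; moved outbound on E1 it blocks only the intended flow. The extended ACL, which can name the destination, is safe to place inbound on E0 and drops the packet before any route lookup is done.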