ACL OUT vs IN ?

Even during my CCNA days this always seemed to throw me off.

access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
access-list permit ip any any
interface e0 (which is on the 172.16.3.0 subnet)
ip access-group out

Now if I am trying to access the 172.16.3.0 FROM the 172.16.4.0 subnet then would this be INBOUND?

I included a quick drawing.

Thanks

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

notgoing2fail

It would be INBOUND on E1 or OUTBOUND on E0...

Take your pick....but according to best practices since this is an extended ACL where do you place your ACL?

You place it as close to the source as possible. So in this case, E1 before the routing process.

If it were standard, you'd put it on E0 after the routing process....

flipmad

The light bulb just went off. I get it now.

thanks.

fly351

I had trouble remembering this too, but IMO the easiest way is to think "Inbound traffic to the interface" or "Outbound traffic to the interface".

To explain a little better..

ACL applied on e0 as Outbound: Traffic from e1 to e0 has been processed by the router, so the exit interface is the "outbound" interface. So the traffic isn't being sent to e0 as "inbound" traffic.

ACL applied on e1 as Inbound: Traffic to e1 from 172.16.4.0 /x is processed as inbound traffic to e1.

thenjduke

Extended always goes closer to destination and standard always closer to the source.

fly351

thenjduke wrote: »

Extended always goes closer to destination and standard always closer to the source.

Actually that is incorrect. It is recommended to apply a Standard ACL closer to the destination. That is because a standard ACL doesn't filter on Layer 4 ports or Layer 3 Destination addresses like Extended ACLs do.

Extended ACLs are recommended to be applied closest to the source because they can filter specifically what to deny or permit, which stops the traffic from traveling half way through your network before being denied.

Look at it this way... if Host A was trying to talk to Host B and I had a standard access list closest to the source...

Host A/B/C --- RouterA --- RouterB ---- RouterC --- Host D/E/F

RouterA# show run
ip access-list 1 deny 10.1.1.0 0.0.0.255
ip access-list 1 permit 0.0.0.0 255.255.255.255

Granted, we could add multiple lines to permit each host, but that adds more processing to the router since it has to go through each line. Not to mention that if we applied an standard ACL to RouterA then we are denying any traffic, that matches the criteria, from accessing the segment.

Same example...

RouterA# show run
ip access-list 100 deny tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 eq www
ip access-list 100 permit ip any any

Now we are getting somewhere.. 80 traffic is blocked to 10.1.2.0, but anything else is allowed. You can't accomplish that with a standard ACL. Instead, the standard is going to permit or deny on the SOURCE address only. If we applied standard ACLs closer to the source, we probably wouldn't have much network traffic... that's my 2cents

johnwest43

Here is picture i used while studying to remind me of in/out.

router.jpg

geezer

I remember Jeremy (CBT Nuggets) saying to remember the Standard ACL placement by the acronym SAD (Standard Access-list Destination). Extended ACL would be the opposite to this - therefore closer to Source.

Extended better then as all the router hops won't have to process lookups and the bandwidth won't be affected by the unnecessary traffic as well as potentially unwanted routing anomalies further along the network path.

IINS now booked so here's hoping and praying...