flipmad Member Posts: 184
Even during my CCNA days this always seemed to throw me off.

access-list 101 deny tcp eq 21
access-list 101 deny tcp eq 20
access-list 101 permit ip any any
interface e0 (which is on the subnet)
ip access-group 101 out

Now if I am trying to access the FROM the subnet then would this be INBOUND?

I included a quick drawing.



  • notgoing2fail Member Posts: 1,138
    It would be INBOUND on E1 or OUTBOUND on E0...

    Take your pick....but according to best practices since this is an extended ACL where do you place your ACL?

    You place it as close to the source as possible. So in this case, E1 before the routing process.

    If it were standard, you'd put it on E0 after the routing process....
  • flipmad Member Posts: 184
    The light bulb just went off. I get it now.

  • fly351 Member Posts: 360
    I had trouble remembering this too, but IMO the easiest way is to think "Inbound traffic to the interface" or "Outbound traffic to the interface".

    To explain a little better...

    ACL applied on e0 as Outbound: Traffic from e1 to e0 has been processed by the router, so the exit interface is the "outbound" interface. So the traffic isn't being sent to e0 as "inbound" traffic.

    ACL applied on e1 as Inbound: Traffic to e1 from /x is processed as inbound traffic to e1.
    CCNP :study:
  • thenjduke Member Posts: 894
    Extended always goes closer to destination and standard always closer to the source.
    CCNA, MCP, MCSA, MCSE, MCDST, MCITP Enterprise Administrator, Working towards Networking BS. CCNP is Next.
  • fly351 Member Posts: 360
    thenjduke wrote: »
    Extended always goes closer to destination and standard always closer to the source.

    Actually that is incorrect. It is recommended to apply a Standard ACL closer to the destination. That is because a standard ACL doesn't filter on Layer 4 ports or Layer 3 Destination addresses like Extended ACLs do.

    Extended ACLs are recommended to be applied closest to the source because they can filter specifically what to deny or permit, which stops the traffic from traveling half way through your network before being denied.

    Look at it this way... if Host A was trying to talk to Host B and I had a standard access list closest to the source...

    Host A/B/C --- RouterA --- RouterB ---- RouterC --- Host D/E/F

    RouterA# show run
    ip access-list 1 deny
    ip access-list 1 permit

    Granted, we could add multiple lines to permit each host, but that adds more processing to the router since it has to go through each line. Not to mention that if we applied a standard ACL to RouterA then we are denying any traffic that matches the criteria from accessing the segment.

    Same example...

    RouterA# show run
    ip access-list 100 deny tcp eq www
    ip access-list 100 permit ip any any

    Now we are getting somewhere... port 80 traffic is blocked to, but anything else is allowed. You can't accomplish that with a standard ACL. Instead, the standard is going to permit or deny on the SOURCE address only. If we applied standard ACLs closer to the source, we probably wouldn't have much network traffic... that's my 2 cents
    CCNP :study:
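To make the two points in this thread concrete (notgoing2fail's "inbound on E1 or outbound on E0" and fly351's standard-vs-extended placement), here is a small added Python model of IOS first-match ACL evaluation; it is not from any post above, and the interfaces, addresses and ACL numbers are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    """One access-list entry. proto 'ip' matches any protocol, as in IOS."""
    action: str                      # "permit" or "deny"
    proto: str = "ip"
    src: str = "0.0.0.0/0"           # "any"
    dst: str = "0.0.0.0/0"           # a standard ACL can only leave this as any
    dport: Optional[int] = None      # "eq 21" etc.; extended ACLs only

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

def evaluate(acl, p):
    """First matching entry wins; no match hits the implicit deny at the end."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"

PERMIT_ALL = [Ace("permit")]  # an interface with no ip access-group permits everything

def forward(p, ingress, egress, bindings):
    """bindings maps (interface, 'in'|'out') to an ACL. The inbound ACL on the
    ingress interface runs before routing; the outbound ACL on the egress runs after."""
    if evaluate(bindings.get((ingress, "in"), PERMIT_ALL), p) == "deny":
        return "dropped inbound on " + ingress
    if evaluate(bindings.get((egress, "out"), PERMIT_ALL), p) == "deny":
        return "dropped outbound on " + egress
    return "forwarded out " + egress

# Constructed topology: LAN 192.168.1.0/24 behind e0, host 10.0.0.5 reached via e1.
ACL_101 = [Ace("deny", "tcp", dport=21), Ace("deny", "tcp", dport=20), Ace("permit")]
ACL_1 = [Ace("deny", src="10.0.0.5/32"), Ace("permit")]  # standard: source only
ftp = Packet("10.0.0.5", "192.168.1.10", dport=21)
web = Packet("10.0.0.5", "192.168.1.10", dport=80)

if __name__ == "__main__":
    for where in [("e1", "in"), ("e0", "out")]:  # the two placements from the thread
        print(where, forward(ftp, "e1", "e0", {where: ACL_101}), forward(web, "e1", "e0", {where: ACL_101}))
    print("standard ACL near the source:", forward(web, "e1", "e0", {("e1", "in"): ACL_1}))
```

Both placements of ACL 101 drop the FTP packet and pass the web packet; the difference is only whether the drop happens before or after the routing lookup, while the standard ACL near the source drops the host's web traffic too because it can only match on source.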
  • johnwest43 Member Posts: 294
    Here is a picture I used while studying to remind me of in/out.
    CCNP: ROUTE [x], SWITCH [x], TSHOOT [X] Completed on 2/18/2014
  • geezer Member Posts: 136
    I remember Jeremy (CBT Nuggets) saying to remember the Standard ACL placement by the acronym SAD (Standard Access-list Destination). Extended ACL would be the opposite to this - therefore closer to Source.

    Extended is better then, as all the router hops won't have to process lookups and the bandwidth won't be affected by the unnecessary traffic, as well as potentially unwanted routing anomalies further along the network path.

    IINS now booked so here's hoping and praying...
    I used to be undecided but now I'm not so sure.

    There are only 10 types of people in the world: Those who understand binary, and those who don't!