ACLs - Inside Outside Application

rogue2shadow Member Posts: 1,501
Hey guys,

This has been driving me insane for the past week. I've read Odom, watched nuggets, and done tons of packet tracers for ACLs but I'm still confused as to how one would know when to use out vs. in and vice versa. So far, I've been seeing it as gates to get to the next hop and whether the traffic is flowing into or out of the interface, but then I do the labs and I'm getting the reverse result as the answer. I know standard acls should be closest to, if not facing, the destination interface-wise, and the extended acls should be closer to the source. I know with telnet and internet filtering (router as fwall) you would do in but in other cases, I just get confused.

I looked up some old threads on this and chromin had a great way of understanding it but I lost the page.

Is there an easy way to remember how this would be done?

Comments

  • aR15 Registered Users Posts: 9
    a quick way that i remembered where to apply ACLs back in the day was the 'pretend you're a cop on a highway between two states' concept. (at least i think that's what it was called)


    standard acl (1-99) situation:

    as you correctly stated, these will be placed closest to the destination point on your network because standard ACLs mainly consist of permit/deny statements, nothing further:

    if you want to block access for a particular host to that portion of the network, you will place it inbound on that specific interface so that any packets matching your access list statements never even make it "past the gate".

    if you want to restrict a particular host on that portion of the network from talking across the network (leaving its area), you will place the access list on the outbound portion of that interface so that the packets are stopped dead before they can be processed and routed.


    extended acl (100-199) situation:

    almost the same concept applies here with the exception that you can block certain services rather than all IP services like the standard acl does. extended ACLs will be placed close to the source (transmitter). if you want 'computer a' to only access www (port 80) resources and nothing else on the opposite side of the network, you will apply this statement to the outbound portion of the interface.


    in a nutshell, if you're a cop/bouncer (whatever you want to imagine yourself as, lol) and you're told to keep a certain person or group of people from entering the premises, you want to apply your statements on the inbound portion of the interface. if you want to keep a certain person or group contained, you apply your statements to the outbound portion.

    i can provide a better example if you'd like, but i typed this in a hurry because i wasn't sure how pressed for time you were to get an answer. hope to hear back to see if this helped you at all!
  • rogue2shadow Member Posts: 1,501
    Thanks man! I'm starting to see a trend in the labs I'm doing. If something is denied from going elsewhere in a network but needs to access other resources the outbound interface is being used. When they've phrased the problem as "are not allowed to leave the network" or "checked as it enters the router", the in option is used.
  • aR15 Registered Users Posts: 9
    not a problem!

    and you're exactly right! when an acl is placed on the outbound portion of an interface, packets are checked line by line as they exit the interface and head out onto the network.

    inbound acl lists check packets line by line as they enter an interface from another part of the network.

    once you say it a few times in your head it comes naturally, lol.

    if you need further clarification, please don't hesitate to ask.

    good luck man!
  • joe48184 Member Posts: 83
    I copied this for my own use from Cisco's web site, so if it helps I take no credit. The last paragraph helped me the most.

    Define In, Out, Inbound, Outbound, Source, and Destination
    The router uses the terms in, out, source, and destination as references. Traffic on the router can be compared to traffic on the highway. If you were a law enforcement officer in Pennsylvania and wanted to stop a truck going from Maryland to New York, the source of the truck is Maryland and the destination of the truck is New York. The roadblock could be applied at the Pennsylvania–New York border (out) or the Maryland–Pennsylvania border (in).
    When you refer to a router, these terms have these meanings.
    · Out—Traffic that has already been through the router and leaves the interface. The source is where it has been, on the other side of the router, and the destination is where it goes.
    · In—Traffic that arrives on the interface and then goes through the router. The source is where it has been and the destination is where it goes, on the other side of the router.
    · Inbound—If the access list is inbound, when the router receives a packet, the Cisco IOS software checks the criteria statements of the access list for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet.
    · Outbound—If the access list is outbound, after the software receives and routes a packet to the outbound interface, the software checks the criteria statements of the access list for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet.

    The "in" ACL has a source on a segment of the interface to which it is applied and a destination off of any other interface. The "out" ACL has a source on a segment of any interface other than the interface to which it is applied and a destination off of the interface to which it is applied.
  • johnwest43 Member Posts: 294
    Here is a picture that i made to help me when studying.
  • dairou18 Member Posts: 34
    Not sure if you watched the CBT Nuggets but I liked how Jeremy Cioara explained it by holding out your arms to represent inside/outside. While it sounds ridiculous it helped me.
  • TesseracT Member Posts: 167
    yeah I like that arms outstretched analogy (BE THE ROUTER! hehe)

    All traffic going in - traffic moving down your arms towards your torso
    all traffic going out - traffic moving from your torso down your arms
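The placement rules from aR15's first reply and the Cisco in/out definitions joe48184 quoted, modelled in Python as an added example (this is not code from the thread or from Cisco). It assumes a constructed three-interface router with 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24 behind interfaces e0, e1 and e2, and simplified ACL entries; it shows that a standard list applied inbound stops a host before routing on every path, that the same list applied outbound on one interface only guards that interface, and that a packet matching no line hits the implicit deny.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology (assumption, not from the thread): network behind each interface.
ROUTES = {"e0": ipaddress.ip_network("10.0.1.0/24"),
          "e1": ipaddress.ip_network("10.0.2.0/24"),
          "e2": ipaddress.ip_network("10.0.3.0/24")}

@dataclass
class Entry:
    action: str          # "permit" or "deny"
    src: str = "any"     # source network; a standard ACL only ever tests this
    dst: str = "any"     # destination network (extended ACLs)
    port: int = None     # destination port (extended ACLs); None means any

def _match(net, addr):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def acl_permits(acl, src, dst, port):
    """Top-down, first match wins; no match at all is the implicit deny."""
    for e in acl:
        if _match(e.src, src) and _match(e.dst, dst) and e.port in (None, port):
            return e.action == "permit"
    return False

def egress_interface(dst):
    return next((n for n, net in ROUTES.items() if ipaddress.ip_address(dst) in net), None)

def forward(ingress, src, dst, port, inbound=None, outbound=None):
    """inbound/outbound map interface name -> ACL; returns the packet's fate."""
    inbound, outbound = inbound or {}, outbound or {}
    # Inbound list is checked on the arrival interface, before routing.
    if ingress in inbound and not acl_permits(inbound[ingress], src, dst, port):
        return f"dropped inbound on {ingress}"
    egress = egress_interface(dst)
    if egress is None:
        return "dropped: no route"
    # Outbound list is checked after routing, on the interface the packet leaves.
    if egress in outbound and not acl_permits(outbound[egress], src, dst, port):
        return f"dropped outbound on {egress}"
    return f"delivered via {egress}"

# Constructed sample lists. ACL 10 (standard): silence one host, permit the rest.
STD_10 = [Entry("deny", "10.0.1.5/32"), Entry("permit")]
# ACL 101 (extended): 10.0.1.7 may only reach web (port 80) on the 10.0.2.0 side.
EXT_101 = [Entry("permit", "10.0.1.7/32", "10.0.2.0/24", 80),
           Entry("deny", "10.0.1.7/32"), Entry("permit")]
```

Applying STD_10 inbound on e0 is the "keep them from entering" case; applying it outbound on e1 is the "keep them contained to one exit" case, and 10.0.1.5 can still reach e2.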