thehourman wrote: » If you want to filter packets that are coming in, you want to use the in; and if you want to filter packets that are coming out, then you use the out. For example, let's say you have a topology like this:

PC0 --- [Router] --- Internet
            |
           PC1

If you want to filter packets coming from the internet, you're going to use in on the router's interface facing the internet, because the packets from the internet are coming into the router; that is why you use in. If you don't want PC0 to access the internet, but want it to access PC1, which is in a different subnet, you can use the out on the router's interface facing the internet. So every time PC0 tries to go out to the internet it will be filtered, but if PC0 tries to access PC1, it will be fine.
bermovick wrote: » I'll chime in as well, although I don't know if one of the previous replies has helped already. Sort of like Rogue (and Jeremy) have said, think of the direction the data is moving; if it's moving from the internet to PC0, the data is flowing (in hourman's picture) from right to left. When it hits the router, it's flowing IN the right-most port on the router, and back OUT the left port. Similarly, when data is flowing from PC0 out to the internet, it's flowing from left to right: IN the left-most port of the router and OUT the right-most port. Regarding where you would want to place an ACL, that depends on whether it's a standard or extended ACL. I don't know if you've studied that material yet, but once you do it makes more sense WHERE you would want to apply it.
rogue2shadow wrote: » Yup. This is how I've learned it. With standard ACLs you want it as close to the destination as possible because you have less filtering options. Put extended ACLs closest to the source (correct me if I'm wrong).
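As an added example (not posted by anyone in the thread), here is hourman's topology written out as Cisco IOS configuration: the "out on the internet-facing interface" rule from the first post, an "in" filter on the same interface for what the ISP sends back, and a note on rogue2shadow's placement point. The subnets, interface names and addresses are assumptions for illustration only.

```cisco
! Assumed addressing (not from the thread): PC0 on 192.168.0.0/24 behind Gi0/0,
! PC1 on 192.168.1.0/24 behind Gi0/1, ISP link on Gi0/2.
!
! Extended ACL: stop PC0's subnet from leaving toward the internet.
ip access-list extended BLOCK-PC0-INTERNET
 remark Packets from PC0's LAN that would exit toward the ISP
 deny   ip 192.168.0.0 0.0.0.255 any
 remark Everything else (PC1's LAN, the router's own traffic) may leave
 permit ip any any
!
interface GigabitEthernet0/2
 description Link to internet
 ip address 203.0.113.2 255.255.255.252
 ! "out": checked on packets LEAVING this interface toward the ISP.
 ! PC0 -> PC1 traffic exits via Gi0/1, never Gi0/2, so it is untouched.
 ip access-group BLOCK-PC0-INTERNET out
!
! "in" on the same interface: packets ENTERING the router from the ISP side.
ip access-list extended FROM-INTERNET
 remark Allow return traffic for connections our LAN hosts started
 permit tcp any 192.168.0.0 0.0.255.255 established
 permit udp any eq 53 192.168.0.0 0.0.255.255
 remark Drop spoofed packets claiming to come from our own LANs
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip any any log
!
interface GigabitEthernet0/2
 ip access-group FROM-INTERNET in
!
! Placement note (rogue2shadow's point): a standard ACL can only match the
! source, so "deny 192.168.0.0 0.0.0.255" applied "in" on Gi0/0 (close to
! the source) would also cut PC0 off from PC1. Applying it "out" on Gi0/2
! (close to the destination) blocks only the internet path:
ip access-list standard BLOCK-PC0-STD
 deny   192.168.0.0 0.0.0.255
 permit any
!
! Verify which entries are matching (hit counters per line)
show ip access-lists
show ip interface GigabitEthernet0/2 | include access list
```

The hit counters in show ip access-lists confirm the direction is right: with PC0 browsing the internet, BLOCK-PC0-INTERNET's deny line should increment while PC0-to-PC1 pings leave it at zero.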