When to apply ACL in or out

e24ohm · November 2010

Folks:
I am having a hard time understanding when to apply an ACL on in or out of the interface. When do I want to apply the ACL on the IN, and when do I want to apply the OUT?

the Cisco models are so #$@%@ confusing to me.

thanks.

Heero · November 2010

In -- when you are running traffic coming INTO the interface through an ACL.
Out -- when you are running traffic leaving the interface through an ACL.

thehourman · November 2010

If you want to filter packets that is coming in, you want to use the in; and if you want to filter packets that is coming out then you use the out.

For example, let's say you have a topology like this:
PC0

[Router]

Internet

|

PC1

If you want to filter packets coming from the internet, you're going to use in on the router's interface facing the internet because the packets from the internet is coming into the router that is why you use in.
If you don't want PC0 to access the internet, but want it to access PC1, which is in a different subnet, you can use the out on the router's interface facing the internet. So that every time the PC0 tries to go out to the internet it will be filtered, but if PC0 tries to access PC1, it will be fine.

jojopramos · November 2010

Just think that before going to the router, it is IN and after it pass the router it is OUT.

rogue2shadow · November 2010

All the above is correct. Jeremy Cioara says "Be the router; hold your hands out". The data's flow determines in or out.

e24ohm · November 2010

thehourman wrote: »

If you want to filter packets that is coming in, you want to use the in; and if you want to filter packets that is coming out then you use the out.

For example, let's say you have a topology like this:
PC0
[Router]
Internet

|

|

PC1

If you want to filter packets coming from the internet, you're going to use in on the router's interface facing the internet because the packets from the internet is coming into the router that is why you use in.
If you don't want PC0 to access the internet, but want it to access PC1, which is in a different subnet, you can use the out on the router's interface facing the internet. So that every time the PC0 tries to go out to the internet it will be filtered, but if PC0 tries to access PC1, it will be fine.

Thanks for the help, but see this is where I get a little confused. Wouldn't I want the ACL for blocking PC0 from the Internet on IN on the router interface for PC0. This way - the ACL would save processing power?

Does it matter if the ACL is Standard or Extended?

earweed · November 2010

I think you would require the same or more processing if the out rule were on the PC0 side. Always apply the rule on the interface facing what is being "controlled" if you don't want PC1 to communicate with PC0 then the out rule would be on the PC0 side.

bermovick · November 2010

I'll chime in as well; although I don't know if one of the previous replies has helped already.

Sortof like Rogue (and Jeremy) have said, think of the direction the data is moving; if it's moving from the internet to PC0, the data is flowing (in hourman's picture) from right to left. When it hits the router, it's flowing IN the right-most port on the router, and back OUT the left port.

Similarly when data is flowing from PC0 out to the internet, it's flowing from left to right; IN the left-most port of the router and OUT the right-most port.

Regarding where you would want to place an ACL; that depends on if it's a standard or extended ACL. I don't know if you're studied that material yet, but once you do it makes more sense about WHERE you would want to apply it.

rogue2shadow · November 2010

bermovick wrote: »

I'll chime in as well; although I don't know if one of the previous replies has helped already.

Sortof like Rogue (and Jeremy) have said, think of the direction the data is moving; if it's moving from the internet to PC0, the data is flowing (in hourman's picture) from right to left. When it hits the router, it's flowing IN the right-most port on the router, and back OUT the left port.

Similarly when data is flowing from PC0 out to the internet, it's flowing from left to right; IN the left-most port of the router and OUT the right-most port.

Regarding where you would want to place an ACL; that depends on if it's a standard or extended ACL. I don't know if you're studied that material yet, but once you do it makes more sense about WHERE you would want to apply it.

Yup. This is how I've learned it. With standard ACLs you want it as close to the destination as possible because you have less filtering options. Put extended ACLs closest to the source (correct me if im wrong).

e24ohm · November 2010

rogue2shadow wrote: »

Yup. This is how I've learned it. With standard ACLs you want it as close to the destination as possible because you have less filtering options. Put extended ACLs closest to the source (correct me if im wrong).

So you would apply Standard ACLs OUT on the interface facing the destination.

Extended ACL will be applied to the IN on the forward facing interface.

is that right?

kawong_1999 · March 2015

Here is easy way to think of it. you are the router:

In = toward the interface
Out = away from the interface

satishtech · March 2015

I think I read this in the lammle book,maybe this helps.

Place Standard ACL's as close to the Destination as possible.
Place Extended ACL's as close to the Source as possible.

When to apply ACL in or out

Comments