Access List Inbound or Outbound.

lon21 Member Posts: 201
When applying an access list, is it better to place it inbound on the interface or outbound?

I understand that if you're only trying to restrict access to one network behind the router, it's best to place it inbound as the traffic goes in, to save unnecessary router CPU.

Also, on a router, is the inbound inside the router or outside? Because depending on where the traffic is coming from, it can be on either side?

Comments

  • Steveg31 Member Posts: 29
    Well, you have certain aspects down, but it seems like you need to brush up on your ACLs a little more.

    Inbound is traffic coming into the router on any interface, while outbound is any traffic leaving the router on any interface.

    As for where you apply the ACL, that all depends on whether it is standard or extended. You want a standard ACL on an interface furthest away from the source. Since a standard ACL isn't very specific, you don't want to accidentally block traffic that's supposed to head out another interface.

    An extended ACL you'd want on an interface as close to the source as sensibly possible. It's more detailed/specific, so if you create it right, you won't accidentally block anything that might need to exit out of a specific interface. Also, extended is more CPU intensive (more to read and process), so you don't want traffic going through the router only to get denied at another interface.

    Hope this helps.
  • lon21 Member Posts: 201
    Steveg31 wrote: »
    Well, you have certain aspects down, but it seems like you need to brush up on your ACLs a little more.

    Inbound is traffic coming into the router on any interface, while outbound is any traffic leaving the router on any interface.

    As for where you apply the ACL, that all depends on whether it is standard or extended. You want a standard ACL on an interface furthest away from the source. Since a standard ACL isn't very specific, you don't want to accidentally block traffic that's supposed to head out another interface.

    An extended ACL you'd want on an interface as close to the source as sensibly possible. It's more detailed/specific, so if you create it right, you won't accidentally block anything that might need to exit out of a specific interface. Also, extended is more CPU intensive (more to read and process), so you don't want traffic going through the router only to get denied at another interface.

    Hope this helps.

    For example, router A has 2 interfaces: (1) fa0/1, which is connected to a host (PC), and (2) the WAN, se0/1.

    When the traffic is from se0/1 and going into fa0/1, would this be inbound (inside the router near fa0/1)?

    Also, if fa0/1 is sending data to se0/1, would fa0/1 inside the router be outbound or inbound (as above)?

    If this is true, then it means that one interface has 1 inbound and 1 outbound on each side of the interface, depending on which way the traffic is flowing.

    Thanks
  • pham0329 Member Posts: 556
    lon21 wrote: »
    When the traffic is from se0/1 and going into fa0/1, would this be inbound (inside the router near fa0/1)?

    Also, if fa0/1 is sending data to se0/1, would fa0/1 inside the router be outbound or inbound (as above)?

    If this is true, then it means that one interface has 1 inbound and 1 outbound on each side of the interface, depending on which way the traffic is flowing.

    Thanks

    Yes, it depends on what you want to do. Traffic coming from the host into the router would be inbound on Fa0/1. If it exits the router out on Se0/1, it would be outbound on Se0/1.

    I think Jeremy from CBT Nuggets has a great way of teaching it. He said to pretend to be a router. Your body is the router, and your arms are the interfaces. If your right arm is connected to Host A, and your left arm is Se0/1, traffic from Host A would enter your right arm (in), go into your body, and exit out your left arm (out).
  • andy4tech Member Posts: 138
    Hi lon21,
    When an access list is created, the interface to apply the access list to depends on the question you are asked; you cannot just decide that you want to apply it inbound or outbound. The application should go with whatever you want to achieve, i.e. if you want to make decisions concerning an access list, a standard access list only allows you to make decisions based on source address, while an extended access list allows you to make decisions based on source address, destination address, port number and protocol. Just think very well about what is needed before applying an access list.
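The two-interface scenario lon21 describes (Fa0/1 toward the host, Se0/1 toward the WAN), written out as an added Cisco IOS configuration example that is not taken from any post in this thread. It shows Steveg31's placement rule and pham0329's direction rule together: a standard ACL (source-only) is applied outbound on Fa0/1, furthest from its WAN-side source, and an extended ACL is applied inbound on Fa0/1, closest to the host that sources the traffic. The interface addresses, the 192.168.1.0/24 LAN and 203.0.113.0/24 WAN subnets, and the ACL names are assumptions chosen for the example.

```cisco
! Added example, not from the thread. Addresses, subnets and ACL names are assumed.
!
! Standard ACL: matches on source address only, so it is placed far from the
! source, outbound on the LAN interface that faces the protected host.
! Without the final "permit any" the implicit deny at the end would drop all
! other traffic toward the host.
ip access-list standard BLOCK-WAN-SUBNET
 deny   203.0.113.0 0.0.0.255
 permit any
!
! Extended ACL: matches source, destination, protocol and port, so it is placed
! close to the source, inbound on the interface the host traffic enters on.
! Denied packets never cross the router, which saves the forwarding work.
! The explicit "deny ip any any log" matches what the implicit deny would drop
! anyway, but logs it so unexpected traffic shows up in syslog.
ip access-list extended HOST-TO-WAN
 permit tcp 192.168.1.0 0.0.0.255 any eq 443
 permit udp 192.168.1.0 0.0.0.255 any eq 53
 permit icmp 192.168.1.0 0.0.0.255 any echo
 deny   ip any any log
!
! One interface, one ACL per direction: "in" is traffic entering the router
! on this interface (from the host), "out" is traffic leaving the router on
! this interface (toward the host).
interface FastEthernet0/1
 description LAN toward host (PC)
 ip address 192.168.1.1 255.255.255.0
 ip access-group HOST-TO-WAN in
 ip access-group BLOCK-WAN-SUBNET out
!
interface Serial0/1
 description WAN
 ip address 198.51.100.2 255.255.255.252
```

To confirm which list sits in which direction, `show ip interface FastEthernet0/1` reports the inbound and outgoing access list names, and `show ip access-lists` shows per-entry match counters, so a standard ACL placed in the wrong direction shows up as a list that never matches while the denies accumulate elsewhere.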