In and Out interface assignment

Edmondo83 · August 2011

Hello there,

I am slightly confused with the "in" and "out" assignment to different interfaces as I have read several conflicting statements and these seem to conflict with how Packet tracer behaves.

If I had for example 2 routers with one serial interface each (se 0/0) and one ethernet interface (fa 0/0) on each and two different networks (192.168.15.0 and 172.15.0.0) and I want to allow only one PC from the 172 network to be able to HTTP to a server on the 192 network, to get this to work correctly I have to apply the access-list to the 172 range's router on the fa 0/0 interface as inbound.

Can someone clarify how the in and out assignment on router interfaces works as I am fairly confused by this.

Many thanks

SteveO86 · August 2011

If you apply an ACL inbound let's say

int fa0/0
ip access-group 1 in

The access list will look at traffic entering the interface and permit/deny traffic accordingly.

On the flip side..

in s0/0
ip access-group 2 out

Only traffic specified in ACL will be permitted/denied out the s0/0 interface.

But you are correct for your type of situation only allowing 1 host on the network http access to a server, you want that applied inbound on the first interface it hits. Remember their is explicit deny any any statement at the end of every ACL.

It's typically best practice to have Standard ACL as close to the destination as possible and extended ACL as close to the source as possible.

(Now if that network has redundant links that can possibly lead to the 192 subnet you will want to apply that ACL inbound on every interface leaving the 172 subnet)

Edmondo83 · August 2011

Hello there!

Thank you for your reply, this has defiantly shed some light onto the situation for me.

Many thanks.

In and Out interface assignment

Comments