ACLs Inbound and Outbound confusion?
Beany
Member Posts: 177
in CCNA & CCENT
Morning,
Recently studied this topic and really enjoyed it but I'm seriously confused when it comes to using inbound and outbound interfaces. What I cannot work out is when to use IN or OUT esp. when the network is huge.
can someone please provide me some examples so that I can get my head around it.
Thanks
Recently studied this topic and really enjoyed it but I'm seriously confused when it comes to using inbound and outbound interfaces. What I cannot work out is when to use IN or OUT esp. when the network is huge.
can someone please provide me some examples so that I can get my head around it.
Thanks
Comments
-
networker050184 Mod Posts: 11,962 ModWhat are you not understanding exactly? If the traffic you want to block with your ACL is coming into an interface then use an inbound ACL. If the traffic you want to block is going out an interface use an outbound ACL. It makes more sense usually to block inbound as close to the source as possible so the traffic doesn't have to traverse the network just to be dropped.
I don't know if it's still taught this way, but the old rule of thumb for CCNA was standard ACL close to the destination as possible and extended close to the source. Not the biggest fan of that though as it always just depends on your network setup and goals.An expert is a man who has made all the mistakes which can be made. -
steveyeung Member Posts: 44 ■■□□□□□□□□imagine yourself as the router, out means controlling traffic get out of you.
and in means controlling traffic get inside of you. -
Beany Member Posts: 177can anyone point me to some ACL practice questions with answers? I think I'll get the hang of it with some testing questions.
-
RouteMyPacket Member Posts: 1,104networker050184 wrote: »What are you not understanding exactly? If the traffic you want to block with your ACL is coming into an interface then use an inbound ACL. If the traffic you want to block is going out an interface use an outbound ACL. It makes more sense usually to block inbound as close to the source as possible so the traffic doesn't have to traverse the network just to be dropped.
I don't know if it's still taught this way, but the old rule of thumb for CCNA was standard ACL close to the destination as possible and extended close to the source. Not the biggest fan of that though as it always just depends on your network setup and goals.
/threadModularity and Design Simplicity:
Think of the 2:00 a.m. test—if you were awakened in the
middle of the night because of a network problem and had to figure out the
traffic flows in your network while you were half asleep, could you do it? -
TechGuru80 Member Posts: 1,539 ■■■■■■□□□□Stand up, hold your arms out, and your body is the router with each arm being a link.
-
DANMOH009 Member Posts: 241can anyone point me to some ACL practice questions with answers? I think I'll get the hang of it with some testing questions.
I used this when studying for my CCNA, i found it super useful for practice.
Home | ACL Practice
Also if i can add my two cents 90% of the time, you'll be using an IN statement rather then an OUT, as you wont really want an packet to consumer router resources only to drop on an exit interface. Thats not set in stone but is something you come across more in the industry (well thats what ive found). -
theodoxa Member Posts: 1,340 ■■■■□□□□□□As previously mentioned, you would usually use "in." "out" would be used if you had a router with several interfaces and only wanted to filter the traffic leaving one specific interface. For example, I want to block certain computers/devices from accessing the internet. I would use a standard ACL on the router that is connected to my ISP and apply the ACL "out" on the interface connected to my ISP. That way, the ACL is only checked when traffic goes out to my ISP and not when it stays on my network.R&S: CCENT → CCNA → CCNP → CCIE [ ]
Security: CCNA [ ]
Virtualization: VCA-DCV [ ] -
awitt11 Member Posts: 50 ■□□□□□□□□□ACLs can be tricky. The one thing to remember is that ACLs IN are before the routing logic, and ACLs OUT are after. So, maybe you want to allow traffic to facebook on your main link, but not the backup link. An ACL OUT statement could be applied to the backup link interface to only allow necessary traffic until the main link is restored.