ACLs Inbound and Outbound confusion?

Beany Member Posts: 177
Morning,

Recently studied this topic and really enjoyed it but I'm seriously confused when it comes to using inbound and outbound interfaces. What I cannot work out is when to use IN or OUT esp. when the network is huge.

Can someone please provide me with some examples so that I can get my head around it?


Thanks

Comments

  • networker050184 Mod Posts: 11,962
    What are you not understanding exactly? If the traffic you want to block with your ACL is coming into an interface then use an inbound ACL. If the traffic you want to block is going out an interface use an outbound ACL. It makes more sense usually to block inbound as close to the source as possible so the traffic doesn't have to traverse the network just to be dropped.

    I don't know if it's still taught this way, but the old rule of thumb for CCNA was standard ACL close to the destination as possible and extended close to the source. Not the biggest fan of that though as it always just depends on your network setup and goals.
    An expert is a man who has made all the mistakes which can be made.
  • steveyeung Member Posts: 44
    Imagine yourself as the router: out means controlling traffic getting out of you,
    and in means controlling traffic getting inside of you.
  • Beany Member Posts: 177
    Can anyone point me to some ACL practice questions with answers? I think I'll get the hang of it with some testing questions.
  • RouteMyPacket Member Posts: 1,104
    networker050184 wrote: »
    What are you not understanding exactly? If the traffic you want to block with your ACL is coming into an interface then use an inbound ACL. If the traffic you want to block is going out an interface use an outbound ACL. It makes more sense usually to block inbound as close to the source as possible so the traffic doesn't have to traverse the network just to be dropped.

    I don't know if it's still taught this way, but the old rule of thumb for CCNA was standard ACL close to the destination as possible and extended close to the source. Not the biggest fan of that though as it always just depends on your network setup and goals.

    /thread
    Modularity and Design Simplicity:

    Think of the 2:00 a.m. test—if you were awakened in the
    middle of the night because of a network problem and had to figure out the
    traffic flows in your network while you were half asleep, could you do it?
  • TechGuru80 Member Posts: 1,539
    Stand up, hold your arms out, and your body is the router with each arm being a link.
  • DANMOH009 Member Posts: 241
    Beany wrote: »
    can anyone point me to some ACL practice questions with answers? I think I'll get the hang of it with some testing questions.

    I used this when studying for my CCNA; I found it super useful for practice.

    Home | ACL Practice

    Also, if I can add my two cents: 90% of the time you'll be using an IN statement rather than an OUT, as you won't really want a packet to consume router resources only to be dropped on an exit interface. That's not set in stone, but it is something you come across more in the industry (well, that's what I've found).
  • theodoxa Member Posts: 1,340
    As previously mentioned, you would usually use "in." "out" would be used if you had a router with several interfaces and only wanted to filter the traffic leaving one specific interface. For example, I want to block certain computers/devices from accessing the internet. I would use a standard ACL on the router that is connected to my ISP and apply the ACL "out" on the interface connected to my ISP. That way, the ACL is only checked when traffic goes out to my ISP and not when it stays on my network.
    R&S: CCENT CCNA CCNP CCIE [ ]
    Security: CCNA [ ]
    Virtualization: VCA-DCV [ ]
  • awitt11 Member Posts: 50
    ACLs can be tricky. The one thing to remember is that ACLs IN are before the routing logic, and ACLs OUT are after. So, maybe you want to allow traffic to facebook on your main link, but not the backup link. An ACL OUT statement could be applied to the backup link interface to only allow necessary traffic until the main link is restored.
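The two placements described in theodoxa's and awitt11's replies, written out as Cisco IOS configuration. This is an added example and not anything posted in the thread; the host addresses, subnet, ACL names and interface names are assumptions chosen to make the example concrete.

```cisco
! Goal: stop two LAN hosts from reaching the internet, leave everyone else alone.
!
! Option A (theodoxa's approach): a standard ACL applied OUT on the ISP-facing
! interface. OUT is evaluated after the routing decision, so only packets already
! routed toward the ISP are checked; LAN-to-LAN traffic on other interfaces never
! touches this list.
ip access-list standard BLOCK-INTERNET
 remark hosts that may not leave toward the ISP (assumed addresses)
 deny   host 192.168.10.25
 deny   host 192.168.10.26
 permit 192.168.10.0 0.0.0.255
 remark everything else hits the implicit "deny any" at the end
!
interface GigabitEthernet0/0
 description Uplink to ISP (assumed interface)
 ip access-group BLOCK-INTERNET out
!
! Option B (awitt11's point): IN is evaluated before routing, so an inbound list
! on the LAN interface sees every packet those hosts send, whatever the exit
! interface. A standard ACL here would cut them off from every subnet, so an
! extended ACL is needed to deny only the internet-bound traffic.
ip access-list extended BLOCK-INTERNET-IN
 remark keep internal destinations reachable for the two hosts (assumed RFC1918 range)
 permit ip host 192.168.10.25 192.168.0.0 0.0.255.255
 permit ip host 192.168.10.26 192.168.0.0 0.0.255.255
 remark then drop anything else they send; all other hosts pass
 deny   ip host 192.168.10.25 any
 deny   ip host 192.168.10.26 any
 permit ip any any
!
interface GigabitEthernet0/1
 description LAN (assumed interface)
 ip access-group BLOCK-INTERNET-IN in
!
! Verification: match counters show which placement is actually being hit.
! show ip access-lists BLOCK-INTERNET
! show ip access-lists BLOCK-INTERNET-IN
! show ip interface GigabitEthernet0/0 | include access list
```

Only one of the two options would normally be applied; they are shown together to contrast where each is evaluated. Note that an outbound ACL does not filter traffic the router itself originates, which is one more reason inbound placement is the usual default.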