July 27th, 2006, 03:22 PM
Cisco ACL in/out question
When working with Cisco ACLs, the access-groups are applied to individual interfaces.
access-group 101 in
access-group 102 out
My understanding is that "in" is always traffic going towards the router, and "out" is always traffic going away from the router. Like this:
in = leaving the                 out = leaving the company
private network                  going to the Internet
          e0 | router | s0
out = entering the               in = coming into the
private network                  company from the Internet
So packets from the internal network to the Internet are "in" on e0 and "out" on s0.
Are my assumptions of in/out correct?
Also, can you split the in/out between interfaces like this:
access-group 101 in
access-group 102 in
Or should they be applied to the same interface?
July 27th, 2006, 03:32 PM
Since it's applied to the interface, you must consider it that way, not 'to the router' per se...
So, from the interface perspective:
access-group 101 in
access-group 102 out
Anything leaving interface s0 will be covered by 102, anything entering the interface s0 will be covered by 101. Where you put the ACL is really up to you. I've seen it done both ways (sorry, had to edit this part, must remember to have a cup of coffee before reading/responding to posts), generally with the consideration of avoiding passing packets through the router only to drop them as they attempt to leave the interface...
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
July 27th, 2006, 04:00 PM
Indeed, you usually try to drop traffic as close to the edge as possible.
However, one reason for filtering out on an interface could be if you have a router with multiple interfaces and wanted to secure (default deny) the zone behind one of those interfaces from all other interfaces. Then it's much easier to "deny ip any any" out on said interface than try to deny in based on destination on all other interfaces ...
Credit travels up, blame travels down -- The Boss
July 27th, 2006, 05:32 PM
Standard ACLs should be placed close to the destination; extended ACLs should be placed close to the source. That should be your guide when you think about placing ACLs; the rest is really up to your wishes. Oh, and you shouldn't watch it from the router's perspective, take the interface's point of view (so to say): when you say "in" it means inbound traffic on that interface, "out" means outbound traffic on that interface, so on every interface you can have in and out...
Only those who dare to fail greatly can ever achieve greatly.
July 28th, 2006, 02:34 AM
I agree with the previous advice but have a few additional comments. I always write my access lists and apply them in the inbound direction to the interface for a few reasons.
1. I drop the traffic closer to the source.
2. It makes it easier to trace where a packet is dropped.
3. Because I am a nice guy and it makes it easier for the next engineer.
I usually use extended ACLs as they are easier to edit on the fly.
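To make the direction semantics from the thread concrete, here is an added toy model (not from any poster, and not Cisco code): a packet is checked against the "in" access-group of the interface it arrives on, then routed, then checked against the "out" access-group of the interface it leaves by. It also shows the two placements discussed above, filtering inbound on e0 so LAN traffic is dropped before it is routed, and a single "deny ip any any" out on a protected interface e1. Interface names, ACL contents and addresses are constructed for the example.

```python
# Added example, not from the thread: a toy model of where an access-group
# fires. Interface names, ACL numbers and addresses are constructed.
ANY = ""  # prefix "" matches every address, like "any" in an ACL


class Router:
    def __init__(self, routes):
        self.routes = routes      # list of (dst_prefix, egress_iface), first match wins
        self.acls = {}            # (iface, "in"|"out") -> list of (action, src, dst)
        self.trace = []           # which ACL entry decided the last packet, in order

    def access_group(self, iface, direction, rules):
        """Bind an ACL to one interface in one direction (like ip access-group N in|out)."""
        self.acls[(iface, direction)] = rules

    def _check(self, iface, direction, src, dst):
        rules = self.acls.get((iface, direction))
        if rules is None:                 # no ACL bound in this direction: traffic passes
            return True
        for action, s, d in rules:        # top-down, first match wins
            if src.startswith(s) and dst.startswith(d):
                self.trace.append(f"{iface} {direction}: {action} {s or 'any'}->{d or 'any'}")
                return action == "permit"
        self.trace.append(f"{iface} {direction}: implicit deny")
        return False

    def forward(self, ingress, src, dst):
        """Path of one packet: ingress 'in' ACL, then routing, then egress 'out' ACL.
        Returns (delivered, egress_iface); egress is None if dropped before routing."""
        self.trace = []
        if not self._check(ingress, "in", src, dst):
            return False, None
        egress = next(i for p, i in self.routes if dst.startswith(p))
        return self._check(egress, "out", src, dst), egress


def build_router():
    """e0 faces the private 10.0.0.0/8 LAN, s0 the Internet, e1 a protected zone (constructed)."""
    r = Router([("10.", "e0"), ("172.16.", "e1"), (ANY, "s0")])
    # 101 inbound on e0: what the LAN may originate; a deny here drops before routing
    r.access_group("e0", "in", [("deny", "10.0.0.66", ANY), ("permit", "10.", ANY)])
    # 102 inbound on s0: what the Internet may send in; everything else hits the implicit deny
    r.access_group("s0", "in", [("permit", ANY, "10.0.0.5")])
    # default-deny the zone behind e1 from every other interface with one outbound ACL
    r.access_group("e1", "out", [("deny", ANY, ANY)])
    return r
```

Running `build_router().forward("e0", "10.0.0.7", "203.0.113.9")` returns `(True, "s0")` with the trace showing only the e0 inbound check, since no ACL is bound outbound on s0.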