
Thread: Cisco ACL in/out question

  1. #1 Junior Member (Join Date: May 2006)

    Cisco ACL in/out question

    When working with Cisco ACLs, the access-groups are applied to individual interfaces.

    interface Serial0
     ip access-group 101 in
     ip access-group 102 out

    My understanding is that "in" is always traffic going towards the router, and "out" is always traffic going away from the router. Like this:

    in = leaving the private            out = leaving the company
    network                             going to the Internet
    ---------------->                   ----------------------->
                      e0 | router | s0
    <----------------                   <-----------------------
    out = entering the private          in = coming into the
    network                             company from the Internet

    So packets from the internal network to the Internet are "in" on e0 and "out" on s0.

    Are my assumptions of in/out correct?

    Also, can you split the in/out between interfaces like this:

    interface Serial0
     ip access-group 101 in
    interface Ethernet0
     ip access-group 102 in

    Or should they be applied to the same interface?


  2. #2 nebulus200, Jaded Network Admin (Join Date: Jun 2002)
    Since it's applied to the interface, you must consider it that way, not 'to the router' per se...

    So, from the interface perspective:
    interface Serial0
     ip access-group 101 in
     ip access-group 102 out

    Anything leaving interface s0 will be covered by 102, anything entering the interface s0 will be covered by 101. Where you put the ACL is really up to you. I've seen it done both ways (sorry, had to edit this part, must remember to have a cup of coffee before reading/responding to posts), generally with the consideration of avoiding passing packets through the router only to drop them as they attempt to leave the interface...

    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
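    The picture in the first post is right: a packet from the LAN to the Internet is "in" on e0 and "out" on s0, and the direction keyword on ip access-group always means "relative to this interface". The following IOS configuration is an added example, not something from the thread; it shows the style both replies lean toward, an extended ACL bound inbound on each interface so a packet is dropped the moment it arrives rather than after being routed across the box. The addresses (LAN 192.168.1.0/24 on Ethernet0, a /30 on Serial0 toward the Internet, mail server 192.168.1.25, resolver 203.0.113.53) are assumptions made up for the example.

```cisco
! Added example, not from the thread. Topology is assumed:
!   Ethernet0  192.168.1.0/24   private LAN
!   Serial0    198.51.100.0/30  link to the Internet
!   192.168.1.25  internal mail server, 203.0.113.53  upstream resolver
!
! ACL 101 is evaluated on packets ENTERING Serial0, i.e. coming from the Internet.
access-list 101 remark Internet -> inside, bound inbound on Serial0
! anti-spoofing: our own prefix and loopback space can never arrive from outside
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
! services we offer to the world
access-list 101 permit tcp any host 192.168.1.25 eq smtp
! return traffic for TCP sessions opened from inside (ACK or RST set; a header check, not state)
access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established
! DNS answers from our resolver and ping replies
access-list 101 permit udp host 203.0.113.53 eq domain 192.168.1.0 0.0.0.255 gt 1023
access-list 101 permit icmp any 192.168.1.0 0.0.0.255 echo-reply
! explicit copy of the implicit deny, so blocked packets are counted and logged
access-list 101 deny   ip any any log
!
! ACL 102 is evaluated on packets ENTERING Ethernet0, i.e. coming from the LAN.
access-list 102 remark inside -> Internet, bound inbound on Ethernet0
access-list 102 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 102 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 102 permit tcp host 192.168.1.25 any eq smtp
access-list 102 permit udp 192.168.1.0 0.0.0.255 host 203.0.113.53 eq domain
access-list 102 permit icmp 192.168.1.0 0.0.0.255 any echo
access-list 102 deny   ip any any log
!
interface Serial0
 ip address 198.51.100.2 255.255.255.252
 ip access-group 101 in
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 102 in
!
! Verification: which list is bound in which direction, and per-line hit counters.
!   show ip interface Serial0 | include access list
!   show ip interface Ethernet0 | include access list
!   show access-lists 101
!   show access-lists 102
```

    With this layout "show ip interface" reports "Inbound access list is 101" on Serial0 and "Inbound access list is 102" on Ethernet0, and a blocked packet shows up as a match on the deny line of exactly one list, which is the tracing benefit mentioned later in the thread. Note that the established keyword only tests TCP flags; it is not a stateful firewall, so the inbound-from-Internet list still needs explicit rules for UDP and ICMP replies.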

  3. #3 Senior Member (Join Date: Sep 2001)
    Indeed, you usually try to drop traffic as close to the edge as possible.

    However, one reason for filtering out on an interface could be if you have a router with multiple interfaces and wanted to secure (default deny) the zone behind one of those interfaces from all other interfaces. Then it's much easier to "deny ip any any" out on said interface than try to deny in based on destination on all other interfaces ...

    Credit travels up, blame travels down -- The Boss
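    The pattern described above, as an added example that is not part of the original post: a router with three interfaces where one segment (call it the protected zone) must see nothing except replies to sessions it started and SSH from a single admin host. One outbound list on the protected interface does the job; the inbound form needs a copy of the destination rules on every other interface. The topology, prefixes and the admin host 192.168.1.10 are assumptions for the example.

```cisco
! Added example, not from the thread. Assumed topology:
!   Serial0    198.51.100.2/30   Internet
!   Ethernet0  192.168.1.0/24    office LAN (admin workstation 192.168.1.10)
!   Ethernet1  10.10.10.0/24     protected zone
!
! FORM A: one list, applied OUTBOUND on the protected interface.
! Every packet the router would send toward 10.10.10.0/24, whatever
! interface it arrived on, is checked here.
access-list 110 remark everything leaving the router toward the protected zone
access-list 110 permit tcp any 10.10.10.0 0.0.0.255 established
access-list 110 permit tcp host 192.168.1.10 10.10.10.0 0.0.0.255 eq 22
access-list 110 permit udp host 203.0.113.53 eq domain 10.10.10.0 0.0.0.255 gt 1023
access-list 110 permit icmp any 10.10.10.0 0.0.0.255 echo-reply
! explicit copy of the implicit deny, so the "default deny" is visible in counters and syslog
access-list 110 deny   ip any any log
!
interface Ethernet1
 ip address 10.10.10.1 255.255.255.0
 ip access-group 110 out
!
! FORM B: the same policy restated INBOUND on every other interface, with the
! protected prefix as destination. Use A or B, not both. With N other
! interfaces you keep N copies in sync, which is the cost the post refers to.
access-list 120 remark inbound on Serial0: protect 10.10.10.0/24
access-list 120 permit tcp any 10.10.10.0 0.0.0.255 established
access-list 120 permit udp host 203.0.113.53 eq domain 10.10.10.0 0.0.0.255 gt 1023
access-list 120 permit icmp any 10.10.10.0 0.0.0.255 echo-reply
access-list 120 deny   ip any 10.10.10.0 0.0.0.255 log
access-list 120 permit ip any any
!
access-list 121 remark inbound on Ethernet0: protect 10.10.10.0/24
access-list 121 permit tcp any 10.10.10.0 0.0.0.255 established
access-list 121 permit tcp host 192.168.1.10 10.10.10.0 0.0.0.255 eq 22
access-list 121 permit icmp any 10.10.10.0 0.0.0.255 echo-reply
access-list 121 deny   ip any 10.10.10.0 0.0.0.255 log
access-list 121 permit ip any any
!
! interface Serial0
!  ip access-group 120 in
! interface Ethernet0
!  ip access-group 121 in
```

    Two caveats a practitioner should keep in mind with form A. First, an outbound ACL is not applied to packets the router itself originates (its own pings, SSH sessions, routing updates), so "deny ip any any out" does not stop the router from talking into the zone; if that matters, control it on the router side as well. Second, because the packet is only dropped on egress, it has already consumed forwarding resources on the way through; for a zone that attracts a lot of unwanted traffic, form B (or a combination, anti-spoofing inbound plus policy outbound) keeps the drop closer to the source.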

  4. #4 Junior Member (Join Date: Aug 2004)
    Standard ACLs should be placed close to the destination; extended ACLs should be placed close to the source. That should be your guide when you think about placing ACLs; the rest is really up to your wishes. Oh, and you shouldn't look at it from the router's perspective; take the interface's point of view (so to say). When you say "in" it means inbound traffic on that interface, "out" means outbound traffic on that interface, so on every interface you can have in and out...
    Only those who dare to fail greatly can ever achieve greatly.

  5. #5 Senior Member (Join Date: Mar 2004)
    I agree with the previous advice but have a few additional comments. I always write my access lists and apply them in the inbound direction to the interface for a few reasons.

    1. I drop the traffic closer to the source.

    2. It makes it easier to trace where a packet is dropped.

    3. Because I am a nice guy and it makes it easier for the next engineer.

    I usually use extended ACLs as they are easier to edit on the fly.
