How do you decide if you apply an access list IN or OUT?  
Take this diagram for example:

If I wanted to deny the SALES lan from accessing FINANCE.  
It would be

                 access-list deny
                 access-list permit any

I would then apply it to the e0 interface. But would I apply it inbound or outbound?  How can you tell?
Who is Participating?
Dr-IPConnect With a Mentor Commented:
If you use both, you are effectively duplicating the same thing. As for using extended access list closest to the source, it’s to hopefully limit the amount of packets that need to be filtered thought the access list. Just look at it this way, if you put it on E0, every packet going to finance needs to be inspected, but if you use it on the sales interface, it only needs to check the packets coming from sales. In the diagram you provided the impact of not placing it on the source probably wouldn’t be that great, but think of how much more work the router would have to do if it had to inspect the packets from a dozen interfaces at one time sending traffic to finance.  
JFrederick29Connect With a Mentor Commented:
In your access-list, is the source subnet so you would deny it outbound if applying it to E0.  If you were to apply it to E2, you would apply it inbound.

You can tell by looking at how the source and destination looks to the router interface.  If you send data to Finance, from Sales, the source address received on E2 is 172.16.40.x and the destination is Finance.  If you applied it inbound on E2, sales wouldn't be able to communicate with anything, all packets would be dropped.  When you apply it outbound on E0, only traffic with a source of will be dropped.  If you applied it inbound on E0, it would have no effect because the source address would be a Finance subnet address.
dissolvedAuthor Commented:
Thanks JFrederick.  I understand that the ACL is applied outbound to e0 because traffic is going "out" e0, destined for FINANCE. Makes sense now thanks.

When would I use an IN statement ?  Could you possibly given an example with my diagram?
Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

If you changed it to deny you could apply it to E2 with the in statement and get the same effect. One thing I should note if sales has access to any of the computers in marketing your security plan goes down the drain. You should really lock down the servers, and workstations in finance, and limit what workstations sales people can long into. So that the access list is another layer of security, instead of your only layer of security.
That should have been

access-list 101 deny ip any

As you will need to use an extented access list in this case.
dissolvedAuthor Commented:
Thanks DR IP.  What happens if I use both ACLs ?

They both essentially do the same thing.  Is this normally done?

Last question: Why do they say (when using extended ACLs) to always apply it closest to the source?

dissolvedAuthor Commented:
Thanks a lot. Very helpful
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.