Posted on 2004-10-08
Last Modified: 2010-04-17
How do you decide if you apply an access list IN or OUT?  
Take this diagram for example:

If I wanted to deny the SALES lan from accessing FINANCE.  
It would be

                 access-list deny
                 access-list permit any

I would then apply it to the e0 interface. But would I apply it inbound or outbound?  How can you tell?
Question by:dissolved

Assisted Solution

JFrederick29 earned 150 total points
ID: 12263427
In your access-list, is the source subnet so you would deny it outbound if applying it to E0.  If you were to apply it to E2, you would apply it inbound.

You can tell by looking at how the source and destination looks to the router interface.  If you send data to Finance, from Sales, the source address received on E2 is 172.16.40.x and the destination is Finance.  If you applied it inbound on E2, sales wouldn't be able to communicate with anything, all packets would be dropped.  When you apply it outbound on E0, only traffic with a source of will be dropped.  If you applied it inbound on E0, it would have no effect because the source address would be a Finance subnet address.

Author Comment

ID: 12263472
Thanks JFrederick.  I understand that the ACL is applied outbound to e0 because traffic is going "out" e0, destined for FINANCE. Makes sense now thanks.

When would I use an IN statement? Could you possibly give an example with my diagram?

Expert Comment

ID: 12264109
If you changed it to deny you could apply it to E2 with the in statement and get the same effect. One thing I should note: if sales has access to any of the computers in marketing, your security plan goes down the drain. You should really lock down the servers and workstations in finance, and limit what workstations sales people can log into, so that the access list is another layer of security instead of your only layer of security.


Expert Comment

ID: 12264132
That should have been

access-list 101 deny ip any

As you will need to use an extended access list in this case.

Author Comment

ID: 12264610
Thanks DR IP.  What happens if I use both ACLs ?

They both essentially do the same thing.  Is this normally done?

Last question: Why do they say (when using extended ACLs) to always apply it closest to the source?


Accepted Solution

Dr-IP earned 350 total points
ID: 12264743
If you use both, you are effectively duplicating the same thing. As for using extended access lists closest to the source, it’s to hopefully limit the amount of packets that need to be filtered through the access list. Just look at it this way: if you put it on E0, every packet going to finance needs to be inspected, but if you use it on the sales interface, it only needs to check the packets coming from sales. In the diagram you provided the impact of not placing it on the source probably wouldn’t be that great, but think of how much more work the router would have to do if it had to inspect the packets from a dozen interfaces at one time sending traffic to finance.
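To see why JFrederick29's direction rule ("outbound on E0" or "inbound on E2", and "inbound on E0" does nothing) and Dr-IP's placement advice (the interface nearest the source inspects fewer packets) both hold, here is a small Python model of the router in the diagram. This is an added example, not code from the thread; only the SALES subnet 172.16.40.0/24 comes from the replies above, while the FINANCE and MARKETING subnets, the interface assignments and the traffic sample are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed topology for this thread. SALES is 172.16.40.0/24 behind E2 (the
# thread gives 172.16.40.x); FINANCE on E0 and MARKETING on E1 are assumed.
LANS = {"E0": ip_network("172.16.50.0/24"),   # FINANCE (assumed placeholder)
        "E1": ip_network("172.16.60.0/24"),   # MARKETING (assumed placeholder)
        "E2": ip_network("172.16.40.0/24")}   # SALES (from the thread)
SALES, FINANCE = LANS["E2"], LANS["E0"]

# ACL entries are (action, source, destination); None means "any".
ACL_STD = [("deny", SALES, None), ("permit", None, None)]      # standard: source only
ACL_101 = [("deny", SALES, FINANCE), ("permit", None, None)]   # extended: source + dest

# Constructed traffic sample with several FINANCE-bound flows.
TRAFFIC = [("172.16.40.10", "172.16.50.5"),   # SALES -> FINANCE (should be denied)
           ("172.16.40.10", "172.16.60.7"),   # SALES -> MARKETING
           ("172.16.60.7", "172.16.50.5"),    # MARKETING -> FINANCE
           ("172.16.60.8", "172.16.50.6"),    # MARKETING -> FINANCE
           ("172.16.50.5", "172.16.40.10")]   # FINANCE -> SALES

def acl_permits(acl, src, dst):
    """First matching entry wins; no match means the implicit deny at the end."""
    for action, s, d in acl:
        if (s is None or src in s) and (d is None or dst in d):
            return action == "permit"
    return False

def interface_for(addr):
    """Interface whose LAN holds addr: ingress for a source, egress for a destination."""
    for name, net in LANS.items():
        if addr in net:
            return name
    raise ValueError(f"no route to {addr}")

def forward(src, dst, acl, interface, direction):
    """Return (delivered, inspected). An ACL applied 'in' sees packets arriving on its
    interface; applied 'out' it sees packets leaving it. Nothing else is checked."""
    src, dst = ip_address(src), ip_address(dst)
    hit = interface == (interface_for(src) if direction == "in" else interface_for(dst))
    if not hit:
        return True, False
    return acl_permits(acl, src, dst), True

def evaluate(interface, direction, acl=ACL_101):
    """Per-flow delivery results plus how many packets the router had to inspect."""
    delivered, inspected = [], 0
    for src, dst in TRAFFIC:
        ok, checked = forward(src, dst, acl, interface, direction)
        delivered.append(ok)
        inspected += checked
    return delivered, inspected
```

`evaluate("E0", "out")` and `evaluate("E2", "in")` deliver the same flows, but the E0 placement inspects every FINANCE-bound packet while E2 inspects only SALES traffic; `evaluate("E0", "in")` blocks nothing, and `evaluate("E2", "in", ACL_STD)` shows the standard (source-only) list cutting SALES off from MARKETING as well.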

Author Comment

ID: 12264836
Thanks a lot. Very helpful
