Posted on 2004-10-08
Last Modified: 2010-04-17
How do you decide if you apply an access list IN or OUT?  
Take this diagram for example:

If I wanted to deny the SALES lan from accessing FINANCE.  
It would be

                 access-list deny
                 access-list permit any

I would then apply it to the e0 interface. But would I apply it inbound or outbound?  How can you tell?
Question by:dissolved
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 43

Assisted Solution

JFrederick29 earned 150 total points
ID: 12263427
In your access-list, is the source subnet so you would deny it outbound if applying it to E0.  If you were to apply it to E2, you would apply it inbound.

You can tell by looking at how the source and destination looks to the router interface.  If you send data to Finance, from Sales, the source address received on E2 is 172.16.40.x and the destination is Finance.  If you applied it inbound on E2, sales wouldn't be able to communicate with anything, all packets would be dropped.  When you apply it outbound on E0, only traffic with a source of will be dropped.  If you applied it inbound on E0, it would have no effect because the source address would be a Finance subnet address.

Author Comment

ID: 12263472
Thanks JFrederick.  I understand that the ACL is applied outbound to e0 because traffic is going "out" e0, destined for FINANCE. Makes sense now thanks.

When would I use an IN statement ?  Could you possibly given an example with my diagram?
LVL 13

Expert Comment

ID: 12264109
If you changed it to deny you could apply it to E2 with the in statement and get the same effect. One thing I should note if sales has access to any of the computers in marketing your security plan goes down the drain. You should really lock down the servers, and workstations in finance, and limit what workstations sales people can long into. So that the access list is another layer of security, instead of your only layer of security.
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 13

Expert Comment

ID: 12264132
That should have been

access-list 101 deny ip any

As you will need to use an extented access list in this case.

Author Comment

ID: 12264610
Thanks DR IP.  What happens if I use both ACLs ?

They both essentially do the same thing.  Is this normally done?

Last question: Why do they say (when using extended ACLs) to always apply it closest to the source?

LVL 13

Accepted Solution

Dr-IP earned 350 total points
ID: 12264743
If you use both, you are effectively duplicating the same thing. As for using extended access list closest to the source, it’s to hopefully limit the amount of packets that need to be filtered thought the access list. Just look at it this way, if you put it on E0, every packet going to finance needs to be inspected, but if you use it on the sales interface, it only needs to check the packets coming from sales. In the diagram you provided the impact of not placing it on the source probably wouldn’t be that great, but think of how much more work the router would have to do if it had to inspect the packets from a dozen interfaces at one time sending traffic to finance.  

Author Comment

ID: 12264836
Thanks a lot. Very helpful

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Fortigate 100D NTP Issue 4 157
Cisco 800 router unable to connect through TPG network 12 36
Understanding Extended-Access List 6 41
Advice on router and switch 25 46
While it is possible to put two routes in place with the secondary having a higher metric, this may not always work. In the event of a failure that does not bring down the physical interface on the router the primary route is not removed. There is a…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

697 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question