We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you two Citrix podcasts. Learn about 2020 trends and get answers to your biggest Citrix questions!Listen Now


Standard access-lists question

Dilan77 asked
Medium Priority
Last Modified: 2010-03-19
Hi experts,

CCNA question!

I have a network containing the subnet (LAN 1) on interface f0/1 on Router1 and subnet (LAN 8) on Router6.

I'd like to block access to any host on LAN8 accessing LAN1 using a standard access-list on the router.

I was thinking of doing this on the f0/1 interface of Router 1.

2600(conf)#access-list 1 deny
2600(conf)#access-list 1 permit any
2600(conf)#interface f0/1
2600(conf-if)#ip access-group 1 in

So basically I am applying an inbound access list to the f0/1 interface blocking the entire subnet of
But, it doesn't work!

It works (as most books suggest) by applying the list as an outbound access list on the the f0/0 interface, but I was wondering why? Why not block it from entering in the first place?
Conversely, if I apply the list as an inbound list on the serial interface of Router1 connecting it to Router6 it works, but not as an outbound? Why is this, and why is the s0/0's behaviour opposite to f0/0?

Hope someone can help me!
Watch Question

When you applied it inbound, essentially you're saying "Anything I receive inbound on this interface apply this acl to it".  The only thing that you're going to receive inbound on that interface is traffic from  Standard access lists are based on source address so your ACL will permit it because it's denying and permitting everything else.  Same situation on s0/0.  Make sense?

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
Kfullarton is correct.

The thing to remember with ACL's is that the inbound and outbound are from the perspective of the interface. So inbound is from the attached network into that interface, and outbound is from that out to the attached network from that interface.

A lot of people think that it is from the perspective of the attached network. In to the network (out the interface) or out of the network (in to the interface), which is backwards.




Thanks guys...I think I'm misunderstanding the concept of inbound/outbound.

So, inbound is from the attached network into the interface and outbound is to the attached network from the interface?

This would also explain why it's the opposite for the serial interface, as in that case the traffic is going FROM the attached network TO the interface. Whereas with f0/0, the traffic is going TO the attached network FROM the interface.

As Gary said, I was looking at it from the perspective of the network, not the interface.

Just one final question, where would be it be best to put the ACL? On the f0/0 or s0/0 interfaces? For Router1, there is only one serial and one Ethernet connection so I'm guessing it wouldn't make much difference. However, if there were multiple interfaces I'm assuming the ACL would have to be applied on the f0/0 so that it doesn't block legitimate traffic for elsewhere, as standard ACL's act on source IP address alone. Is this correct?

The general rule for Standard ACLs is to apply them closest to the destination.  So you are correct.


Brilliant, thanks for the explanations!
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.