Standard access-lists question

Posted on 2006-03-29
Last Modified: 2010-03-19
Hi experts,

CCNA question!

I have a network containing the subnet (LAN 1) on interface f0/1 on Router1 and subnet (LAN 8) on Router6.

I'd like to block access to any host on LAN8 accessing LAN1 using a standard access-list on the router.

I was thinking of doing this on the f0/1 interface of Router 1.

2600(conf)#access-list 1 deny
2600(conf)#access-list 1 permit any
2600(conf)#interface f0/1
2600(conf-if)#ip access-group 1 in

So basically I am applying an inbound access list to the f0/1 interface blocking the entire subnet of
But, it doesn't work!

It works (as most books suggest) by applying the list as an outbound access list on the the f0/0 interface, but I was wondering why? Why not block it from entering in the first place?
Conversely, if I apply the list as an inbound list on the serial interface of Router1 connecting it to Router6 it works, but not as an outbound? Why is this, and why is the s0/0's behaviour opposite to f0/0?

Hope someone can help me!
Question by:Dilan77
    LVL 9

    Accepted Solution

    When you applied it inbound, essentially you're saying "Anything I receive inbound on this interface apply this acl to it".  The only thing that you're going to receive inbound on that interface is traffic from  Standard access lists are based on source address so your ACL will permit it because it's denying and permitting everything else.  Same situation on s0/0.  Make sense?
    LVL 11

    Assisted Solution

    Kfullarton is correct.

    The thing to remember with ACL's is that the inbound and outbound are from the perspective of the interface. So inbound is from the attached network into that interface, and outbound is from that out to the attached network from that interface.

    A lot of people think that it is from the perspective of the attached network. In to the network (out the interface) or out of the network (in to the interface), which is backwards.


    LVL 2

    Author Comment

    Thanks guys...I think I'm misunderstanding the concept of inbound/outbound.

    So, inbound is from the attached network into the interface and outbound is to the attached network from the interface?

    This would also explain why it's the opposite for the serial interface, as in that case the traffic is going FROM the attached network TO the interface. Whereas with f0/0, the traffic is going TO the attached network FROM the interface.

    As Gary said, I was looking at it from the perspective of the network, not the interface.

    Just one final question, where would be it be best to put the ACL? On the f0/0 or s0/0 interfaces? For Router1, there is only one serial and one Ethernet connection so I'm guessing it wouldn't make much difference. However, if there were multiple interfaces I'm assuming the ACL would have to be applied on the f0/0 so that it doesn't block legitimate traffic for elsewhere, as standard ACL's act on source IP address alone. Is this correct?

    LVL 9

    Expert Comment

    The general rule for Standard ACLs is to apply them closest to the destination.  So you are correct.
    LVL 2

    Author Comment

    Brilliant, thanks for the explanations!

    Featured Post

    Gigs: Get Your Project Delivered by an Expert

    Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

    Join & Write a Comment

    What is IRC? IRC (Internet Relay Chat) is a form of communication between multiple users. It is available freely to anyone with inernet access. IRC is a great way to communicate with others e.g. There is an IRC channel for Ubuntu Linux, which is fo…
    If your business is like most, chances are you still need to maintain a fax infrastructure for your staff. It’s hard to believe that a communication technology that was thriving in the mid-80s could still be an essential part of your team’s modern I…
    After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
    This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor ( If you're looking for how to monitor bandwidth using netflow or packet s…

    755 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    19 Experts available now in Live!

    Get 1:1 Help Now