Ingress versus egress ACL filtering

Posted on 2006-05-07
Last Modified: 2012-06-22
Assuming the need for filtering on internal VLANs on a network, what is considered to be the best practice between the two if you have limited resources and can choose only one?  Assume a setup of at least two VLANs with standard workstations and a server VLAN.  Assume a mixture of voice and data networks, and assume that Windows and Linux networks are in place.  Are there exceptions to this rule that you set up because of certain technologies?  What are the reasons for your opinions?
Question by: awakenings

    Accepted Solution

    The phrasing of the question makes it sound like a homework assignment, but I've read some of your other questions and comments, so I'll bite on this one.

    Ingress and Egress can have two different meanings with two different scenarios.
    Ingress/Egress to/from a network - Ingress from outside world into the network, Egress out of the network to the rest of the world. We typically see very stringent access rules on what can come in (unsolicited) to the network, for example only port 80 to a specific web server, only port 25 to a specific mail server, etc. We set up Egress filters to restrict outgoing traffic to match our local policies. For instance, we can restrict outbound smtp to only the ip address of the mail server, restrict outbound port 80 to the www server, restrict certain ip subnets to only using web services outbound to port 80 only, etc, etc..

    Ingress/Egress from a Cisco device perspective - Ingress is a filter on any interface coming into the box, regardless of perspective from the network point of view. Filters in/out can be described in this way:
    Think of the cisco device as a room. From outside this room, every door (interface) is marked "IN". From inside this room, every door is marked "OUT".
    On the outside of each door, there is a doorman. His name is 'ingress'. He must check everyone's ID against a list before allowing entrance.
    On the inside of the room is one bouncer. His name is "egress". He has his rules that require certain guests be only allowed to go out certain doors (based on route tables among other things).
    One entrance has no doorman at all (this is the "inside" interface to the local LAN) so no packets are challenged getting into the room. Now it is up to "egress" to determine what to do with all these guests (packets).

    If you put an ingress doorman (filter, acl-group "in") on the outer door, you reduce the work on the bouncer.
    If you only put an egress rule on the bouncer (filter, acl-group "out") but don't restrict what gets into the room, then the lone bouncer (CPU) has to do all the work.
    It is far more efficient to put the doormen on the outsides of the room and never allow anything in at all that the bouncer would just have to kick out anyway (to the bit bucket). We very rarely apply cisco access-list filters "out" on an interface because we block at the other interface (nearest the source) "in".
    So, even an Egress filter restricting outbound traffic from the network to the world is applied as an Ingress filter at the cisco device.
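The last point above (a network-level egress policy applied as an interface-level "in" filter) as a constructed Cisco IOS configuration; this is an added example, not the expert's own configuration, and the VLAN numbers, subnets, server addresses and services are all assumed:

```cisco
! Constructed example: a Layer-3 switch with workstation VLAN 10
! (10.10.10.0/24) and server VLAN 30 (10.10.30.0/24). Host addresses
! and services are assumed for illustration only.
!
! The policy restricts what leaves the workstation VLAN ("egress" from
! the network's point of view), but it is attached as an "in" filter on
! that VLAN's interface: the doorman nearest the source drops unwanted
! packets before the switch spends any routing work on them.
ip access-list extended WORKSTATIONS-TO-SERVERS
 remark Only the named services may reach the server VLAN
 permit tcp 10.10.10.0 0.0.0.255 host 10.10.30.25 eq smtp
 permit tcp 10.10.10.0 0.0.0.255 host 10.10.30.80 eq www
 permit udp 10.10.10.0 0.0.0.255 host 10.10.30.53 eq domain
 permit tcp 10.10.10.0 0.0.0.255 host 10.10.30.10 eq 445
 remark Log, then drop, anything else aimed at the server VLAN
 deny   ip  10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255 log
 remark Workstations may still reach other networks (edge filters apply there)
 permit ip  10.10.10.0 0.0.0.255 any
 remark Packets with a source outside the VLAN's own subnet are spoofed: log and drop
 deny   ip  any any log
!
interface Vlan10
 description Workstation VLAN
 ip address 10.10.10.1 255.255.255.0
 ip access-group WORKSTATIONS-TO-SERVERS in
```

Applying a similar list with `ip access-group ... out` on the server VLAN interface would enforce the same outcome, but only after each packet has already been routed, which is the extra bouncer work described above; `show access-lists` shows per-entry hit counters for checking which lines are actually matching.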


    Author Comment


         I completely forgot.  I'm sorry.  I had something I was thinking in regards to this.  Your arguments are very good. I was thinking purely of internal networks, but neglected to mention this.  Let me throw a couple more ideas your way.  Let's assume that you wanted to protect a network.  Obviously the kinds of likely threats are worms, spyware, etc.  If you had say 20 or 30 different VLANs that you wanted to put ACLs on, would you choose internal or external?  What if your object was security and not productivity, but didn't want to upset the business unit with slow speeds?  Would your answer change?  Would you put ACLs on the outbound or inbound?  In other words, if you do outbound traffic, you would slow things down somewhat, but you could potentially protect other networks from potentially negligent traffic or from some worms, etc.  If you did inbound you assume that all is "bad" from other subnets and protect them from people connecting where they shouldn't.  What would you choose to do and why?
