
Can someone explain "IN" and "OUT" access lists?


comptek (Technical User), Nov 8, 2002
Hi,

I am studying for the CCNA and I am a little confused with the concept of "IN" and "OUT" when creating access lists. I am reading a book by Todd Lammle and his example is that he has a router with 3 LANs (e0=sales, e1=finance, e2=marketing) and one WAN connection to the internet. What he does not want is users on the sales LAN to access the finance LAN, but the marketing LAN needs access. He gives the config for the access list (I left out the router name): #access-list 11 deny host 172.16.40.0; (next line) access-list 11 permit any. Then he adds the list to e1 with ip access-group 11 out.

The book says "this completely stops traffic from 172.16.40.0 (not sure if this was the sales LAN or finance LAN; the chapter did not specify) from getting out of e1. It has no effect on the hosts from the sales LAN accessing the marketing LAN and the internet, since traffic to those destinations doesn't go through e1. Any packet trying to exit out e1 will have to go through the access list first. If there were an inbound list placed on e0, then any packet trying to enter e0 would have to go through the access list before being routed to an exit interface." (Todd Lammle, pg 451, Sybex CCNA 2004)

What I don't understand is the 2nd paragraph. Assuming that 172.16.40.0 is the sales LAN, which is e0, why is the list applied to e1? Should this be applied to the source (e0)? I don't understand the concept of "IN" and "OUT" when you say ip access-group # in (does that mean you are permitting something from the outside into a specific interface, and ip access-group # out blocks access?).

Please explain. Is the book I am using off?


Comptek
A+, Network+
 
Well, technically when blocking traffic it is better to block as close to the source as possible. Inbound and outbound should be thought of as this:


Inbound: When a packet is entering an interface


----> (RTR1E0)

Outbound: When a packet is leaving an interface

(RTR1E0) ---->

There are probably not too many situations where you will absolutely need to block a packet outbound unless maybe for routing purposes. The example you had was just that, an example. Outbound acls are arguable. Just know the purpose.


 
NetworkGhost,

Thanks for your response. So you are saying that if I wanted to block outsiders from coming into my network, say via telnet or internet etc. ---> (RTR1E0), I would apply the list as "ip access-group ## in", because that would block outsiders from coming into my LAN? Out would have worked too, like in the example above, because if I placed the ACL on the interface that connects to my LAN the ACL could be applied as an OUT, and would prevent traffic from entering my LAN. It would still hit the router but not my LAN, right?

Thank you again.


Comptek
A+, Network+
 
comptek,

If you want to keep "sales" (E0) out of "finance" (E1),
then you must put the ACL "out" on E1 (Finance).
If you put
#access-list 11 deny host 172.16.40.0
#access-list 11 permit any

"in" on E0 (sales), you have just shut down sales from going anywhere. A standard ACL only filters on source 172.16.40.0; when you get to extended ACLs you will see that you have more options, one being filtering on destination. In that case you could write an extended ACL that could be put "in" on E0 that will filter traffic trying to go to "Finance".

Good rule -
Standard ACL should be placed close to destination
Extended ACL should be placed close to source

I hope this helps!


E.A. Broda
CCNA, CCDA, CCAI, Network +
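To make the placement rule concrete, here is a small added simulation (not from the book or the thread) of the three-LAN router. It models the order the thread describes (inbound ACL before routing, outbound ACL after routing) and compares the book's standard list 11 applied "out" on E1, the same list applied "in" on E0, and an extended list applied "in" on E0. Only the sales subnet 172.16.40.0 comes from the thread; the finance and marketing subnets are assumed.

```python
import ipaddress

# Constructed topology: only sales (172.16.40.0) is named in the thread;
# the finance and marketing subnets are assumed for the example.
SUBNETS = {
    "e0": ipaddress.ip_network("172.16.40.0/24"),  # sales
    "e1": ipaddress.ip_network("172.16.50.0/24"),  # finance (assumed)
    "e2": ipaddress.ip_network("172.16.60.0/24"),  # marketing (assumed)
}

def route(dst):
    """Pick the exit interface; anything not on a LAN leaves via the WAN link s0."""
    for ifname, net in SUBNETS.items():
        if ipaddress.ip_address(dst) in net:
            return ifname
    return "s0"

def acl_permits(acl, src, dst):
    """Evaluate entries top-down; first match wins, implicit deny at the end.
    Entry: (action, src_net, dst_net); dst_net is None for a standard ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and (dst_net is None or d in dst_net):
            return action == "permit"
    return False

def forward(src, dst, in_if, acls):
    """acls maps (interface, direction) -> ACL. The inbound ACL runs before the
    routing lookup, the outbound ACL after it. Returns the exit interface or None."""
    if (in_if, "in") in acls and not acl_permits(acls[(in_if, "in")], src, dst):
        return None                      # dropped before routing
    out_if = route(dst)
    if (out_if, "out") in acls and not acl_permits(acls[(out_if, "out")], src, dst):
        return None                      # dropped after routing, at the exit interface
    return out_if

ANY = ipaddress.ip_network("0.0.0.0/0")
SALES = SUBNETS["e0"]
# The book's list 11 (deny sales, permit any), matched as a subnet rather than "host".
STD_11 = [("deny", SALES, None), ("permit", ANY, None)]
# Extended equivalent: deny sales -> finance only, permit everything else.
EXT_101 = [("deny", SALES, SUBNETS["e1"]), ("permit", ANY, ANY)]

def outcomes(acls):
    """Exit interface for a sales host reaching finance, marketing, and the Internet."""
    src = "172.16.40.10"
    targets = ("172.16.50.10", "172.16.60.10", "198.51.100.10")
    return tuple(forward(src, dst, "e0", acls) for dst in targets)
```

Running outcomes() with STD_11 "out" on e1 drops only the finance packet, with STD_11 "in" on e0 it drops all three, and with EXT_101 "in" on e0 it again drops only the finance packet.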
 
I should also take into consideration the order in which the routing process and the ACL filtering process happen in both the IN and OUT cases.
The rule is:
for 'IN': the ACL-filtering process happens before the routing process (preserving routing CPU usage)
for 'OUT': the routing process is executed before the ACL-filtering.

I don't know if this is a benefit if we compare CPU usage for ACL filtering and routing processing.
Does anybody have an idea which takes the most CPU usage?
 
I think you would have to look at the size of your routing tables compared to ACL size. If you had large routing tables but a small ACL the decision would be obvious. For an access-list the packet is read a little deeper than for routing.
 
I read from the same book, and the example that was trying to be provided was one of a standard access-list and what could be affected if you applied it out on E0 instead of in on E1, like Cisco Guy mentions: shutting down the sales network from going anywhere. One other thing to keep in mind on this book is that the CCNA test has evolved from what this book covered (if I remember the book), so topics like setting up OSPF and IGRP are not covered in the book, just brief descriptions.
 