Cisco – Standard IP ACL inbound direction

aclcisco

The command syntax format of a standard ACL is

access-list access-list-number {permit|deny} {host|source source-wildcard|any}.

This is an example of the use of a standard ACL in order to block all traffic except that from source 10.1.1.x.

interface Ethernet0/0 
ip address 10.1.1.1 255.255.255.0 
ip access-group 1 in
access-list 1 permit 10.1.1.0 0.0.0.255

I have a question: If the Standard ACLs are applied on interfaces closer to the destination, I suppose they are always applied in the outbound direction. Am I wrong or in which situations can they be applied in the inbound direction?

Best Answer

The direction is always in reference to the router itself. In your example, you have applied the ACL inbound on E0/0. So the ACL applies to traffic from the source entering the router on E0/0.

Which direction you apply the ACL depends on what you are trying to do. But generally, it is better to filter as close to the source as possible. There's no point to allowing traffic to flow through the network, just to end up dropping it at the destination.

The exception is where traffic is allowed to one destination, but not another. If, in your example, the source was connected to E0/0, and you had two destinations on E0/1 and E0/2, where the source can talk to E0/1, but not E0/2. In this case, you would put the ACL outbound on E0/2.

Alternatively, you could use an extended ACL inbound on E0/0 that blocks the destination on E0/2.

Related Solutions

Cisco – Why does Cisco ios save and display access list entries out of order

From the Cisco documentation:

The major difference in a standard access list is that the Cisco IOS adds an entry by descending order of the IP address, not on a sequence number.

You can read more here.

HP Procurve 5406zl – ACL issue

According to the Access Security Guide for your device, the first address and mask of an ACE is source and the second address and mask is the destination. (Just in case, an ACE is an Access Control Entry; that is any line an access-list is made of)

ACE 20 of your ACL states source 192.168.50.0/24 and destination 192.168.101.0/24, then you apply the ACL at VLAN 101 input; however, your VLAN 101 is 192.168.101.0/24, so any input traffic at VLAN 101 would have source address in 192.168.101.0/24. So ACE 20 in your ACL is wrong, you need an ACE with action permit, source 192.168.101.0/24 and destination 192.168.50.0/24.

ip access-list extended "SecureContent"
    10 permit ip 192.168.101.0 0.0.0.255 192.168.50.0 0.0.0.255

Regarding the way back for this traffic, it will cross VLAN 101 outbound, so ACL should not be applied to this traffic and it should be allowed.

If traffic back is not allowed then you need to add the way back in your ACL.

ip access-list extended "SecureContent"
    10 permit ip 192.168.101.0 0.0.0.255 192.168.50.0 0.0.0.255
    20 permit ip 192.168.50.0 0.0.0.255 192.168.101.0 0.0.0.255

EDITED to change the line above to reflect proper ACL structure of numbered entries. (10, 20, etc).

Best Answer

Related Solutions

Cisco – Why does Cisco ios save and display access list entries out of order

HP Procurve 5406zl – ACL issue

Related Topic