06-11-2019 07:07 AM
Hi All,
I am learning Cisco ASA. I have a question about applying an ACL.
1. access-group <access-list name> in interface <interface name>
2. access-group <access-list name> out interface <interface name>
In the above syntax, I know where I have to use the first command, which will configure the ACL in the "in" direction on an interface. But could someone explain to me in what kind of situation we have to use the second command, which will configure the ACL in the "out" direction?
And please explain to me what will happen if I use the second command? Thank you
06-11-2019 07:20 AM
Hi there,
An access-group applied in the 'out' direction affects traffic which is leaving an interface towards its destination.
Typically you want to position your ACLs as close to the source as possible, so they are normally implemented INbound on interfaces.
However, depending on your topology, you may have traffic from multiple sources arriving on different interfaces, where it is easier to create and apply a single ACL in the OUTbound direction as it is routed towards its destination.
cheers,
Seb.
06-12-2019 05:35 AM
Thank you very much for the reply Seb. Can you please share any topology where we can use "outbound" acl?
06-12-2019 06:30 AM
It can be used in any topology; for me it boils down to administrative preference.
If I have 20 subnets trying to access a 'server' VLAN, instead of having to edit 20 INbound ACLs on those interfaces, I can instead create a single ACL which will cover the required policy and place it OUTbound on the server VLAN interface.
Lessening the administrative overhead must be weighed against the mantra of "placing ACLs as close to the source as possible".
cheers,
Seb.
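The "20 subnets, one server VLAN" case from the two answers above, written out as an ASA configuration. This is an added example, not configuration posted by Seb or by the original poster: the interface name "servers", the object-group and ACL names, and all addresses are constructed for illustration (three of the twenty subnets are shown; the remaining ones follow the same pattern). The ACL is applied once, in the out direction, on the interface facing the servers, so every packet routed towards that VLAN from any ingress interface is checked by the same policy; the final deny carries "log" so that blocked traffic shows up in syslog rather than disappearing silently.

```cisco
! Added example (assumed names and constructed addresses, not from the thread)
! Source subnets that need access to the server VLAN
object-group network USER_SUBNETS
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
 network-object 10.1.3.0 255.255.255.0
! Servers that the policy protects
object-group network APP_SERVERS
 network-object host 10.10.10.20
 network-object host 10.10.10.21
! Only the services the users actually need
object-group service APP_PORTS tcp
 port-object eq 443
 port-object eq 22

! One policy for the whole server VLAN, evaluated on egress
access-list SERVERS_OUT extended permit tcp object-group USER_SUBNETS object-group APP_SERVERS object-group APP_PORTS
! Explicit, logged catch-all so denied flows are visible in syslog
access-list SERVERS_OUT extended deny ip any any log

! Bind the ACL in the out direction on the interface facing the servers
access-group SERVERS_OUT out interface servers

! Verification: hit counts per ACE, and which ACLs are bound where
show access-list SERVERS_OUT
show running-config access-group
```

The trade-off Seb mentions is visible here: traffic from a subnet that is not in USER_SUBNETS is still accepted on its ingress interface, routed across the firewall, and only dropped at the servers interface, so the firewall does more work per unwanted packet than it would with an inbound ACL near the source. Outbound ACLs also have no effect on traffic destined to the ASA itself, which is governed by the management and control-plane configuration rather than by interface access-groups.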