ACL placement?

Lasse_Jensen
Level 1

Dear Cisco Community,

I'm struggling to understand where to place ACLs.

I know there are numbered ACLs, standard named ACLs and extended named ACLs.

The rule of thumb for standard and numbered lists is:

Standard ACLs do not look at the destination address, therefore, you should place them closest to the destination network that you are filtering packets to. For example, if you want to filter traffic from network A to network B, standard ACLs should be as close as possible to network B.

The rule of thumb for extended lists is:

For the extended type of ACLs, you should place them closest to the source of the traffic. Since they can filter traffic based on different types of criteria, it would be effective to place them on a router closest to the source of the traffic that is being filtered since this way other routers in the domain do not have to process undesired traffic.

My question is primarily regarding the standard ACLs:

In which direction should they be placed?

I'm using a topology like one found in CCNA 2, see below.

[Topology image: Udklip.PNG]

1) Say I have an ACL that is to deny traffic from LAN 1 to LAN 2, but permit traffic from all other LANs (LAN 3). Does that mean I place the ACL on the interface that faces the destination LAN 2, in the outbound direction?

2) Say I have an ACL that is to deny a single host in LAN 2 from accessing LAN 3, but permit all other traffic. Does a server count as a host, or just a computer? Should I then apply this ACL on the inbound interface from LAN 2 to the router, or on the outbound interface facing LAN 3?

3) Say I have an ACL that is to permit a single host in LAN 3 access to LAN 1. Should I then apply that ACL on the inbound interface to the router from LAN 3?

I know inbound and outbound directions have to do with whether a packet is rejected before or after processing by a router, but what difference does it make? How can I tell where 'nearest to the destination' is, if I have only one router? Surely that would appear to be the outbound interface to the specific LAN in question?

I hope you can help me understand better.

Thanks in advance

Lasse

1 Reply

luis_cordova
VIP Alumni

Hi @Lasse_Jensen

On where to apply an ACL, what you indicate is correct.
On the direction, this must be decided from the point of view of the device where the ACL was configured.
For example, if the device is a router, you must ask yourself: do I want the ACL to be applied when the packet enters the router (IN) or when it leaves the router (OUT)?
Looking at it from the point of view of the router will make it easier for you to decide the direction to apply.

1) Say I have an ACL that is to deny traffic from LAN 1 to LAN 2, but permit traffic from all other LANs (LAN 3). Does that mean I place the ACL on the interface that faces the destination LAN 2, in the outbound direction?

Yes, because if you apply it on the interface that connects LAN1, you would also be blocking packets that go to LAN3, because a standard ACL can only filter according to the source of the packets.

2) Say I have an ACL that is to deny a single host in LAN 2 from accessing LAN 3, but permit all other traffic. Does a server count as a host, or just a computer?

Any device or interface that has an IP configured is considered a host, so the servers are also hosts.

Should I then apply this ACL on the inbound interface from LAN 2 to the router, or on the outbound interface facing LAN 3?

It should be applied on the interface that connects with LAN3 with direction out, because, as indicated in the first question, applying it on the interface that connects with LAN2 would deny that host's access to LAN1 as well.

3) Say I have an ACL that is to permit a single host in LAN 3 access to LAN 1. Should I then apply that ACL on the inbound interface to the router from LAN 3?

No, for the same reason above.
For example, in this case the ACL could be something like this:

access-list 1 permit 172.16.0.x

If you apply this ACL on the interface that connects to LAN3, then you are allowing only that host for LAN2 and for LAN1, so that ACL should be applied on the interface that connects to LAN1, with direction out.

Regards
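The placement argument in the reply (and in questions 2 and 3 of the original post) can be checked by simulating a single router with one interface per LAN. The following is an added example written for this thread; it is not Cisco code and not part of either post. The topology, the interface names (Gi0/0, Gi0/1, Gi0/2), the LAN prefixes (192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24) and the host addresses are constructed assumptions. The parser accepts only standard-ACL syntax (source matching with "any", "host", a bare address, or an address plus contiguous wildcard), applies first-match-wins with the implicit deny at the end, and evaluates the inbound ACL on the source-facing interface and the outbound ACL on the destination-facing interface. It also shows a point the reply's "permit one host" ACL implies but does not spell out: once a permit-only standard ACL is applied outbound on LAN1, every other source, including all of LAN2, is cut off from LAN1 by the implicit deny.

```python
"""Standard-ACL placement on a single router, simulated (constructed example)."""
import ipaddress
from dataclasses import dataclass, field

# Assumed topology: one router, one interface per LAN (addresses and names are made up).
LANS = {
    "LAN1": ipaddress.ip_network("192.168.1.0/24"),
    "LAN2": ipaddress.ip_network("192.168.2.0/24"),
    "LAN3": ipaddress.ip_network("192.168.3.0/24"),
}
INTERFACE_OF = {"LAN1": "Gi0/0", "LAN2": "Gi0/1", "LAN3": "Gi0/2"}


@dataclass
class StandardAce:
    action: str                    # "permit" or "deny"
    source: ipaddress.IPv4Network  # source addresses this entry matches


def parse_standard_acl(lines):
    """Parse 'access-list N {permit|deny} <src>' lines into {N: [ace, ...]}.

    <src> is 'any', 'host A.B.C.D', 'A.B.C.D WILDCARD', or a bare address
    (IOS treats a bare address in a standard ACL as a single host).
    """
    acls = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL entry: {line!r}")
        number, action, src = parts[1], parts[2], parts[3:]
        if src == ["any"]:
            net = ipaddress.ip_network("0.0.0.0/0")
        elif src[0] == "host" or len(src) == 1:
            net = ipaddress.ip_network(f"{src[-1]}/32")
        else:
            wildcard = int(ipaddress.IPv4Address(src[1]))
            if (wildcard + 1) & wildcard:  # only contiguous wildcards are supported here
                raise ValueError(f"non-contiguous wildcard in {line!r}")
            net = ipaddress.ip_network(f"{src[0]}/{32 - wildcard.bit_length()}", strict=False)
        acls.setdefault(number, []).append(StandardAce(action, net))
    return acls


def permitted(acl, src_ip):
    """First matching entry wins; a source that matches nothing hits the implicit deny."""
    for ace in acl:
        if src_ip in ace.source:
            return ace.action == "permit"
    return False


def lan_of(ip):
    """Name of the LAN that contains ip (the router's connected route lookup)."""
    for name, net in LANS.items():
        if ip in net:
            return name
    raise ValueError(f"{ip} is not in any connected LAN")


@dataclass
class Router:
    acls: dict
    bindings: dict = field(default_factory=dict)  # (interface, "in"|"out") -> ACL number

    def apply(self, interface, direction, number):
        """Equivalent of 'ip access-group <number> <in|out>' on that interface."""
        self.bindings[(interface, direction)] = number

    def forward(self, src, dst):
        """True if a packet src -> dst is delivered; the inbound ACL is checked on the
        interface facing the source LAN, the outbound ACL on the one facing the destination."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for key in ((INTERFACE_OF[lan_of(src_ip)], "in"), (INTERFACE_OF[lan_of(dst_ip)], "out")):
            number = self.bindings.get(key)
            if number is not None and not permitted(self.acls[number], src_ip):
                return False
        return True


def compare_placements():
    """Question 2: deny host 192.168.2.50 (LAN2) from LAN3, allow everything else.
    Returns delivery results for the two candidate placements."""
    acls = parse_standard_acl(["access-list 10 deny host 192.168.2.50",
                               "access-list 10 permit any"])
    near_source = Router(acls)
    near_source.apply("Gi0/1", "in", "10")        # on the LAN2-facing interface, inbound
    near_destination = Router(acls)
    near_destination.apply("Gi0/2", "out", "10")  # on the LAN3-facing interface, outbound
    return {
        "in on LAN2: host->LAN3": near_source.forward("192.168.2.50", "192.168.3.10"),
        "in on LAN2: host->LAN1": near_source.forward("192.168.2.50", "192.168.1.10"),
        "out on LAN3: host->LAN3": near_destination.forward("192.168.2.50", "192.168.3.10"),
        "out on LAN3: host->LAN1": near_destination.forward("192.168.2.50", "192.168.1.10"),
        "out on LAN3: other host->LAN3": near_destination.forward("192.168.2.51", "192.168.3.10"),
    }


def implicit_deny_effect():
    """Question 3: permit only host 192.168.3.7 into LAN1, ACL outbound on the LAN1 interface."""
    r = Router(parse_standard_acl(["access-list 1 permit host 192.168.3.7"]))
    r.apply("Gi0/0", "out", "1")
    return {
        "LAN3 host->LAN1": r.forward("192.168.3.7", "192.168.1.10"),
        "other LAN3 host->LAN1": r.forward("192.168.3.8", "192.168.1.10"),
        "LAN2 host->LAN1": r.forward("192.168.2.50", "192.168.1.10"),
        "LAN3 host->LAN2": r.forward("192.168.3.8", "192.168.2.50"),
    }


if __name__ == "__main__":
    for name, delivered in {**compare_placements(), **implicit_deny_effect()}.items():
        print(f"{name:32} {'delivered' if delivered else 'dropped'}")
```

Running the script prints one line per flow. The "in on LAN2" rows show the collateral damage the reply describes: the inbound placement drops the host's traffic to LAN1 as well as LAN3, while the outbound placement on the LAN3 interface drops only the intended flow. The implicit_deny_effect rows show why a permit-only standard ACL needs a trailing "permit any" (or a deliberate decision to block everyone else) before it goes on a shared interface.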