899 Views, 0 Helpful, 3 Replies

Access List, in/out Help

als2018
Level 1

Hello, I understand that Standard ACLs are typically placed in the outbound direction and Extended ACLs are typically placed in the inbound direction, but when do these change? In what real-world scenario would an Extended ACL be placed in the outbound direction and a Standard ACL placed in the inbound direction? Thanks!

3 Replies

luis_cordova
VIP Alumni

Hi @als2018,

In a real environment, standard ACLs are used for NAT and extended ACLs are used on the frontier (edge) routers.

On these routers, the interface on which the ACL is applied and its direction depend on the purpose of the ACL.

Regards

Alan Ng'ethe
Level 3

Hi, generally the rule of thumb is to apply standard ACLs as close to the destination as possible and extended ACLs as close to the source as possible.

References: Standard ACLs; ACLs Inbound and Outbound

In keeping with the above, for a standard ACL to be as close as possible to the destination host/network, the most practical place to apply it would be on the interface closest to the host, in the outbound direction (from the perspective of the source host).

However, there are no hard and fast rules regarding the direction in which either kind of access list should be applied, as this all depends on the topology and the desired results.

In practice, I have found that applying whatever kind of access list in the inbound direction has rarely failed me.

Remember to rate helpful posts and/or mark as a solution if your issue is resolved.

Deepak Kumar
VIP Alumni

Hi,

"Standard ACLs are typically placed in the outbound direction and Extended ACLs are typically placed in the inbound direction"

The above statement is not always true. Let's try to understand the difference between both types of ACL:

Standard ACL
1. Checks source address
2. Permits or denies the entire protocol suite

Extended ACL
1. Checks source and destination address
2. Generally permits or denies specific protocols and applications:
   - Source and destination TCP and UDP ports
   - Protocol type (IP, ICMP, UDP, TCP or protocol number)

Where we use a Standard ACL:

Really, I will use a Standard ACL where I do not care about the destination host/network or the protocol. I want to allow or deny a source IP address, so I will use a Standard ACL. We will try to put the Standard ACL near the destination network or host, because I don't want to block or allow some other communication.

This type of ACL can be applied in the INBOUND or OUTBOUND direction, but mostly we use it OUTBOUND.

Where we use an Extended ACL:

I will use an Extended ACL where I want to block or allow a specific source to a specific destination, or a specific protocol or port number. Say I have an end-user system 10.10.10.1 and a destination server 8.8.8.8. Now I want to block only ICMP for this particular user, or for all users. Here I will use an Extended ACL to block a specific protocol to a specific destination. I will try to put this ACL near the source, because this ACL is configured for specific parameters and it will allow or block communication as per the configured source/destination/protocol/port number. So I don't want to make my other routers/systems/bandwidth busy with the traffic that I want to block.

This type of ACL can be applied in the INBOUND or OUTBOUND direction.

Regards,
Deepak Kumar
Don't forget to vote and accept the solution if this comment helps you!
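As an added example that is not part of any reply in this thread, the following Python model shows why the two ACL types end up in different places. It evaluates entries top-down, first match wins, with the implicit deny at the end, matching on source only for a standard ACL and on source/destination/protocol/port for an extended ACL. The two ACLs it builds correspond to the scenario above (user 10.10.10.1, server 8.8.8.8, block only ICMP); the ACL numbers 10 and 101 and the IOS lines quoted in comments are constructed for illustration, not taken from the thread.

```python
"""Toy model of standard vs. extended ACL evaluation (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "icmp", "tcp", "udp"
    dport: Optional[int] = None     # destination port for tcp/udp


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0/0"          # "any" by default
    dst: str = "0.0.0.0/0"          # ignored by a standard ACL
    proto: str = "ip"               # "ip" matches every protocol; ignored by a standard ACL
    dport: Optional[int] = None     # only checked when set

    def matches(self, pkt: Packet, extended: bool) -> bool:
        # Standard ACL: the source address is the only thing inspected.
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if not extended:
            return True
        # Extended ACL: destination, protocol and (optionally) port must also match.
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


@dataclass
class ACL:
    name: str
    extended: bool
    entries: List[Entry] = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> str:
        """Top-down, first match wins; an unmatched packet hits the implicit deny."""
        for entry in self.entries:
            if entry.matches(pkt, self.extended):
                return entry.action
        return "deny"


def build_standard_acl() -> ACL:
    # Constructed IOS equivalent:
    #   access-list 10 deny host 10.10.10.1
    #   access-list 10 permit any
    # Denies the whole protocol suite from that host, so it belongs near the
    # destination to avoid cutting the user off from everything else.
    return ACL("10", extended=False, entries=[
        Entry("deny", src="10.10.10.1/32"),
        Entry("permit"),
    ])


def build_extended_acl() -> ACL:
    # Constructed IOS equivalent:
    #   access-list 101 deny icmp host 10.10.10.1 host 8.8.8.8
    #   access-list 101 permit ip any any
    # Matches precisely, so it can sit near the source (typically inbound on the
    # user-facing interface) and drop the traffic before it crosses the network.
    return ACL("101", extended=True, entries=[
        Entry("deny", src="10.10.10.1/32", dst="8.8.8.8/32", proto="icmp"),
        Entry("permit"),
    ])


def compare(pkt: Packet) -> Dict[str, str]:
    """Return the verdict of both ACLs for one packet."""
    return {
        "standard": build_standard_acl().evaluate(pkt),
        "extended": build_extended_acl().evaluate(pkt),
    }


if __name__ == "__main__":
    # Constructed sample traffic from the user in the post.
    for pkt in (Packet("10.10.10.1", "8.8.8.8", "icmp"),
                Packet("10.10.10.1", "8.8.8.8", "udp", dport=53),
                Packet("10.10.10.2", "8.8.8.8", "icmp")):
        print(pkt, compare(pkt))
```

Running it shows the practical difference: the standard ACL drops both the ping and the DNS query from 10.10.10.1 (it cannot tell them apart), while the extended ACL drops only the ping and lets the DNS query through; traffic from any other host is permitted by both.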