Configure ACL for In and Out?

CiscoPurpleBelt (Level 6)

Is it proper to configure a router interface with an ACL for In and Out if you don't want that particular traffic to be allowed?

Accepted Solution

The answer depends on understanding precisely what you are trying to accomplish. If the goal is to prevent communication between the two subnets, then, since most of our IP traffic is bi-directional (host A sends something to host B and host B sends a response to host A), a single access list would be sufficient to prevent communication (and it could be either inbound or outbound). If your goal is to make sure that no traffic from one subnet goes to the other subnet, then you would need an access list inbound and another access list outbound.

HTH

Rick


3 Replies

chrihussey (VIP Alumni)

It really depends on the nature of the traffic and the direction in which you want to prevent or block the traffic. If it is coming into the interface, then an inbound ACL; if it is leaving the interface, then an outbound ACL. Additionally, if an ACL is needed, it is generally a good practice to apply both an in and an out ACL to cover all bases.

Hope this helps


Yes, I guess in and out would be best if we want NO traffic at all between subnets/VLANs. Given that the subnets are mapped 1:1 to VLANs, extended access lists on the router interface/sub-interface would be sufficient. When would VACLs actually come into play as a good option to restrict access between VLANs?
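As an added illustration of the two cases Rick distinguishes in the accepted solution and of the OP's conclusion that both directions are needed for a total block, the following IOS configuration was written for this edit and was not posted in the thread. It assumes a router-on-a-stick with sub-interface GigabitEthernet0/0.10 (192.168.10.1/24, VLAN 10) and GigabitEthernet0/0.20 (192.168.20.1/24, VLAN 20); the interface names, addresses, host addresses and ACL names are all assumptions.

```cisco
! Added example, not from the thread. Assumed topology:
!   Gi0/0.10 = 192.168.10.1/24 (VLAN 10), Gi0/0.20 = 192.168.20.1/24 (VLAN 20)
! ACL names and addresses are illustrative.

! --- Case 1: break communication between the two VLANs with ONE ACL ---
ip access-list extended BLOCK-V10-TO-V20
 remark drop anything VLAN 10 sends to VLAN 20; log matches for verification
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 log
 remark every IOS ACL ends in an implicit deny, so permit the rest explicitly
 permit ip any any
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group BLOCK-V10-TO-V20 in
!
! Effect: VLAN 10 hosts cannot reach VLAN 20. VLAN 20 hosts cannot complete a
! session to VLAN 10 either, because the replies from VLAN 10 enter Gi0/0.10,
! match the same inbound ACL and are dropped. A ping from 192.168.20.50 to
! 192.168.10.50 therefore fails, yet the echo requests themselves still arrive
! at 192.168.10.50: nothing filters the VLAN 20 -> VLAN 10 direction.

! --- Case 2: no packets in EITHER direction (what the OP wants) ---
ip access-list extended BLOCK-V20-TO-V10
 remark drop anything VLAN 20 sends to VLAN 10
 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 log
 permit ip any any
!
interface GigabitEthernet0/0.10
 ip access-group BLOCK-V20-TO-V10 out
!
! Verification: per-entry match counters increment as packets are denied.
! show ip access-lists BLOCK-V10-TO-V20
! show ip access-lists BLOCK-V20-TO-V10
```

Two points a practitioner should check here. First, the trailing `permit ip any any` is what keeps VLAN 10 reachable to everything else; without it the implicit deny at the end of the ACL would cut VLAN 10 off from all routed traffic, not just VLAN 20. Second, the second ACL could equally be applied `in` on GigabitEthernet0/0.20, which drops the packets before they are routed at all; an outbound ACL only filters transit traffic and does not filter packets the router itself originates.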