
ACL IN or OUT

chinpohpang851
Level 1

I found the configuration guide here (configuring ACL), which defines:

Out—Traffic that has already been through the router and leaves the interface

In—Traffic that arrives on the interface and then goes through the router.

I can understand both definitions but I can't figure out in what scenario we should use OUT. I guess both will go through TCAM check so consumed processing power should be the same? 

 

3 Replies

Dennis Mink
VIP Alumni

Typically you would only need to worry about ingress ACLs.

Please remember to rate useful posts, by clicking on the stars below.

Seb Rupik
VIP Alumni

Hi there,

If you have multiple points of ingress to your network, it could be argued that each would need an inbound ACL to block traffic reaching a particular destination.

In this scenario, using an outbound ACL on the only interface (i.e. connected to the subnet) that can reach a particular destination would therefore reduce the number of ACLs you have to manage. However, if you are bandwidth constrained, this approach is obviously wasteful, as network capacity has needlessly been consumed only for the packets to be dropped at the last hop.

 

Cheers,

Seb.

As Seb notes, one common use of an outbound ACL would be to avoid management of many interfaces with inbound ACLs, especially if they (the ACLs) need to be different for different inbound interfaces. However, you may need/require an outbound ACL to filter traffic sourced by that local device itself.
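
The placement trade-off discussed in the replies above, shown as an added Cisco IOS configuration example that is not part of the original thread. The router layout, interface names, ACL names and the 192.0.2.0/24 documentation addresses are all assumptions made for illustration.

```cisco
! Assumed topology (hypothetical):
!   Gi0/0, Gi0/1 = two ingress interfaces
!   Gi0/2        = only interface facing the protected subnet 192.0.2.0/24
! Policy: allow only HTTPS to server 192.0.2.10, drop everything else
! addressed to that subnet.
!
! --- Option A: inbound ACL on every ingress interface ---
! Packets are dropped on arrival, before routing. The ACL must be
! applied (and kept in sync) on each ingress interface.
ip access-list extended PROTECT-SRV-IN
 permit tcp any host 192.0.2.10 eq 443
 deny   ip any 192.0.2.0 0.0.0.255
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group PROTECT-SRV-IN in
!
interface GigabitEthernet0/1
 ip access-group PROTECT-SRV-IN in
!
! --- Option B: one outbound ACL on the subnet-facing interface ---
! A single attachment point covers traffic from every ingress path,
! but denied packets have already crossed the network and been routed
! before they are dropped here.
ip access-list extended PROTECT-SRV-OUT
 permit tcp any host 192.0.2.10 eq 443
 ! ACLs are stateless: let replies to TCP sessions opened from the
 ! subnet back in, otherwise the final deny blocks them too.
 permit tcp any 192.0.2.0 0.0.0.255 established
 deny   ip any any
!
interface GigabitEthernet0/2
 ip access-group PROTECT-SRV-OUT out
```

After applying either option, `show ip access-lists` displays per-entry match counters, which confirms where packets are actually being dropped.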