A while ago poor Cisco Freak from the Whirlpool Forum and others had the arduous task of trying to get me to properly understand what happens when a Cisco IP Access Control List (ACL) is applied to an interface as in or out.
This sounds simple enough and for 20 years or so I had thought it was. That’s until I gave some (rather poor) advice to a poor soul regarding blocking some VLAN traffic on his Cisco switch. Due to some misconceptions on my part my advice was errant. The above mentioned gurus set about patiently (at least it seemed patiently to me) correcting my minor, yet important misconceptions regarding the nuances of applying Cisco ACLs to interfaces.
I have since found what I reckon is the best explanation of the concept I have read. And surprisingly it is from the cisco site.
The relevant section is…
When you refer to a router, these terms have these meanings.
Out—Traffic that has already been through the router and leaves the interface. The source is where it has been, on the other side of the router, and the destination is where it goes.
In—Traffic that arrives on the interface and then goes through the router. The source is where it has been and the destination is where it goes, on the other side of the router.
Inbound —If the access list is inbound, when the router receives a packet, the Cisco IOS software checks the criteria statements of the access list for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet.
Outbound—If the access list is outbound, after the software receives and routes a packet to the outbound interface, the software checks the criteria statements of the access list for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet.
The in ACL has a source on a segment of the interface to which it is applied and a destination off of any other interface. The out ACL has a source on a segment of any interface other than the interface to which it is applied and a destination off of the interface to which it is applied.
For this to cement with me I had to imagine I am a Traffic Cop on a router interface. So to keep it simple, let’s imagine a simple router that only has one LAN and one WAN interface. Then imagine you are the Policeman standing guard on the LAN interface on that router. That means you stand facing (connected to) the LAN (probably a switch). In this instance, Inbound traffic is coming at you head on, headed for the router.
So if an ACL is applied in on you that means you are deciding if it should be allowed from the LAN into the Router. if an ACL is applied out on you that means it you are deciding if it should be allowed from the Router to the LAN. In both cases you will look at your rule book and consider if the traffic is permissible or not. Hence why it is important to block traffic at it’s source to conserve precious CPU resources.
Back to the analogy, being the good Cop you are you know that if you get a positive match on your list you stop looking any further. So you see a deny statement for a packet you instantly deflect it and don’t have to deal with it anymore. You don’t keep looking down the list to see if it’s permitted elsewhere. Equally if it’s permitted, you don’t keep looking to see if it is later denied. That’d be silly.
Just remember the Cop (ACL) always faces the direction the interface is connected to. LAN faces the LAN, WAN faces the WAN, VLAN faces that VLAN. That’s a tricky one. The VLAN ACLs inbound traffic is coming at it from the VLAN headed elsewhere! Hence, on a VLAN ACL, if the ACL is applied out, it is traffic destined for the VLAN! If you remember/understand that, the rest is a cinch.