Access Control List

Unanswered Question
Jul 23rd, 2007

Hello all,

If I apply an ACL like...

access-list 101 deny tcp host host eq 23

and apply this ACL inbound near the source router, since an extended ACL should be placed near the source....

If I change its direction, i.e. from inbound on fa0/0 to outbound on the serial 0/0 interface, what will be its impact...

Will it work the same as it did while placed inbound, or what???



purohit_810 Mon, 07/23/2007 - 04:25


See, Access-list is set of art...

We can say.

If you apply it at the Serial interface... it will apply only to that serial interface for blocking port 23.

If you apply it on Fa0/0, whatever traffic is for Serial 0, 1 ... and so on, it will filter for all of them.

It depends on where you put it; depending on that, you will get a great result.


Dharmesh Purohit

Richard Burts Mon, 07/23/2007 - 05:21


There is another aspect of this to consider. The extended access list specifies a source address and mask and a destination address and mask. If you change the access list from inbound to outbound it reverses which address is the source and which address is the destination.



junshah22 Tue, 07/24/2007 - 23:48

Hello Rick,

Thanks for your reply,

Can you please explain to me in detail how it reverses...



Pavel Bykov Mon, 07/23/2007 - 12:31

Just like Rick pointed out - direction is very important for an ACL.

OUT is direction from ROUTER to the INTERFACE (be it VLAN, FastEthernet, Serial or other)

IN is direction from INTERFACE to the ROUTER.

If you apply it in the wrong direction it does not have to match anything.

Also, all ACLs have an implicit deny at the end, meaning that your ACL with one line would drop all the other traffic (invisible "deny ip any any" at the end).

junshah22 Wed, 07/25/2007 - 01:47

Dear All,

can anybody explain to me how it reverses its addresses...




Let's consider the following:

You have a network on the LAN interface with and want to restrict the address to reach the

access-list 101 deny ip host host

access-list 101 permit ip any any

If you apply this rule in the outbound direction on the Ethernet interface you achieve that.

You can achieve the same by applying this rule inbound on the interface facing the WAN (like serial0). The result is almost the same, apart from the fact that in the second case the packet will not be allowed to enter the router, therefore you can save some resources.

Hope it clears,


Richard Burts Wed, 07/25/2007 - 18:08


I like the idea of Krisztian to create a small example to explain the issue. I would suggest a slightly different way to explain it. Using his example, is the inside address and is the outside address. Then we need to consider which interface and which direction the access list will be applied. His example assumes an Ethernet and a serial. So let's start with the Ethernet interface. If we apply the access list inbound, then the traffic is from inside toward outside, the inside address is the source and the outside address is the destination, and the access list would be deny host host. On the same interface, if we apply the access list as outbound, then the traffic is from outside to inside, the outside address is the source and the inside address is the destination, and the access list would be deny host host.

So the essential point is that the decision of which is source and which is destination depends on whether we are looking at traffic inbound or outbound.

I hope that this explanation helps you to understand this concept.
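The direction point Rick and Krisztian make, as an added example that is not part of the thread: a small model of IOS extended-ACL matching that shows which packets an ACL applied on the LAN interface actually sees inbound versus outbound. The addresses (10.0.0.5 inside, 192.0.2.10 outside) are constructed placeholders, since the thread's own addresses did not survive.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholder addresses (not from the thread).
INSIDE, OUTSIDE = "10.0.0.5", "192.0.2.10"

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Ace:
    """One access-list entry, e.g. 'deny tcp host A host B eq 23'."""
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol
    src: str               # host address or "any"
    dst: str
    dport: Optional[int] = None

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    # An ACE compares against the packet's own source/destination; the
    # router never swaps them, which is why direction decides what matches.
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.src != "any" and ace.src != pkt.src:
        return False
    if ace.dst != "any" and ace.dst != pkt.dst:
        return False
    return ace.dport is None or ace.dport == pkt.dport

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    for ace in acl:            # first match wins, top to bottom
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"              # implicit "deny ip any any" at the end

# access-list 101 deny tcp host INSIDE host OUTSIDE eq 23 / permit ip any any
ACL_101 = [Ace("deny", "tcp", INSIDE, OUTSIDE, 23), Ace("permit", "ip", "any", "any")]

def packet_on_lan_interface(direction: str) -> Packet:
    """Telnet packet the LAN (Ethernet) interface sees in the given direction:
    inbound = arriving from the inside host, outbound = leaving toward it."""
    if direction == "in":
        return Packet("tcp", INSIDE, OUTSIDE, 23)    # inside -> outside
    return Packet("tcp", OUTSIDE, INSIDE, 23)        # outside -> inside

def decision_on_lan(direction: str, acl: List[Ace] = ACL_101) -> str:
    return evaluate(acl, packet_on_lan_interface(direction))
```

Inbound the ACE matches the telnet session from the inside host and drops it; outbound on the same interface the addresses in the packet are reversed, so the same ACE never fires and the session is permitted.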



