On a 4506, I would like to apply some Router ACLs to VLANs, to avoid some traffic between them.
But I have 2 elementary questions:
If I ONLY deny the traffic originating in VLAN 2 with destination VLAN 3:
Is the traffic denied in both directions?
I mean, if I start a communication from VLAN 3 to VLAN 2:
- packets from VLAN 3 to VLAN 2 will be accepted
- but the response packets to this communication will have origin=VLAN 2, destination=VLAN 3, which is not allowed.
That means communication is not allowed.
Or am I wrong, and only the establishment of the communication is taken into account (that is, who originates the communication: if VLAN 2, rejected; if VLAN 3, accepted)?
The second question is the difference between inbound and outbound traffic. I think I understand the difference between both cases regarding how access lists have to be built. But I don't see when I must use each one. I don't see the reason for rejecting the packet before or after being processed by the router.
In fact, I think it is always better to reject/deny before processing (inbound always).
In which case is it better to apply the ACL to the outbound traffic? (An example would be OK.)
I have read a lot of documentation but I really don't find a clear explanation about these two topics.
I hope my questions are clear enough.
Many thanks in advance.
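As an added illustration of the reasoning in the question (this is not from the original post or any vendor's code): a small Python model of how a router evaluates a stateless ACL one packet at a time, with constructed subnets standing in for VLAN 2 and VLAN 3. It goes one step beyond the question by also modelling a simplified form of the IOS `established` keyword, which matches only packets carrying the ACK (or RST) bit, so replies to sessions opened from VLAN 3 can pass while sessions opened from VLAN 2 are still blocked.

```python
"""Stateless ACL evaluation as a router applies it: packet by packet, with no
memory of which side opened the conversation. Constructed model, not vendor code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample subnets standing in for VLAN 2 and VLAN 3
VLAN2 = ip_network("10.0.2.0/24")
VLAN3 = ip_network("10.0.3.0/24")
ANY = ip_network("0.0.0.0/0")

@dataclass
class Packet:
    src: str
    dst: str
    ack: bool = False  # TCP ACK bit; set on every packet after the initial SYN

@dataclass
class Rule:
    action: str        # "permit" or "deny"
    src: object        # ip_network the source must fall in
    dst: object        # ip_network the destination must fall in
    established: bool = False  # like IOS 'established' (ACK or RST set); ACK only here

def evaluate(acl, pkt):
    """First matching rule wins; an unmatched packet hits the implicit deny."""
    for rule in acl:
        if ip_address(pkt.src) in rule.src and ip_address(pkt.dst) in rule.dst:
            if rule.established and not pkt.ack:
                continue  # a bare SYN is never 'established'; keep looking
            return rule.action
    return "deny"

# The ACL from the question: deny VLAN 2 -> VLAN 3, permit everything else
STRICT = [Rule("deny", VLAN2, VLAN3), Rule("permit", ANY, ANY)]

# Variant: let VLAN 2 -> VLAN 3 replies through, still block flows VLAN 2 starts
WITH_ESTABLISHED = [Rule("permit", VLAN2, VLAN3, established=True),
                    Rule("deny", VLAN2, VLAN3),
                    Rule("permit", ANY, ANY)]

def tcp_handshake_outcome(acl, client, server):
    """Verdict for each packet of a client -> server TCP handshake (SYN, SYN-ACK, ACK)."""
    syn = Packet(client, server)
    syn_ack = Packet(server, client, ack=True)
    ack = Packet(client, server, ack=True)
    return [evaluate(acl, p) for p in (syn, syn_ack, ack)]

if __name__ == "__main__":
    # A host in VLAN 3 opens a TCP session to a host in VLAN 2
    print(tcp_handshake_outcome(STRICT, "10.0.3.10", "10.0.2.10"))            # ['permit', 'deny', 'permit']
    print(tcp_handshake_outcome(WITH_ESTABLISHED, "10.0.3.10", "10.0.2.10"))  # ['permit', 'permit', 'permit']
```

With the plain deny, the SYN from VLAN 3 passes but the SYN-ACK coming back from VLAN 2 is dropped, so the session never completes; the stateless ACL has no notion of who started it.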