Simple ACL Question

Feb 25th, 2009

Ok simple question but I have to ask it anyway:

When applying an inbound ACL to a router - does it matter if you apply it to the inside or outside interface?

I have a couple of routers that seem to be configured differently and I'm trying to clean up some of the configs.

One has:

! inside
interface FastEthernet0/0.1
 encapsulation dot1Q 8 native
 ip dhcp relay information trusted
 ip address x.x.x.x x.x.x.x
 ip access-group 101 in
!
! outside
interface FastEthernet0/1.1
 encapsulation dot1Q 4
 ip address x.x.x.x x.x.x.x

Yet another has:

! inside
interface FastEthernet0/0.1
 encapsulation dot1Q 8 native
 ip dhcp relay information trusted
 ip address x.x.x.x x.x.x.x
!
! outside
interface FastEthernet0/1.1
 encapsulation dot1Q 4
 ip address x.x.x.x x.x.x.x
 ip access-group 101 in

Which is correct?

acomiskey Wed, 02/25/2009 - 11:02

They are both correct depending on how your access lists are written and what you are trying to block and in what direction.

rcoote5902_2 Wed, 02/25/2009 - 11:15

In both examples the ACLs are identical; they are permitting inbound traffic from other sites.

So does that make a difference?

acomiskey Wed, 02/25/2009 - 11:49

Yes, look at the source and destination addresses in the ACLs. If all of the source addresses are on the outside then the ACL would be applied into the outside interface.
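
Added example, not part of the thread: a simplified Python model of first-match ACL evaluation with the implicit deny, showing what the same list does when bound inbound on the outside versus the inside interface. The thread never shows ACL 101's entries, so the two permit lines, all addresses and the sample packets are constructed assumptions.

```python
import ipaddress

# Constructed stand-in for "ACL 101" (its real entries are not in the thread):
# permit IP from two remote sites to the local LAN; everything else is denied.
LOCAL_LAN = "10.1.0.0/24"
ACL_101 = [
    ("permit", "10.2.0.0/24", LOCAL_LAN),
    ("permit", "10.3.0.0/24", LOCAL_LAN),
]

def acl_action(acl, src, dst):
    """First-match evaluation; a packet matching no entry hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"

# Constructed sample packets: (interface the packet enters on, source, destination)
PACKETS = [
    ("outside", "10.2.0.15", "10.1.0.20"),   # remote site -> local host
    ("outside", "192.0.2.77", "10.1.0.20"),  # unlisted source -> local host
    ("inside", "10.1.0.20", "10.2.0.15"),    # local host -> remote site
]

def forwarded(acl, bound_interface, packets):
    """Packets the router forwards when `acl` is applied inbound on one interface.
    An inbound ACL only inspects packets entering that interface; packets
    entering any other interface are not filtered by it."""
    result = []
    for ingress, src, dst in packets:
        if ingress != bound_interface or acl_action(acl, src, dst) == "permit":
            result.append((ingress, src, dst))
    return result

if __name__ == "__main__":
    for iface in ("outside", "inside"):
        print(f"ip access-group 101 in, bound to the {iface} interface:")
        for pkt in forwarded(ACL_101, iface, PACKETS):
            print("   forwarded:", pkt)
```

Bound to the outside interface, the list drops only the unlisted source. Bound to the inside interface, it never sees the outside-sourced packets it was written for and the implicit deny drops the local host's own traffic.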
