Cisco Support Community
Community Member

ACL help

Somebody please help me understand the concept:

I have VLAN500 on a 6509, with a network of 172.17.x.x and I want to apply an extended ACL to allow any host on that VLAN to telnet to a host on VLAN 600 (network 17.16.x.x). So I created the following ACL

Extended IP access list VLAN500

permit tcp any host eq telnet

and added this line to the VLAN500 interface:

ip access-group VLAN500 out

And it didn't work, until I changed the interface statement to:

ip access-group VLAN500 in

And it really doesn't make sense to me that I would have to apply it in. Why wouldn't I apply it out since any host on the local VLAN can telnet out to a host on another VLAN? If anyone can explain this to me, it would be appreciated. Thanks in advance.


Re: ACL help


The concept is that the packets are checked against the ACL based on how they travel and as if you would sit on the router. So if you have an ACL in on a VLAN, the packets will be checked when they come from this VLAN.

So if you like to have the ACL out, you have to change the statements in the ACL as follows:

Extended IP access list VLAN500

permit tcp eq telnet any

Hope that helps you.
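Added example (not from any poster in this thread): a small Python model of how a router evaluates an ACL applied "in" versus "out" on a VLAN interface. It uses constructed addresses inside the ranges the poster named (a client in 172.17.0.0/16 on VLAN500, a telnet server in 172.16.0.0/16 on VLAN600); the host address missing from the quoted ACL lines is filled with that constructed server. The telnet_session helper sends the client's SYN and the server's reply back through the model, which is what shows why the original "out" placement failed: the reply from port 23 is the packet that an outbound ACL on VLAN500 sees, and the poster's ACL does not match it.

```python
# Added example: a model of IOS-style ACL direction on SVIs. All addresses are
# constructed samples inside the thread's VLAN ranges, not values from the thread.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TELNET = 23
CLIENT = "172.17.10.20"   # constructed host on VLAN500
SERVER = "172.16.20.5"    # constructed telnet server on VLAN600


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Entry:
    """One ACE: 'permit|deny tcp <src> [eq sport] <dst> [eq dport]'."""
    action: str                 # "permit" or "deny"
    src: str                    # "any" or an address/prefix
    dst: str
    sport: Optional[int] = None  # 'eq <port>' after the source
    dport: Optional[int] = None  # 'eq <port>' after the destination

    @staticmethod
    def _addr_match(spec: str, addr: str) -> bool:
        if spec == "any":
            return True
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

    def matches(self, p: Packet) -> bool:
        return (self._addr_match(self.src, p.src)
                and self._addr_match(self.dst, p.dst)
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport))


def evaluate(acl: List[Entry], p: Packet) -> bool:
    """First matching ACE wins; every ACL ends with an implicit 'deny any'."""
    for e in acl:
        if e.matches(p):
            return e.action == "permit"
    return False


@dataclass
class SVI:
    name: str
    subnet: str
    acl_in: Optional[List[Entry]] = None    # checked on packets arriving from the VLAN
    acl_out: Optional[List[Entry]] = None   # checked on packets the router sends into the VLAN


def forward(p: Packet, svis: List[SVI]) -> Tuple[bool, str]:
    """Route p from the SVI owning its source to the SVI owning its destination."""
    def owner(addr: str) -> SVI:
        return next(s for s in svis
                    if ipaddress.ip_address(addr) in ipaddress.ip_network(s.subnet))
    ingress, egress = owner(p.src), owner(p.dst)
    if ingress.acl_in is not None and not evaluate(ingress.acl_in, p):
        return False, f"dropped by {ingress.name} inbound ACL"
    if egress.acl_out is not None and not evaluate(egress.acl_out, p):
        return False, f"dropped by {egress.name} outbound ACL"
    return True, f"forwarded {ingress.name} -> {egress.name}"


def build(direction: str, acl: List[Entry]) -> List[SVI]:
    """VLAN500 carries the ACL in the given direction; VLAN600 is unfiltered."""
    vlan500 = SVI("Vlan500", "172.17.0.0/16",
                  acl_in=acl if direction == "in" else None,
                  acl_out=acl if direction == "out" else None)
    vlan600 = SVI("Vlan600", "172.16.0.0/16")
    return [vlan500, vlan600]


def telnet_session(svis: List[SVI]) -> Tuple[bool, bool]:
    """Returns (client SYN forwarded, server SYN-ACK forwarded)."""
    syn = Packet(CLIENT, SERVER, sport=40001, dport=TELNET)
    syn_ack = Packet(SERVER, CLIENT, sport=TELNET, dport=40001)
    return forward(syn, svis)[0], forward(syn_ack, svis)[0]


# The poster's ACL:  permit tcp any host <SERVER> eq telnet
ACL_TO_SERVER = [Entry("permit", "any", SERVER, dport=TELNET)]
# The reply's ACL:   permit tcp host <SERVER> eq telnet any
ACL_FROM_SERVER = [Entry("permit", SERVER, "any", sport=TELNET)]


def scenario(direction: str, acl: List[Entry]) -> Tuple[bool, bool]:
    return telnet_session(build(direction, acl))


if __name__ == "__main__":
    print("poster's ACL applied out:", scenario("out", ACL_TO_SERVER))    # (True, False)
    print("poster's ACL applied in: ", scenario("in", ACL_TO_SERVER))     # (True, True)
    print("reversed ACL applied out:", scenario("out", ACL_FROM_SERVER))  # (True, True)
```

With the poster's ACL applied out, the client's SYN is never checked (nothing filters packets arriving from VLAN500), but the server's reply into VLAN500 is checked and fails the "host SERVER eq telnet" destination match, so the session never completes. Applied in, the same ACL matches the SYN and the unfiltered return path carries the reply; the reversed ACL applied out matches the reply instead, which is the reply's point. Either way, with the ACL on the inbound side, a client attempt to another port on the server is dropped at VLAN500 before the router spends any forwarding work on it.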


Community Member

Re: ACL help

So, what would the best scenario be for this instance? IN or OUT


Re: ACL help

It depends on what you want to achieve, but with the in ACL the packets do not have to be processed by the router as soon as they are dropped on the ACL.

If you have an ACL out, the packets come in on an interface and will be processed by the router till they finally come to the outgoing interface where they may be dropped.

Hope that this gives you a decision basis.



Community Member

Re: ACL help

So, by the sounds of it, it would depend on where the packets are originating. Is that a correct statement?

Thanks again.


Re: ACL help

Kind of... basically it's nice to "drop" packets as close to the source as possible, but if you have a lot of packets sourced from this VLAN to a different one (not the one you like to filter) it is maybe better to apply the ACL outgoing.

Hope that gives you a feeling.

