
When to use "access-group xx OUT"

ccsn-cnap
Level 1

I'm sure I'm missing something simple, but humor me here. O.K., given the idea that you want to put extended ACLs nearest to the source of the traffic being denied: when you apply that ACL to the interface using the "access-group" command, I am assuming you'd apply it as an inbound ACL using the "in" parameter at the end of the "access-group" command. So, when would you need to specify the "in" parameter? Just curious. Thanks for entertaining this question.

Joshua

1 Reply

Gilles Dufour
Cisco Employee

Traffic is always coming in 1 interface and going out another interface (or the same interface, but to make it simple we'll say another interface).

If you have multiple inside interfaces and 1 outside, it makes sense to filter on the outside interface with an access-group out.

But if you have only 1 inside and multiple outside, to avoid configuring your outside ACL on all outside interfaces, you can create an incoming ACL and filter on the inside interface.

You can filter the same thing with an outgoing ACL and an incoming ACL. It's just that sometimes it makes more sense to filter out and sometimes to filter in.
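The two placements described in the reply, written out as an added example that is not part of the original thread. It assumes Cisco IOS syntax (`ip access-group`); the ACL name, interface names and the choice of Telnet as the traffic to block are constructed for illustration.

```cisco
! Constructed example: ACL name and interface names are hypothetical.
! Policy: block Telnet (tcp/23) leaving the internal networks, permit the rest.
ip access-list extended NO-TELNET
 deny   tcp any any eq 23
 permit ip any any
!
! --- Router A: several inside interfaces, one outside interface ---
! A single outbound binding on the outside interface covers traffic
! arriving from every inside interface.
interface GigabitEthernet0/0
 description outside
 ip access-group NO-TELNET out
!
interface GigabitEthernet0/1
 description inside-1 (no ACL binding needed)
!
interface GigabitEthernet0/2
 description inside-2 (no ACL binding needed)
!
! --- Router B: one inside interface, several outside interfaces ---
! A single inbound binding on the inside interface avoids repeating
! an outbound binding on each outside interface.
interface GigabitEthernet0/0
 description inside
 ip access-group NO-TELNET in
!
interface GigabitEthernet0/1
 description outside-1 (no ACL binding needed)
!
interface GigabitEthernet0/2
 description outside-2 (no ACL binding needed)
```

On IOS an inbound ACL is evaluated before the routing lookup and an outbound ACL after it, so the inbound placement drops denied packets earlier. An outbound interface ACL also does not filter packets originated by the router itself.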