Cisco Support Community

New Member

When to use "access-group xx OUT"

I'm sure I'm missing something simple, but humor me here. O.K., given the idea that you want to put extended ACLs nearest to the source of the traffic being denied: when you applied that ACL to the interface using the "access-group" command, I am assuming you'd apply that as an inbound ACL using the "in" parameter at the end of the "access-group" command. So, when would you need to specify the "in" parameter? Just curious. Thanks for entertaining this question.


Cisco Employee

Re: When to use "access-group xx OUT"

Traffic is always coming in one interface and going out another interface (or the same interface, but to keep it simple we'll say another interface).

If you have multiple inside interfaces and one outside, it makes sense to filter on the outside interface with an access-group out.

But if you have only one inside and multiple outside, to avoid configuring your outside ACL on all outside interfaces, you can create an incoming ACL and filter on the inside interface.

You can filter the same thing with an outgoing ACL and an incoming ACL. Just sometimes it makes more sense to filter out and sometimes to filter in.
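The two placements described in the reply, written out as an added IOS configuration example (not from the original post). The interface names, the 10.0.0.0/16 inside range and the choice of Telnet as the denied service are constructed for illustration.

```cisco
! One policy: stop Telnet (tcp/23) leaving the inside networks.
! Numbered extended ACL, as in the thread's "access-group xx".
access-list 100 deny   tcp 10.0.0.0 0.0.255.255 any eq 23
access-list 100 permit ip any any
!
! Scenario A: several inside interfaces, one outside interface.
! Apply the ACL once, outbound, on the single egress interface
! instead of inbound on every inside interface.
interface GigabitEthernet0/0
 description Outside (single egress point)
 ip access-group 100 out
!
! Scenario B: one inside interface, several outside interfaces.
! The same ACL applied inbound on the single inside interface
! covers every outside interface without repeating it.
interface GigabitEthernet0/1
 description Inside (single ingress point)
 ip access-group 100 in
!
! Caveats worth remembering when choosing the direction:
! - An "in" ACL is evaluated before the routing lookup, so denied
!   packets cost no forwarding work; an "out" ACL is checked after
!   the route has been chosen.
! - An "out" ACL does not filter packets the router itself
!   generates; only an "in" ACL on the receiving router sees those.
! - Every ACL ends with an implicit "deny ip any any", which is why
!   the explicit "permit ip any any" is there.
```

Verify placement with `show ip interface GigabitEthernet0/0` (the "Outgoing access list" / "Inbound access list" fields) and hit counts with `show access-lists 100`.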