Look at it from both the router and the interface perspective, e.g. if the interface facing your LAN is E0 and the interface to the internet is S0.
For traffic coming from your LAN into the router through the E0 interface: as the traffic is entering that interface from your LAN it is 'in', and as it passes and goes out of that interface into the backplane of the router, it is considered 'out' relative to interface E0 and 'in' relative to interface S0; when it leaves interface S0 into the internet, it is then considered 'out' relative to interface S0.

For traffic coming from the internet into the router through the S0 interface: as the traffic is entering that interface from the internet it is 'in', and as it passes and goes out of that interface into the backplane of the router, it is considered 'out' relative to interface S0 and 'in' relative to interface E0; when it leaves interface E0 into your LAN, it is then considered 'out' relative to interface E0.

You now see that each interface has two instances of 'in' and two instances of 'out'. Most security designs use 'in' more often than 'out', and you should consider using it as well if tight security implementation is your goal. The 'in' keyword makes the router examine the packets before they enter the interface and impose the access-list on the traffic before it ever has the chance of entering either the router or your network, while the 'out' keyword only does that after the traffic has passed through the interface in question; this should only be allowed for trusted traffic for which you only want to disallow access to certain services. If you want to restrict a particular source address from entering your network or router, using the 'out' keyword has no effect and it is a security breach, because the traffic would have entered your router or network before it is acted upon.

Have a clear picture of what you want the access-list to do against the particular traffic; that will give you a clue on the keyword to use. However, for me security is always at the back of my mind, so by default I use the 'in' keyword except where otherwise unnecessary.
Regards,
Oletu

----- Original Message -----
From: none ya
To:
Sent: Friday, February 15, 2002 6:03 PM
Subject: access-group ## in or out? [7:35578]

> Would someone please give me a simple explanation/example that will clarify
> when to use "in" or "out" when you apply an ACL to a router interface?
> Thanks!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35651&t=35578
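As an added illustration of the reply above (a constructed Python model of the two-interface router, not Cisco IOS and not the poster's own material), the same source-blocking ACL is applied once as 'in' on S0 and once as 'out' on E0; the interface names, addresses and the 198.51.100.0/24 source range are all assumed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

def permits(acl, src):
    """ACL = ordered (action, source network) entries; first match wins, implicit deny at the end."""
    for action, net in acl:
        if ip_address(src) in ip_network(net):
            return action == "permit"
    return False

@dataclass
class Interface:
    name: str
    address: str          # the router's own address on this interface
    acl_in: list = None   # access-group applied 'in'
    acl_out: list = None  # access-group applied 'out'

class Router:
    def __init__(self, interfaces, routes):
        self.ifaces = {i.name: i for i in interfaces}
        self.routes = routes                        # (destination network, egress interface name)
        self.own = {i.address for i in interfaces}

    def forward(self, src, dst, ingress):
        """Trace one packet through the router and report where it ends up."""
        ing = self.ifaces[ingress]
        if ing.acl_in is not None and not permits(ing.acl_in, src):
            return f"dropped@{ing.name}/in"         # filtered before it enters the router
        if dst in self.own:
            return "reached router"                 # router-destined traffic crosses no outbound ACL
        for net, egress in self.routes:
            if ip_address(dst) in ip_network(net):
                eg = self.ifaces[egress]
                if eg.acl_out is not None and not permits(eg.acl_out, src):
                    return f"dropped@{eg.name}/out" # filtered only after the router has handled it
                return f"forwarded@{eg.name}/out"
        return "dropped@no-route"

BLOCK_SRC = [("deny", "198.51.100.0/24"), ("permit", "0.0.0.0/0")]   # constructed sample ACL

def trace(placement):
    """Apply BLOCK_SRC as 'S0 in' or 'E0 out'; trace constructed packets from 198.51.100.7 via S0."""
    e0, s0 = Interface("E0", "192.168.1.1"), Interface("S0", "203.0.113.1")   # LAN side, internet side
    if placement == "S0 in":
        s0.acl_in = BLOCK_SRC
    else:
        e0.acl_out = BLOCK_SRC
    r = Router([e0, s0], [("192.168.1.0/24", "E0"), ("0.0.0.0/0", "S0")])
    return {"to LAN host": r.forward("198.51.100.7", "192.168.1.10", "S0"),
            "to router": r.forward("198.51.100.7", "203.0.113.1", "S0")}
```

With the ACL 'in' on S0 both packets are dropped at the ingress interface; with it 'out' on E0 the packet addressed to the router itself is never filtered at all, which is the gap the reply warns about.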

