Applying ACLs in the Right Direction
The objective of this page is to clarify some possible confusion about how standard access control lists (ACLs) are applied to interfaces on Cisco routers. This shouldn't take long.
I'm currently reviewing for the CCNA using the free course from Jeremy's IT Lab (Jeremy is excellent, by the way), and it reminded me that a lot of my classmates from school (it's been a few years) were confused by the fact that standard ACLs get applied to an interface in the out direction for inbound network traffic and vice versa.
The key thing to remember here is that ACLs are applied from the router's perspective, not the network's perspective. Data inbound to any network is exiting the router. Data outbound from any network is entering the router. See? It's that simple. All done.
With that said though, I still like to name rules from the network's perspective because it makes at-a-glance rule interpretation easier for me. For example, if I want to apply a standard ACL to traffic destined for LAN01_Dummies, I will name it something like INBOUND_LAN01_Dummies. Then I just remember that I need to flip the direction so that it lines up with the router's perspective. The Cisco IOS commands on the router would look something like this:
ip access-list standard INBOUND_LAN01_Dummies
 <some_access_control_entry>
 <some_other_access_control_entry>
!
interface <interface_for_LAN01_Dummies>
 ! "out" is from the router's perspective: traffic leaving the router here is entering LAN01_Dummies
 ip access-group INBOUND_LAN01_Dummies out
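To make the "router's perspective" rule concrete, here is a small Python model of a two-interface router that evaluates a standard ACL the way IOS does (top down, source address only, implicit deny at the end) and applies it in the bound direction. It is an added example, not code from the original page; the interface names Gi0/0 and Gi0/1, the subnets 10.0.1.0/24 (LAN01_Dummies) and 10.0.2.0/24, and the host addresses are all constructed for the demo.

```python
import ipaddress

# Standard ACL: ordered (action, source network) entries evaluated top down,
# followed by the implicit "deny any". Standard ACLs match on source only.
ACLS = {
    "INBOUND_LAN01_Dummies": [
        ("deny", ipaddress.ip_network("10.0.2.0/24")),   # block sources in LAN02
        ("permit", ipaddress.ip_network("0.0.0.0/0")),   # permit any
    ],
}

def make_router():
    """Two-interface router; each interface faces one LAN and has in/out ACL slots."""
    return {
        "Gi0/0": {"network": ipaddress.ip_network("10.0.1.0/24"), "in": None, "out": None},  # LAN01_Dummies
        "Gi0/1": {"network": ipaddress.ip_network("10.0.2.0/24"), "in": None, "out": None},  # LAN02
    }

def access_group(router, interface, acl_name, direction):
    """Model of 'ip access-group <acl> in|out' entered under 'interface <name>'."""
    router[interface][direction] = acl_name

def evaluate(acl_name, src):
    """Return 'permit' or 'deny' for a source address against a standard ACL."""
    for action, net in ACLS[acl_name]:
        if ipaddress.ip_address(src) in net:
            return action
    return "deny"  # implicit deny any at the end of every ACL

def forward(router, src, dst):
    """Route src->dst through the router, applying ACLs from the router's view."""
    ingress = next(n for n, i in router.items() if ipaddress.ip_address(src) in i["network"])
    egress = next(n for n, i in router.items() if ipaddress.ip_address(dst) in i["network"])
    # Packet ENTERS the router on the ingress interface: its "in" ACL applies.
    if router[ingress]["in"] and evaluate(router[ingress]["in"], src) == "deny":
        return "dropped by in ACL on " + ingress
    # Packet EXITS the router toward the destination LAN: its "out" ACL applies.
    if router[egress]["out"] and evaluate(router[egress]["out"], src) == "deny":
        return "dropped by out ACL on " + egress
    return "forwarded"

def lan02_to_lan01(direction):
    """Bind the ACL on the LAN01 interface in the given direction, then send a LAN02 packet into LAN01."""
    router = make_router()
    access_group(router, "Gi0/0", "INBOUND_LAN01_Dummies", direction)
    return forward(router, "10.0.2.5", "10.0.1.10")

if __name__ == "__main__":
    print("out:", lan02_to_lan01("out"))  # router's view: the packet is dropped
    print("in: ", lan02_to_lan01("in"))   # network's view: the ACL is never consulted
```

Binding the ACL "in" on the LAN01 interface only ever sees packets whose source is inside LAN01, so the deny entry for LAN02 sources can never match there.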
I hope that anyone who happens to find my obscure little wiki will find this clarification helpful.
Give Jeremy money.