Where to apply ACL? ingress vs egress

I really find this post from user “jlim13” from (thwack.solarwinds.com)quite useful in understanding where to apply the ACL.

In order to brush off your confusion, think for a moment that you are a router, your left hand is the WAN and your right hand is the LAN. Whenever you say Ingress, it means traffic is towards you, depending on the hand you are looking at. When you upload data to the internet its going out of your local network so the traffic is egress based on the LAN’s perspective but not the router, it will treat  that data as ingress since is coming towards it. The only time it will be egress is if it finished sending it to its WAN interface out to the internet. So if you are looking at the routers Netflow data, the ingress and the egress will always be the same value; In order for you to get the true value of your ingress and egress data, you have to look into the interface Netflow data.

 

 

NTA.png

 

Practical application of this is if you want to apply an Access List (ACL) towards your hosts/clients in a certain VLAN, ACL is applied in the “out” or “egress”.
Refer to this link how to apply ACLs
Configuring Access Lists or ACL in Cisco Switch using object-group with Examples
Bogon IPv4 Ingress and Egress Filtering in Cisco IOS-XR

Be First to Comment

Leave a Reply