Cisco ACL Directionality
As anyone who has ever applied an access-list to an interface knows, you must specify the direction in which you wish to apply it. That direction determines which end of the conversation is treated as the source and which as the destination. While this sounds straightforward, it remains a black-magic area for many engineers. Today we are going to demystify this directionality and make it simple.
Background
The first thing we must acknowledge is that unicast communication is always between two parties. As such, there is always a direction in which the traffic is flowing. For the purposes of this post we are going to call those two ends local and remote. The local side is the interface that has the access-list applied to it (and the router or networks behind it); the remote side is whoever sits on the other end of that interface.
Since all unicast communication is between two parties, there is always a source and a destination, and those are exactly the terms used when you write an access-list entry. The question is which side, local or remote, is the source and which is the destination. This is where the direction you specify when applying the access-list to the interface comes into play.
Which Direction Am I Going?
If you apply an access-list with the direction IN, it is evaluated against packets entering the router through that interface, so the interface (local side) treats the source address as the remote side. If you apply it with the direction OUT, it is evaluated against packets leaving the router through that interface, so the interface (local side) treats the destination address as the remote side. In other words, the packet is flowing IN from the remote side or OUT to the remote side, and the same conversation has its source and destination swapped depending on which direction you filter it in.
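As an added example (not configuration from the original post), the following IOS configuration filters the same HTTP conversation on the same Internet-facing interface in both directions. The interface name, the addresses 203.0.113.1 and 192.0.2.10, and the access-list names are assumed for illustration. Notice that the only difference between the two lists is which end is written as the source and which as the destination: inbound, the remote Internet host is the source; outbound, that same remote host is the destination.

```cisco
! GigabitEthernet0/0 faces the Internet, so the Internet is the "remote" side.
! (Interface, addresses and ACL names are assumed for this example.)
!
! IN: packets arriving from the Internet. The remote host is the SOURCE,
! the local web server 192.0.2.10 is the DESTINATION.
ip access-list extended OUTSIDE-IN
 permit tcp any host 192.0.2.10 eq 80
 deny   ip any any log
!
! OUT: packets leaving toward the Internet for the same conversation.
! Now the local web server is the SOURCE (replying from port 80) and the
! remote host is the DESTINATION. "established" only matches TCP segments
! with ACK or RST set, i.e. replies to sessions the inbound list already allowed.
ip access-list extended OUTSIDE-OUT
 permit tcp host 192.0.2.10 eq 80 any established
 deny   ip any any log
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip access-group OUTSIDE-OUT out
```

To check that each list landed in the direction you intended, `show ip interface GigabitEthernet0/0 | include access list` reports the inbound and outgoing lists separately, and `show access-lists` shows per-entry match counters, so a permit entry that never increments after you generate test traffic is a strong hint that its source and destination are the wrong way round. One caveat to keep in mind: an OUT access-list does not filter packets the router itself originates (its own pings, routing updates and management sessions); only transit traffic is subject to it.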
Why is this important?
Directionality is critical to the effectiveness of access-lists. If you do not understand which side is the source and which is the destination, your access-lists may end up more open than you originally intended, or may simply never match the traffic you wrote them for while growing longer than necessary as you add entries trying to make them work.
