Inbound vs Outbound ACL: Direction Matters
ACL direction is defined relative to the interface, not the network: inbound filters traffic entering the interface (before routing); outbound filters traffic leaving the interface (after routing). Getting the direction wrong is one of the most common ACL mistakes.
Side by side
| Factor | Inbound (in) | Outbound (out) |
|---|---|---|
| Filters | Traffic entering the interface | Traffic leaving the interface |
| Timing | Before the router routes it | After routing, as it exits |
| Efficiency | Drops unwanted traffic early | Traffic is processed then dropped |
| Perspective | From the interface's point of view | From the interface's point of view |
The details that matter
The key mental model: direction is always from the router interface's perspective. Traffic a host sends toward the router arrives inbound on the interface facing that host. Traffic the router sends toward a host leaves outbound on the interface facing that host. Inbound ACLs are generally more efficient — they drop unwanted traffic before the router spends effort routing it. But the right choice depends on where the ACL sits relative to source and destination: this is exactly why standard ACLs go near the destination and extended near the source. Visualising direction correctly is what makes ACL placement click. Practise in the ACL placement lab.
Frequently asked questions
What is the difference between inbound and outbound ACLs?
Inbound filters traffic entering an interface (before routing); outbound filters traffic leaving an interface (after routing). Direction is relative to the interface.
Which is more efficient, inbound or outbound?
Inbound is generally more efficient — it drops unwanted traffic before the router spends resources routing it.
How do I know which direction to apply an ACL?
Think from the interface's perspective: traffic arriving at the interface is inbound; traffic departing is outbound. Match this to where your source and destination sit.
Related articles
Want hands-on training?
Learn this on real Cisco lab devices with placement support at Attila Technologies, Ahmedabad.