Networking Tutorials

Inbound vs Outbound ACL: Direction Matters

ACL direction is defined relative to the interface, not the network: inbound filters traffic entering the interface (before routing); outbound filters traffic leaving the interface (after routing). Getting the direction wrong is one of the most common ACL mistakes.

Side by side

FactorInbound (in)Outbound (out)
FiltersTraffic entering the interfaceTraffic leaving the interface
TimingBefore the router routes itAfter routing, as it exits
EfficiencyDrops unwanted traffic earlyTraffic is processed then dropped
PerspectiveFrom the interface's point of viewFrom the interface's point of view

The details that matter

The key mental model: direction is always from the router interface's perspective. Traffic a host sends toward the router arrives inbound on the interface facing that host. Traffic the router sends toward a host leaves outbound on the interface facing that host. Inbound ACLs are generally more efficient — they drop unwanted traffic before the router spends effort routing it. But the right choice depends on where the ACL sits relative to source and destination: this is exactly why standard ACLs go near the destination and extended near the source. Visualising direction correctly is what makes ACL placement click. Practise in the ACL placement lab.

Frequently asked questions

What is the difference between inbound and outbound ACLs?

Inbound filters traffic entering an interface (before routing); outbound filters traffic leaving an interface (after routing). Direction is relative to the interface.

Which is more efficient, inbound or outbound?

Inbound is generally more efficient — it drops unwanted traffic before the router spends resources routing it.

How do I know which direction to apply an ACL?

Think from the interface's perspective: traffic arriving at the interface is inbound; traffic departing is outbound. Match this to where your source and destination sit.

VS
Vipul Sir — Lead Instructor, Attila Technologies20+ years in Cisco networking. Teaching CCNA, CCNP, CCIE & CyberOps in Ahmedabad since 2004.

Want hands-on training?

Learn this on real Cisco lab devices with placement support at Attila Technologies, Ahmedabad.

Start your networking career with Attila Technologies

Hands-on Cisco training, real lab devices and placement support in Ahmedabad.