Differences between IN and out in Cisco ACL
In and out are relative to the router the ACL is applied on. For example, take this topology:
A (s0) ----- (s0) B (s1) -------- (s1) C
Suppose you want to deny A access to C, and suppose you are required to apply the ACL on B (it could also be done on C). Map the topology onto a house:
B's s0 port is the front door and its s1 port is the back door; B is your living room; the front door leads out to A, and the living room's back door leads to your vault (C).
If you want to keep thieves coming from A out of the vault, there are two places in your living room where you can install the gate:
1. Install an iron gate (the ACL) on the front door of your living room, i.e. on B's s0, so the thieves cannot come in at all (in).
2. Install an iron gate on the back door of your living room, i.e. on B's s1. The thieves get into your living room, but they still cannot go out through the back door (out) to your vault (C).
Both methods (in/out) achieve the effect, but they differ in performance. Method 1 is the better choice: with method 2 the thieves may not reach the vault, but they do get into your living room (B) and dirty the carpet, which means B has to spend extra, unnecessary processing on packets it will drop anyway.
Suppose instead that you want to put the iron gate (ACL) on C. Should you use in or out in that case?
You can answer this question by yourself.
Compared with a router, the incoming
Place an extended ACL as close to the source as possible; place a standard ACL as close to the destination as possible.
In practice, the choice between in and out is flexible.
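The two gate positions above, together with the placement rule for standard and extended ACLs, written out as Cisco IOS configuration on router B. This is an added example, not configuration from the original article; the addresses (A = 10.0.1.0/24 behind Serial0, C = 10.0.3.0/24 behind Serial1) and the interface names are assumed.

```cisco
! Assumed addressing (constructed for this example, not from the article):
! A = 10.0.1.0/24 reached through B's Serial0, C = 10.0.3.0/24 through Serial1.
! Goal: A must not reach C; everything else stays allowed.

! Method 1: the front-door gate. An extended ACL matches source AND destination,
! so it can sit close to the source (inbound on Serial0) and still let A reach
! anything other than C. The "log" keyword records hits on the deny entry.
! Every ACL ends with an implicit "deny any", hence the explicit permit.
ip access-list extended BLOCK-A-TO-C
 deny   ip 10.0.1.0 0.0.0.255 10.0.3.0 0.0.0.255 log
 permit ip any any
!
interface Serial0
 ip access-group BLOCK-A-TO-C in

! Method 2 (alternative to method 1): the back-door gate. The same ACL applied
! outbound on Serial1 also works, but B has already done the routing lookup
! before the packet is dropped, which is the dirtied carpet from the text.
interface Serial1
 ip access-group BLOCK-A-TO-C out

! A standard ACL matches the source address only. Placed inbound on Serial0 it
! would cut A off from everything, so it belongs close to the destination:
! outbound on B's Serial1 (or inbound on C's own Serial1).
! IOS allows one ACL per direction per interface, so applying this replaces
! BLOCK-A-TO-C on Serial1 if both are configured outbound there.
access-list 10 deny   10.0.1.0 0.0.0.255
access-list 10 permit any
!
interface Serial1
 ip access-group 10 out

! Verify the direction actually applied and the per-entry hit counters after
! sending test traffic from A toward C:
!   show ip interface Serial0 | include access list
!   show ip interface Serial1 | include access list
!   show ip access-lists
```

Use the hit counters from `show ip access-lists` to confirm that the deny entry, not the final permit, is the one matching the test traffic.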