Just want to say that this was a great and useful response!!
Rob

-----Original Message-----
From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Tuesday, June 27, 2000 19:51
Subject: Which access-list increase load the most?


>It depends (well, what did you expect??)
>As a general rule, you're better off putting the access list on the outgoing
>interface.  That way you don't waste bandwidth by transmitting traffic you're
>just going to throw away anyway.
>BUT, your *first* priority is to make sure the access list does what you want.
>To do this, you may need to use an incoming access list instead.
>
>Example...
>
>rtrA -------- rtrB
>
>Let's say you want to prevent telnet traffic from rtrA to rtrB.
>Assume for now that the link between the routers is a serial link (int S0 on
>both routers).
>You could put an outgoing access list on S0 on rtrA:
>rtrA:
>access-list 101 deny tcp any any eq 23
>access-list 101 permit ip any any
>int s 0
>ip access-group 101 out
>
>This will work fine (assuming my access list syntax is correct which I am making
>no guarantees about - I haven't checked it).  You could put the same access list
>on rtrB as an incoming access list instead, and it would have the same effect,
>but your telnet traffic would cross the serial link before being dropped -
>generally not very efficient.
>
>OK, what if it's not a serial link, but an ethernet?  Time to throw another
>router into the mix...
>
>rtrA -------- rtrB
>         |
>        rtrC
>
>Now, putting that same outgoing access list on rtrA has a different effect to
>putting it as an incoming access list on rtrB.  If you put the outgoing access
>list on rtrA, you will not be able to telnet from rtrA to rtrB *or to rtrC*.  If
>you put it as an incoming access list on rtrB, you will not be able to telnet
>from rtrA to rtrB but you will be able to telnet from rtrA to rtrC.
>In this case, where should you put the access list?  That depends completely on
>what you are trying to achieve with your access list.
>
>Regardless of where you are putting your access list, try to put the lines that
>will get the most hits near the top (again, make sure you don't change the
>meaning of the access list if you change the order of statements).  The lines of
>an access list are checked in order, and once a match for a packet is found, the
>rest of the list isn't checked - so if most of your packets match the first
>line, rather than the last, your router will spend less time checking access
>lists.
>
>Here endeth the chapter :-)
>
>JMcL
>
>---------------------- Forwarded by Jenny Mcleod/NSO/CSDA on 27/06/2000 16:28 ---------------------------
>
>
>"K.FUJIWARA" <[EMAIL PROTECTED]> on 26/06/2000 15:59:31
>
>Please respond to "K.FUJIWARA" <[EMAIL PROTECTED]>
>
>
>To:   "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
>cc:    (bcc: JENNY MCLEOD/NSO/CSDA)
>Subject:  Which access-list increase load the most?
>
>
>
>Hi, all.
>
>Though the null interface is the best solution for load in the router CPU, which
>extended / standard access-list is the best to reduce the load?
>Extended one's result may depend on where it will be put or the case, so where
>should it be configured? Destination?
>If you have some good examples, please show me.
>
>And then, do you know good tools or utility to monitor the router's performance on
>CPU or RAM in real time?
>
>Kazuyo Fujiwara
>MCSE/CCNA
>Japan Kobe
>
>
>
>___________________________________
>UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
>FAQ, list archives, and subscription info: http://www.groupstudy.com
>Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

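Added example, not part of the original thread: a small Python model of the first-match rule described in the quoted reply. It shows that moving the busiest line to the top cuts the number of lines checked, and that a reorder has to be tested for unchanged meaning. The rules, the traffic mix and all names are constructed for illustration; this is not IOS code.

```python
# Constructed model of first-match ACL evaluation (illustration only, not IOS).
from collections import namedtuple

Rule = namedtuple("Rule", "action proto port")    # port None = any port
Packet = namedtuple("Packet", "proto port")

def matches(rule, pkt):
    proto_ok = rule.proto == "ip" or rule.proto == pkt.proto
    port_ok = rule.port is None or rule.port == pkt.port
    return proto_ok and port_ok

def evaluate(acl, pkt):
    """Return (action, lines_checked); first match wins, implicit deny at the end."""
    for checked, rule in enumerate(acl, start=1):
        if matches(rule, pkt):
            return rule.action, checked
    return "deny", len(acl)

def lines_checked(acl, traffic):
    """Total number of ACL lines compared for a whole traffic sample."""
    return sum(evaluate(acl, p)[1] for p in traffic)

def same_meaning(acl_a, acl_b, packets):
    """True if both orderings give the same verdict for every probe packet."""
    return all(evaluate(acl_a, p)[0] == evaluate(acl_b, p)[0] for p in packets)

DENY_TELNET = Rule("deny", "tcp", 23)
PERMIT_WEB = Rule("permit", "tcp", 80)
DENY_SNMP = Rule("deny", "udp", 161)
PERMIT_ALL = Rule("permit", "ip", None)

original = [DENY_SNMP, DENY_TELNET, PERMIT_WEB, PERMIT_ALL]
# Busiest line moved to the top; it overlaps no deny line, so the meaning holds.
tuned = [PERMIT_WEB, DENY_SNMP, DENY_TELNET, PERMIT_ALL]
# Catch-all moved to the top; every deny line below it is now unreachable.
broken = [PERMIT_ALL, DENY_SNMP, DENY_TELNET, PERMIT_WEB]

# Constructed traffic mix: 90 web, 5 telnet, 3 SNMP and 2 DNS packets.
TRAFFIC = ([Packet("tcp", 80)] * 90 + [Packet("tcp", 23)] * 5
           + [Packet("udp", 161)] * 3 + [Packet("udp", 53)] * 2)
PROBES = sorted(set(TRAFFIC))

if __name__ == "__main__":
    for name, acl in (("original", original), ("tuned", tuned), ("broken", broken)):
        print(name, lines_checked(acl, TRAFFIC), same_meaning(original, acl, PROBES))
```

The "broken" ordering checks the fewest lines of all, which is why the line count alone is never the test: compare verdicts on probe packets before deploying a reordered list.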