Another thing, you can use the newer TurboACL (compiled ACLs) on higher platforms.

access-list compiled

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s6/turboacl.htm

--- Robert Cabeca <[EMAIL PROTECTED]> wrote:
> Just want to say that this was a great and useful response!!
> Rob
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> Date: Tuesday, June 27, 2000 19:51
> Subject: Which access-list increase load the most?
> 
> 
> >
> >
> >
> >It depends (well, what did you expect??)
> >As a general rule, you're better off putting the access list on the outgoing
> >interface.  That way you don't waste bandwidth by transmitting traffic you're
> >just going to throw away anyway.
> >BUT, your *first* priority is to make sure the access list does what you want.
> >To do this, you may need to use an incoming access list instead.
> >
> >Example...
> >
> >rtrA -------- rtrB
> >
> >Let's say you want to prevent telnet traffic from rtrA to rtrB.
> >Assume for now that the link between the routers is a serial link (int S0 on
> >both routers).
> >You could put an outgoing access list on S0 on rtrA:
> >rtrA:
> >access-list 101 deny tcp any any eq 23
> >access-list 101 permit ip any any
> >int s 0
> >ip access-group 101 out
> >
> >This will work fine (assuming my access list syntax is correct which I am making
> >no guarantees about - I haven't checked it).  You could put the same access list
> >on rtrB as an incoming access list instead, and it would have the same effect,
> >but your telnet traffic would cross the serial link before being dropped -
> >generally not very efficient.
> >
> >OK, what if it's not a serial link, but an ethernet?  Time to throw another
> >router into the mix...
> >
> >rtrA -------- rtrB
> >         |
> >        rtrC
> >
> >Now, putting that same outgoing access list on rtrA has a different effect to
> >putting it as an incoming access list on rtrB.  If you put the outgoing access
> >list on rtrA, you will not be able to telnet from rtrA to rtrB *or to rtrC*.  If
> >you put it as an incoming access list on rtrB, you will not be able to telnet
> >from rtrA to rtrB but you will be able to telnet from rtrA to rtrC.
> >In this case, where should you put the access list?  That depends completely on
> >what you are trying to achieve with your access list.
> >
> >Regardless of where you are putting your access list, try to put the lines that
> >will get the most hits near the top (again, make sure you don't change the
> >meaning of the access list if you change the order of statements).  The lines of
> >an access list are checked in order, and once a match for a packet is found, the
> >rest of the list isn't checked - so if most of your packets match the first
> >line, rather than the last, your router will spend less time checking access
> >lists.
> >
> >Here endeth the chapter :-)
> >
> >JMcL
> >
> >---------------------- Forwarded by Jenny Mcleod/NSO/CSDA on 27/06/2000 16:28
> >---------------------------
> >
> >"K.FUJIWARA" <[EMAIL PROTECTED]> on 26/06/2000 15:59:31
> >
> >Please respond to "K.FUJIWARA" <[EMAIL PROTECTED]>
> >
> >To:   "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> >cc:    (bcc: JENNY MCLEOD/NSO/CSDA)
> >Subject:  Which access-list increase load the most?
> >
> >
> >
> >Hi, all.
> >
> >Though the null interface is the best solution for load in the router CPU, which
> >extended / standard access-list is the best to reduce the load?
> >Extended one's result may depend on where it will be put or the case, so where
> >should it be configured? Destination?
> >If you have some good examples, please show me.
> >
> >And then, do you know good tools or utility to monitor the router's performance on
> >CPU or RAM in real time?
> >
> >Kazuyo Fujiwara
> >MCSE/CCNA
> >Japan Kobe
> >
> >
> >
> >___________________________________
> >UPDATED Posting Guidelines:
> http://www.groupstudy.com/list/guide.html
> >FAQ, list archives, and subscription info:
> http://www.groupstudy.com
> >Report misconduct and Nondisclosure violations to
> [EMAIL PROTECTED]
> >


=====
- Erick B. | erickbe(a)yahoo.com | http://berk.dhs.org
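
An added example, not part of the original thread: a Python model of the first-match evaluation described in the quoted reply. It shows how moving the busiest line to the top reduces the entries checked, and how a reordering can change what the list does. The rule tuples, traffic counts and function names are constructed for illustration; real IOS entries also match on addresses.

```python
# Simplified ACL entry: (action, protocol, dst_port).
# Protocol "ip" matches any protocol; dst_port None matches any port.

def evaluate(acl, packet):
    """Return (action, entries_checked); falls through to the implicit deny."""
    proto, port = packet
    for checked, (action, a_proto, a_port) in enumerate(acl, start=1):
        if a_proto in ("ip", proto) and a_port in (None, port):
            return action, checked          # first match wins, rest is skipped
    return "deny", len(acl)

def total_checks(acl, traffic):
    """Entries examined across a traffic mix of {packet: count}."""
    return sum(n * evaluate(acl, pkt)[1] for pkt, n in traffic.items())

def same_meaning(acl_a, acl_b, packets):
    """True if both orderings give the same verdict for every sampled packet."""
    return all(evaluate(acl_a, p)[0] == evaluate(acl_b, p)[0] for p in packets)

# Constructed traffic mix: (protocol, dst_port) -> packets seen
TRAFFIC = {("tcp", 80): 900, ("tcp", 25): 60, ("tcp", 23): 30, ("udp", 53): 10}

ORIGINAL = [
    ("deny", "tcp", 23),
    ("permit", "tcp", 25),
    ("permit", "tcp", 80),
    ("deny", "ip", None),
]
# Busiest line first. The three specific entries do not overlap each other,
# so swapping them cannot change any verdict.
REORDERED = [
    ("permit", "tcp", 80),
    ("permit", "tcp", 25),
    ("deny", "tcp", 23),
    ("deny", "ip", None),
]
# The two-line list from the thread, and the same lines swapped:
# "permit ip any any" overlaps the telnet deny, so the swap shadows it.
THREAD_ACL = [("deny", "tcp", 23), ("permit", "ip", None)]
THREAD_SWAPPED = [("permit", "ip", None), ("deny", "tcp", 23)]

if __name__ == "__main__":
    print("original :", total_checks(ORIGINAL, TRAFFIC), "entries checked")
    print("reordered:", total_checks(REORDERED, TRAFFIC), "entries checked")
    print("reorder keeps meaning:", same_meaning(ORIGINAL, REORDERED, TRAFFIC))
    print("thread swap keeps meaning:",
          same_meaning(THREAD_ACL, THREAD_SWAPPED, TRAFFIC))
```

`same_meaning` only compares verdicts for the packets it is given, so it is a spot check over sampled traffic, not a proof that two lists are equivalent.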
