It depends (well, what did you expect??)
As a general rule, you're better off putting the access list on the outgoing
interface.  That way you don't waste bandwidth by transmitting traffic you're
just going to throw away anyway.
BUT, your *first* priority is to make sure the access list does what you want.
To do this, you may need to use an incoming access list instead.

Example...

rtrA -------- rtrB

Let's say you want to prevent telnet traffic from rtrA to rtrB.
Assume for now that the link between the routers is a serial link (int S0 on
both routers).
You could put an outgoing access list on S0 on rtrA:
rtrA:
access-list 101 deny tcp any any eq 23
access-list 101 permit ip any any
interface Serial0
 ip access-group 101 out

This will work fine (assuming my syntax is correct which I am making no
guarantees about - I haven't checked it).  You could put the same access list on
rtrB as an incoming access list instead, and it would have the same effect, but
your telnet traffic would cross the serial link before being dropped - generally
not very efficient.

OK, what if it's not a serial link, but an ethernet?  Time to throw another
router into the mix...

rtrA -------- rtrB
         |
        rtrC

Now, putting that same outgoing access list on rtrA has a different effect to
putting it as an incoming access list on rtrB.  If you put the outgoing access
list on rtrA, you will not be able to telnet from rtrA to rtrB *or to rtrC*.  If
you put it as an incoming access list on rtrB, you will not be able to telnet
from rtrA to rtrB but you will be able to telnet from rtrA to rtrC.
In this case, where should you put the access list?  That depends completely on
what you are trying to achieve with your access list.

Regardless of where you are putting your access list, try to put the lines that
will get the most hits near the top (again, make sure you don't change the
meaning of the access list if you change the order of statements).  The lines of
an access list are checked in order, and once a match for a packet is found, the
rest of the list isn't checked - so if most of your packets match the first
line, rather than the last, your router will spend less time checking access
lists.

Here endeth the chapter :-)

JMcL
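An added example, not code from the post above: a small Python model of first-match access-list evaluation that walks through the two placements discussed (outbound on rtrA versus inbound on rtrB, with rtrC on the same ethernet) and also checks whether reordering the entries of access-list 101 preserves its meaning. The router addresses (10.0.0.1-3), the sample packets and the "one check outbound at the source, one check inbound at the destination" forwarding model are constructed for illustration; real IOS behaviour is not consulted.

```python
"""Added example (not from the original post): a first-match ACL evaluator
used to model where access-list 101 takes effect in the rtrA/rtrB/rtrC
topology, and to check whether reordering entries changes the list's meaning.
Addresses and packets are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: int = 0


@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str                     # CIDR or "any"
    dst: str
    dport: Optional[int] = None  # None = any destination port


def _in_net(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (_in_net(e.src, p.src) and _in_net(e.dst, p.dst)):
        return False
    return e.dport is None or e.dport == p.dport


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, int]:
    """First match wins; the implicit deny at the end is reported as index len(acl)."""
    for i, e in enumerate(acl):
        if entry_matches(e, p):
            return e.action, i
    return "deny", len(acl)


# Constructed addresses for the three routers sharing one ethernet segment.
ROUTERS = {"rtrA": "10.0.0.1", "rtrB": "10.0.0.2", "rtrC": "10.0.0.3"}

# access-list 101 as written in the post.
ACL_101 = [
    Entry("deny", "tcp", "any", "any", 23),
    Entry("permit", "ip", "any", "any"),
]


def forward(p: Packet, placements: set) -> str:
    """placements holds (router, "in"|"out") pairs where ACL_101 is applied on the
    shared ethernet interface. A packet is checked outbound on its source router
    and inbound on its destination router; other routers on the segment ignore it."""
    src_rtr = next(r for r, a in ROUTERS.items() if a == p.src)
    dst_rtr = next(r for r, a in ROUTERS.items() if a == p.dst)
    if (src_rtr, "out") in placements and evaluate(ACL_101, p)[0] == "deny":
        return "dropped at %s outbound" % src_rtr
    if (dst_rtr, "in") in placements and evaluate(ACL_101, p)[0] == "deny":
        return "dropped at %s inbound" % dst_rtr
    return "delivered"


def same_meaning(a: List[Entry], b: List[Entry], samples: List[Packet]) -> bool:
    """Reordering is only safe if every sample packet gets the same verdict."""
    return all(evaluate(a, p)[0] == evaluate(b, p)[0] for p in samples)


def entries_checked(acl: List[Entry], samples: List[Packet]) -> int:
    """Total entries examined for the samples: the cost that ordering can reduce."""
    return sum(evaluate(acl, p)[1] + 1 for p in samples)


TELNET_A_B = Packet("tcp", ROUTERS["rtrA"], ROUTERS["rtrB"], 23)
TELNET_A_C = Packet("tcp", ROUTERS["rtrA"], ROUTERS["rtrC"], 23)
HTTP_A_B = Packet("tcp", ROUTERS["rtrA"], ROUTERS["rtrB"], 80)
SAMPLES = [TELNET_A_B, TELNET_A_C, HTTP_A_B]

if __name__ == "__main__":
    for name, placement in [("out on rtrA", {("rtrA", "out")}),
                            ("in on rtrB", {("rtrB", "in")})]:
        for p in SAMPLES:
            print(name, p.dst, p.dport, "->", forward(p, placement))
    swapped = list(reversed(ACL_101))
    print("entries checked, original:", entries_checked(ACL_101, SAMPLES))
    print("entries checked, swapped: ", entries_checked(swapped, SAMPLES))
    print("swap preserves meaning:", same_meaning(ACL_101, swapped, SAMPLES))
```

Running it shows the placement difference from the post (outbound on rtrA blocks telnet to both rtrB and rtrC; inbound on rtrB blocks only rtrA to rtrB) and the ordering caveat: swapping the two entries of access-list 101 costs fewer checks per packet but silently permits telnet, because the permit-any line now matches first. `same_meaning` is the kind of check to run over representative traffic before reordering for performance.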

---------------------- Forwarded by Jenny Mcleod/NSO/CSDA on 27/06/2000 16:28 ---------------------------


"K.FUJIWARA" <[EMAIL PROTECTED]> on 26/06/2000 15:59:31

Please respond to "K.FUJIWARA" <[EMAIL PROTECTED]>


To:   "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
cc:    (bcc: JENNY MCLEOD/NSO/CSDA)
Subject:  Which access-list increase load the most?



Hi, all.

Though the null interface is the best solution for load on the router CPU,
which extended / standard access-list is the best to reduce the load?
An extended one's result may depend on where it is put or on the case, so where
should it be configured? Destination?
If you have some good examples, please show me.

And then, do you know good tools or utilities to monitor the routers'
performance on CPU or RAM in real time?

Kazuyo Fujiwara
MCSE/CCNA
Japan Kobe



___________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

