I agree.  Using the scenario that Jenny used:

rtrA <------>rtrB

If you wanted to block telnet traffic from going from RouterA to RouterB,
you could put the access list on the outgoing interface of router A and save
bandwidth across the link between A and B.  However, the traffic attempting
to travel from RouterA to RouterB came from somewhere (unless you are "in"
RouterA attempting to telnet to RouterB).  Assuming the traffic came from
somewhere, our picture would look more like this

NetA (connects to Ethernet0 on RtrA)
|
RtrA-----------RtrB
|
NetB (connects to Ethernet1 on RtrA)

Since the traffic you want to block is coming from NetworkA or NetworkB, you
could apply that same access list to the two Ethernet interfaces to filter
traffic as it comes in from the two networks.  That way the traffic wouldn't
even enter the router and have to be dealt with.

So, yes, you are correct Tom.  The best bet would be to apply them inbound
on the interfaces where the traffic you want to block is originating.

Mike W.

Tom Holbrook <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Jenny-
>
> My understanding was  that you should apply them inbound,
> so the traffic doesn't have to go through a route lookup
> process, just to be dropped. Am I missing something here?
>
> -Tom
> At 05:06 PM 6/27/2000 +1000, you wrote:
>
>
> >It depends (well, what did you expect??)
> >As a general rule, you're better off putting the access list on the
> >outgoing interface.  That way you don't waste bandwidth by transmitting
> >traffic you're just going to throw away anyway.
> >BUT, your *first* priority is to make sure the access list does what you
> >want.  To do this, you may need to use an incoming access list instead.
> >
> >Example...
> >
> >rtrA -------- rtrB
> >
> >Let's say you want to prevent telnet traffic from rtrA to rtrB.
> >Assume for now that the link between the routers is a serial link (int S0
> >on both routers).
> >You could put an outgoing access list on S0 on rtrA:
> >rtrA:
> >access-list 101 deny tcp any any eq 23
> >access-list 101 permit ip any any
> >interface Serial0
> > ip access-group 101 out
> >
> >This will work fine (assuming my syntax is correct which I am making no
> >guarantees about - I haven't checked it).  You could put the same access
> >list on rtrB as an incoming access list instead, and it would have the
> >same effect, but your telnet traffic would cross the serial link before
> >being dropped - generally not very efficient.
> >
> >OK, what if it's not a serial link, but an ethernet?  Time to throw
> >another router into the mix...
> >
> >rtrA -------- rtrB
> >          |
> >         rtrC
> >
> >Now, putting that same outgoing access list on rtrA has a different
> >effect to putting it as an incoming access list on rtrB.  If you put the
> >outgoing access list on rtrA, you will not be able to telnet from rtrA to
> >rtrB *or to rtrC*.  If you put it as an incoming access list on rtrB, you
> >will not be able to telnet from rtrA to rtrB but you will be able to
> >telnet from rtrA to rtrC.
> >In this case, where should you put the access list?  That depends
> >completely on what you are trying to achieve with your access list.
> >
> >Regardless of where you are putting your access list, try to put the
> >lines that will get the most hits near the top (again, make sure you
> >don't change the meaning of the access list if you change the order of
> >statements).  The lines of an access list are checked in order, and once
> >a match for a packet is found, the rest of the list isn't checked - so if
> >most of your packets match the first line, rather than the last, your
> >router will spend less time checking access lists.
> >
> >Here endeth the chapter :-)
> >
> >JMcL
> >
> >---------------------- Forwarded by Jenny Mcleod/NSO/CSDA on 27/06/2000 16:28
> >---------------------------
> >
> >
> >"K.FUJIWARA" <[EMAIL PROTECTED]> on 26/06/2000 15:59:31
> >
> >Please respond to "K.FUJIWARA" <[EMAIL PROTECTED]>
> >
> >
> >To:   "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> >cc:    (bcc: JENNY MCLEOD/NSO/CSDA)
> >Subject:  Which access-list increase load the most?
> >
> >
> >
> >Hi, all.
> >
> >Though the null interface is the best solution for load on the router
> >CPU, which extended / standard access-list is the best to reduce the
> >load?  The extended one's result may depend on where it is put or on the
> >case, so where should it be configured? Destination?
> >If you have some good examples, please show me.
> >
> >And then, do you know any good tools or utilities to monitor the routers'
> >performance on CPU or RAM in real time?
> >
> >Kazuyo Fujiwara
> >MCSE/CCNA
> >Japan Kobe
> >
> >
> >
> >___________________________________
> >UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
> >FAQ, list archives, and subscription info: http://www.groupstudy.com
> >Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> >
> >
> >
> >
>
> Tom Holbrook
> Network Engineer
> Earthlink
>


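A small first-match ACL model, added here as an illustration and not part of anyone's post in this thread, for the two points Jenny makes above: where an access list is applied decides which flows it can touch (the rtrA/rtrB/rtrC case), and entry order decides how many lines the router walks per packet. The three-router topology, the access-list entries and the traffic sample are constructed for the example; the first-match and implicit-deny behaviour mirrors Cisco IOS.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Ace:
    """One access-list entry, e.g. 'deny tcp any any eq 23'."""
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", or "ip" (ip matches any protocol)
    dport: Optional[int] = None   # None means any destination port

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, int]:
    """First match wins; returns (action, lines_checked).
    As in IOS, a packet matching no line hits the implicit deny at the end."""
    for n, ace in enumerate(acl, start=1):
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, n
    return "deny", len(acl)

# Jenny's access-list 101: block telnet, permit everything else.
ACL_101 = [Ace("deny", "tcp", 23), Ace("permit", "ip")]

def reaches(pkt: Packet, placement: str) -> bool:
    """Constructed topology: rtrA, rtrB and rtrC share one Ethernet segment.
    'rtrA-out' filters everything rtrA sends onto the segment;
    'rtrB-in' filters only what arrives on rtrB's Ethernet."""
    if placement == "rtrA-out":
        filtered = pkt.src == "rtrA"
    elif placement == "rtrB-in":
        filtered = pkt.dst == "rtrB"
    else:
        raise ValueError(f"unknown placement {placement!r}")
    return not filtered or evaluate(ACL_101, pkt)[0] == "permit"

def cost(acl: List[Ace], traffic: List[Packet]) -> int:
    """Total ACL lines walked for a traffic sample (lower is cheaper)."""
    return sum(evaluate(acl, p)[1] for p in traffic)

def same_meaning(a: List[Ace], b: List[Ace], traffic: List[Packet]) -> bool:
    """A reordering is only safe if no packet in the sample changes verdict."""
    return all(evaluate(a, p)[0] == evaluate(b, p)[0] for p in traffic)
```

Run `same_meaning` before trusting `cost`: moving a broad `permit ip` above a `deny` makes the list cheaper and wrong at the same time.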
