It really depends.
If you have a small routing table but a huge access-list, you put it
inbound. If most of the incoming traffic is not routable by your router,
it passes through the access-list and then gets dropped anyway, because
your router has no routes for it. Under those circumstances I think I
would put the access-list outbound to save the CPU of the router.
So it really depends on what situation we have.

Thanks

Kent



--- Tom Holbrook <[EMAIL PROTECTED]> wrote:
> Jenny-
> 
> My understanding was that you should apply them inbound, so the traffic
> doesn't have to go through a route lookup process, just to be dropped.
> Am I missing something here?
> 
> -Tom
> At 05:06 PM 6/27/2000 +1000, you wrote:
> 
> 
> >It depends (well, what did you expect??)
> >As a general rule, you're better off putting the access list on the
> >outgoing interface.  That way you don't waste bandwidth by transmitting
> >traffic you're just going to throw away anyway.
> >BUT, your *first* priority is to make sure the access list does what you
> >want.  To do this, you may need to use an incoming access list instead.
> >
> >Example...
> >
> >rtrA -------- rtrB
> >
> >Let's say you want to prevent telnet traffic from rtrA to rtrB.
> >Assume for now that the link between the routers is a serial link (int S0
> >on both routers).
> >You could put an outgoing access list on S0 on rtrA:
> >rtrA:
> >access-list 101 deny tcp any any eq 23
> >access-list 101 permit ip any any
> >int s 0
> >ip access-group 101 out
> >
> >This will work fine (assuming my syntax is correct which I am making no
> >guarantees about - I haven't checked it).  You could put the same access
> >list on rtrB as an incoming access list instead, and it would have the
> >same effect, but your telnet traffic would cross the serial link before
> >being dropped - generally not very efficient.
> >
> >OK, what if it's not a serial link, but an ethernet?  Time to throw
> >another router into the mix...
> >
> >rtrA -------- rtrB
> >          |
> >         rtrC
> >
> >Now, putting that same outgoing access list on rtrA has a different
> >effect to putting it as an incoming access list on rtrB.  If you put the
> >outgoing access list on rtrA, you will not be able to telnet from rtrA to
> >rtrB *or to rtrC*.  If you put it as an incoming access list on rtrB, you
> >will not be able to telnet from rtrA to rtrB but you will be able to
> >telnet from rtrA to rtrC.
> >In this case, where should you put the access list?  That depends
> >completely on what you are trying to achieve with your access list.
> >
> >Regardless of where you are putting your access list, try to put the
> >lines that will get the most hits near the top (again, make sure you
> >don't change the meaning of the access list if you change the order of
> >statements).  The lines of an access list are checked in order, and once
> >a match for a packet is found, the rest of the list isn't checked - so if
> >most of your packets match the first line, rather than the last, your
> >router will spend less time checking access lists.
> >
> >Here endeth the chapter :-)
> >
> >JMcL
> >
> >---------------------- Forwarded by Jenny Mcleod/NSO/CSDA on 27/06/2000 16:28
> >---------------------------
> >
> >
> >"K.FUJIWARA" <[EMAIL PROTECTED]> on 26/06/2000 15:59:31
> >
> >Please respond to "K.FUJIWARA" <[EMAIL PROTECTED]>
> >
> >
> >To:   "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> >cc:    (bcc: JENNY MCLEOD/NSO/CSDA)
> >Subject:  Which access-list increases load the most?
> >
> >
> >
> >Hi, all.
> >
> >Though the null interface is the best solution for load on the router
> >CPU, which extended / standard access-list is the best to reduce the
> >load?
> >An extended one's result may depend on where it is put or on the case,
> >so where should it be configured? Destination?
> >If you have some good examples, please show me.
> >
> >And then, do you know good tools or utilities to monitor the router's
> >performance on CPU or RAM in real time?
> >
> >Kazuyo Fujiwara
> >MCSE/CCNA
> >Japan Kobe
> >
> >
> >
> >___________________________________
> >UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
> >FAQ, list archives, and subscription info: http://www.groupstudy.com
> >Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> >
> >
> >
> >
> 
> Tom Holbrook
> Network Engineer
> Earthlink
> 



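The three arguments in this thread (Jenny's rtrA/rtrB/rtrC placement difference, Kent's point that an inbound list spends CPU on traffic the route lookup would have dropped anyway, and Jenny's advice to put the most-hit line first) can be checked with a small model. The following is an added example written for this page; it is not code from any of the posters and it is not Cisco IOS behaviour beyond the processing order the posts describe (inbound list, route lookup, outbound list). All addressing (10.1.0.5 as the client, 10.2.0.1 for rtrB, 10.3.0.1 for rtrC, 192.0.2.x filler sources, 203.0.113.7 as an unroutable destination) and interface names (e0, e1, lo0) are hypothetical.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "0.0.0.0/0"  # the "any" keyword of an access-list line

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0

@dataclass
class Ace:
    """One access-list line; proto 'ip' matches any protocol, ANY any address."""
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

class Acl:
    """First-match list with the implicit deny at the end; counts lines checked."""
    def __init__(self, aces: list):
        self.aces, self.evaluated = aces, 0

    def permits(self, p: Packet) -> bool:
        for ace in self.aces:
            self.evaluated += 1
            if ace.matches(p):
                return ace.action == "permit"
        return False

class Router:
    """Modelled order: inbound ACL, then route lookup, then outbound ACL."""
    def __init__(self, routes: list):
        self.routes = [(ip_network(cidr), iface) for cidr, iface in routes]
        self.inbound, self.outbound, self.lookups = {}, {}, 0

    def route(self, p: Packet) -> Optional[str]:
        self.lookups += 1
        hits = [r for r in self.routes if ip_address(p.dst) in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

    def forward(self, p: Packet, in_iface: str) -> str:
        """Return the outgoing interface, or 'drop:<reason>'."""
        acl = self.inbound.get(in_iface)
        if acl and not acl.permits(p):
            return "drop:inbound-acl"
        out = self.route(p)
        if out is None:
            return "drop:no-route"
        acl = self.outbound.get(out)
        if acl and not acl.permits(p):
            return "drop:outbound-acl"
        return out

def deny_telnet_acl() -> Acl:
    """Jenny's list: deny tcp any any eq 23, permit ip any any."""
    return Acl([Ace("deny", "tcp", ANY, ANY, 23), Ace("permit", "ip", ANY, ANY)])

def shared_ethernet_placement() -> dict:
    """rtrA's e0 reaches rtrB (10.2.0.1) and rtrC (10.3.0.1) on one ethernet;
    the client behind rtrA is 10.1.0.5 (hypothetical addressing)."""
    results = {}
    for placement in ("outbound-on-rtrA", "inbound-on-rtrB"):
        rtr_a = Router([("10.2.0.0/24", "e0"), ("10.3.0.0/24", "e0")])
        rtr_b = Router([("10.2.0.0/24", "lo0")])
        (rtr_a.outbound if placement == "outbound-on-rtrA" else rtr_b.inbound)["e0"] = deny_telnet_acl()
        for target, dst in (("rtrB", "10.2.0.1"), ("rtrC", "10.3.0.1")):
            pkt = Packet("10.1.0.5", dst, "tcp", 23)
            hop = rtr_a.forward(pkt, "e1")
            if hop == "e0" and target == "rtrB":  # crosses the ethernet into rtrB's e0;
                hop = rtr_b.forward(pkt, "e0")    # rtrC is reached directly, rtrB never sees it
            results[f"{placement}/telnet-to-{target}"] = hop if hop.startswith("drop") else "forwarded"
    return results

def acl_work(placement: str, hot_line_first: bool) -> dict:
    """Kent's case (50-line list, one-route table, mostly unroutable traffic) plus
    Jenny's ordering advice. Filler lines use unrelated 192.0.2.x sources, so
    moving the hot line does not change the list's meaning."""
    rtr = Router([("10.2.0.0/24", "e0")])
    hot = Ace("permit", "tcp", "10.1.0.0/24", "10.2.0.0/24", 80)
    filler = [Ace("deny", "tcp", f"192.0.2.{i}/32", ANY, 1000 + i) for i in range(50)]
    tail = Ace("permit", "ip", ANY, ANY)
    acl = Acl([hot] + filler + [tail] if hot_line_first else filler + [hot, tail])
    getattr(rtr, placement)["e1" if placement == "inbound" else "e0"] = acl
    packets = [Packet("10.1.0.5", "203.0.113.7", "udp", 53)] * 90  # no route: lookup drops them
    packets += [Packet("10.1.0.5", "10.2.0.1", "tcp", 80)] * 10    # routable web traffic
    seen = Counter(rtr.forward(p, "e1") for p in packets)
    return {"route_lookups": rtr.lookups, "acl_lines_checked": acl.evaluated,
            "dropped_no_route": seen["drop:no-route"], "forwarded": seen["e0"]}

if __name__ == "__main__":
    print(shared_ethernet_placement())
    for place in ("inbound", "outbound"):
        for first in (False, True):
            print(place, "hot line first" if first else "hot line last", acl_work(place, first))
```

The placement function reproduces Jenny's result: the outbound list on rtrA drops telnet to both rtrB and rtrC, the inbound list on rtrB drops only telnet to rtrB. The work function reproduces Kent's: with the list inbound every one of the 100 packets is checked against the 50 filler lines before the lookup discards 90 of them, whereas outbound only the 10 routable packets reach the list; moving the hot line to the top cuts the outbound count to one check per packet. The counters are what you would look at with `show access-lists` (per-line match counts) when deciding which lines belong near the top.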
