There is another advantage to placing access lists outbound.  Traffic won't
have to travel across the network only to be dropped on the other side.
Less bandwidth consumption across your WAN.  That's why it is recommended
that access lists be placed as close as possible to the traffic source.  My
2 cents.


Vijay Ramcharan
CCNP, CCDA, MCSE


-----Original Message-----
From: Atif Awan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 23, 2000 11:28 PM
To: Dale Holmes; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: accesslists outbounds?


They say that outbound access lists are less processor intensive because the
router has only to process those packets destined for the destination you
are trying to affect. When you apply it inbound then the router has to match
each packet coming into that interface even though that packet might not be
relevant to the access list. The scenario presented is just a simple one and
in this case it does not matter where you place the access list, but think of
two more serial interfaces in addition to S3. If you apply the access list
inbound then packets destined for S4 and S5 will also have to be processed
through the list even though they have nothing to do with the S3 interface.

So the conclusion is that "Outbound access lists are IN GENERAL less
processor intensive than inbound access lists" ... remember IN GENERAL ...
there can be exceptions

Regards
Atif
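
The trade-off argued in this thread, as an added example that is not part of any poster's message: a small counting model of Access-list 1 applied inbound on the 10.10.10.0 interface versus outbound on S3. The S4/S5 prefixes, the traffic list and the function names are assumptions made for illustration, and the counters model only "one ACL pass" and "one route lookup" per packet, not a real router's switching path.

```python
import ipaddress

# Access-list 1 from the thread: (action, source, wildcard mask).
ACL_1 = [("permit", "10.10.10.101", "0.0.0.0"),
         ("deny",   "10.10.10.0",   "0.0.0.255")]

# Egress networks: S3 is from the thread; the S4/S5 prefixes are assumed.
ROUTES = {"S3": "10.10.20.0/24", "S4": "10.10.30.0/24", "S5": "10.10.40.0/24"}


def acl_permits(src):
    """Standard ACL: first match on source address wins, implicit deny at end."""
    s = int(ipaddress.ip_address(src))
    for action, addr, wildcard in ACL_1:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF  # bits that must match
        if (s & care) == (int(ipaddress.ip_address(addr)) & care):
            return action == "permit"
    return False


def egress_for(dst):
    """Return the name of the interface whose network contains dst, or None."""
    d = ipaddress.ip_address(dst)
    return next((i for i, net in ROUTES.items() if d in ipaddress.ip_network(net)), None)


def run(packets, placement):
    """placement: 'in' = ACL on the 10.10.10.0 interface, 'out' = ACL on S3."""
    stats = {"acl_checks": 0, "route_lookups": 0, "delivered": []}
    for src, dst in packets:
        if placement == "in":              # filter before any routing decision
            stats["acl_checks"] += 1
            if not acl_permits(src):
                continue
        stats["route_lookups"] += 1
        out_if = egress_for(dst)
        if placement == "out" and out_if == "S3":   # only S3-bound traffic is filtered
            stats["acl_checks"] += 1
            if not acl_permits(src):
                continue
        stats["delivered"].append((src, out_if))
    return stats


# Constructed traffic from the two hosts in the diagram.
PACKETS = [("10.10.10.101", "10.10.20.5"), ("10.10.10.102", "10.10.20.5"),
           ("10.10.10.102", "10.10.30.7"), ("10.10.10.101", "10.10.40.9"),
           ("10.10.10.102", "10.10.40.9")]
```

With this traffic the inbound placement runs the ACL on every packet but routes only the permitted ones, while the outbound placement routes every packet and runs the ACL only on S3-bound ones. The two placements also enforce different policies: inbound blocks 10.10.10.102 toward every network, outbound blocks it only toward 10.10.20.0.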

-----Original Message-----
From: Dale Holmes <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>; [EMAIL PROTECTED]
<[EMAIL PROTECTED]>
Date: Wednesday, August 23, 2000 8:04 PM
Subject: Re: accesslists outbounds?


>Hard to imagine that it would be more efficient outbound on s3 rather than
>inbound on s2. The router would have to go to all the trouble of determining
>the path for the packet, only to drop it... seems kinda foolish.
>
>The process of reading the header and running down the access list entries
>for a match is processor intensive, but it should not be more or less
>intensive in any one direction... the process is still the same, isn't it?
>
>Dale
>[=`)
>
>
>>From: "Martin Eriksson" <[EMAIL PROTECTED]>
>>Reply-To: "Martin Eriksson" <[EMAIL PROTECTED]>
>>To: <[EMAIL PROTECTED]>
>>Subject: accesslists outbounds?
>>Date: Wed, 23 Aug 2000 13:01:27 +0200
>>
>>Hi!
>>
>>Found a little something in the CCNA Router and Switching Study Guide
>>(http://www.rkingma.com/cisco/TestHome.htm).
>>that I can't really recall reading anywhere else..
>>
>>A simple scenario...
>>
>>s1 10.10.10.102
>>     |
>>     |---------------routerA---------s3 10.10.20.1
>>     |
>>s2 10.10.10.101
>>
>>Access-list 1 permit 10.10.10.101
>>Access-list 1 deny 10.10.10.0 0.0.0.255
>>
>>According to the text: "We could apply it as an inbound filter on Router
>>A's interface to network 10.10.10.0, or as an outbound filter on Router A's
>>interface to network 10.10.20.0. Outbound filters are less processor
>>intensive for the router, so let's apply it outbound.".
>>
>>It's the last part I get confused with, "outbound filters are less
>>processor intensive".
>>I thought it was the opposite that it's better to stop the packets at the
>>entry instead of the exit.
>>
>>I'm sure someone can sort things up for me..
>>
>>best regards!
>>Martin, E
>>
>>
>
>___________________________________
>UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
>FAQ, list archives, and subscription info: http://www.groupstudy.com
>Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
