|--E0,R1,S0 ----WAN link---->S1,R2,E0--|
Vijay,
You are correct in saying that an outbound filter on R1,S0 would have less
impact on your WAN link than an inbound filter on R2,S1, but what about an
inbound extended access list (that considers destination address) on R1,E0?
It might accomplish the same thing, and be more efficient (depending on what
might be happening on R1's S1, S2, S3, S4 etc.).
You really have to examine closely which traffic you intend to filter, and
what impact the filter will have at any of the valid places you may apply
it. It is difficult to generalize this, it needs to be examined
case-by-case...
Dale
[=`)
>From: Vijay Ramcharan <[EMAIL PROTECTED]>
>Reply-To: Vijay Ramcharan <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: RE: accesslists outbounds?
>Date: Wed, 23 Aug 2000 14:02:27 -0400
>
>There is another advantage to placing access lists outbound. Traffic won't
>have to travel across the network only to be dropped on the other side.
>Less bandwidth consumption across your WAN. That's why it is recommended
>that access lists be placed as close as possible to the traffic source. My
>2 cents.
>
>
>Vijay Ramcharan
>CCNP, CCDA, MCSE
>
>
>-----Original Message-----
>From: Atif Awan [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, August 23, 2000 11:28 PM
>To: Dale Holmes; [EMAIL PROTECTED]; [EMAIL PROTECTED]
>Subject: Re: accesslists outbounds?
>
>
>they say that outbound access lists are less processor intensive because
>the
>router has only to process those packets destined for the destination you
>are trying to affect. When you apply it inbound then the router has to
>match
>each packet coming into that interface even though that packet might not be
>relevant to the access list. The scenario presented is just a simple one
>and
>in this case it does not matter where you place the access list but think
>of
>two more serial interfaces in addition to S3. if you apply the access list
>inbound then packets destined for S4 and S5 will also have to be processed
>through the list even though they have nothing to do with the S3 interface.
>
>So the conclusion is that "Outbound access lists are IN GENERAL less
>processor intensive than in bound access lists" ... remember IN GENERAL ...
>there can be exceptions
>
>Regards
>Atif
>
>-----Original Message-----
>From: Dale Holmes <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>; [EMAIL PROTECTED]
><[EMAIL PROTECTED]>
>Date: Wednesday, August 23, 2000 8:04 PM
>Subject: Re: accesslists outbounds?
>
>
> >Hard to imagine that it would be more efficient outbound on s3 rather
>than
> >inbound on s2. The router would have to go to all the trouble of
>determining
> >the path for the packet, only to drop it... seems kinda foolish.
> >
> >The process of reading the header and running down the access list
>entries
> >for a match is processor intensive, but it should not be more or less
> >intensive in any one direction... the process is still the same, isn't
>it?
> >
> >Dale
> >[=`)
> >
> >
> >>From: "Martin Eriksson" <[EMAIL PROTECTED]>
> >>Reply-To: "Martin Eriksson" <[EMAIL PROTECTED]>
> >>To: <[EMAIL PROTECTED]>
> >>Subject: accesslists outbounds?
> >>Date: Wed, 23 Aug 2000 13:01:27 +0200
> >>
> >>Hi!
> >>
> >>Found a little something in the CCNA Router and Switching Study Guide
> >>(http://www.rkingma.com/cisco/TestHome.htm).
> >>that I can't really recall reading anywhere else..
> >>
> >>A simple scenario...
> >>
> >>s1 10.10.10.102
> >> |
> >> |---------------routerA---------s3 10.10.20.1
> >> |
> >>s2 10.10.10.101
> >>
> >>Access-list 1 permit 10.10.10.101
> >>Access-list 1 deny 10.10.10.0 0.0.0.255
> >>
> >>According to the text: " We could apply it as an inbound filter on
>Router
> >>A's interface to network 10.10.10.0, or as an outbound filter on Router
>A's
> >>interface to network 10.10.20.0. Outbound filters are less processor
> >>intensive for the router, so let's apply it outbound.".
> >>
> >>It's the last part I get confused with, "outbound filters are less
> >>processor intensive".
> >>I thought it was the opposite that it's better to stop the packets at
>the
> >>entry instead of the exit.
> >>
> >>I'm sure someone can sort things up for me..
> >>
> >>best regards!
> >>Martin, E
> >>
> >>
> >
> >________________________________________________________________________
> >Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com
> >
> >___________________________________
> >UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
> >FAQ, list archives, and subscription info: http://www.groupstudy.com
> >Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> >
>
>___________________________________
>UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
>FAQ, list archives, and subscription info: http://www.groupstudy.com
>Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
>___________________________________
>UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
>FAQ, list archives, and subscription info: http://www.groupstudy.com
>Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com
___________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
